[Senate Hearing 116-265]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 116-265
 
   DEPARTMENT OF DEFENSE ENTERPRISE-WIDE CYBERSECURITY POLICIES AND 
                              ARCHITECTURE

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                             CYBERSECURITY

                                 of the

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            JANUARY 29, 2019

                               __________

         Printed for the use of the Committee on Armed Services
         
         
         
         
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       
 


                  Available via http://www.govinfo.gov
                  
                  
                  
                            ______                      


             U.S. GOVERNMENT PUBLISHING OFFICE 
 41-330 PDF           WASHINGTON : 2020 
 
                 


                      COMMITTEE ON ARMED SERVICES

                       JAMES M. INHOFE, Oklahoma, 
                               Chairman
             
ROGER F. WICKER, Mississippi       JACK REED, Rhode Island
DEB FISCHER, Nebraska              JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas               KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota          RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa                   MAZIE K. HIRONO, Hawaii
THOM TILLIS, North Carolina        TIM KAINE, Virginia
DAN SULLIVAN, Alaska               ANGUS S. KING, Jr., Maine
DAVID PERDUE, Georgia              MARTIN HEINRICH, New Mexico
KEVIN CRAMER, North Dakota         ELIZABETH WARREN, Massachusetts
MARTHA McSALLY, Arizona            GARY C. PETERS, Michigan
RICK SCOTT, Florida                JOE MANCHIN, West Virginia
MARSHA BLACKBURN, Tennessee        TAMMY DUCKWORTH, Illinois
JOSH HAWLEY, Missouri              DOUG JONES, Alabama
                                     
                                     
                     John Bonsell, Staff Director
                   Elizabeth L. King, Minority Staff 
                               Director


                     Subcommittee on Cybersecurity

                       MIKE ROUNDS, South Dakota, 
                               Chairman
                               
ROGER F. WICKER, Mississippi        JOE MANCHIN, West Virginia
DAVID PERDUE, Georgia               KIRSTEN E. GILLIBRAND, New York
RICK SCOTT, Florida                 RICHARD BLUMENTHAL, Connecticut
MARSHA BLACKBURN, Tennessee         MARTIN HEINRICH, New Mexico
                                     
                                     
                                     

                                  (ii)

  

                           C O N T E N T S



                            January 29, 2019

                                                                   Page

Department of Defense Enterprise-Wide Cybersecurity Policies and      1
  Architecture.

Deasy, The Honorable Dana, Department of Defense Chief                4
  Information Officer.
Norton, Vice Admiral Nancy A., USN, Director, Defense Information    10
  Systems Agency, and Commander, Joint Force Headquarters--
  Department of Defense Information Network.
Crall, Brigadier General Dennis A., USMC, Principal Deputy Cyber     11
  Advisor and Senior Military Advisor for Cyber Policy.

Questions for the Record.........................................    32

                                 (iii)



                   DEPARTMENT OF DEFENSE ENTERPRISE-

              WIDE CYBERSECURITY POLICIES AND ARCHITECTURE

                              ----------                              


                       TUESDAY, JANUARY 29, 2019

                               U.S. Senate,
                     Subcommittee on Cybersecurity,
                               Committee on Armed Services,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:29 p.m. in 
Room SR-222, Russell Senate Office Building, Senator Mike 
Rounds (presiding) chairman of the subcommittee.
    Members present: Senators Rounds, Wicker, Scott, Blackburn, 
Manchin, Gillibrand, and Blumenthal.

            OPENING STATEMENT OF SENATOR MIKE ROUNDS

    Senator Rounds. The Cybersecurity Subcommittee meets this 
afternoon for our first hearing of the 116th Congress.
    Before we begin, I want to welcome our new Ranking Member, 
Senator Joe Manchin. I'd also like to welcome all of our former 
members back to the subcommittee and extend a special welcome 
to the new members joining us. On the Majority side, we are 
joined by Senator Wicker, Senator Scott, Senator Blackburn. On 
the Minority side, we are joined by Senator Heinrich.
    Two years ago, this subcommittee was formed to address the 
most pressing national cybersecurity matters, with a focus on 
Department of Defense (DOD)-related legislation and oversight. 
I look forward to legislation that builds on the hard work we 
have done over the past 2 years, and continuing our important 
oversight of the plans, programs, and policies related to 
cyberforces and capabilities within the Department of Defense.
    Today, we will receive testimony on the Department of 
Defense enterprise-wide cybersecurity policies and architecture 
form: Mr. Dana Deasy, the Department of Defense Chief 
Information Officer (CIO); Vice Admiral Nancy Norton, the 
Director of the Defense Information Systems Agency (DISA), and 
Commander of the Joint Force Headquarters-Department of Defense 
Information Network (JFHQ-DODIN); and Brigadier General Dennis 
Crall, the Deputy Principal Cyber Advisor (PLA) and Senior 
Military Advisor for Cyber Policy. We welcome you.
    We have a lot of information to cover, so I will be brief. 
At the conclusion of Ranking Member Manchin's comments, our 
witnesses will make their opening remarks. I would appreciate 
the witnesses limiting their remarks to about 5 minutes, with 
the option of providing a longer statement for the record. 
After they finish their remarks, we will have a round of 
questions and answers.
    One of the Department's main cyberspace objectives 
articulated in the 2018 Department of Defense Cyber Strategy is 
securing DOD information and systems against malicious cyber 
activity. Unfortunately, in recent years, we have seen 
relentless and sophisticated cyberattacks on the DOD 
enterprise, other government agencies, and the private sector, 
while the capabilities of our adversaries continue to increase. 
Simply continuing to defend our networks as we have in the past 
is not adequate to counter the growing threats that we face.
    At a hearing with private-sector witnesses last fall, we 
heard about the advances that industry has made in developing 
new tools and techniques for defending large enterprise 
networks. While there are many unique challenges because of the 
complexity and scope of the Department of Defense Information 
Network, also known as the DODIN, it is important that, where 
possible, we leverage the best practices from industry to 
defend our networks. In addition, it is equally imperative that 
the acquisition process of DOD is not precluding it from 
organically developing and producing state-of-the-art 
cybersecurity capabilities. In this context, we look forward 
today to learning more about JFHQ-DODIN and, in particular, how 
the organization can achieve a complete, realtime picture of 
the entire DOD network.
    The Department's cybersecurity tools are not the only 
factor important to robust defense of the DODIN. It is also 
critical that the Department formulate and implement 
appropriate cybersecurity policies and stand up a robust 
cybersecurity workforce. Specifically, we are looking forward 
to learning how the Department is implementing their 2018 Cyber 
Strategy in these areas of cybersecurity.
    Across the cybersecurity spectrum, it is vital that we are 
consistent in our approach as we further centralize, 
standardize, and integrate the complexities of DOD's cyber 
enterprise. We cannot afford to waste time or resources with 
the duplication of effort across the services, combatant 
commands, and support agencies. In that context, the witnesses 
here today are charged with these important tasks toward 
further streamlining and modernizing the Department's cyber 
defensive posture. We look forward to hearing how you are 
accomplishing this challenging task.
    Today's discussion builds on many of the themes that were 
discussed in our cybersecurity hearings with the private sector 
this past fall. While most of our subcommittee hearings are 
closed because they include classified information, I chose to 
hold an open hearing today so that private industry would have 
further insight into the Department's plans and future 
cybersecurity needs. I encourage DOD and private industry to 
continue a robust dialogue so that you can help each other to 
achieve overlapping goals and prepare for our upcoming 
cybersecurity hearings this year. Any questions that would 
require a classified answer can be submitted for the record, 
for which we would appreciate the Department's timely 
responses.
    Let me close by thanking our witnesses for appearing today, 
and for their service to our Nation.
    Senator Manchin.

                STATEMENT OF SENATOR JOE MANCHIN

    Senator Manchin. Thank you, Mr. Chairman.
    As you said, this is my first hearing as the Ranking Member 
of Cyber Subcommittee and how it doves in well with my Ranking 
on Energy, which we have oversight of cyber also, so it's 
really going to be helpful.
    I'm delighted to be joining you, Senator Rounds. We've 
worked together as Governors together, and now we're back 
together again as partners to improve the cybersecurity of the 
Department of Defense and, indeed, I hope, the Nation.
    I join you in welcoming our distinguished witnesses today: 
Chief Information Officer Dana Deasy--is it--is--am I correct 
on that? Okay. Defense Information System Agency Director, 
Admiral Norton; and General Crall, who has the challenging task 
of overseeing, on behalf of the Secretary of Defense, the 
implementation of the Department's new Cyber Strategy. The 
committee has long looked for a way to empower DOD with the 
ability to adopt an effective strategy and plan of action to 
deter cyberattacks and defend against them. Thankfully, based 
on initial reviews of the new Cyber Strategy and the results of 
the new Cyber Posture Review, there is optimism that DOD has 
turned a corner, that we now have a credible strategy and a 
commitment to implement it.
    The specifics of the new wide-ranging strategy are quite 
complicated, but I believe common sense can make this all 
understandable to our constituents back home. Here are some 
examples:
    I'm told we have not one network in DOD, but, in fact, 
thousands. Each military service, defense agency, and every 
component within them have built their own networks, with 
chaotic results. They can't work together effectively, and they 
are hard to defend. There is now a plan to break down these 
fractured networks and implement a common security 
architecture. We cannot allow computers and other devices to be 
connected to the network without verifying who installed them 
and whether they're correctly configured and protected. We have 
to be able to manage who accesses the network and what they can 
see and do, according to the role they are assigned. We have to 
monitor the activity that people and the computers they control 
are conducting on our network to guard against insider threats, 
like Snowden. We have to improve the security of the networks 
of the companies that build weapons and provide services to 
DOD. We cannot allow China to keep stealing our technology and 
program plans to cyberattacks on the industrial base. We have 
to recruit, train, and retain real experts in cyber warfare, 
despite fierce competition with the private sector and the 
hiring obstacles that the government faces. We have to figure 
out how to apply new artificial intelligence (AI) and machine 
learning technologies to detect cyber intrusions, as well as to 
help our cyber forces operate better and faster.
    These are the types of issues that the committee and DOD 
have talked about fixing for a long time, but now, finally, the 
Department may be prepared to take real action. We hope so.
    So, I want to thank you, Mr. Chairman. And we look forward 
to y'all's testimony.
    Senator Rounds. Thank you.
    And I would note, also, that former Governor Scott is here 
with us, as well.
    Senator Manchin. Yeah.
    Senator Rounds. So, now you face questioning from three 
different Governors from----
    Senator Manchin. Things will happen now.
    Senator Rounds.--as well. So, going to start things 
popping.
    And thanks, Joe. We look forward to working----
    Senator Manchin. Yes sir.
    Senator Rounds.--with you on this project, as well.
    We'll do the questioning in 5-minute cycles, and we'll just 
take our time and work our way through. We'll try to limit our 
questions to get specifics, and then we'll ask each of our 
members if we would try to limit them to 5 minutes, and we'll 
move back and forth.
    So, as I said earlier, you are all welcome to provide a 
complete transcript or a statement for the record, but we would 
appreciate it if you would also keep your opening statements to 
5 minutes, as well.
    Mr. Deasy, I'll turn to you first, if you'd like to begin, 
and then I'll let you decide how you would like to proceed from 
there.

 STATEMENT OF THE HONORABLE DANA DEASY, DEPARTMENT OF DEFENSE 
                   CHIEF INFORMATION OFFICER

    Mr. Deasy. Okay. Thank you.
    Good afternoon, Mr. Chairman, Ranking Member, distinguished 
members of the subcommittee. Thank you for this opportunity to 
testify before the subcommittee today on the Department's cyber 
architectures and policies.
    I'm Dana Deasy, the Department of Defense Chief Information 
Officer. With me today are Vice Admiral Nancy Norton, Director 
of DISA and Commander, JFHQ-DODIN; and Brigadier General Dennis 
Crall, Senior Military Advisor for cyber policy and Deputy 
Principal Cyber Advisor to the Secretary of Defense.
    Since my arrival at the Department last May, I have made 
cybersecurity one of my top priorities. In September of 2018, 
the Department released a top-level DOD Cyber Strategy. This 
Strategy represents the Department's vision for addressing 
cyber threats and implementing the cyber priorities of the 
National Security Strategy (NSS) and National Defense Strategy 
(NDS). The Department also released its Cyber Posture Review to 
Congress, which provided a comprehensive review of the cyber 
posture for the DOD and identified gaps in our strategy, 
policy, and cyber capabilities. Also last year, the Secretary 
and the Deputy Secretary asked me to undertake a study to 
determine what the Department's cyber priorities should be. 
This led to the creation of the top ten cyber priorities. Cyber 
roles and responsibilities are shared across the Department. 
Only by working together, as you will hear from the three of us 
today, we are able to close the gaps and secure our systems.
    For the first time under the authorities granted by section 
909 of Fiscal Year 2018 National Defense Authorization Act 
(NDAA), the DOD is reviewing, commenting on, and certifying all 
of the Information Technology (IT) budgets, which includes 
cyber, across the Department. Additionally, the DOD CIO now has 
the authority to set and enforce IT standards across the 
Department. Together, DOD CIO, DISA, and PCA work regularly to 
implement the DOD Cyber Strategies, in close coordination with 
the Military Departments and other DOD components. DOD CIO and 
PCA co-lead a weekly meeting focused on cyber issues with the 
Deputy Secretary of Defense, at which all Military Departments 
and Office of the Secretary of Defense (OSD) principals are in 
attendance.
    A key element of the Department's approach to standardizing 
cybersecurity across the Department is setting the standards in 
the cybersecurity reference architecture, which is the tool to 
providing cyber guidance for the family of architectures that 
align to the DOD overall enterprise architecture. As we 
aggressively leverage automation, new endpoint security 
technologies, and standard architectures to achieve military 
advantage through information, having strong assurances of who 
is accessing the data and how they are accessing the data is 
critical. We have been actively deploying a DOD identity 
credential and access management strategy that recognizes the 
changing environment and addresses the increasing dependence on 
digital identities to share information rapidly and more 
securely.
    Turning to cyber workforce. As my Deputy, Ms. Essye Miller, 
testified before you last September, DOD recognizes the 
importance of growing and maintaining the cyber workforce. It's 
an imperative that DOD attract the next generation to view the 
Department as an employer with unique and challenging 
opportunities within the cybersecurity career field. Recent 
authorities provided by Congress have allowed the Department to 
adjust existing policies and to implement new policies that 
account for this dynamic need in an increasing important 
mission area. One of these key authorities has been the 
establishment of a Cyber Excepted Service.
    In closing, the close working relationship among DOD CIO, 
DISA, and PCA is critical to our ability to address 
cybersecurity vulnerabilities. The importance of connection 
between policy, standard architectures, and remediation cannot 
be overstated. The Department has clearly defined cybersecurity 
problems to be solved, has a well-thought-out remediation 
approach; the right mechanisms are in place to monitor and 
report on our progress on the top ten cyber priorities.
    I want to emphasize the importance of our partnership with 
Congress in all areas, but with particular focus on 
cybersecurity. Continued support for a flexible approach to 
cyber resourcing, budgeting, acquisition, and personnel will 
help enable success against an ever-changing, dynamic cyber 
threat.
    Thank you for the opportunity to testify today, and I look 
forward to your questions.
    With that, over to Admiral Norton.
    [The prepared statement of Mr. Deasy follows:]

    Prepared Statement by The Honorable Dana Deasy on Behalf of the 
                         Department of Defense
                              introduction
    Good afternoon Mr. Chairman, Ranking Member, and distinguished 
Members of the Subcommittee. Thank you for this opportunity to testify 
before the Subcommittee today on the Department's cybersecurity 
architecture and policies. I am Dana Deasy, the Department of Defense 
(DOD) Chief Information Officer (CIO). I am the principal advisor to 
the Secretary of Defense for information management, IT, cybersecurity, 
communications, positioning, navigation, and timing (PNT), spectrum 
management, senior leadership communications, and nuclear command, 
control, and communications (NC3) matters. These latter 
responsibilities are clearly unique to the DOD, and my imperative as 
the CIO in managing this broad and diverse set of functions, is to 
ensure that the Department has the information and communications 
technology capabilities needed to support the broad set of Department 
missions. This includes supporting our deployed forces, cyber mission 
forces, as well as those providing mission and business support 
functions.
    With me today are Vice Admiral Nancy Norton, Director, Defense 
Information Systems Agency (DISA)/Commander, Joint Force Headquarters-
Department of Defense Information Network (JFHQ-DODIN) and Brigadier 
General Dennis Crall, Senior Military Advisor for Cyber Policy and 
Deputy Principal Cyber Advisor (PCA) to the Secretary of Defense (OSD).
    Since my arrival at the Department last May, I have made 
cybersecurity one of my top priorities, along with cloud computing, 
artificial intelligence, and command, control, and communications. In 
September 2018, the Department released its top-level DOD Cyber 
Strategy. The Strategy represents the Department's vision for 
addressing cyber threats and implementing the cyberspace priorities of 
the National Security Strategy and National Defense Strategy. The 
Department also released its Cyber Posture Review to Congress, which 
provided a comprehensive review of the cyber posture of the United 
States and identified gaps in our strategy, policy and cyber 
capabilities. These gaps are being addressed through the implementation 
of the DOD Cyber Strategy Lines of Effort (LOE) managed by PCA.
    About a year ago, the Deputy Secretary of Defense tasked the DOD 
CIO and PCA to compile a list of the top ten cyber priorities of the 
Department and, with Service input, we identified the four areas the 
Department should address first. Addressing these top risks and 
priorities will go a long way toward implementing cybersecurity 
capabilities, addressing critical vulnerabilities, and building a Cyber 
Workforce that will improve DOD's overall cyber posture to effectively 
deter our adversaries.
    Today, I would like to highlight five key areas. First, I will 
highlight the cyber roles and responsibilities of DOD CIO, DISA, and 
PCA. Then I will provide a brief overview of the Department's cyber 
architecture, along with details regarding DOD's use of automation and 
identity, credential and access management. Finally, I would like to 
reiterate the critical importance of our cyber workforce to our success 
in our cybersecurity mission.
                    cyber roles and responsibilities
    Cyber roles and responsibilities are shared across the Department. 
Only by working in partnership together, are we able to close the gaps 
and secure our systems.
    As stated previously, the role of the DOD CIO is a unique position 
in the Federal Government. I have the traditional CIO roles associated 
with information management, IT, and cybersecurity, as well as the more 
complex and unique roles associated with PNT, NC3, and senior 
leadership communications. Section 909 of the National Defense 
Authorization Act of 2018 clarified and expanded upon my roles and 
responsibilities to also include the certification of the DOD's IT 
budget, to include cybersecurity, and the development and enforcement 
of IT standards.
      Cyber Budget Certification: For the first time, DOD CIO 
is reviewing, commenting on, and certifying all of the IT budgets, 
which include cyber, across the Department. The DOD CIO's 
congressionally mandated responsibility to certify the Military 
Departments' cybersecurity investments and efforts enables me to ensure 
the Department is pursuing enterprise cybersecurity solutions that are 
lethal, flexible, and resilient.
      Standards: DOD CIO now has the authority to set and 
enforce IT standards across the Department. Standards are not limited 
to the technical standards developed by the commercial sector and 
organizations like the International Standards Organization. Standards 
include setting the bar for cybersecurity requirements, such as 
endpoint security standards and standards for architecture, and DODIN 
standards. Determining the standard for the Department is a theme 
across many of our architectural and technical initiatives.
                   defense information systems agency
    Operating under the direction of the DOD CIO, the Defense 
Information Systems Agency (DISA) is a combat support agency that on 
behalf of the Department builds, operates, and secures global 
telecommunications and IT infrastructure in support of joint 
warfighters, national-level leaders, and other mission and coalition 
partners across the full spectrum of operations. The Agency delivers 
enterprise services and data at the user point of need and is focused 
on securing, operating, and modernizing our networks, applications, and 
systems with innovative tools to counter threats, minimize risks, and 
maintain a competitive advantage.
    VADM Norton is dual-hatted as Commander of JFHQ-DODIN and Director 
of DISA. JFHQ-DODIN's global responsibility is to direct unity of 
effort for the command and control, planning, direction, coordination, 
integration, and synchronization of DODIN operations and Defensive 
Cyberspace Operations--Internal Defense Measures (DCO-IDM) for the 
DODIN infrastructure in support of DOD, Combatant Command, Military 
Service, Defense Agency and Coalition missions. JFHQ-DODIN, under 
Operational Control of U.S. Cyber Command, has Directive Authority for 
Cyberspace Operations over all 43 DOD Components to enable power 
projection and freedom of action across all warfighting domains. DISA 
is one of those Components.
    DISA is an IT service provider which aligns efforts to the DOD 
Cyber Strategy, Cyber Posture, Cyber Top 10 and DOD Directives. DISA 
designs, deploys, sustains, operates and secures the Defense 
Information Systems Network (DISN), which is the core element for all 
DOD/Joint architectures, Unified Capabilities (UC), voice, video, data 
and internet technology transport within the larger DODIN.
    DISA serves a critical role in advancing IT and cybersecurity 
capabilities across the Department. As the primary IT engineering arm 
for the Department, DISA develops solutions that support implementation 
of the DOD CIO-directed standardized solutions such as the Windows 10 
Secure Host Baseline and JRSS. DISA prevents about one billion cyber 
operations events targeting the DODIN each month, providing layered 
defense across the enterprise from the internet access points (IAP) to 
the end user devices.
    DISA partnerships with industry and other organizations across the 
Federal government are key to delivering cybersecurity related 
processes and services. For example, working in close partnership with 
industry, DISA develops and publishes a wide breadth of technical 
security guidance enabling the secure deployment of products and 
capabilities.
    DISA enterprise services such as our IAP, Cloud Access Points, 
Enterprise Networks (NIPRNET/SIPRNET), Email (Defense Enterprise 
Email), and Data Centers (Acropolis/Big Data Platform) have established 
a DOD enterprise approach to cybersecurity and network operations 
resiliency. These services are enabling future data-driven 
infrastructures, which is required to deploy software defined networks 
(SDN) with machine-augmented workflows, cybersecurity machine learning 
for increased detection and mitigation of cyber threats and future 
artificial intelligence for data protection and network healing at 
cyber speeds.
                        principal cyber advisor
    As described in section 932 of the National Defense Authorization 
Act for Fiscal Year 2014, the PCA is the civilian DOD official who acts 
as the principal advisor to the Secretary of Defense on the 
Department's military and civilian cyber forces and activities. The PCA 
synchronizes, coordinates, and oversees the implementation of the 
Department's Cyber Strategy and other relevant policy and planning 
documents to achieve DOD's cyber missions, goals, and objectives. At 
the core of the PCA is the Cross Functional Team (CFT) of detailed 
personnel from key Departments, Services, and Agencies. The CFT 
provides an objective and broad perspective needed to ensure outcomes 
match both short and long-term approved, strategic visions.
    The PCA executes the DOD Cyber Strategy, including addressing the 
gaps identified in the DOD Cyber Posture Review, through the LOE 
implementation process. The LOE implementation process also allows the 
Department to take a system view of the environment, address disparate 
approaches and eliminate friction points across the Services and the 
enterprise. While the LOE end states defined in the Cyber Strategy are 
enduring, the objectives are more dynamic to allow the Department to 
re-evaluate and adjust as needed to the operating environment. PCA 
activities are rooted in strategy, and prioritized by risk; they are 
warfighter focused with the aim of increasing lethality. To that end, 
we are leading a Department-wide effort to translate the Cyber Strategy 
LOEs into specific objectives, tasks, and sub-tasks that are focused on 
outcomes which can be monitored and measured to demonstrate return on 
investment.
    The DOD's ``Top 10 Cyber Priorities'' and ``First Four'' efforts, 
already underway, are nested under the Cyber Strategy LOEs. LOE 3, 
Transform Network and System Architecture, identifies objectives to 
achieve enterprise-wide cybersecurity policies and architecture based 
on priorities determined by DOD CIO. Similarly, LOE 8, ``Sustain a 
Ready Cyber Workforce'', is focused on the enterprise approach to 
recruit, retain, develop, and train cyber professionals. Through 
implementing the ``First Four,'' the PCA is focused on outcomes to 
improve perimeter, network, and endpoint defense. Additionally, the Top 
10, along with the DOD Cyber Strategy implementation process, provides 
the Department with the ability to prioritize investments, such as the 
modernization of cybersecurity architectures and the cyber workforce.
    Together, DOD CIO, DISA, and PCA work together regularly to 
implement the DOD Cyber Strategy in close coordination with the 
Military Department and other DOD Component CIOs. DOD CIO and PCA co-
lead weekly meetings focused on cyber issues with the Deputy Secretary 
of Defense with all of the Military Departments and Office of the 
Secretary of Defense (OSD) Principals present. These meetings ensure 
that the Deputy Secretary of Defense is kept abreast of progress on 
cyber initiatives and that all Department leaders are present to 
receive direction and share challenges.
                      cyber architecture overview
    A key element of the Department's approach to standardizing 
cybersecurity across the Department is setting the standard in the 
Cybersecurity Reference Architecture (CS RA) which is a tool providing 
cybersecurity guidance for the family of architectures that aligned to 
the DOD Information Enterprise Architecture (IEA) and establishes a 
modern and adaptive approach to meet future cybersecurity requirements.
    The recently developed CS RA Version 4.1 aims to baseline the 
enterprise cloud security landscape for DOD components currently 
migrating or planning migrations to commercial cloud and leverages 
techniques such as automation, next generation network architecture, 
and Machine Learning and Artificial Intelligence.
    The DOD Cyber Architecture features a tiered system of cyber 
defenses that act in concert to provide protections from a variety of 
cyber threats. The major components for these tiers include the IAP, 
JRSS, and End Points. The IAPs are the gateway between the internal DOD 
environment and the larger internet. They provide email security, 
analysis of web traffic using intelligence-informed sensors and other 
tools, and they manage the flow of information between DOD and the 
internet.
    JRSS is another major component of DOD's architectural approach. 
They provide network security functionality for traffic flows across 
DOD networks, providing traffic inspection, incident detection, and 
analysis capabilities for both inbound and outbound internal and 
external users or services.
    Other ways DOD is transforming the cyber architecture include cloud 
initiatives such as Joint Enterprise Defense Initiative (JEDI), Secure 
Development Operations (DevSecOps) and DOD Cybersecurity Analysis and 
Review (DODCAR).

      Joint Enterprise Defense Initiative (JEDI), one of the 
main elements of DOD CIO's recently-released Cloud Strategy, aims to 
provide a general purpose cloud computing solution and drives the 
standardization of secure commercial cloud service offerings across the 
DOD enterprise alongside other efforts such as the Defense Enterprise 
Office Solution (DEOS).

      The Department is deploying an enterprise DevSecOps 
Platform in the cloud that will establish an enduring secure software 
development environment to demonstrate that Agile DevSecOps can rapidly 
deliver software by fully automating the development, testing, and 
cybersecurity focused pipelines.

      DODCAR, a cooperative effort between NSA, DISA and DOD 
CIO, is a modernized systems engineering methodology that is designed 
to incorporate threat-based data into all phases of the technology 
lifecycle from architecture through development and deployment. Its 
techniques and tools allow architects, engineers and operations 
professionals to assess how well their capabilities defend against 
actual adversary threat conditions.

      Next Generation Cybersecurity Architecture: DOD CIO, 
working in concert with DISA, is evaluating emerging architectures to 
shift the way the Department's networks are protected. This requires 
rethinking how we implement protections so that our ability to conduct 
operations is unimpeded but ensures that the network resists 
unauthorized activity and makes it easier to detect bad actors.
       using cyber automation as a defensive ``force multiplier''
    In 2016, the Defense Science Board recommended DOD consider cyber 
approaches to assess system resilience and leverage emerging 
technologies to increase system resilience. The study detailed a set of 
recommendations for the ``next dollar spent'' to maximize effects 
against cyber threats. The new areas of investment include increasing 
automation for cyber defense, improving endpoint security, and 
heightening cyber preparedness to accelerate cyber force readiness 
reporting in response to different kinds and levels of cyber-attack. 
The 2018 DOD Cyber Strategy also called for the Department to leverage 
automation and data analysis across the enterprise to improve 
effectiveness in cyber defense and cyber capabilities.
    Private industry enterprises, in comparison to DOD cyber 
operations, employ highly automated IT and IT security operations (IT 
SECOPS) processes to keep their networks secure and updated as quickly 
as possible. Cost containment is necessary to drive down the expense of 
running their enterprises.
    For DOD, current IT SECOPS is a largely manual and very labor-
intensive process. Our networks are critical to our warfighting and 
support missions, but they must become cheaper to operate with 
increased investments in data protection. By increasing the use of 
automation across the enterprise and limiting the standing privileges 
that systems administrators have, we can have stronger assurances of 
the security of the environment, in addition to stronger safeguards 
against the insider threat. We must integrate automation in an 
effective cyber flow to enable our IT workforce to focus on the most 
sophisticated cyber attacks and we must automate IT SECOPS to protect 
mission critical systems.
    DOD has a number of automated cyber defenses currently in use. 
Intelligence-informed sensors takes automated action against web-based 
threats using behavioral analysis and commercially derived intelligence 
resulting in 7 million automated mitigations executed per day. DISA's 
Fight By Indicator system automatically scans Threat Intelligence 
Reports developed by NSA, Defense Cyber Crime Center, DIA, and others 
and automatically scans a PDF document to parse out the threat 
indicators documented in the report. Fight By Indicator processes 300+ 
indicators automatically which results in 19 million blocks at the IAP 
perimeter per day.
    Advances in IT security devices have allowed DOD to provide more 
protections on email, examine previously encrypted web traffic for 
malicious content and data loss prevention, and provide more security 
on public facing DOD web sites. These are in place today. There is a 
significant amount of automation in DISA's Ecosystem that saves 
hundreds of thousands of manual work hours. We are working to fully 
extend those capabilities across the enterprise.
    DOD recognizes that we must plan and architect for an increasingly 
automated cyber environment to improve accuracy, timeliness, and 
effectiveness of our cyber workforce. We have evaluated machine 
learning systems and are working to integrate them into the Big Data 
Platform and End Point Security. The LOE implementation process managed 
by PCA offers the Department the ability to incorporate cyber 
automation both near term, such as through the ``First Four'' Comply to 
Connect initiative, and long-term through the development of next 
generational technologies. The Department must be dedicated to 
increasing cyber space security and cyber space defense. During last 
year's budget planning cycle, DOD CIO led a strategic effort to 
increase investment in cyber security management.
              identity, credential, and access management
    As we aggressively leverage new architectures and technologies to 
achieve military advantage through information, having strong 
assurances of who is accessing data and how is critical. We have been 
actively developing a DOD Identity, Credential, and Access Management 
(ICAM) Strategy that recognizes the changing environment and these 
objectives and addresses our increasing dependence on digital 
identities to share information rapidly and more securely. Like the 
Cyber Strategy, the goals of the ICAM Strategy are enduring. At the 
urging of the services as part of the First Four, we are investing in 
foundational ICAM enterprise capabilities to meet immediate critical 
needs, and provide the necessary platform for ongoing innovation and 
adoption at scale going forward. Maintaining end-to-end integration of 
evolving ICAM capabilities is critical to enabling modernization of 
DOD's networked capabilities. ICAM provides indispensable auditable 
functional and security controls that implement dynamic digital 
policies. Increased use of machine-to-machine interfaces and robotic 
processes requires the same level of assurance in terms of identities 
and access control. The ICAM Strategy and ongoing investment in ICAM 
capabilities will allow warfighters and supporting systems to rapidly 
access whatever information they are authorized to access from wherever 
they are on the network. Importantly, this access must be removed when 
it is no longer authorized. The bottom line for ICAM is that we need to 
know who or what is on our network at all times.
                        cybersecurity workforce
    As my deputy, Ms. Essye Miller, testified before you last 
September, DOD recognizes the importance of growing and maintaining the 
cyber workforce. The recent authorities provided by Congress have 
allowed the Department to adjust existing personnel policies and to 
implement new policies that account for this dynamic need in an 
increasingly important mission area. One key authority being the 
establishment of the Cyber Excepted Service (CES). As Ms. Miller 
relayed to the Subcommittee, fostering a culture based upon mission 
requirements and employee capabilities, CES will enhance the 
effectiveness of the Department's cyber defensive and offensive 
mission. This personnel system will provide DOD with the needed agility 
and flexibility for the recruitment, retention and development of high 
quality cyber professionals.
                               conclusion
    We believe a cyber capable adversary will focus their efforts on 
disrupting DOD's front line mission systems, during a conflict or in 
preparation for conflict, by exploiting vulnerabilities we did not 
realize we had. Increasing automation across the joint networks will 
support our Joint Forces' globally-integrated multi-domain operations.
    The close working relationship between DOD CIO, DISA, and PCA is 
critical to our ability to remediate our cybersecurity vulnerabilities. 
The importance of the connection between policy, network monitoring, 
and remediation cannot be overstated. The Department has clearly 
defined cybersecurity problems to be solved, and has a well thought out 
remediation approach. The right mechanisms are in place to monitor and 
report our progress in network security.
    I want to emphasize the importance of our partnerships with 
Congress in all areas, but with a particular focus on cybersecurity. 
The increased cyber authorities granted to the DOD CIO with each 
National Defense Authorization Act are one key example of this 
partnership. Continued support for a flexible approach to cyber 
resourcing, budgeting, acquisition, and personnel will help enable 
success against an ever-changing dynamic cyber threat. I look forward 
to continuing to work with Congress in this critical area. Thank you 
for the opportunity to testify this afternoon, and I look forward to 
your questions.

    Senator Rounds. Vice Admiral Norton, welcome.

   STATEMENT OF VICE ADMIRAL NANCY A. NORTON, USN, DIRECTOR, 
DEFENSE INFORMATION SYSTEMS AGENCY, AND COMMANDER, JOINT FORCE 
     HEADQUARTERS-DEPARTMENT OF DEFENSE INFORMATION NETWORK

    Vice Admiral Norton. Good afternoon, Mr. Chairman, Ranking 
Member, and distinguished members of the subcommittee.
    As Mr. Deasy said, I'm Vice Admiral Nancy Norton, and I 
serve as the Commander of the Joint Force Headquarters-DODIN, 
or JFHQ-DODIN, and the Defense Information Systems Network--I'm 
sorry, the Director of the Defense Information Systems Agency, 
also known as DISA.
    Thank you for your invitation to join Mr. Deasy and 
Brigadier General Crall here today as we discuss our 
cybersecurity efforts.
    The JFHQ-DODIN was created to globally integrate command 
and control (C2) for DODIN operations and Defensive Cyberspace 
Operations Internal Defensive Measures, or DCOIDM, across all 
43 DOD components. As an operational component command under 
U.S. Cyber Command (CYBERCOM), JFHQ-DODIN provides unity of 
effort and unity of command across the DOD's layered defense 
construct to protect DOD networks. JFHQ-DODIN exercises 
Directive Authority for Cyberspace Operations, or DACO, to 
establish a coordinated approach for implementing priority 
actions at all levels of cyber defense.
    In addition, we issue orders and directives to all DOD 
components that address threats and vulnerabilities to the 
DODIN. Our daily interactions with all 43 DOD components 
involve sharing cybersecurity operations information and cyber 
intelligence, validating status of directed cyberspace actions, 
and updating defensive cyber priorities regarding unclassified 
and classified networks and cyber-enabled devices that are 
connected to the DODIN.
    JFHQ-DODIN provides the operational requirements and 
expected outcomes aligned to the Cyber Strategy and the cyber 
top ten, which benefit from the standardization of capabilities 
across the cyber enterprise that is directed under the DOD 
CIO's authority. Additionally, JFHQ-DODIN conducts cyber 
readiness inspections, which require each network owner and 
their cybersecurity service providers to understand how their 
cyber readiness relates to their own mission and operational 
risks, and reviews their cyber compliance factors.
    DISA is a combat support agency that provides, operates, 
and assures command-and-control and information-sharing 
capabilities in direct support of joint warfighters, national-
level leaders, and other mission and coalition partners across 
the full spectrum of operations. Its primary purposes are to 
provide the information technology necessary for the DOD to 
protect our Nation and to support the JFHQ-DODIN and U.S. Cyber 
Command in defense of ongoing cyber attacks, clearly critical 
to national security.
    DISA is a combined workforce of approximately 16,000 
military, civilian, and contract employees. DISA is operating 
and evolving a global enterprise infrastructure based on common 
standards set by the DOD CIO, enabling effective, resilient, 
and interoperable solutions that support multidomain warfare in 
the face of escalating cyber threats. DISA directs, 
coordinates, and synchronizes the DISA-managed portions of the 
DODIN supporting the DOD around the world, and supports U.S. 
Cyber Command in its mission to secure, operate, and defend the 
DODIN.
    DISA's acquisition strategy works to provide efficient and 
compliant procurement services for information technology, 
telecommunications, and cybersecurity capabilities in defense 
of our Nation. The agency relies on a robust partnership with 
industry to achieve its mission. Just as the military services 
look to industry to design, build, and field weapons and 
platforms based on stringent requirements, DISA looks to 
industry to design, build, and field cybersecurity tools that 
will meet our stringent requirements in the rapidly evolving 
cyber domain. DISA's trusted partnerships with industry are 
critical to bringing effective and secure capability to leaders 
and warfighters around the world. DISA routinely engages with 
industry to ensure they have a clear understanding of what the 
Department needs are now and how we anticipate they will evolve 
in the future. Both DISA and Joint Force Headquarters-DODIN 
focus on one primary endeavor: to connect and protect our joint 
warfighters in cyberspace to increase lethality across all 
warfighting domains in defense of our Nation.
    I thank you for this opportunity to be here today, and I 
look forward to answering your questions.
    Thank you.
    Senator Rounds. Thank you, Vice Admiral Norton.
    General Crall, you may begin.

STATEMENT OF BRIGADIER GENERAL DENNIS A. CRALL, USMC, PRINCIPAL 
  DEPUTY CYBER ADVISOR AND SENIOR MILITARY ADVISOR FOR CYBER 
                             POLICY

    Brigadier General Crall. Thank you, sir. I certainly 
appreciate, like the others, the opportunity to come before the 
subcommittee and share a few thoughts and ideas, answer your 
questions. But, more importantly, I thank you for your genuine 
interest and help in this critical domain. It's made a 
difference.
    Just want to cover a couple items. If last year, maybe, the 
theme was on strategy, sir, and you've mentioned the fact that 
we finally published a Cyber Strategy, complete with a posture 
review, we can take a look at some of those gaps that we have, 
and get after them. I would say this year's moniker is a bit 
different. This is about implementation. We know where we need 
to head. We know the pacing that we have in front of us. But, 
it's now time to show results. So, I would say that this is the 
year of outcomes. We're focused on delivering the capabilities 
and improvements that we've discussed for some time. We have 
actionable lines of effort that come from our Cyber Strategy. 
These are things we can do and we can measure our progress 
against. That's what we're focused on.
    So, while it's a good year for implementation, I would say 
it may not be a good year for some items. And let me just share 
with you a couple of those.
    The first is stovepiped solutions. It's a bad year for 
those who like to approach this in a way that we have endless 
niche capabilities, that run off and do business their own way, 
lack standards, individual development, and have difficulty in 
integrating. We're putting an end to that practice, which has 
really robbed us of success.
    It's also a bad year for those who don't like measures of 
effectiveness or discussions on data-driven return of 
investments. We owe an accountability for how we've spent our 
money and also a level of accountability on what capabilities 
we've achieved in the spenditure of that money and effort.
    Lastly, I would say it's a bad year for those who like 
endless pilots, pathfinders, and experiments that lead to 
nowhere. This is about getting to results, experimenting 
quickly, and the learning that we get from those, and putting 
that back into implementation.
    So, I do agree that there's a sense of optimism. I think 
the Department has turned a corner. But, this is the year that 
we really have to show the results of that effort.
    I look forward to answering your questions.
    Senator Rounds. Thank you, General Crall.
    We've just been advised that we have votes at 3 o'clock. 
So, we will probably just keep the hearing going, but we'll 
take turns leaving, going and getting the vote in, and then 
coming back in. So, no disrespect meant, but we're going to be 
rotating in and out.
    To all witnesses--and this is a question that I guess I 
gave you all kind of a heads-up on that I'm going to ask 
today--in a hearing with private industry on best cybersecurity 
practices, we heard from Dimitri Alperovitch, of CrowdStrike, 
that they have a 1-10-60 challenge for responding to cyber 
intrusions: 1 minute to detect it, 10 minutes to understand it, 
and 1 hour to contain it. How well would DOD measure against 
these metrics? Are there any services or components that are 
better positioned to meet these goals?
    Mr. Deasy, I'll let you start.
    Mr. Deasy. Sure. So, this is clearly an operational 
question on how you handle a realtime event.
    Senator Rounds. This is a metrics question.
    Mr. Deasy. Absolutely. So, this is clearly best for Vice 
Admiral Norton to answer, since this is what she faces every 
day.
    Vice Admiral Norton. Yes sir.
    I appreciate that question, and definitely enjoyed the 
conversation that you had with industry in talking about that. 
That way of thinking about the challenge that we have, 1-10-60, 
was a good way of laying out what kinds of speed that we need 
in order to pace cybersecurity threats.
    We have not, in DOD, laid out a similar kind of benchmark, 
like the 1-10-60, but absolutely are looking at what the 
requirements are for detecting as rapidly as possible, 
responding as rapidly as possible, and how we can continuously 
increase that pace at the pace of cyber. So, I would like to 
take that question for the record for specifics on the 
response, but very definitely understand that we are watching 
and building towards a timed pacing of our adversary like that, 
just without that 1-10-60 construct.
    [The information referred to follows:]

    Vice Admiral Norton. The DOD absolutely recognizes the need 
for utmost speed in resolving cyber incidents, the focus to 
date has been on adopting automation to reduce cyber incident 
response time, to the greatest possible. DOD does not measure 
an incident response interval for analyst operations, analogous 
to the 1:10:60 rule. DOD does keep metrics on automated 
systems, for example from Oct 2017 - July 2018 the Sharkseer 
program created 300,000 automated response actions and 
mitigated 3.2 Billion distinct threats. The DODIN has a 3-
tiered defensive framework, where security and defense is 
layered around Tier 1: the outermost perimeter; Tier 2: the 
mid-tier; and Tier 3: the endpoint. There are cybersecurity 
sensors at each tier to detect suspicious or malicious activity 
in place by DISA or other DOD components that operate close to 
network-speed. These sensors auto-inject commercial threat 
intelligence and auto-block commercially known and provided 
threat vectors. This type of automated capability is provided 
by DISA for most (not all) of the DODIN at the boundary (Tier 
1). The DODIN is comprised of multiple networks below Tier 2, 
and multiple classifications. Each of the 43 DODIN Components 
designated as Area of Operations (AO) Commanders or Directors 
provide the cybersecurity response reporting requirements for 
the AO over which they are responsible. Their Cybersecurity 
Service Providers (CSSP) have the responsibility for 
Significant Activity (SIGACT) reporting to be conducted to 
JFHQ-DODIN within 1 hour of detection of suspicious or 
malicious activity, and CJCSM 6510 reporting is ongoing 
afterwards with JFHQ-DODIN analysts and AO operations centers 
working together.

    Senator Rounds. Okay. But, I'm going to go one step 
farther, and this time I'm going to direct it to General Crall. 
Metrics are important. In this particular case, CrowdStrike, 
who is public, clearly can say, in public, that's their goal. 
Are these metrics that should be attainable, or are these 
metrics that an enterprise such as the DODIN can look at right 
now? Are there metrics out there that we're trying to achieve? 
Share with me your thoughts about the importance of this type 
of an approach.
    Brigadier General Crall. Yes sir. I think, even in my 
opening, I talked about our ability to measure. So, there's no 
doubt that we need metrics in place. I can't comment 
specifically to the 1-10-60, whether that's the right metric 
for every DOD domain. These domains are constructed quite 
differently. And, even with some tactical-edge considerations 
on how they operate, we take some unique risks at the tactical 
edge that we might not take in other aspects of our network. 
So, those need to be tailored to the mission at hand.
    But, I would say this. The right question for a closed 
session, perhaps--is, What are our metrics? How are we striving 
to achieve them? In a closed session, I think we could talk 
about some of the first efforts that Mr. Deasy has laid out, 
that I'm helping institute, as it comes to some detection, 
remediation efforts that would drive that.
    Senator Rounds. Thank you.
    Mr. Deasy, you have publicly announced that your four 
priorities are cloud, AI, cybersecurity, and C2. What progress 
have you made in modernizing the Department's cybersecurity? 
Does your office have all of the resources it needs to execute 
these priorities?
    Mr. Deasy. I would say that, when I talk publicly about 
those four priorities, one of the things that I point out is 
how interlinked those are, meaning that, if you're having a 
cloud conversation, the way we're going to institute cloud is 
very much going to help our cyber posture. It's going to help 
the way we build applications and it's going to help the way we 
house our data. When we think of AI, AI is very much going to 
help the cyber agenda. Some of our early national mission 
initiatives are looking at, how do we use AI, for example, to 
look at insider threats? How do we look for anomalies in our, 
environment? Finally, on the command, control, and 
communications (C3) side, we know that we have generations of 
communications equipment that were designed in what I'll call a 
pre-cyber era. So, as we build the next generation of command, 
control, and communications, we are building them, first and 
foremost, with what it means to have the right cyber in place.
    As I go about discussing these priorities, we always say 
that cyber is at the heart of the digital modernization of the 
Department of Defense. Everything that we are banking on and 
building for the future is starting with the mindset of, we 
must bake cyber in from the start.
    Senator Rounds. Thank you.
    Senator Manchin.
    Senator Manchin. Thank you, Mr. Chairman.
    Mr. Deasy you have quite an impressive resume, basically in 
the private sector. Coming to the government sector, we 
appreciate you for your service. Seeing that over the years how 
we've been hacked and the espionage that's gone on, and the 
things that I have mentioned, as far as a thousand different 
sites, if you will, and none of them seem to be talking to each 
other or protecting each other, do you believe that we can 
rapidly close that gap and change our approach to how we do 
business?
    Mr. Deasy. It's an outstanding question, and probably one 
of the top ones every day I address. I think General Crall 
actually hit upon it. The days that people, what I like to 
refer to as roll their own solutions and stand up unique 
systems to solve unique mission sets, has to be revisited. So, 
one of the things, especially now, given the new authorities 
that I have, is that we are putting out a tone that, as we go 
through the remediation of our various cyber programs, the days 
of debating, what are the various tools and software that we're 
going to use? We have to stop. We have to quickly move from the 
debate of what's the right source of a solution to the 
implementation approach. I've always said, there's no reason we 
need different tools to solve for many of these problems. The 
way we will implement those tools are obviously going to be 
different if you're dealing with a tactical edge and advanced 
space versus if you're going to deal inside the Pentagon. But, 
I have been very direct and quite vocal that we need to 
standardize more, we need to stop rolling individual solutions, 
and we need to move beyond the debates of, what are the right 
product sets? And we need to spend all of our time talking 
about how to get the work done.
    Senator Manchin. I wanted to ask you about your cyber top 
ten to see where you're working. But, first of all, on the 
different types of systems we have been using in different 
applications in the companies we have dealt with, or contracted 
with, speaking of Kaspersky and Huawei, have you all been able 
to see if we're still using those contractors? Or their 
equipment?
    Mr. Deasy. I would say that some of this discussion should 
probably be held in a private--you know, classified session.
    But, I can say, generically, that, yes, we are aware of the 
capability of those particular----
    Senator Manchin. Because I was on Intel, so I know where 
you're coming from, but, have you all done the evaluation we 
probably requested in Intel to tell us who is still using--in 
any departments, are still using these components?
    Mr. Deasy. Yes. We have evaluated. Happy to share with you, 
offline, what the results of that.
    Senator Manchin. We'd love to see that.
    Mr. Deasy. More importantly, I would share with you the 
approach we're using, as we find additional vendors, how we 
deal with this.
    Senator Manchin. Well, maybe the Chairman and I can get 
together with you all on that in a classified setting.
    Mr. Deasy. Okay.
    Senator Manchin. How about your top-ten issues to 
characterize your priorities?
    Can you tell me what are your items of your top-ten list, 
and what's the relationship with the Cyber Strategy?
    Mr. Deasy. The way that I describe the top ten is, we 
stepped back--because if--depending on who you went and talked 
to inside the Department and said, what is a risk? You would 
get a very different answer, if you're talking to someone who's 
sitting at an endpoint, your desktop, or if you're out managing 
a weapon system. So, we stepped back and said, if you think 
this through the eyes of an adversary and how they think of the 
world, how they would traverse the Department of Defense. We 
stepped back, and we laid out a set of priorities to address 
all the points of interventions where we think adversaries 
would try to intersect with us. Obviously, it would not be 
prudent for me, today, to walk through each of those individual 
ten things, as one could draw conclusions from that, but 
suffice to say we've taken a very holistic approach, for the 
first time, of how we think about all aspects of the chain of 
how data moves across Department of Defense, and then, what are 
the points that we need to put prioritization against?
    Senator Manchin. Admiral Norton, you're the Director of the 
Defense Information System Agency, correct? But, you're also 
dual-hatted as the Commander of the Joint Force Headquarters 
for the DOD Information Network for the totality of the DOD's 
networks. Are all the cybersecurity providers scattered across 
DOD; are they under your purview, your command?
    Vice Admiral Norton. They are not under my command, sir, 
they are under my Directive Authority for Cyberspace 
Operations. So, those cybersecurity service providers (CSPs), 
in some cases, work for me, as DISA; in other cases, they work 
for the military----
    Senator Manchin. How about the cyber protection teams?
    Vice Admiral Norton. The cyber protection teams are the 
same thing. I do have some. I have six of those that work for 
me, specifically, as the Joint Force Headquarters-DODIN, 
directly supporting the DODIN backbone and the perimeter 
defenses. But, others of the cyber protection teams are 
assigned to the services and some to each of the combatant 
commands, as well. But, all of those, both the cyber security 
service providers and the cyber protection teams, as well as 
every system administrator, every one of those cyber 
workforces, is under my Directive Authority for Cyberspace 
Operations (DACO), meaning I can synchronize the actions across 
all of the DOD for any responses that we need to take, any 
changes that we need to make on the network, based on that DACO 
that I have under U.S. Cyber Command.
    Senator Manchin. How can you prevent, through cyber, the 
attacks that may be going on, could be going on, if you're not 
over total control? Your one directive goes across all of the 
different commands, but they don't report directly to you, and 
each of the commands have different chains?
    Vice Admiral Norton. Yes sir. So----
    Senator Manchin. Is that a disconnect there?
    Vice Admiral Norton. I don't believe it is. JFHQ-DODIN was 
stood up specifically to do the synchronization and command-
and-control of the defensive cyberspace operations forces 
across the DOD. So, it would be very difficult to aggregate 
them all into one command. There are about 250,000 cyber 
workforces across the DOD. They're as disparate as serving in a 
squadron in the Air Force or a submarine in the Navy, every one 
of the agencies, across the board. But, with that Directive 
Authority for Cyberspace Operations, I'm able to mandate what 
kind of actions they're taking on a daily basis, and do that 
through a daily cyber tasking order that we have with all 43 
components.
    Senator Manchin. I think, in a nutshell, what I'm asking, 
how do we prevent a Snowden from continuing all the different 
breaks that the public knows about? There's more that they 
don't know about. The ones that have been very public, have we 
taken steps? Mr. Deasy or General Crall, you've seen this 
through your career. Are there steps being taken to close that 
loophole so that doesn't repeat?
    Vice Admiral Norton. Yes sir. We absolutely have. There are 
many, many actions that we've taken. Snowden, of course, was an 
insider threat, and we have taken specific actions----
    Senator Manchin. Right.
    Admiral Norton.--addressing an insider threat, across the 
Department. There's always more to be done, because that's a 
very complex problem. But, we absolutely have. And Joint Force 
Headquarters-DODIN has only been in existence for 4 years, this 
week, so we are maturing in the ability to synchronize all of 
those efforts. We didn't have this when Snowden was able to 
infiltrate and exfiltrate the data that he did.
    Senator Manchin. I'm going to go vote, and I'll be right 
back.
    Vice Admiral Norton. Yes sir.
    Senator Rounds. Let me just continue on, because I think 
that's an important part of it. The reason why we do the open 
hearing now is to talk a little bit about how big this 
challenge is, because you're talking about not just all of the 
Armed Forces, but you're also talking about our acquisition 
processes, you're talking about a huge contractor base out 
there that is just as susceptible to cybertheft as our armed 
services are. And yet, all of our air, land, and sea domains 
are at risk if our cyber domain is not secured, just like our 
space domain has to be secured. And I think that's part of the 
message we're trying to get here, is, this is not something 
that can be done simply by the Department of Defense alone. 
This is a case of where we have to have the rest of industry, 
obviously, in tune with us. Can you talk a little bit about the 
coordination which you're trying to do with those entities that 
are defense contractors and their subcontractors, how big this 
is, but also what you're doing to try to focus on that?
    Mr. Deasy. I'll be happy to address that.
    On that top-ten priority list is the defense industrial 
base, or often referred to just as the supply chain. It's very, 
very clear that defending our networks extend all the way out 
to our contractor networks. You could argue they're just an 
extension of what we do. We pass classified data. They do 
things on behalf of us. So, there's no doubt, when you look at 
the first tier and the second tier, and you think about 
exfiltrations and the problems that have occurred, we have to 
treat our subcontracting base the same way that we think about 
defending our own networks.
    Now, to that end, we get some help. There are standards 
that our defense contractors are obligated to follow. It's the 
National Institute of Standards and Technology (NIST) standard. 
It's the same one the Department of Defense follows. The Deputy 
of Defense Secretary recently stood up a task force. I had made 
a recommendation that we need to look at, holistically, from 
the day we awarded a contract to the moment we have an exfil or 
a spill occurred, and how we then handle that needs to be re-
thought through. Right now, there is a task force that is 
stepping through the entire way through which we handle our 
contractual relationships, our notification of problems, our 
forensics, and, when we do have a problem, to improve upon 
that.
    This problem is not necessarily a tier-1 supply level, it's 
down in the tier 3 and the tier 4.
    Senator Rounds. Explain what that is.
    Mr. Deasy. In many cases, we will contract with a very 
large traditional defense, but they don't build everything for 
us, they don't engineer everything for us. They will go out and 
contract with a firm----
    Senator Rounds. Which means they share classified 
information with their subcontractors, who may very well share 
that same classified information with a subset of contractors 
again.
    Mr. Deasy. And that entire chain is tracked. Where the 
issue breaks down is, as you go down to those various 
subcontractors, do they understand, are they equipped, do they 
have the knowledge and the capability to defend themselves? And 
what is it that we should be doing more of to help them learn 
how to defend themselves at those tiers?
    Senator Rounds. Okay. It's not a new problem. But, most 
certainly, it's one that this is where we find a lot of our 
hygiene problems at. And that's the way most of our information 
is lost, is through improper cyber hygiene, meaning somebody at 
a level, basically, made a mistake, and somebody got into their 
system and now has access.
    It's one thing to make a law or a rule. It's another thing 
to be able to enforce it. Talk to me about your enforcement 
actions and how you see ways to, not only make the law, but 
enforce the law, and then to follow and audit the process. What 
do you have in place, and where are you short of capabilities 
today?
    Mr. Deasy. First of all, you make a very good point. If you 
look at a lot of the problems that have occurred and where the 
forensics have been done, it does come back, many times, to 
basic hygienes. So, we start with a self-certification process. 
We are now looking at a new process that the Office of the 
Under Secretary of Defense for Acquisition and Sustainment 
(A&S) is leading, and that is, how do we then build in a 
confidence score against their certification? Ellen Lord's 
organization, where they go through and they evaluate that 
self-assessment, they put a confidence score against that, and 
what they're now looking at is, how do we go out and have a 
closed-loop system, where we can go out and validate what it is 
that they self-assessed against? This is a massively large 
supply base, so there's discussions right now on, what is the 
right approach on doing that, given that trying to get every 
single member of that supply base might be overly challenged? 
And so, how do you sample, and how do you do this in a way 
where you can start to get confidence that, as you move down 
those tiers, that their self-certification----
    Senator Rounds. Let me follow up, because I think that's a 
critical lead-in to another piece here. As other members come 
back, we'll allow them to get into this, as well, but I have to 
ask. Even if you could hire--and I know that you need to hire 
more experts in cybersecurity, but you're also going to have to 
hire and contract out with entities that have real expertise in 
cybersecurity. Do you have a process in place to invite and vet 
expertise within cybersecurity that we can use to help us? And 
then, once you get past that stage, and you recognize that you 
can't do it with manpower alone, you're going to have to have 
the additional electronic resources, including AI. Can you work 
your way through that, from looking outside of government, 
manpower needs, and then also moving to AI?
    Mr. Deasy. As you know, I do come from private industry, 
and this problem for large companies, private industry is no 
different; i.e., they don't have the capability to evaluate 
every one of their supply-chain vendors. So, what has happened 
in private industry, which is what we are now looking at for 
the DOD, is actually a process of identifying, possibly even 
certifying, companies that can play the role that can follow 
the NIST standard and actually go in and look at a second-, 
third-tier supplier.
    Senator Rounds. Are you taking invitations for that now?
    Mr. Deasy. No, we are just in the early discussions of how 
we might do that. As I said, A&S is the lead for this. I've 
been advising them on how this has been done elsewhere.
    To your AI question, there is definitely going to be value 
in looking at, How do you take the entire supply base, the NIST 
standards, the hygiene problems we see, and can you apply AI to 
this problem to start to identify where you most likely are 
going to experience problems inside your supply chain? We are 
literally just in discussions. I do not want to suggest that we 
have an active program underway. But, I would suggest that this 
is a good case where we can apply machine learning to looking 
at this problem.
    Senator Rounds. I will give Senator Scott an opportunity to 
get settled, but I'm just going to ask you one more question. 
Then I'll move to Senator Scott.
    Right now, there really is a difference between AI and 
machine learning. Are you deeper in with machine learning right 
now to cover a lot of the items right now that otherwise we 
just don't have the manpower to cover? How far along are we?
    Mr. Deasy. We are still very much in the early days. I 
would actually be very happy to come and have a session with 
you on what is called the Joint Artificial Intelligence Center 
(JAIC) and how we're using that to apply new AI/machine-
learning algorithms to solve for some of these problems that I 
think you're touching upon here today. But, probably best that 
I come and talk to you offline about how we're approaching the 
AI/machine-learning problem.
    Senator Rounds. Very good. Thank you.
    Senator Scott.
    Senator Scott. I'm sorry if I ask a question that 
somebody's already asked.
    You get a lot of wonderful vendors from all over the United 
States and around the world that want to sell you stuff. How do 
you all make a decision on what you're going to buy and who's 
the best vendor?
    Mr. Deasy. There's a number of us that can do that. Why 
don't we start with Vice Admiral Norton.
    You use a number of suppliers. How do you go through your 
vetting process?
    Vice Admiral Norton. Well, we have a lot of different 
mechanisms that we interact with industry, starting with very 
public and very open things, like we have a forecast industry, 
where everybody is invited to come in and hear about what we're 
doing, what is already ongoing, what is planned in the near 
future, and then opportunities for each of those vendors to 
talk to the program managers and the leadership at DISA and get 
an understanding of what they might be interested in pursuing. 
We have a Small Business Programs Office that specifically 
targets and interacts directly with the small businesses that 
have interest in any of our activities. They feed back into 
different parts of DISA for further communications. So, that 
gives us the understanding with industry of what's available.
    From there, it's evaluation based on the performance 
criteria that we've set for the particular product or 
particular capability that we need in understanding what the 
acquisition strategy might be. In some cases, that means doing 
a major evaluation of a number of different contractors at 
companies that have similar products, and evaluating them for 
the best fit. In some cases, it means something like an other 
transaction authority, where we have a couple of different 
prototypes, and both of them are able to build out and 
demonstrate, what capability would best suit the need that we 
have.
    Brigadier General Crall. Sir, thank you.
    This really does come down, as Admiral Norton talked about, 
to requirements. That's both what I need today and what I 
anticipate, not just simply chasing after a capability that I 
might not need or couldn't find a use for, which sometimes they 
come packaged. We do look at performance. And we look at 
performance in measures at that tactical edge, which is 
different. We've found vendors, in many cases, that work very 
well in a flagpole or garrison environment, but, when we start 
getting to thin line, red line, or austere conditions, the 
product may not perform as well, and that's a consideration for 
a warfighting machine that's expected to operate in an 
information-contested environment. So, that's one area that we 
take a look at. And, of course, no shortchanging the idea of 
cost at something that's sustainable or affordable.
    But, the other piece that I think is important is how 
flexible it is, the thing that we're looking at. Requirements 
do change, and one of the big concerns is not getting locked 
into something that requires a level of emulation, patching, 
or, really, caretaking that could exceed the cost of the 
product to begin with. So, looking at more informative ways to 
do it.
    But, the problem really isn't so much about us finding the 
right vendor that can provide what it is, it's the vendor's 
patience in dealing with us and our lack of flexibility in 
acquisition. We find more vendors most likely to walk away from 
trying to deal with us because of simply the way that we 
contract. And I'm not saying that we shouldn't contract that 
way. There's reasons why we have some of the contracting rules 
and regulations, to ensure that we behave properly. But, in 
industry, as Mr. Deasy will attest, his experience of finding a 
solution, matching a vendor with a need, can be done very 
quickly in the civilian world, where we might find ourselves 
years out. By the time we compete properly, line up the 
resources, make sure it's within our Program Objective 
Memorandum (POM) cycle, and actually move on it, the product 
might not even be viable at the time of purchase.
    Senator Scott. So, what needs to change?
    Brigadier General Crall. Sir, I think we're doing the 
change on the front end, as we are focused on requirements. So, 
I think we're doing our part. We've had a great relationship 
with the vendors; really, industry is going to help us get 
through many of the problems we're talking about. They 
absolutely bring the technology we need to bear. But, focusing 
on requirements, that's our responsibility. I think we've done 
a better job. The way we consume products as a service model, 
vice having to own everything, is a methodology that we're 
looking at. I think we need to be more thoughtful on how we 
come back to Congress and ask for some help on how we acquire. 
The acquisition machine needs to change.
    Mr. Deasy. If you ask me, it's one word: speed. I think 
about how, in the private industry, from the time that they 
identify that the adversary now has a new set of methodologies 
and tactics, the ability to go out and scan industry to see 
who's addressing that, quickly find those companies, bring them 
in, evaluate them, move through the procurement cycle, and get 
them operationally installed inside the environment has to be 
done with a lot more speed than we have today.
    Senator Scott. May I continue?
    Do you ever feel taken advantage of by a vendor that talks 
you into a type of Request for Proposal (RFP), and then you 
find out, at the end, there were other vendors that you 
couldn't even do business with because of the RFP you started 
out with? How do you deal with that, if that's true?
    I used to be an investor in national security, and we'd do 
business with the Government. We won based on how well we did 
with the RFP. Do you feel that industry does that to you?
    Mr. Deasy. I have not seen that. What I have seen sometimes 
is a poor understanding of your requirements up front, and so 
you're misaligned because you haven't spent enough time really 
understanding what your requirements are. The vendor's trying 
to then come in and sell you something that may or may not meet 
your requirements. I see more of a disconnect between what the 
vendor is trying to tell you it has versus the requirements. 
That needs to be probably vetted at the front end better.
    Vice Admiral Norton. One of the things that DISA has done 
routinely is put out requests for information (RFIs) in advance 
of an RFP broadly, and have an ongoing dialogue with industry 
so that they get a good understanding of what it is that we're 
looking for, what is available, not trying to put out an RFP 
for something that will never be produced and will never 
deliver. So, we'll spend a lot of money on some vendor trying 
to do that. We don't do that anymore. We always baseline with 
an RFI, and that gives us a lot of opportunity for 
understanding.
    Senator Scott. Part of being decentralized is that it seems 
like it would make it difficult for somebody to intrude. As you 
get more centralized, are you concerned that'll make it easier 
for somebody to intrude, because, once they figure out exactly 
how to intrude in your system, they hit everybody at the same 
time? Do you have any concerns about that?
    Vice Admiral Norton. I am always concerned about that, sir, 
and the balance between the ease of operation and the speed at 
which you can operate a very homogenous network at a large 
scale. If everything is the same and you're able to automate 
the processes of changing that, then you can do that very 
rapidly. So, operation and cybersecurity can be done very, very 
rapidly. But, that same ability is also a potential weakness if 
an adversary is able to get in, because then they can do the 
same kind of thing. So, you have to balance that. How do you 
block that so that kind of adversary behavior isn't able to 
penetrate your entire network?
    Mr. Deasy. One of the things I've been advocating for since 
joining is, people always ask, are we better off being 
decentralized? And I would say, but then you have a thousand 
ways of which someone can get in, so that's the downside of 
that. If you centralize, then if someone could get in, the 
breadth of the surface space they can cause damage is much 
larger. I always say, it comes down to how you architect for 
that centralized approach. If you architect with a very flat 
area, where, once they get in, they can cause great havoc, 
that's not appropriate. If you're smartly architecting for a 
centralized approach, where you're limiting what I like to call 
the ``blast radius,'' where the problem can occur, then 
actually centralization has some huge merits that you don't get 
from a decentralized site.
    Senator Rounds. Thank you.
    Let me just move on. And I'll have Senator Wicker.
    Senator Wicker.
    Senator Wicker. Well, thank you very much.
    It's too bad we've got so many balls in the air; we can't 
be here for the entire hearing.
    Has anyone asked you all about China and Huawei and ZTE and 
Chinese-owned information companies yet? Has anyone asked that 
in this hearing today?
    Mr. Deasy. Yes sir. Earlier, it was asked. And what we said 
was, yes, we understand the nature of the problems with those 
products. We have a good understanding of where they are, and 
are not, inside of our environment. And we said that, if you 
would like to go deeper, given the sensitivity and the nature 
of what those products do, we'd be best to have that 
conversation in a closed hearing.
    Senator Wicker. Yes. But, let's see what we can talk about 
in an open setting like this.
    In terms of our National Security Strategy and our new 
national security policy, is what is contained in there 
adequate to meet this challenge? How much of DOD's information 
flows over commercial networks, for example? And do we need to 
be concerned about that? Is there something going on now with 
commercial providers to improve cybersecurity of these 
information networks that involve crucial national security 
matters?
    Mr. Deasy?
    Mr. Deasy. Yeah, there's a couple there. There's a part on 
strategy, and I'll let General Crall take the strategy.
    You bring up a good point. If you think about how data 
moves across the Department of Defense, both the continental 
United States (CONUS) and outside the continental United States 
(OCONUS), you have to ask yourself, Where are you touching the 
commercial side of an environment, and how well do we 
understand the commercial nature of what products, like 
Huawei's, might be in there? We have a very good understanding 
for CONUS, what that looks like and what those vulnerabilities 
are. For OCONUS, as you can imagine, it's a lot more 
complicated, because those networks sit with providers outside 
the United States. So, we have to architect and be a lot more 
thoughtful about how we set up on an OCONUS basis because of 
that.
    Senator Wicker. If there are Huawei products, what's our 
concern?
    Mr. Deasy. The concern is that, inside those products, 
there will be engineered solutions that allow them to capture 
information that can be sent back to the adversary.
    Senator Wicker. And those solutions would already have been 
engineered and already implanted, in certain instances. Isn't 
that correct?
    Mr. Deasy. I cannot speak to the detailed engineers' 
designs of the Huawei products, but, in theory, yes, if that 
product was engineered with backdoors where it was 
exfiltrating, that would be the case.
    Senator Wicker. So, I'm concerned that that capability may 
already be out there and installed in many places outside the 
continental United States, which is what you're saying when you 
say ``OCONUS.''
    Mr. Deasy. Uh-huh.
    Senator Wicker. Now, General Crall, what would you like to 
add about that?
    Brigadier General Crall. Sir, I realize the focus on 
outside CONUS, but I don't know that I would exclude inside 
CONUS.
    Senator Wicker. Right.
    Brigadier General Crall. To your point, we're talking about 
networks and service providers and that there's some level of 
granularity you can have in researching the flow of traffic and 
how they're handled, but there's also the smaller end 
peripherals, the switches, the routers, and the hardware that 
allow these connections to take place. We understand what white 
gear is. It's the fact that you can't trust what's on a label. 
There's a concerted effort to ensure that what's marked is, in 
fact, what's inside. So, you have concerns that there could be 
challenges in making sure that the authenticity of the gear is 
what's stated. And that concern is shared. In a closed session, 
sir, we'd be able to provide a little more detail on how we 
examine that.
    Senator Wicker. Admiral, do you have anything to add?
    Vice Admiral Norton. Just that we have done an enumeration 
of that equipment, and so we do understand what is out there. 
Again, we can talk about the specifics in a closed hearing.
    Senator Wicker. Very good.
    Well, thank you very much.
    And I am told that Senator Gillibrand is next.
    Senator Rounds. Senator Gillibrand.
    Senator Gillibrand. Thank you so much.
    I want to ask a little bit about cybersecurity 
architecture, because Senator Wicker talked about ZTE and 
Huawei already. Forming consistent and comprehensive 
cybersecurity architecture across the DOD and, frankly, across 
all of government, is vital to our national security. What 
roadblocks are currently in place that inhibit this from being 
a reality? Do you all feel that you have the necessary 
authorities to overcome those roadblocks?
    Mr. Deasy. I don't see roadblocks. I see legacy. That is 
probably our biggest challenge. For years--we had this 
conversation earlier--we have allowed services and various 
components to roll and implement unique solutions that maybe 
aren't interoperable or standalone. As I said earlier, the new 
authorities that the DOD CIO office was granted, starting this 
year, now allow my office to establish the standards and the 
architectures that the components and the services have 
followed, which was why General Crall made the comment earlier 
that this is the year where there will be a lot of noise in the 
system, because we are going to drive those standards. We're 
going to drive implementation. And we know there will be people 
that are going to be very uncomfortable about the fact that 
we're no longer going to allow them to stand up their own 
architectures or solutions.
    Senator Gillibrand. Right.
    Do either of you have anything to add?
    Vice Admiral Norton. Yes, ma'am. I'll just add that one of 
the difficulties of changing the architecture in the military 
is that we rely on these systems for ongoing missions every 
day.
    Senator Gillibrand. Yep.
    Vice Admiral Norton. So, the time that it takes for finding 
time where you can take a system offline in order to make the 
upgrade ends up oftentimes being the long pole in the tent of 
actually changing the architecture, which is why we oftentimes 
have a lot of legacy. Funding can become a problem, but the 
time is actually the driver in most cases. As we build out 
future architectures, we have to build in the ability to make 
those changes very rapidly on the fly, without having, in some 
cases, weeks and even months of downtime for the systems for 
something like a ship or an airplane or a headquarters 
building.
    Senator Gillibrand. Yep.
    Brigadier General Crall. Ma'am, I used to think that 
starting things was the most difficult thing in the Department. 
I've since learned that stopping them, potentially, is more 
difficult.
    Senator Gillibrand. Welcome to the Federal Government.
    [Laughter.]
    Brigadier General Crall. I think that really driving toward 
ensuring that, while we have a plan to onboard new 
capabilities, we're smart in making sure that we can retire 
legacy, where appropriate, because we end up in this position 
where it's simply not affordable to keep it all alive. We've 
been a little slow on retiring legacy, but we have a plan, 
under the new Strategy, in the lines of effort to get after 
that.
    Senator Gillibrand. A section of the NDAA I helped craft 
directed the Secretary of Defense to enhance awareness of 
cybersecurity threats among small manufacturers and 
universities working on DOD programs. What actions have been 
undertaken to execute this order? And how successful do you 
believe these actions have been? More to that point, a lot of 
the industrial base has led to an emphasis on bringing in more 
small businesses in the process, but meeting cybersecurity 
requirements is really hard for them. What does the DOD do now 
to help those small businesses with cybersecurity so that they 
could participate in the future?
    Mr. Deasy. As we had discussed earlier, that topic is 
actually part of our top ten priorities, probably three 
dimensions. You mentioned the academia dimension of that. You 
mentioned the small business dimension of that. We definitely 
need to help figure out how we're going to handle small 
businesses. If you look at what it takes today to do good cyber 
hygienes to stay ahead of the adversary, we know many of the 
second- and third- or fourth-tier supply base simply doesn't 
have the wherewithal to do that. We have some thoughts underway 
about how we can bring them into cyber hygiene, whether it's a 
cloud or an extension of our network, and we can fortify them 
with services that we provide. We are in the very early days of 
that. But, you should know that we're in active conversations 
of how to do that.
    The other thing we're doing, as was discussed earlier, is, 
we've stood up a task force that reports directly to the Deputy 
Secretary of Defense. And that task force is looking at the 
end-to-end way that a supply chain works, which includes the 
academic world around base research that's done, or maybe more 
classified work that's done on our behalf, and how do we really 
understand and get a better handle on how that research is 
done, where it's done, and what are the mechanisms that these 
institutions are using to ensure that things are being done in 
a safe, sound manner.
    Senator Gillibrand. Thank you so much.
    Thank you, Mr. Chairman.
    Senator Manchin [presiding]: Thank you, Senator.
    I have a quick question, and then we'll go back to Senator 
Wicker for a second round.
    In any competition, you're always evaluating your opponent. 
As we evaluate our opponents in the cyber technology realm, 
China and Russia--where they are today, where we are today, and 
their opportunity either to stay ahead or pull ahead, do you 
feel comfortable with the direction we're going to offset the 
advancements they've made in such a quick period of time?
    We can start with General Crall, and come right across.
    Brigadier General Crall. Yes sir. I think I'd have 
difficulty answering that in open forum. To characterize your 
question you never rest, as you know, on any capability or 
laurels that we have. We know what we know, but there's a 
concern about what we don't know. And we have a lot of 
suspicions on where our peer and near-peer competitors are----
    Senator Manchin. You're identifying two of your most 
challenging competitors. It's going to be China and Russia, 
correct?
    Brigadier General Crall. There's no doubt, sir, that they 
are at the top of our priorities. Their capabilities are 
increasing, as are ours which is why it requires great 
vigilance.
    Senator Manchin. Go ahead, Mr. Deasy.
    Mr. Deasy. To the General's point, it is difficult, in this 
setting, to answer some aspects of that. I will tell you that I 
have a weekly session where I am briefed by U.S. Cyber Command 
and the National Security Agency (NSA), and we specifically are 
briefed on China and Russia. One of the reasons I wanted to get 
into this normal cycle of doing these briefings was, to the 
very point that I think you're trying to poke at, is trying to 
understand, vis-a-vis where we are on our offensive as well as 
defensive capability. And suffice to say that these are very 
strong, capable adversaries, but, at the same time, we have 
some strong, capable abilities ourselves.
    Senator Manchin. Admiral?
    Vice Admiral Norton. Yes sir. I will echo their comments 
about specifics, but of capabilities against our adversaries 
would be better in a closed session. But, I will say that China 
and Russia both have very clearly exercised and demonstrated 
their, not just ability, but willingness to fight in this 
domain. And we see that every day. Regardless of the adversary, 
we see the concerted effort to attack the United States and the 
Department of Defense.
    Senator Manchin. Is Acting Director Shanahan committed to 
implementation of the new Cyber Strategy?
    Mr. Deasy. Absolutely. One of the things I said in my 
opening remarks that I should really stress is, when I came 
onboard, one of the things that he wanted to establish was a 
weekly cadence for CIO Cyber. We call it the CIO Cyber Working 
Group. He personally, before his new duties came into play, 
chaired that meeting. He was at it every week. He would look 
for the metrics. He would be quite the tasker of ensuring the 
activities were getting done. He's done a very strong handoff 
of duties to Deputy Secretary Norquist, who is now continuing 
that. You should know that one of the things I have been 
incredibly pleased with since joining the Department is to see 
the top of the house be extremely active on what I'll call a 
very frequent basis--i.e., weekly--in the engagement of all the 
activity that you heard us talk about today.
    Senator Rounds [presiding]: Senator Wicker.
    Senator Wicker. Well, that's good to know. It's 
encouraging. And I'm sure it's encouraging to Senator Manchin, 
too.
    My last question deals with data rights and data control 
policies, getting the best technology, but at an affordable 
price. You've got a company with good technology. They're 
profit-oriented. They don't have to make a deal with anybody. 
They're under no special obligation to do business with the 
government. So, how are we doing with regard to our policy 
there? Does it deter cutting-edge cybersecurity companies from 
doing business with the Pentagon? Is it difficult to strike a 
balance between getting the best and getting something we can 
afford? And what's your assessment of the Department's data-
rights and data-control policies?
    Brigadier General Crall. Yes sir. I can certainly tell you 
there's a focus. You bring up a couple issues when it comes to 
rights. I think the verdict is still out, by the way, on who 
owns data. Lawyers will tell you, when you go through this 
understanding of where it's housed, how it's moved, what 
residual components of data reside. We care. We're concerned. 
And we have policies in place on where we put that data in the 
Department of Defense.
    To your comment about the struggle between affordability 
and really doing business with the best--the best customers are 
always the desired customers--it would not be truthful for me 
to tell you that, in every instance, we get the best of both 
worlds. Again, because of some ways that we acquire services, 
we often, or at times, have gone with what is the most 
expedient or those we could do business with based on rules and 
regulations. So, we're still finding our way through that, in 
some cases.
    But, the real focus, I think, for the Department, when it 
comes to policy and implementation on the strategy, is really 
how we start focusing on data and data security at rest and in 
transit. Maybe less with how data are stored or transported in 
conventional ways, but more accurately now is, how do we 
safeguard it in all aspects of it at rest and in movement?
    Senator Wicker. Are you able to be specific about rules and 
regulations that you referred to? What would be an example?
    Brigadier General Crall. Sir, I would like to come back to 
you in writing on rules and regulations, to be specific. But, 
the idea, for example, if we wanted to host data in a 
commercial cloud today, and let's say that data was 
unclassified data, there's a reason why we tend to put this 
data repository under certain controls, like Federal ramp, and 
conditions on storage and security, but also on premises. I can 
just answer for the Marine Corps, that, when I was the CIO, 
prior to this job, I personally felt uncomfortable in some 
business arrangements of putting my data in a commercial cloud, 
where I could not guarantee, if I stopped doing business with 
that company, what it meant to return the data to me. It's 
electronic. I didn't know what I would get back. So, a very 
specific example personally----
    Senator Wicker. You didn't know if you would get it all 
back.
    Brigadier General Crall. That's correct, sir. So, I ended 
up storing that data on prem, where I could control it, and I 
asked for services to push that data through those commercial 
contractors. But, things have changed since then. There are 
some safeguards that are out there that make doing business 
that way maybe a little better when it comes to encryption, 
which is what I was getting after, meaning I might be able to 
house that data under certain rights where I hold the keys to 
that encryption and feel more secure about where it resides.
    Senator Wicker. Okay. Well, you're going to get back to me 
with a supplemental answer on it for the record.
    Brigadier General Crall. Yes sir.
    [The information referred to follows:]

    Brigadier General Crall. Following up on my 29 January 
testimony, I would like to confirm and further highlight 
Department of Defense issues, challenges and progress, 
associated with Data Rights Management. The anecdote I shared 
during my earlier testimony was based on my time as the USMC 
Chief Information Officer, but I believe the challenges I 
highlighted still reflect relevant problems. The Department is 
addressing some of these issues, while others remain 
unresolved. These include:
      Data Replication (If data is replicated to a 
foreign country, is the Department now subject to foreign or 
international laws?)
      o  Storing data in facilities outside of U.S. legal 
jurisdiction can subject that data to foreign and international 
laws. The lack of legal precedents, conflicting case law, and 
the potential for extraterritorial jurisdiction and secret gag 
orders placed on the cloud providers, increase these risks. 
Because of these liabilities, the Department implemented 
contract clauses in the Defense Federal Acquisition Regulation 
Supplement (DFARS) that require the cloud contractor to 
maintain all DOD data within the United States and outlying 
areas, or in DOD facilities when OCONUS. Under this clause, 
overseas hosting locations would be limited to U.S. embassies 
and U.S. military facilities operated under a Status of Forces 
Agreement (SOFA) that provides for U.S. legal jurisdiction.
      Decryption Keys (Who holds them for data at rest 
and in transit?)
      o  The Department requires encryption of data-in-transit 
and data-at-rest using NSA approved cryptographic solutions 
with the DOD mission owner having control over the management 
and use of the keys. In situations where encrypting data with 
DOD key control is not supported by the service provider, the 
Mission Owner's Authorizing Official is required perform a risk 
analysis and make an informed decision on the risks before 
transferring data into the commercial cloud. If we decide to . 
. . then . . . the risk is.
      Metadata (Who owns metadata? Can vendors sample 
or compile metadata?)
      o  Metadata used for Cloud Service Provider (CSP) 
operational management and user-experience improvement has the 
potential to be exploited. This information reveals patterns in 
workload activity volumes and flows, as well as the 
relationships of those workload activity volumes and flows to 
specific users and locations. The Department's cloud 
contracting clauses establish limitations on the contractor's 
access to, and use and disclosure of both government data and 
metadata. These clauses limit the contractors use of metadata 
only to manage the operational environment that supports the 
Government data and for no other purpose unless otherwise 
permitted with the prior written approval of the Department.
      Accreditation and Assessment (How can we trust 
vendor accreditation packages?) The Federal Information 
Security Modernization Act (FISMA) of 2014, 44 U.S.C. Sec.  
3551 et seq., Public Law (P.L.) 113-283, requires a security 
assessment be performed using the standard processes and 
controls published by the National Institute of Standards 
(NIST). Under FISMA, the Federal Government is not permitted to 
use a cloud service provided by a vendor unwilling to allow a 
risk assessment performed in accordance with NIST standards. 
Some vendors have been unwilling to conduct these assessments 
claiming that costs are high and hard to recoup. Additionally, 
not all vendors share their assessment documentation (not 
required to), making it difficult to assess the quality of 
their work. It is important to note that the Federal Risk and 
Authorization Management Program (FedRAMP) effort has been 
instrumental in helping to address these concerns. For example, 
FedRAMP allows third-party assessment organizations (3PAOs); a 
group of certified, independent assessors than can satisfy the 
requirements of both the Government and the commercial cloud 
vendors.
      Data Return (What happens to the data when a 
contract is closed?)
      o  The DFARS cloud computing services clause requires the 
contractor to provide the Contracting Officer all Government 
data and metadata in the format specified in the contract and 
to dispose of the data and metadata in accordance with the 
terms of the contract. The contractor is required to provide 
confirmation of the disposition In accordance with contract 
closeout procedures. The contactor and its employees are not 
allowed to access, use or disclose Government data unless 
specifically authorized by the terms of the contract, and then 
only for the purposes specified in the contract. These 
prohibitions and obligations survive the expiration or 
termination of the contract. The DOD is free to take additional 
steps to secure its data. For example, just as there are 
utilities that overwrite PC hard drives with zeros, or randomly 
generated patterns, similar utilities can be deployed in the 
cloud to overwrite encrypted data before data deletion request 
is generated. This step reduces the likelihood of a dataset 
accidentally not being deleted by the CSP, and being discovered 
by an adversary that later breaks the encryption code. Despite 
these procedures, there is no such thing as a true ``return'' 
of data as electronic copies can exist. This places even 
greater importance on ensuring the appropriate risk decisions 
are made concerning encryption; assessments of controls; and 
where data is placed (classified or general purpose cloud)--no 
different than in our own environment.

    Senator Wicker. Thank you.
    Thank you, Mr. Chair.
    Senator Rounds. Thanks.
    Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman.
    Thank you all for your service and for being here today.
    In an annual assessment of cyber threats reported by 
Bloomberg News--you may have seen that report--the DOD's 
Operational Test and Evaluation Office (OT&E), found that the 
Department has not fully grasped how to counter new threats 
posed by emerging technologies like artificial intelligence. 
Mr. Deasy, the CIO position has served as the principal advisor 
to the Secretary of Defense for a breadth of issues beyond 
cybersecurity, including information technology, communications 
networks, and the like, command systems. In your prepared 
remarks, you cite a number of emerging technologies that DOD 
has identified for potential use, such as software-defined 
networks. I know that Senator Rounds asked you some questions 
on this topic. You also noted that DOD has evaluated machine 
learning, artificial intelligence systems that are working to 
integrate these capabilities and networks. So, for you, and 
maybe for all the witnesses, what are the artificial systems 
currently useful at DOD, and what's holding DOD back elsewhere 
in the field? Is it in-house expertise? Technical resources? 
And maybe you would comment on the Bloomberg report, as well.
    Mr. Deasy. Yeah. So, we work very close with the DOT&E, so 
are very much aware of that report. It's quite interesting. 
When you go through the observations in that report, it points 
out things like leadership responsiveness finding hygiene 
problems. It points out things like nuclear command and control 
in this age and the serviceable life of equipment. It talks 
about stolen credentials and breaches of defense contractors. 
The top-ten program that we have been referring to throughout 
the testimony today was actually created, as I said earlier, to 
look at, holistically, where are all the intervention points 
that adversaries can touch us, and how do we address that? So, 
I'm pleased that, when I look at this report, many of the 
things that are sitting inside of the top-ten stuff that we're 
starting to implement actually mirrors very nicely to the 
report.
    The very end of that report makes observations about where 
there could be improvements. One of the things that it points 
out clearly in there is that they now believe the Department of 
Defense is scoping the task properly, they believe there is a 
followup--there is an organizational construct in place across 
the Department of Defense to address these problems, and that 
we now know what are the tools and the skillsets that we have 
to put in place to get after it. So, that's kind of part A to 
your question.
    To the part around the other activities, may it be 
artificial intelligence, the use of cloud, the use of next-
generation command and controls--as I stressed earlier, when I 
talk about the digital modernization of Department of Defense, 
I always like to remind people that this is a highly integrated 
set of things that we're doing. I always start off by saying 
there is no doubt that AI and what it offers the Department is 
going to be quite significant. How we implement that is going 
to require that we put in a robust enterprise cloud. How we 
secure that cloud, how we use commercial providers to put the 
AI on top of that is very important. However, if we don't solve 
for next-generation command-and-control communications, we will 
not get the necessary information out to the warfighter. So, 
you must look at cyber from a communications standpoint, and a 
satellite standpoint, as well.
    All of these things, to me, are tightly, tightly 
integrated, and that's why, when we talk about the digital 
modernization programs in the Department of Defense, cyber has 
to sit at the forefront of everything that we do, sir.
    Senator Blumenthal. Do either of you have any comment?
    Vice Admiral Norton. Yes sir. I'd like to say a couple of 
things.
    One of the things that they talk about in that report is 
the importance of understanding the cyber terrain and starting 
to really grasp that. That has been a major effort of the Joint 
Force Headquarters-DODIN. We actually put out an order that 
specifically lays that out for the 43 DOD components to 
identify, map their cyber terrain, map what is key cyber 
terrain so that we can recognize where additional forces need 
to be put, where additional emphasis might need to be, to 
include putting some of our cyber protection teams on that key 
cyber terrain. In my opening comments, I mentioned that I am 
responsible for the command readiness inspections that we have 
changed from just a readiness inspection of a checklist of 
configuration to an operational readiness inspection that 
operational evaluation is going to that command to understand. 
Do they understand what their key cyber terrain is, relevant to 
their mission, specific to their mission? Therefore, do they 
know how to protect their mission by protecting that key cyber 
terrain? Those are the kinds of things that DOT&E has 
recognized that are really critical for us to move forward and 
to not have to expand resources tremendously to protect 
everything equally, but to focus our resources on the things 
that are most important in the DOD.
    Senator Blumenthal. Thank you.
    Brigadier General Crall. Sir, I find it interesting that we 
answer that question a little bit based on some of our 
portfolio experience and where we sit. Mr. Deasy talks about, 
scoping the problem set, which is in the report. Admiral Norton 
talks about knowing your terrain. A third in that top three of 
what they talked about the Department may be doing fairly well 
at, or at least at the cusp of, is unity of effort. Mr. Deasy 
has talked about not going our own ways or allowing, these 
niche solutions that don't really work well together. As one of 
the implementors of that strategy, we have a strategy that we 
can execute, we have very clear goals and guidelines, and are 
really looking to ensure that we do this smartly, that we come 
together to solve that problem. So, I think those three answers 
really fit well in the top three that came out of the findings 
in that report.
    Senator Blumenthal. Was lack of unity of effort a problem, 
do you think?
    Brigadier General Crall. I think it has been a problem, 
sir, to be fair. I think that we've turned a corner on that, 
that, even well-intentioned people doing business in opposite 
directions really puts us in a fix. For example, simply putting 
requirements out on a table and allowing them to be solved in 
any way, shape, or form sometimes means to get those solutions, 
to work together as the government needs it to do, especially 
DOD, you might have more money in emulation and more 
engineering problems in getting things to fit that are 
dissimilar than you would if you had a common solution going 
forward. So, yes, I think it's a fair criticism of past 
performance, but I'd like to say that I think we're on a 
different track. And I'm pretty optimistic that we can pull 
together.
    Senator Blumenthal. Thank you.
    Thank you all.
    Senator Rounds. I'd like to follow up just one step 
further. And I'm going to go to Vice Admiral Norton with this. 
Today, the Department's cybersecurity architecture appears to 
be fairly decentralized with, in this particular case, JFHQ-
DODIN possessing what I think would be only limited visibility 
into its components, networks, and endpoints. Number one, is my 
premise correct? I think it is. Second of all, if it is, then 
is this because of a policy decision that needs to be changed? 
Is it a capacity issue on behalf of JFHQ-DODIN? Or is it a 
technical problem? Does JFHQ-DODIN need additional resources or 
authorities to be more effective?
    Vice Admiral Norton. Well, first, it was definitely not a 
policy decision to decentralize the data. Remember, I said that 
Joint Force Headquarters-DODIN has only been in existence for 4 
years. We just reached full operational capability a year ago, 
this week. So, all of those networks that Senator Manchin 
talked about--those thousand networks--they all grew up with 
their own ability to look at their own network independently. 
Over time, we're starting to aggregate that in a way that does 
centralize the ability to view that.
    Over the last year, Joint Force Headquarters-DODIN has made 
tremendous progress in gaining visibility on all of those 
networks across the DOD. Certainly at the tier-1 level, at the 
Internet access points, and at the endpoints, and helping to 
aggregate, as General Crall said, in some cases in difficult 
ways, because the technology doesn't necessarily make that 
easy, because they all acquire those in different ways. But, 
bringing that data together gives us, at Joint Force 
Headquarters-DODIN, a much better understanding of what 
everybody's cyber posture is across all of those networks.
    We're certainly not perfect. It's certainly not in a manner 
that is technically easy and quick, based on the disparate 
kinds of solutions.
    Senator Rounds. Specific resource needs?
    Vice Admiral Norton. An architecture that allows for the 
kind of standardization that Mr. Deasy is working on and the 
policy that requires more standardization that General Crall 
has talked about, are already in the work. I have the 
authority, under that Directive Authority for Cyberspace 
Operations, and have used that authority, to be able to get 
that data and start to give that visibility to both my forces 
and to U.S. Cyber Command.
    Senator Rounds. Thank you.
    Senator Manchin. Just one followup, there.
    I think, for Mr. Deasy and General Crall, I understand that 
there's a so-called cross-functional team composed of a small 
number of experts from across the Department, which works with 
both of you. Congress created this cross-functional team. 
Sometimes we're not always spot-on, to say the least. I want to 
know if you all agree with this team? Is it functioning well, 
or are there things we can do to help?
    Mr. Deasy. I'll start with that. Much of the work is 
actually led by General Crall.
    I think we actually have, for the first time, a series of 
things that are going on that are well. You have a Secretary 
and a Deputy, as I mentioned earlier, that are highly actively 
engaged in this topic. So, you need the top of the house to be 
highly engaged on this. But, you have a set of leaders that are 
very impatient, including myself, that are done admiring the 
problem and are moving into tasking. This is including being 
less tolerable on people being able to go off and use their own 
solutions. The authorities that you all gave me, starting this 
year, around being able to set architectural standards are 
quite significant. We are now starting to use those new 
authorities.
    Finally, you used the term, ``cross"--you know, a team 
that's been brought together. That, in my opinion, is probably 
the biggest thing that has helped us, is empowering General 
Crall by giving him a set of experts that cut across the 
Department, that are actually helping him now to drive those 
solutions.
    Brigadier General Crall. Sir, Congress got that right. The 
cross-functional team works. And it has several advantages. 
It's only as good as it's paid attention to. There are probably 
examples of some cross-functional teams maybe not producing. 
But, the cross-functional team that's involved under the PCA is 
well resourced, in the sense that we've got the right people. 
The participating agencies that provide representation in the 
workforce sent us their best. So, I'll start with that. We've 
got good people.
    The second piece is, we can approach problems in ways that 
don't have some of the biases. You know, we don't have any 
stake in the fight or any legacy that we hold on to. It really 
is about the mission. So, we normally come to the table with an 
advantage in solving some of those problems. It's been 
instrumental in moving the strategy into implementation.
    Senator Manchin. Great.
    Thank you all so much. Thank you all for being here.
    Senator Rounds. Okay.
    I want to take this opportunity to thank our members and 
Senator Manchin for participating today. This has been very 
helpful to us.
    I'd like to thank our witnesses today for their 
participation. There were several questions that you indicated 
you would prefer to answer in a classified setting. I would ask 
that you provide us with those answers. Committee staff has 
indicated that you may bring those in at the level of Sensitive 
Compartmented Information (SCI) in your responses. We would 
expect you to be able to do that in the next couple of weeks. 
Okay?
    With that, I want to thank everyone for participating.
    This subcommittee meeting is adjourned.
    [Whereupon, at 3:55 p.m., the subcommittee adjourned.]

    [Questions for the record with answers supplied follow:]

               Questions Submitted by Senator Mike Rounds
                             cyber strategy
    1. Senator Rounds. Mr. Deasy, there are myriad weapon systems and 
enclaves that are often not considered part of the standard network. 
How do you define the DODIN?
    Mr. Deasy. The Department of Defense information network (DODIN) 
includes all systems, subsystems, or system components (software, 
firmware, and hardware) performing DOD mission functions. This includes 
DOD systems, subsystems, and system components used to manage 
information, interact with the physical environment, or perform a 
combination of both. Weapons systems, control systems (e.g., industrial 
control systems), and traditional information systems are considered 
part of the DODIN.

    2. Senator Rounds. Mr. Deasy, most topics discussed at the hearing 
were focused on the standard network. What cyber teams are protecting 
our assets such as nuclear command and control, F-35s, ships, and our 
aircraft carriers with industrial control systems?
    Mr. Deasy. Under U.S. Cyber Command, the Department of Defense has 
133 cyber mission force teams operating at full operational capability, 
protecting Nuclear Command and Control systems, aircraft, ships, and 
the entirety of the Department. The force conducts a variety of 
missions: Cyber National Mission Teams defend the nation by identifying 
adversary activity, blocking attacks, and maneuvering to defeat them. 
Cyber Combat Mission Teams conduct military cyberspace operations in 
support of combatant commander priorities and missions. Cyber 
Protection Teams defend DOD's information network, protect priority 
missions, and prepare cyber forces for combat. Cyber Support Teams 
provide analytic and planning support to national mission and combat 
mission teams. Some teams are aligned to combatant commands to support 
combatant commander priorities and synchronize cyberspace operations 
with operations in the other four domains--land, sea, air and space--
and some are aligned to the individual services for defensive missions. 
The balance report directly to subordinate command sections of U.S. 
Cyber Command, the cyber national mission force, and Joint Force 
Headquarters-DOD Information Network. Specific to Industrial Control 
Systems (ICS), the Department has a much greater understanding of ICS 
vulnerabilities and is becoming more proactive in addressing ICS 
cybersecurity. As the Department continues to modernize capabilities, 
the use of ICS is increasing with corresponding increase in scope of 
what must be defended and need for means to prioritize limited cyber-
defense resources. In addition to ensuring availability of trained and 
qualified personnel to operate the ICS, resources are needed to 
maintain, update, and protect them just as must be done for traditional 
IT networks. Providing cybersecurity oversight of ICS by a 
cybersecurity service provider (CSSP) is relatively new concept and 
requires engineering support to develop the toolset and the situational 
awareness/reporting capabilities necessary for effective defense

    3. Senator Rounds. Mr. Deasy, how is DOD being proactive to assure 
that security is applied to 5G from the beginning, rather than as an 
afterthought?
    Mr. Deasy. The Department of Defense (DOD) is aggressively working 
on establishing a DOD 5G Strategy that addresses all aspects of 5G to 
include security. Deputy Secretary of Defense Shanahan commissioned a 
number of high level studies to include the Defense Policy Board, the 
Defense Science Board and the Defense Business Board each with their 
own area of focus. The results and recommendations from these boards 
are currently being submitted and evaluated. With specific regard to 
security it is critical the DOD engage with other Departments and 
Agencies (National Institute of Standards and Technology, Federal 
Communications Commission, National Telecommunications and Information 
Administration), industry, Federally Funded Research and Development 
Centers / University Affiliated Research Center, and universities to 
ensure any security objectives meet national requirements. Although the 
Department is still working on specific recommendations and courses of 
actions the DOD Chief Information Officer is considering the following 
with regards to 5G security and standards: Resource 5G cyber testbeds 
Identify objectives for National Security Policy Identify 
vulnerabilities and mitigation plans Introduce Supply Chain 
specifications into 5G standards Support 5G Institute of Electrical and 
Electronics Engineers Effort on Microelectronics Integrity Stand-up 
red/blue team Telecommunications security program(s) Employ Federal 
Risk and Authorization Management Program moderate/high security 
baselines to 5G.

    4. Senator Rounds. Mr. Deasy, has the DOD performed a comprehensive 
risk assessment on cloud computing as well as a comparative analysis on 
using one cloud service provider versus multiple providers?
    Mr. Deasy. The Department continues to perform an ongoing 
comprehensive risk assessment of cloud security risks. This assessment 
is not limited to a particular current or future program, but rather is 
a holistic assessment across the Department's cloud portfolio. The 
Department's assessment is ongoing, continuously analyzing and 
understanding how to characterize risks and effectively mitigate them. 
When considering one cloud service provider versus multiple providers, 
the Department's strategy incorporates a multiple cloud, multiple 
vendor environment, which includes General-Purpose cloud and Fit-For-
Purpose clouds. The cloud security risks resulting from the 
aforementioned risk assessment are relevant across the commercial cloud 
industry. Whether any particular contract is a single award or multiple 
award does not alter the fact that the Department is a multiple cloud, 
multiple vendor environment with security risks relevant across all 
environments.

    5. Senator Rounds. Mr. Deasy, you briefly mentioned the Joint 
Artificial Intelligence Center (JAIC) and that the JAIC is applying AI 
and machine learning to solve some of present day's most complex 
problems. What are some of the problems that the JAIC is solving?
    Mr. Deasy. Artificial Intelligence (AI) has the potential to 
transform every corner of the DOD. AI will enhance the Department's 
operational effectiveness, improve readiness, and increase efficiency 
of business practices. To harness the power of AI, the JAIC partners 
with the Military Services and other components across the Joint Force 
to systematically identify, prioritize, and select new AI mission 
initiatives. At the same time, the JAIC will develop a common 
foundation that is essential for scaling AI's impact across DOD. This 
foundation includes shared data, reusable tools, frameworks, libraries, 
and standards, and cloud and edge services. The JAIC will deliver AI 
capabilities through two means: National Mission Initiatives (NMIs) and 
Component Mission Initiatives (CMIs). NMIs are broad, joint, hard 
cross-cutting Artificial Intelligence/Machine Learning challenges that 
the JAIC will actually take on and run using a proven-successful, 
cross-functional team approach. CMIs are specific to individual 
components who are looking for an AI solution to a particular problem. 
Initially, JAIC is focusing on the following NMIs to deliver mission 
impact at speed, demonstrate the proof of concept for the JAIC 
operational model, enable rapid learning and iterative process 
refinement, and build out a library of reusable tools while validating 
an enterprise cloud architecture: Predictive Maintenance to better 
forecast, diagnose, and manage maintenance issues to reduce costs, 
increase safety and improve operational efficiency. Humanitarian 
Assistance / Disaster Relief to reduce the time associated with search 
and discovery, resource allocation decisions, and executing rescue and 
relief operations to save lives and livelihood during disaster 
operations. Cyber Sensemaking to detect and deter advanced adversarial 
cyber actors who infiltrate and operate within the DOD Information 
Network (DODIN) to increase security, safeguard sensitive information 
and allow warfighters and engineers to focus on strategic analysis and 
response. Future NMIs may include smart automation projects to increase 
back-office efficiency and effectiveness, and a focus on the National 
Defense Strategy and operations against peer competitors. These early 
projects serve a dual purpose: Deliver new AI-enabled capabilities to 
end users Incrementally develop a common foundation that is essential 
for scaling AI's impact across the Department. Each of the NMIs and 
CMIs will contribute to the Department's AI toolset, or common 
foundation that includes shared data, reusable tools, frameworks, 
libraries, and standards, and cloud and edge services. As the JAIC 
builds and scales each project, the Department's ability to harness the 
full operational potential of AI increases. The benefits to the 
Department will continue to accrue over time, increasing the level of 
understanding of AI across the force while accelerating the delivery 
and adoption of AI throughout DOD.

    6. Senator Rounds. Mr. Deasy, have the services finalized their 
annexes to the DOD AI strategy or have an estimated date of completion?
    Mr. Deasy. The United States Marine Corps' annex is complete. The 
other Services annexes are still being drafted and undergoing 
coordination throughout the Department.
                      cyber policy implementation
    7. Senator Rounds. Brigadier General Crall, you indicated that you 
have concerns with industry securing and storing DOD data, as well as 
having appropriate accesses to that data. How can Congress help to 
maintain the security, confidentiality, integrity, and availability of 
your DOD data?
    Brigadier General Crall. Following up on my 29 January testimony, I 
would like to confirm and further highlight Department of Defense 
issues, challenges and progress, associated with Data Rights 
Management. The anecdote I shared during my earlier testimony was based 
on my time as the USMC Chief Information Officer, but I believe the 
challenges I highlighted still reflect relevant problems. The 
Department is addressing some of these issues, while others remain 
unresolved. These include:
      Data Replication (If data is replicated to a foreign 
country, is the Department now subject to foreign or international 
laws?)
      o  Storing data in facilities outside of U.S. legal jurisdiction 
can subject that data to foreign and international laws. The lack of 
legal precedents, conflicting case law, and the potential for 
extraterritorial jurisdiction and secret gag orders placed on the cloud 
providers, increase these risks. Because of these liabilities, the 
Department implemented contract clauses in the Defense Federal 
Acquisition Regulation Supplement (DFARS) that require the cloud 
contractor to maintain all DOD data within the United States and 
outlying areas, or in DOD facilities when OCONUS. Under this clause, 
overseas hosting locations would be limited to U.S. embassies and U.S. 
military facilities operated under a Status of Forces Agreement (SOFA) 
that provides for U.S. legal jurisdiction.
      Decryption Keys (Who holds them for data at rest and in 
transit?)
      o  The Department requires encryption of data-in-transit and 
data-at-rest using NSA approved cryptographic solutions with the DOD 
mission owner having control over the management and use of the keys. 
In situations where encrypting data with DOD key control is not 
supported by the service provider, the Mission Owner's Authorizing 
Official is required perform a risk analysis and make an informed 
decision on the risks before transferring data into the commercial 
cloud. If we decide to . . . then . . . the risk is.
      Metadata (Who owns metadata? Can vendors sample or 
compile metadata?)
      o  Metadata used for Cloud Service Provider (CSP) operational 
management and user-experience improvement has the potential to be 
exploited. This information reveals patterns in workload activity 
volumes and flows, as well as the relationships of those workload 
activity volumes and flows to specific users and locations. The 
Department's cloud contracting clauses establish limitations on the 
contractor's access to, and use and disclosure of both government data 
and metadata. These clauses limit the contractors use of metadata only 
to manage the operational environment that supports the Government data 
and for no other purpose unless otherwise permitted with the prior 
written approval of the Department.
      Accreditation and Assessment (How can we trust vendor 
accreditation packages?) The Federal Information Security Modernization 
Act (FISMA) of 2014, 44 U.S.C. Sec.  3551 et seq., Public Law (P.L.) 
113-283, requires a security assessment be performed using the standard 
processes and controls published by the National Institute of Standards 
(NIST). Under FISMA, the Federal Government is not permitted to use a 
cloud service provided by a vendor unwilling to allow a risk assessment 
performed in accordance with NIST standards. Some vendors have been 
unwilling to conduct these assessments claiming that costs are high and 
hard to recoup. Additionally, not all vendors share their assessment 
documentation (not required to), making it difficult to assess the 
quality of their work. It is important to note that the Federal Risk 
and Authorization Management Program (FedRAMP) effort has been 
instrumental in helping to address these concerns. For example, FedRAMP 
allows third-party assessment organizations (3PAOs); a group of 
certified, independent assessors than can satisfy the requirements of 
both the Government and the commercial cloud vendors.
      Data Return (What happens to the data when a contract is 
closed?)
      o  The DFARS cloud computing services clause requires the 
contractor to provide the Contracting Officer all Government data and 
metadata in the format specified in the contract and to dispose of the 
data and metadata in accordance with the terms of the contract. The 
contractor is required to provide confirmation of the disposition In 
accordance with contract closeout procedures. The contactor and its 
employees are not allowed to access, use or disclose Government data 
unless specifically authorized by the terms of the contract, and then 
only for the purposes specified in the contract. These prohibitions and 
obligations survive the expiration or termination of the contract. The 
DOD is free to take additional steps to secure its data. For example, 
just as there are utilities that overwrite PC hard drives with zeros, 
or randomly generated patterns, similar utilities can be deployed in 
the cloud to overwrite encrypted data before data deletion request is 
generated. This step reduces the likelihood of a dataset accidentally 
not being deleted by the CSP, and being discovered by an adversary that 
later breaks the encryption code. Despite these procedures, there is no 
such thing as a true ``return'' of data as electronic copies can exist. 
This places even greater importance on ensuring the appropriate risk 
decisions are made concerning encryption; assessments of controls; and 
where data is placed (classified or general purpose cloud)--no 
different than in our own environment.

    8. Senator Rounds. Brigadier General Crall, how does the DOD 
prioritize the Cyber Strategy's lines of effort?
    Brigadier General Crall. The Department's Cyber Strategy is 
distilled into nine Lines of Effort (LOE), which is comprised of 
specific objectives and tasks mapped to achieving the LOE end state as 
well as addressing gaps identified in the Department's Cyber Posture 
Review. The Department considers all nine LOEs equally important and 
interconnected in achieving the objectives of the Cyber Strategy. The 
Office of the Principal Cyber Advisor (OPCA) continues to implement the 
Cyber Strategy LOEs with emphasis on warfighting outcomes, defense of 
the nation, achieving the strategic intent of the National Security 
Strategy and the National Defense Strategy.
                            cyber readiness
    9. Senator Rounds. Mr. Deasy, our weapon systems are becoming 
increasingly complex. How is the DOD integrating cybersecurity 
solutions to maximize interoperability and information sharing in our 
current threat environment?
    Mr. Deasy. Cyber capabilities have opened new opportunities for 
weapons systems. The weapons systems are becoming increasingly complex, 
as you stated, but these weapons systems are also integrated into 
networks and systems of systems as well. This increases cyber 
complexity and risk to the weapons system, the networks and the mission 
itself. No single organization in the DOD can hope to solve this 
problem by themselves. To tackle this problem my office is working 
across the Services, and DOD Components, through the DOD Cyber Strategy 
Lines of effort, to holistically improve how we build and engineer 
these systems from a cyber-resiliency and security perspective, to 
ensure the networks these systems rely on are robust and secure to meet 
mission need, and ensure the cyber workforce and mission forces have 
the training and tools necessary to maintain and defend these systems. 
DOD is working collaboratively to address weapons system cybersecurity 
implementation during development and in operations and sustainment. My 
office has implemented policy and guidance changes to improve weapons 
systems cybersecurity, to include requiring program sponsors to 
articulate cyber survivability requirements in the JCIDS process and 
requiring weapons systems assessment and authorization to operate 
through the cybersecurity Risk Management Framework. USD(A&S) is 
incorporating cybersecurity into large-scale military exercises to 
achieve a mission view of survivability in a cyber-contested 
environment. The DOD Components are leaning forward through efforts 
such as the Navy's CYBERSAFE initiative, Air Force's Cyber Resiliency 
Office of Weapon Systems (CROWS), the Army's Task Force Cyber Strong 
and execution of the Department-wide Fiscal Year 2016 NDAA Section 
1647, Evaluation of Cyber Vulnerabilities of Major DOD Weapon Systems, 
to identify cybersecurity solutions and leverage individual service 
solutions across the broader DOD enterprise.

    10. Senator Rounds. Mr. Deasy, is there a prioritized Defended 
Asset List for cyber across the DOD?
    Mr. Deasy. Defended Asset Lists are maintained by each Combatant 
Command for their respective defense and task critical assets. 
Identification of Combatant Command, Military Service, and Agency 
mission relevant terrain in cyberspace is ongoing and will inform 
prioritization of critical assets supporting Defense Critical Missions. 
Cyber defense is dynamic and priorities change based on factors such as 
missions, threats, vulnerabilities, intelligence, and adversary 
posturing. Cyber Protection Teams are currently aligned to monitor and 
secure some of DOD's most critical mission assets.
                        cyber incident response
    11. Senator Rounds. Mr. Deasy, insider threats continue to impact 
cybersecurity. How is DOD leveraging machine learning and AI as an 
analytical tool to proactively identify insider threats?
    Mr. Deasy. Detecting insider threats is particularly challenging 
and requires analysis of cyber and non-cyber information. The Defense 
Security Service is pursuing a project to improve insider threat 
detection by leveraging AI to search for anomalous employee behaviors. 
Partnering with the Army Analytics Group, we're building machine 
learning models that include security clearance, background 
investigation, security records, and personnel records (if / when 
available). The goal is to give context to the AI capability as it 
seeks to interpret anomalies in the cyber data. If successful, we will 
be able to detect changes in behavior much earlier and with greater 
granularity, while keeping the identity of the individual masked unless 
and until absolutely necessary. If unmasked, we'll put supervisors in a 
position to have a positive impact on the individual's future through 
early intervention. The Joint AI Center is planning an AI effort to 
leverage this DSS project to identify misused user accounts based on 
cyber data. Together these efforts represent significant initiatives to 
afford rapid detection of insider threats as well as compromised user 
accounts.

    12. Senator Rounds. Vice Admiral Norton and Brigadier General 
Crall, you indicated that the DOD has not yet developed a similar 
benchmark such as CrowdStrike's 1/10/60 for cyber intrusions; however, 
you indicated that you are looking at the requirements for rapid 
detection and response, as well as metrics. What requirements and 
metrics does the DOD use when analyzing cyber incidents and events to 
prevent future occurrences?
    Vice Admiral Norton. The DODIN is comprised of multiple networks, 
with multiple layers of security across multiple classifications. There 
are varying levels of cyber professionals securing and defending the 
thousands of networks that comprise the DODIN. CJCSM 6510.01B Cyber 
Incident Handling Program is the directive that identifies the system 
of record (JIMS) and minimum requirements for incident response, and 
specifies the categories of response along with the requirement for 
reporting.
    Brigadier General Crall. My fellow witness, VADM Norton, is best 
positioned to provide a response regarding the requirements and metrics 
used by the DOD when analyzing cyber incidents and events and the 
prevention of future occurrences.
                            cyber investment
    13. Senator Rounds. Mr. Deasy, China and Russia are making 
investments in state-sponsored companies to pursue machine learning and 
AI capabilities. What investments should be the focus of our industrial 
base to maintain the advantage over China, Russia, and other 
competitors?
    Mr. Deasy. In pursuit of military AI, China relies on both its 
traditional, state-owned defense enterprises and privately-owned 
technology companies. For instance, China's large and diverse 
technology sector is fiercely competitive and entrepreneurial, which 
provides significant advantages in developing AI systems for both 
commercial and military applications, compared to Russia. Whereas, the 
United States must upon its companies to voluntarily support national 
security; the Chinese government has many tools available to induce and 
even coerce the cooperation of Chinese technology firms for military 
and espionage activities. There are two categories of investments that 
the Department of Defense needs to make in order to improve our overall 
competitive position in AI: those that pick low-hanging fruit, and 
those that address the long-lead items of AI transformation. Low 
hanging fruit project opportunities are those in which the Department 
already possesses a great deal of data in a format for which there is 
mature AI technology available. An example would be Project Maven's use 
of drone video imagery; as, image analysis AI technology is mature in 
the commercial and academic technology community. Additionally, the 
Department of Defense had collected far more drone video data than its 
human analyst community could ever hope to analyze. Currently, the 
Department of Defense is engaged in an effort to identify other 
existing datasets that are strong candidates for AI projects. Long-
lead, AI transformation projects address those aspects of DOD 
operations where AI could make a powerful impact, but data is not being 
collected or stored in a way that is easily amenable to machine 
learning analysis and AI system development. Currently, the DOD 
possesses large and potentially very useful datasets that continue to 
be recorded using outdated practices. Even when digital data collection 
is the norm, the use of different dataset structures and processes may 
make machine learning data analysis difficult. Over the last decade, 
leading commercial AI companies began addressing data collection, 
standardization, and quality improvement activities, to their benefits 
today.. Improving DOD's data management to better enable AI 
applications development will not be quick or simple. However, 
addressing data integrity and other AI long lead items is a vital 
prerequisite to our goal of transforming the Department of Defense 
through AI. We are committed to fulfilling the promise of the DOD AI 
Strategy to ensure that the U.S. military retains its competitive edge.
                               __________
              Questions Submitted by Senator David Perdue
                           cyber investments
    14. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, our adversaries are making significant investments in 
their cyber capabilities to include artificial intelligence and machine 
learning capabilities. What investments is the DOD making to improve 
our cyber capabilities to include artificial intelligence and machine 
learning - R&D, industry, universities, personnel, education & 
training?
    Mr. Deasy. The JAIC is establishing a National Mission Initiative 
for Cyberspace Sensemaking. This effort is meant to bring advanced, but 
ready AI, approaches to improve cybersecurity and cyberspace 
operations. Our first product lines for this initiative will be: 1) 
novel event detection; 2) detecting misused user accounts; and 3) 
network mapping for the cyber mission force. Future product lines will 
be identified through collaborations with cyber teams, and government 
and commercial research and development efforts. DSS and the NBIS PEO, 
in partnership with the Army Analytics Group, are investing in AI 
enabled capabilities to look across enterprise cyber audit and user 
monitoring data, detect minor anomalies, combine it with available 
contextual information, characterize events/patterns as internal or 
external threats, then route the evidence packages to the appropriate 
authorities for action.
    Vice Admiral Norton. DISA is currently making several investments 
in the Artificial Intelligence and Machine Learning (AI & ML) solution 
arena as well as taking advantage of existing investments within the 
Department. DISA began teaming with advanced research groups such as 
DARPA and MIT Lincoln Labs to begin development of cyber focused AI & 
ML capabilities, these efforts include a robust cloud-based environment 
to support the development of advanced AI & ML algorithms. Working with 
the DOD High Performance Computing Center (HPCC), DISA has been able to 
leverage the use of super computers that will greatly support 
performance gains on advanced AI & ML solutions. These investments into 
research will help determine not only the benefits but the strategy for 
DISA's future implementation of AI & ML architectures. DISA is also 
currently utilizing the Rapid Innovation Fund (RIF) program, sponsored 
by the DOD Small Business Office, to contract with small innovative 
companies who specialize in AI/ML solutions.
    Brigadier General Crall. I support the responses from my fellow 
witnesses, Mr. Deasy and VADM Norton, on this specific question 
regarding the investments the DOD is making to improve our cyber 
capabilities to include artificial intelligence and machine learning.

    15. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, Secretary Deasy testified that DOD is in the initial 
phases of identifying and possibly certifying certain private companies 
that can be used to vet expertise within the cybersecurity field that 
can be used to help in its cybersecurity efforts. Has DOD considered 
including universities in this effort?
    Mr. Deasy. As the DOD CIO has previously testified, the DOD is 
reviewing the right approaches to assess the ability of private 
companies and their suppliers to protect DOD sensitive information on 
their systems and networks. One approach being evaluated is identifying 
and possibly even certifying companies that can play this role using 
the National Institute of Science and Technology (NIST) standards 
assess private companies and their second-, third-tier suppliers 
capability to protect DOD information. While at this time no decision 
has been made, universities may be able assist the Department.
    Vice Admiral Norton. As the DOD CIO has previously testified, the 
DOD is reviewing the right approaches to assess the ability of private 
companies and their suppliers to protect DOD sensitive information on 
their systems and networks. One approach being evaluated is identifying 
and possibly even certifying companies that can play this role using 
the National Institute of Science and Technology (NIST) standards 
assess private companies and their second-, third-tier suppliers 
capability to protect DOD information. While at this time no decision 
has been made, universities may be able assist the Department.
    Brigadier General Crall. My fellow witness, Mr. Deasy, is best 
positioned to provide a response regarding the use of universities to 
vet expertise within the cybersecurity field that can be used to help 
in our cybersecurity efforts.

    16. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, what investments has DOD made in our universities to 
grow our cyber force to include artificial intelligence, machine 
learning, and engineering?
    Mr. Deasy. DOD uses a variety of programs to invest in 
universities. These may be individual partnerships at the DOD 
Component-level, or enterprise-level investments. For example, in 
fiscal year 2018, DOD announced awards to 175 university researchers at 
91 institutions in 36 states, totaling $53 million through the Defense 
University Research Instrumentation Program (DURIP). DURIP augments 
research capabilities at universities conducting cutting edge research 
for DOD, through the procurement of state-of-the-art equipment. 
Research areas include: Intelligence Collaborative Wireless networks 
Research to Maximize Warrior Performance Distributed Deep Learning 
Mobile Sensor System Quantitative Metabarcoding of Pollen for Security-
Related Forensics Observational System for Monitoring and Modeling 
Group Social Dynamics Internet of Things (IoT) Testing capability 
Learning-based Autonomous Systems Secure Data Processing Infrastructure 
Another example is the DOD Historically Black Colleges & Universities/
Minority Institutions (HBCU/MI) Science Program. DOD awarded $25.8M to 
HBCU/MI institutions in fiscal year 2018 to increase the research and 
educational capacity of these colleges and universities and foster the 
entry of underrepresented minorities into STEM disciplines.
    Vice Admiral Norton. DISA has established a partnership through the 
Office of Personnel Management's CyberCorps Scholarship for Service 
Program. The program provides funds to colleges and universities for 
student scholarships in support of education in areas relevant to 
cybersecurity. In return for the scholarships, recipients agree to work 
after graduation for the federal government or a federally funded 
research and development center, in a cybersecurity-related position 
for a period equal to the length of the scholarship. DISA uses this 
program to hire students from over 70 colleges and universities across 
the United States. DISA has also partnered with NSA to administer the 
DOD Cybersecurity Scholarship Program. This program provides full 
undergraduate tuition and a $25,000 stipend to students pursuing 
degrees in information technology, cybersecurity, and information 
assurance. Participants are obligated to work for the DOD as a civilian 
employee for one calendar year for each year of scholarship assistance.
    Brigadier General Crall. I support the responses from my fellow 
witnesses, Mr. Deasy and VADM Norton, on this specific question 
regarding the investments the Department has made with universities to 
grow our cyber force to include artificial intelligence, machine 
learning, and engineering.

    17. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, is DOD partnering with universities on cyber education 
and training to include curriculum, courseware, instruction and 
instructors?
    Mr. Deasy. DOD CIO is a supporting partner and collaborator with 
the National Security Agency/Department of Homeland Security (NSA/DHS) 
Centers of Academic Excellence in Cyber Defense (CAE-CD). There are 
currently 270 colleges and universities designated in the program, 
including 76 research universities. New CAE designees are announced 
annually. Requirements for designation include alignment of curriculum, 
Carnegie research classification, and faculty qualifications to cyber 
excellence academic standards established by NSA in collaboration with 
participating colleges and universities. Additionally, under the DOD 
Cyber Scholarship Authority in Title 10, DOD provides capacity building 
grants to selected CAEs each year to enhance faculty and curriculum 
development.
    Vice Admiral Norton. I agree with the DOD CIO in our effort to 
equip the Warfighter, under his leadership the CIO is employing 
cutting-edge approaches to deliver advanced military technologies. This 
includes Winner Take All competitions (WTAC), Bug Bounties, and 
Hackathons, as well as traditional acquisition processes. The 
Department of Defense spends billions of dollars every year on 
information security. However, until Hack the Pentagon, the DOD had not 
yet taken advantage of the crowdsourced approach to identifying 
security vulnerabilities that has gained traction in the private 
sector. Crowdsourced security brings in world-class security talent 
that may not otherwise engage with the DOD and allows these experts to 
contribute to national security missions. More than 6,000 
vulnerabilities have been reported in government systems through the 
Defense Department's crowdsourced security programs and hundreds of 
thousands of dollars have been paid to ethical hackers. The program has 
also helped the DOD save millions of dollars across multiple 
challenges. For instance, the first pilot cost $150,000, while the 
normal process of hiring an outside firm to do an audit would have cost 
over $1 million. Effectively executed, Winner Take All speeds 
acquisition, delivering modernized systems faster, mitigating risk from 
outdated tools and systems. The competition yields a single winner 
which streamlines implementation, smoothing what is already a complex 
operating environment, minimizing unnecessary friction in battlefield 
technology. There are potential dangers in WTAC, too; underscoring the 
need for transparency and fairness in conducting acquisition this way. 
WTAC could lead to frustration in the competitive space, potentially 
stymying competition and even innovation in the global technology 
market, in the most extreme WTAC worst-case-scenario. Given the 
importance of private sector engineering and innovation, fair and open 
WTAC are in both the government and industry's fervent best interest. 
WTAC enables an innovative private sector to deliver focused 
technologies and development to the warfighter at the required pace and 
agility.
    Brigadier General Crall. My fellow witness, Mr. Deasy, is best 
positioned to provide a response regarding the Department's partnership 
with universities on cyber education and training to include 
curriculum, courseware, instruction and instructors.

    18. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, is DOD working with our universities to improve their 
support and cooperation with DOD?
    Mr. Deasy. As the DOD CIO has emphasized, the DOD has numerous 
partnerships with academic institutions to provide research 
opportunities, faculty development fellowships, curriculum development 
support, and student scholarships, fellowships, and internships. We 
also continue to seek new avenues for meaningful collaboration in STEM, 
cyber, and artificial intelligence topic areas. For example, within the 
cyber community, the NSA/DHS CAE program has developed a collaborative 
CAE consortium. Through various grants, these institutions are 
developing solutions to produce more cybersecurity educators, share 
curriculum modules, and provide regional assistance to new academic 
institutions to support their designation as a CAE in Cyber Defense. 
While some DOD activities are enterprise-level engagements, others 
benefit specific DOD Components. For example, DOD organizations have 
participated in the Information Security Research and Education 
(INSuRE) project. Through the project, students engage in 
interdisciplinary, distributed-team research on tasks in the national 
information security domain. Students bid on and propose work on 
problems that have been contributed by problem sponsors at government 
laboratories and research organizations. Research teams are formed and 
check in with technical advisors at these sponsors. Teleconferencing 
technology is used to connect students in simultaneous class sessions 
for problem overviews, student presentations, and other resource 
presentations. Students prepare formal proposal and report documents, 
and learn to work with mentors (and sometimes teammates) who are not 
co-located.
    Vice Admiral Norton. As the DOD CIO has emphasized, the DOD has 
numerous partnerships with academic institutions to provide research 
opportunities, faculty development fellowships, curriculum development 
support, and student scholarships, fellowships, and internships. We 
also continue to seek new avenues for meaningful collaboration in STEM, 
cyber, and artificial intelligence topic areas. For example, within the 
cyber community, the NSA/DHS CAE program has developed a collaborative 
CAE consortium. Through various grants, these institutions are 
developing solutions to produce more cybersecurity educators, share 
curriculum modules, and provide regional assistance to new academic 
institutions to support their designation as a CAE in Cyber Defense. 
While some DOD activities are enterprise-level engagements, others 
benefit specific DOD Components. For example, DOD organizations have 
participated in the Information Security Research and Education 
(INSuRE) project. Through the project, students engage in 
interdisciplinary, distributed-team research on tasks in the national 
information security domain. Students bid on and propose work on 
problems that have been contributed by problem sponsors at government 
laboratories and research organizations. Research teams are formed and 
check in with technical advisors at these sponsors. Teleconferencing 
technology is used to connect students in simultaneous class sessions 
for problem overviews, student presentations, and other resource 
presentations. Students prepare formal proposal and report documents, 
and learn to work with mentors (and sometimes teammates) who are not 
co-located.
    Brigadier General Crall. My fellow witness, Mr. Deasy, is best 
positioned to provide a response on the working relationship with our 
universities and the current level of support and cooperation with the 
DOD.
                               __________
             Questions Submitted by Senator Jeanne Shaheen
                  fiscal year 2019 ndaa implementation
    19. Senator Shaheen. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, how does the Department of Defense plan to implement 
sections 1654 and 1655 of the Fiscal Year 2019 NDAA? What is the 
timeline for implementation? Which offices in DOD will be responsible 
for the implementation of section 1655? Will DOD seek industry's input 
while creating corresponding regulations?
    Mr. Deasy. The Department is currently engaged on working through 
the timeline and offices for implementation for Sec. 1654 and Sec. 1655 
of the Fiscal Year 2019 NDAA.
    Vice Admiral Norton. The Department is currently engaged on working 
through the timeline and offices for implementation for Sec. 1654 and 
Sec. 1655 of the Fiscal Year 2019 NDAA.
    Brigadier General Crall. The Department is currently engaged on 
working through the timeline and offices for implementation for 
Sec. 1654 and Sec. 1655 of the Fiscal Year 2019 NDAA.
                               __________
             Questions Submitted by Senator Martin Heinrich
                       chinese cyber investments
    20. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, do you have concerns about the investments China is 
making in Chinese companies to pursue Artificial and Machine Learning 
capabilities? If so, how important is it for the U.S. to have a robust 
technology industrial base?
    Mr. Deasy. I agree with the DOD CIO, having a robust technology 
industrial base is vital to executing our A.I. strategy. One of the 
JAIC's foundational goals is to developing strong, forward-looking 
partnerships with industry, and, also, academia. That are based on the 
Department's steadfast commitment to ethics, safety, and international 
law. AI in the DOD will be working to solve really big problems. 
Commerciality is at the center of what we're trying to accomplish, when 
it comes to the actual algorithms. The Department has to build more 
expertise with people who have the skills needed. The President's 
Executive Order speaks to the need to build that in the United States 
over the next 10 years. With the Defense Industrial Base, the 
Department will build mutual capacity through AI or data sharing 
initiatives, communicating key areas of focus for AI, and coordinating 
missions that link defense firms with non-traditional AI providers for 
teaming opportunities.
    Vice Admiral Norton. I agree with the DOD CIO in our effort to 
equip the Warfighter, under his leadership the CIO is employing 
cutting-edge approaches to deliver advanced military technologies. This 
includes Winner Take All competitions (WTAC), Bug Bounties, and 
Hackathons, as well as traditional acquisition processes. The 
Department of Defense spends billions of dollars every year on 
information security. However, until Hack the Pentagon, the DOD had not 
yet taken advantage of the crowdsourced approach to identifying 
security vulnerabilities that has gained traction in the private 
sector. Crowdsourced security brings in world-class security talent 
that may not otherwise engage with the DOD and allows these experts to 
contribute to national security missions. More than 6,000 
vulnerabilities have been reported in government systems through the 
Defense Department's crowdsourced security programs and hundreds of 
thousands of dollars have been paid to ethical hackers. The program has 
also helped the DOD save millions of dollars across multiple 
challenges. For instance, the first pilot cost $150,000, while the 
normal process of hiring an outside firm to do an audit would have cost 
over $1 million. Effectively executed, Winner Take All speeds 
acquisition, delivering modernized systems faster, mitigating risk from 
outdated tools and systems. The competition yields a single winner 
which streamlines implementation, smoothing what is already a complex 
operating environment, minimizing unnecessary friction in battlefield 
technology. There are potential dangers in WTAC, too; underscoring the 
need for transparency and fairness in conducting acquisition this way. 
WTAC could lead to frustration in the competitive space, potentially 
stymying competition and even innovation in the global technology 
market, in the most extreme WTAC worst-case-scenario. Given the 
importance of private sector engineering and innovation, fair and open 
WTAC are in both the government and industry's fervent best interest. 
WTAC enables an innovative private sector to deliver focused 
technologies and development to the warfighter at the required pace and 
agility.
    Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM 
Norton, are better positioned to provide a response regarding China's 
investments in Chinese companies pursuing Artificial and Machine 
Learning capabilities as well as the gauge of importance for the U.S. 
to have a robust technology industrial base.

    21. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, how do winner take all competitions help bolster or 
hinder a robust industrial base?
    Mr. Deasy. In our effort to equip the Warfighter, under my 
leadership the CIO is employing cutting-edge approaches to deliver 
advanced military technologies. This includes Winner Take All 
competitions (WTAC), Bug Bounties, and Hackathons, as well as 
traditional acquisition processes. The Department of Defense spends 
billions of dollars every year on information security. However, until 
Hack the Pentagon, the DOD had not yet taken advantage of the 
crowdsourced approach to identifying security vulnerabilities that has 
gained traction in the private sector. Crowdsourced security brings in 
world-class security talent that may not otherwise engage with the DOD 
and allows these experts to contribute to national security missions. 
More than 6,000 vulnerabilities have been reported in government 
systems through the Defense Department's crowdsourced security programs 
and hundreds of thousands of dollars have been paid to ethical hackers. 
The program has also helped the DOD save millions of dollars across 
multiple challenges. For instance, the first pilot cost $150,000, while 
the normal process of hiring an outside firm to do an audit would have 
cost over $1 million. Effectively executed, Winner Take All speeds 
acquisition, delivering modernized systems faster, mitigating risk from 
outdated tools and systems. The competition yields a single winner 
which streamlines implementation, smoothing what is already a complex 
operating environment, minimizing unnecessary friction in battlefield 
technology. There are potential dangers in WTAC, too; underscoring the 
need for transparency and fairness in conducting acquisition this way. 
WTAC could lead to frustration in the competitive space, potentially 
stymying competition and even innovation in the global technology 
market, in the most extreme WTAC worst-case-scenario. Given the 
importance of private sector engineering and innovation, fair and open 
WTAC are in both the government and industry's fervent best interest. 
WTAC enables an innovative private sector to deliver focused 
technologies and development to the warfighter at the required pace and 
agility.
    Vice Admiral Norton. I agree with the DOD CIO in our effort to 
equip the Warfighter, under his leadership the CIO is employing 
cutting-edge approaches to deliver advanced military technologies. This 
includes Winner Take All competitions (WTAC), Bug Bounties, and 
Hackathons, as well as traditional acquisition processes. The 
Department of Defense spends billions of dollars every year on 
information security. However, until Hack the Pentagon, the DOD had not 
yet taken advantage of the crowdsourced approach to identifying 
security vulnerabilities that has gained traction in the private 
sector. Crowdsourced security brings in world-class security talent 
that may not otherwise engage with the DOD and allows these experts to 
contribute to national security missions. More than 6,000 
vulnerabilities have been reported in government systems through the 
Defense Department's crowdsourced security programs and hundreds of 
thousands of dollars have been paid to ethical hackers. The program has 
also helped the DOD save millions of dollars across multiple 
challenges. For instance, the first pilot cost $150,000, while the 
normal process of hiring an outside firm to do an audit would have cost 
over $1 million. Effectively executed, Winner Take All speeds 
acquisition, delivering modernized systems faster, mitigating risk from 
outdated tools and systems. The competition yields a single winner 
which streamlines implementation, smoothing what is already a complex 
operating environment, minimizing unnecessary friction in battlefield 
technology. There are potential dangers in WTAC, too; underscoring the 
need for transparency and fairness in conducting acquisition this way. 
WTAC could lead to frustration in the competitive space, potentially 
stymying competition and even innovation in the global technology 
market, in the most extreme WTAC worst-case-scenario. Given the 
importance of private sector engineering and innovation, fair and open 
WTAC are in both the government and industry's fervent best interest. 
WTAC enables an innovative private sector to deliver focused 
technologies and development to the warfighter at the required pace and 
agility.
    Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM 
Norton, are better positioned to provide a response regarding the 
industrial base.
       artificial intelligence and machine learning capabilities
    22. Senator Heinrich. Mr. Deasy, in the last 3 years, how much has 
the DOD invested in classified and unclassified accounts on Artificial 
Intelligence and Machine Learning capabilities? Please delineate by 
budget accounts and line items.
    Mr. Deasy. In the past, the Department of Defense has not 
delineated the budget/costs for Artificial Intelligence (AI) or Machine 
Learning capabilities. In fiscal year 2018 the DOD CIO established the 
Joint Artificial Intelligence Center (JAIC) and, in June 2018, 
published a DOD Artificial Intelligence Strategy. Additionally, on 
December 4, 2018 my office issued supplemental budget guidance 
requiring DOD Components to report their AI budget requests for JAIC, 
AI National Mission Initiatives, and AI Component Initiatives within 
the DOD IT/Cyberspace Activities budget.
                   cyber infrastructure and security
    23. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, what are the benefits and risks of placing most of our 
national security sensitive data within the infrastructure of a single 
cloud provider?
    Mr. Deasy. Applications and data within a single cloud environment 
are able to maximize the native security features of cloud technology, 
which includes robust and automated failover and redundancy features. 
In addition, one of the main benefits is operationalizing data through 
data analytics, machine learning, and artificial intelligence. Having 
the ability to consolidate and pool data significantly reduces barriers 
to providing access to the necessary data where and when needed for our 
warfighters to maximize mission effectiveness. Other examples of 
benefits the Department will see is having data pooled to enhance deep 
synthetic training of machine learning based on robust data sets, which 
will increase readiness and lethality. The general benefits of cloud 
computing, such as rapid provisioning, increased availability, 
elasticity, on demand usage and automated logging, apply to all levels 
of data and are integrated within a single provider environment. The 
risks are managed according to the sensitivity of the data by adding 
controls at the specified security level. It is also important to note 
that a single cloud environment does not mean that all data and 
applications are hosted in a single physical environment where 
everything is vulnerable to a single attack. Rather, the provider will 
have varying levels of logical and physical isolation available, based 
the sensitivity of the data, which will work in concert with the 
Department's existing cyber security tool sets. Leveraging a single 
versus multiple cloud provider environment reduces the number of 
potential vulnerabilities, since with each provider comes additional 
connection points and accreditations, resulting in the possible 
increase in both vulnerabilities and time/cost.
    Vice Admiral Norton. As the DOD CIO has emphasized, applications 
and data within a single cloud environment are able to maximize the 
native security features of cloud technology, which includes robust and 
automated failover and redundancy features. In addition, one of the 
main benefits is operationalizing data through data analytics, machine 
learning, and artificial intelligence. Having the ability to 
consolidate and pool data significantly reduces barriers to providing 
access to the necessary data where and when needed for our warfighters 
to maximize mission effectiveness. Other examples of benefits the 
Department will see is having data pooled to enhance deep synthetic 
training of machine learning based on robust data sets, which will 
increase readiness and lethality. The general benefits of cloud 
computing, such as rapid provisioning, increased availability, 
elasticity, on demand usage and automated logging, apply to all levels 
of data and are integrated within a single provider environment. The 
risks are managed according to the sensitivity of the data by adding 
controls at the specified security level. It is also important to note 
that a single cloud environment does not mean that all data and 
applications are hosted in a single physical environment where 
everything is vulnerable to a single attack. Rather, the provider will 
have varying levels of logical and physical isolation available, based 
the sensitivity of the data, which will work in concert with the 
Department's existing cyber security tool sets. Leveraging a single 
versus multiple cloud provider environment reduces the number of 
potential vulnerabilities, since with each provider comes additional 
connection points and accreditations, resulting in the possible 
increase in both vulnerabilities and time/cost.
    Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM 
Norton, are better positioned to provide a response regarding the 
benefits and risks of placing most of our national security sensitive 
data within the infrastructure of a single cloud provider.

    24. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, what are the security benefits and risks of cloud 
diversity?
    Mr. Deasy. The benefits of cloud diversity include more variety of 
choices in services, partnerships and unique solutions along with the 
increased availability of hosting locations. However, technical 
complexity increases, based on the number of cloud providers and 
available offerings. Cloud diversity may introduce substantial 
technical burden to the Department, because the systems in different 
clouds, even when designed to work together, will require complex 
integration and ongoing management. User training must be specific to 
each cloud environment; thus, it means additional training, and in 
certain circumstances, specific skills must be learned for the 
integration of more than one provider. The greater the number and 
diversity of cloud provider solutions and services, the greater the 
demand for a cyber workforce with varied skills in a Department already 
facing a challenge in hiring and maintaining qualified personnel. Each 
provider offers specific services based on proprietary solutions, which 
will each need individual authorization. These factors increase the 
burdens on the Department's resources.
    Vice Admiral Norton. I agree with the DOD CIO, the benefits of 
cloud diversity include more variety of choices in services, 
partnerships and unique solutions along with the increased availability 
of hosting locations. However, technical complexity increases, based on 
the number of cloud providers and available offerings. Cloud diversity 
may introduce substantial technical burden to the Department, because 
the systems in different clouds, even when designed to work together, 
will require complex integration and ongoing management. User training 
must be specific to each cloud environment; thus, it means additional 
training, and in certain circumstances, specific skills must be learned 
for the integration of more than one provider. The greater the number 
and diversity of cloud provider solutions and services, the greater the 
demand for a cyber workforce with varied skills in a Department already 
facing a challenge in hiring and maintaining qualified personnel. Each 
provider offers specific services based on proprietary solutions, which 
will each need individual authorization. These factors increase the 
burdens on the Department's resources.
    Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM 
Norton, are better positioned to respond regarding the security 
benefits and risks of cloud diversity.

    25. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier 
General Crall, what is the DOD doing to address the risk of insider 
threats?
    Mr. Deasy. In accordance with Executive Order 13587--Structural 
Reforms to Improve the Security of Classified Networks and the 
Responsible Sharing and Safeguarding of Classified Information, DOD is 
implementing a strategic and layered approach to strengthen the 
governance, management and mitigation of insider threats as it relates 
to technology, people, and processes. First, with respect to 
technology, the Department is actively improving both user and network 
monitoring to better mitigate insider threats. DOD organizations are 
employing User Activity Monitoring tools and analysis to monitor 
individual user activities on computers accessing and storing 
information. In addition, we are developing new tactics, techniques, 
and procedures that increase our ability to detect and report cyber 
insider threat events on information networks. Second, with respect to 
people and processes, the insider threat must be addressed through 
understanding the individual and their interaction points with the 
Department. Thus, the Department is investing in the area of insider 
threat social and behavioral sciences (SBS) and considers this one of 
its strategic pillars. DOD researchers and social scientists have 
partnered with industrial and academic entities to conduct a number of 
SBS projects that will help understand the human and the behaviors of 
insiders. Building on the outcome of these projects, we are modernizing 
and strengthening the hiring process and changing organizational 
processes and culture to encourage reporting (including identification 
for self-help). We must be able to detect and manage at-risk employees 
early-on so any potential threats may be mitigated as early as 
possible. Finally, the Department takes a proactive approach to protect 
the privacy and civil liberties of its employees and contractors. 
Accordingly, all Insider Threat and cyber security related policy and 
procedures are reviewed and cleared by the DOD Privacy, Civil 
Liberties, and Transparency Division prior to release or 
implementation.
    Vice Admiral Norton. In accordance with Executive Order 13587--
Structural Reforms to Improve the Security of Classified Networks and 
the Responsible Sharing and Safeguarding of Classified Information, DOD 
is implementing a strategic and layered approach to strengthen the 
governance, management and mitigation of insider threats as it relates 
to technology, people, and processes. First, with respect to 
technology, the Department is actively improving both user and network 
monitoring to better mitigate insider threats. DOD organizations are 
employing User Activity Monitoring tools and analysis to monitor 
individual user activities on computers accessing and storing 
information. In addition, we are developing new tactics, techniques, 
and procedures that increase our ability to detect and report cyber 
insider threat events on information networks. Second, with respect to 
people and processes, the insider threat must be addressed through 
understanding the individual and their interaction points with the 
Department. Thus, the Department is investing in the area of insider 
threat social and behavioral sciences (SBS) and considers this one of 
its strategic pillars. DOD has partnered with industrial and academic 
entities to conduct a number of SBS projects that will help understand 
the behaviors of insiders. Building on the outcome of these projects, 
we are strengthening the hiring process and changing organizational 
processes and culture to encourage reporting (including identification 
for self-help). We must be able to detect and manage at-risk employees 
so any potential threats are mitigated as early as possible. Finally, 
the Department takes a proactive approach to protect the privacy and 
civil liberties of its employees and contractors. Accordingly, all 
Insider Threat and cyber security related policy and procedures are 
reviewed and cleared by the DOD Privacy, Civil Liberties, and 
Transparency Division prior to release or implementation.
    Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM 
Norton, are better positioned to respond to the DOD's efforts to 
address the risk of insider threats.