[Senate Hearing 117-926]
[From the U.S. Government Publishing Office]



 
59-468 PDF

                                 ______

2025

                                                        S. Hrg. 117-926

THE CURRENT AND FUTURE CYBER WORKFORCE IN THE DEPARTMENT OF DEFENSE AND 
                         THE MILITARY SERVICES

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                               PERSONNEL

                                 of the

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 21, 2021

                               __________

         Printed for the use of the Committee on Armed Services


                  Available via http://www.govinfo.gov
?

                      COMMITTEE ON ARMED SERVICES

 JACK REED, Rhode Island, Chairman
JEANNE SHAHEEN, New Hampshire
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut
MAZIE K. HIRONO, Hawaii
TIM KAINE, Virginia
ANGUS S. KING, Jr., Maine
ELIZABETH WARREN, Massachusetts
GARY C. PETERS, Michigan
JOE MANCHIN III, West Virginia
TAMMY DUCKWORTH, Illinois
JACKY ROSEN, Nevada
MARK KELLY, Arizona                  JAMES M. INHOFE, Oklahoma
                                     ROGER F. WICKER, Mississippi
                                     DEB FISCHER, Nebraska
                                     TOM COTTON, Arkansas
                                     MIKE ROUNDS, South Dakota
                                     JONI ERNST, Iowa
                                     THOM TILLIS, North Carolina
                                     DAN SULLIVAN, Alaska
                                     KEVIN CRAMER, North Dakota
                                     RICK SCOTT, Florida
                                     MARSHA BLACKBURN, Tennessee
                                     JOSH HAWLEY, Missouri
                                     TOMMY TUBERVILLE, Alabama
 Elizabeth L. King, Staff Director
  John D. Wason, Minority Staff 
             Director

_________________________________________________________________

                       Subcommittee on Personnel

 KIRSTEN E. GILLIBRAND, New York, 
               Chair
MAZIE K. HIRONO, Hawaii
ELIZABETH WARREN, Massachusetts      THOM TILLIS, North Carolina
                                     JOSH HAWLEY, Missouri
                                     TOMMY TUBERVILLE, Alabama

                                  (ii)
?

                         C O N T E N T S

_________________________________________________________________

                             April 21, 2021

                                                                   Page

The Current and Future Cyber Workforce in the Department of
  Defense and the Military Services                                   1

                           Member Statements

Statement of Senator Kirsten Gillibrand..........................     1

Statement of Senator Senator Thom Tillis.........................     9

                           Witness Statements

Litton, Leonard G., III, Acting Deputy Assistant Secretary for        2
  Defense for Military Personnel Policy.

Sherman, John, Acting Department of Defense Chief Information         4
  Officer.

Hinton, Veronica E., Acting Deputy Assistant Secretary for           10
  Defense for
  Civilian Personnel Policy.

Crall, Lieutenant General Dennis A., USMC, Director, Command,        16
  Control Communications and Computers/Cyber and Chief 
  Information Officer, Joint Staff, J6.

                                 (iii)

 
THE CURRENT AND FUTURE CYBER WORKFORCE IN THE DEPARTMENT OF DEFENSE AND 
                         THE MILITARY SERVICES

                              ----------                              


                       WEDNESDAY, APRIL 21, 2021

                      United States Senate,
                         Subcommittee on Personnel,
                               Committee on Armed Services,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:30 p.m. in room 
SR-232A, Russell Senate Office Building, Senator Kirsten 
Gillibrand (Chairman of the Subcommittee) presiding.
    Committee Members present: Gillibrand, Hirono, Tillis, and 
Hawley.

        OPENING STATEMENT OF SENATOR KIRSTEN GILLIBRAND

    Senator Gillibrand. Good afternoon, everybody. The 
subcommittee meets today to receive testimony on the current 
and future cyber workforce requirements of the Department of 
Defense and Military Services. Our witnesses include Mr. John 
Sherman, Acting Department of Defense Chief Information 
Officer; Ms. Veronica Hinton, Acting Deputy Assistant Secretary 
for Defense for Civilian Personnel Policy; Mr. Leonard Litton, 
acting Deputy Assistant Secretary for Defense for Military 
Personnel Policy; and Lieutenant General Dennis Crall, 
Director, Command, Control Communications and Computers/Cyber 
and Chief Information Officer, Joint Staff, J6. Welcome. Thank 
you.
    In March, General Nakasone testified to the full committee 
that USCYBERCOM conducted two dozen operations to counter 
foreign threats to the 2020 election, and threats that followed 
on the heels of Russia's tampering with the 2016 election. In 
December, we learned that foreign hackers had penetrated 
software widely used by the U.S. Government the private sector 
and went undetected for months, exposing thousands of public 
and private networks to exploitation.
    This election interference and SolarWinds hack recently 
prompted President Biden to issue a new round of sanctions 
against Russia. But make no mistake about it--Russia is not our 
only adversary. Cyber intrusions and attacks from all quarters 
will only increase moving forward, and it is our responsibility 
to ensure that we have the capability to defend the United 
States on this new front. The need for an effective, talented, 
and diverse cyber workforce within the Department of Defense 
(DOD), the Military Services, and really across the whole of 
government has never been clearer.
    Growing and maintaining a cyber capability sufficient to 
prevent these attacks and to meet national defense objectives 
starts with the people behind the keyboard. Our ability to 
field the world's strongest military has always come from the 
collective talent and dedication of our servicemembers and the 
civilian workforce who support them. We must recognize and 
commit to meeting these new threats by developing, fielding, 
and maintaining the world's most capable cyber force.
    That brings us to the topic we will discuss today. In 
short, how do we recruit and retain the very best for civilian 
and military service in the cyber workforce? How do we attract 
top talent, hire them, pay them, manage them, and keep them? 
How do we keep their skills fresh and provide meaningful career 
progression and professional development to ensure we have a 
cyber workforce for the defensive capability to protect the 
nation's networks and the offensive capability to deter 
aggression, not just by traditional cyber adversaries like 
China and Russia, but also by the likes of Iran, North Korea, 
non-state actors, and criminal cartels. What is the proper role 
for the reserve component, especially the National Guard? What 
are the personnel policy implications of sustainable and 
effective management with the private sector?
    I am especially interested in our witnesses' views on the 
proper civilian-military mix for the cyber workforce of 
tomorrow, how we set the course to achieve that mix, and how we 
ensure that our cyber workforce possesses the very best talent 
America has to offer.
    Lastly, I want to know why the Department of Defense has 
been slow to implement some of the authorities it already has 
to hire and retain the best cyber personnel, such as the 
ability to directly hire cyber personel we enacted in Section 
502 in fiscal year 2019 NDAA.
    I am also interested in the status of the authorities 
Congress passed in last year's NDAA regarding Cyber Reserve, 
Cyber Mission Force, and the National Guard Cyber Workforce. 
Have these and other previous authorities to attract and retain 
the best cyber personnel resulted in the expansion and 
improvements necessary for the DOD to detect and defeat the 
cyber intrusions and attacks we are now facing? A
    Again, I am so grateful to our witnesses here today. I 
welcome them all and appreciate hearing your testimony.
    What we will do is we will take your testimony now, but 
when Senator Tillis returns we will pause in your testimony so 
he can give his opening remarks, I will run and go vote, and 
then I will come back, and you can continue your testimony. But 
we will not postpone the hearing for the vote. We will just 
keep it running.
    Our first witness, Mr. Litton, would you like to go first?

  STATEMENT OF LEONARD G. LITTON III, ACTING DEPUTY ASSISTANT 
      SECRETARY FOR DEFENSE FOR MILITARY PERSONNEL POLICY

    Mr. Litton. Yes, ma'am. Thank you. Chairwoman Gillibrand 
and distinguished members, thank you for the opportunity to 
appear before you to today to discuss the health of the DOD 
cyber workforce. I appreciate your support on this very 
important issue.
    My role in performing the duties of the Deputy Assistant 
Secretary for Military Personnel Policy is primarily an 
enabling one, so I will speak to the overarching military 
personnel policies that support the Services and enable them to 
access, support, and attain and retain a highly ready force.
    The Department does desire to be the employer of choice, 
not only for individuals with cyber-related skills but for all 
Americans who are looking and working hard every day to join 
the military. Enabling our cyber forces to operate and defend 
against today's threats will require us to maintain the 
authorities and resources we have now, but also ensure that our 
warriors are properly assessed, compensated, and retained to 
fight and win against these threats.
    As you know, ma'am, the Military Services conduct a whole-
person assessment of each candidate who applies for either an 
officer commissioning or the enlisted force. This holistic 
process looks at a number of factors, including citizenship, 
age, education, physical fitness, conduct, and aptitude. The 
general model is to recruit and assess a qualified field of 
applicants, placing them in a best-fit occupational specialty 
and career trajectory, and provide them the necessary technical 
training to meet those operational objectives. This process 
provides a steady pipeline of highly qualified personnel for 
the required tasks.
    The Military Services can also employ an accession option 
known as ``lateral entry.'' This process allows the active and 
reserve components to recruit highly qualified individuals 
directly from industry to fill those critical requirements and 
bring them in at advanced grades, based on their previous level 
of education and experience.
    The Military Service Academies and Reserve Officer Training 
Corps also have programs focused on attracting young, talented 
officers into the cyber fields.
    For enlisted accessions, the Services utilize an array of 
assessments designed to understand the technical training, 
including cyber. For example, in enlisted cyber specialties, 
the Services utilize a combination of the Armed Services 
Vocational Aptitude Battery (ASVAB) and a targeted cyber 
knowledge test, called the Cyber Test, to identify applicants 
with specific aptitude for cyber career field accessions.
    Additionally, we continuously evaluate new types of 
assessments, for example, a fluid intelligence test called 
``Complex Reasoning'' was recently developed, and we hope to 
have that ready in the 2024 time frame to help us better 
attract and identify cyber capabilities among those who apply.
    The Department realizes that military members with cyber 
experience are in great demand and can command top salaries 
within the private sector. In addition, we have a robust 
military compensation package and a toolkit of bonuses and 
incentives and special pays designed to attract and retain 
these servicemembers with cyber skills.
    We have the authority for enlistment bonuses, and we thank 
you for that, up to $50,000 for those who agree to serve at 
least 2 years in a specified career field, as well as retention 
bonuses up to $30,000 per year of service obligation. The 
Services also have the authority to offer other monetary and 
non-monetary incentives for service in certain cyber-related 
occupational specialties. Non-monetary incentives may include 
choice of duty assignment, guaranteed training, advanced 
education, and other professional development opportunities. 
Additional monetary incentives include the authority for 
assignment incentives and special duty pays that can be as much 
as $5,000 per month.
    The Department prides itself on building a strong and 
viable total force that delivers combat capability around the 
globe. Our cyber personnel are and will remain a critical 
component of the Department's ability to defend the nation.
    I look forward to your questions. Thank you.
    [The joint prepared statement of Ms. Hinton and Mr. Litton 
proceeds Ms. Hinton's statement.]
    Senator Gillibrand. Thank you. Mr. Sherman?

 STATEMENT OF JOHN SHERMAN, ACTING DEPARTMENT OF DEFENSE CHIEF 
                      INFORMATION OFFICER

    Mr. Sherman. Ma'am, good afternoon, and thank you for the 
opportunity to testify today regarding the efforts of the 
Department of Defense to enhance the cyber workforce across our 
enterprise.
    My name is John Sherman. I am the Acting Department of 
Defense Chief Information Officer, a position I have held since 
20 January. I work alongside my colleagues to establish policy 
and provide oversight, direction, and guidance for the cyber 
workforce. We have come far in focusing our efforts to be 
proactive, agile, and competitive in order to recruit and 
retain the most innovative individuals with high-demand skill 
sets while also encouraging increased representation of 
minorities and women.
    I would like to highlight how my office is developing the 
cyber workforce through new policies and governance, using my 
existing oversight. I will speak to how we are leveraging 
special hiring authorities granted to us by Congress and how we 
are recruiting from a diverse pool of candidates.
    However, there is still work to be done. We have put many 
of the key foundational mechanisms in place and have actively 
leveraged the tools at our disposal, but we must build on the 
progress by updating our overarching strategy to ensure our 
workforce is prepared to implement zero trust and the other 
latest approaches to defending our enterprise.
    Our existing cyber strategy from 2018 provides some key 
points on the cyber workforce, but we need a more holistic 
North Star to guide our future cyber workforce efforts. I have 
given my office direction that drafting and coordinating this 
new strategy is a priority going forward.
    Our DOD cyber workforce is comprised of individuals 
including military, civilian, and contractor personnel. Our 
goal has been to refine and hone this critical workforce, but 
we first had to define its composition and ensure we had a 
solid workforce management structure.
    To do this, we created and implemented the DOD's Cyber 
Workforce Framework, which has enabled my office to establish a 
standard lexicon to describe the scope of work in the cyber 
field. We then identified and analyzed cyber work roles with 
greater specificity in order to inform workforce priorities and 
initiatives beyond the legacy occupational descriptions, which 
are too broad in many cases.
    To fully realize the potential of this framework, we are 
developing a new policy serves called 8140, which will drive 
implementation and compliance of our vision. In 2015, 
Department leadership signed the associated DOD directive and 
then updated it late last year. The instruction and manual for 
this policy series are in the final stages of coordination, and 
we are working with Department stakeholders to get these over 
the goal line in the coming months, if not sooner.
    Additionally, we established a tri-chaired form called the 
Cyber Workforce Management Board to govern and oversee 
implementation of the activities in the policy series with 
representation from my office, the Under Secretary for 
Personnel and Readiness, and the Principal Cyber Advisor. We 
recognize this whole-of-department challenge and our approach 
must match.
    Very importantly, we have leveraged the Cyber Excepted 
Services, or CES, personnel system to meet more quickly the 
immediate need of the Department. We now have over 9,000 
positions designed for CES across 10 DOD components, and we 
plan to increase this number even more later this year as Army 
Cyber comes into the fold. Moreover, we are taking lessons 
learned on workforce feedback related to their decisions on 
moving into the CES to inform ways we can socialize this great 
opportunity even more effectively in the future.
    Meanwhile, we are also conducting the congressionally 
directed zero-based review of cybersecurity personnel. Once 
complete, the zero based review (ZBR) will provide us with the 
input to conduct data-driven analysis of our current and future 
workforce needs. We are aiming to complete the initial phase of 
data-gathering by September, and look forward to updating the 
committee later this year, as directed in legislation.
    While we have improved our ability to identify and develop 
the cyber workforce in the past 3 years, I recognize we still 
have work to do, especially as we move out on zero trust. This 
is an approach based on extensive network segmentation and 
protection of the data in the systems, with an assumption that 
adversaries have already breached the perimeter at some point. 
For this and other evolving cyber strategies, we can expect to 
draw an even wider range of skill sets in areas like data and 
artificial intelligence.
    I am confident that our workforce, now and in the future, 
is up to the challenge, and am proud of their ongoing work to 
build, secure, operate, defend, conduct intelligence 
activities, and enable operations through cyberspace. We 
realize that it is an ever-changing space. However, our 
continual workforce updates and upskilling will be critical. 
Our adversaries are definitely not standing still, and we must 
not either.
    Finally, I am committed to continue our efforts to reach 
out to all of this nation's human capital through an ongoing 
focus of the National Security Agency's Cyber Scholarship 
Program and Centers of Academic Excellence accreditation.
    Thank you for the opportunity to speak with you today, and 
I am grateful for the attention you have dedicated to Secretary 
Austin's top three priorities on taking care of our people. I 
stand ready to answer questions.
    [The prepared statement of Mr. Sherman follows:]

                   Prepared Statement by John Sherman
                              introduction
    Good afternoon Chairwoman Gillibrand, Ranking Member Tillis, and 
other members of the Committee. Thank you for the opportunity to speak 
with you today on our most valuable resource to our national security: 
our workforce. In order to continue to lead the way in cyberspace, we 
must continue to modernize our approach to recruit and maintain talent.
    In the modern cyber environment, the race to recruit and retain the 
most innovative individuals with high-demand skillsets is a top 
priority for government and industry leaders alike. Emerging cyber 
talent are faced with an abundance of employment opportunities across 
the private sector where lucrative incentives are available to those 
with high-demand skillsets.
    To maintain a viable cyber-talent pipeline, the DOD CIO is focused 
on a strategy that attracts high-demand skillsets while encouraging 
increased representation of minorities and women. Additionally, the 
strategy recognizes that prospective candidates tend to have a 
preference to have many diverse jobs over the span of a career and seek 
the flexibility to move between industry and the DOD untethered by 
unnecessary barriers. The strategy is built around the DOD Cyber 
Workforce Framework and an associated policy series (8140), which is 
used to govern the workforce and define the work roles necessary to 
achieve success in the cyber domain and information environment. We are 
also working to recruit, train, develop, and retain the best and most 
diverse talent through the Cyber Excepted Service personnel system, the 
Cyber Scholarship Program, and the creation of a platform that helps 
better match a job opportunity with a candidate.
                         defining the workforce
    The DOD cyber workforce is comprised of individuals including 
military, civilian, and contractor personnel. The Department is 
implementing policies and procedures to synchronize the management of 
cyber talent across each of these populations, and across the various 
mission sets required to establish and maintain a competitive advantage 
in the cyberspace domain. The DOD has developed targeted approaches to 
identify critical skill gaps and, subsequently, recruit, retain, and 
develop cyber professionals in an agile manner. As we move through this 
discussion, you will see that the DOD Cyber Workforce Framework, or 
DCWF, is central to DOD's approach for cyber talent.
    The DCWF establishes a standard lexicon to describe the work of DOD 
personnel who build, secure, operate, defend, and protect DOD and U.S. 
cyberspace resources; conduct related intelligence activities; enable 
future operations in and through cyberspace; and project power in or 
through cyberspace. We developed the DCWF by incorporating content from 
both the National Initiative for Cybersecurity Education Cybersecurity 
Workforce Framework and the Department's Joint Cyberspace Training and 
Certification Standards (JCT&CS) to enhance communication and 
coordination with our partners across government, industry and 
academia, while maintaining a mission focus. Notably, the DCWF provides 
the foundation for a broad range of cyber workforce management 
activities across the DOD enterprise.
    This Framework contains 54 `work roles' covering the full spectrum 
of cyber skill sets required for the conduct and support of missions 
within the cyberspace domain. As a result, the DCWF enables the 
Department to understand specific and varied cyber skill requirements, 
and to drive cyber work in a targeted manner independent of historical 
occupational structures that are too generic or rigid to properly 
support our cyber workforce. Specifically, we are using the DCWF to 
conduct targeted identification and analyses of the DOD cyber workforce 
and, subsequently, inform workforce priorities and initiatives. 
Similarly, the DCWF enables us to identify the work roles of critical 
need and develop the mitigation strategies for identified gaps in both 
staffing levels and workforce development activities. Additionally, and 
very importantly, we are leveraging the DCWF to inform for targeted 
recruitment under Cyber Excepted Service, as well as comprehensive 
qualification and management activities as defined under a DOD policy 
series that guide this activity (8140).
    To keep pace with advancements in technology, tactics, techniques 
and procedures within this arena, we designed the DCWF to be updated 
periodically. This approach provides us with a more responsive 
mechanism, as compared to traditional government occupations and human 
resources practices, whereby we can ensure workforce specifications are 
based in current standards. In fact, we are currently engaged in 
refresh activities, which are (in part) focused on expansion of the 
DCWF to include related emerging technologies such as control systems 
security, advanced data analysis, software development, artificial 
intelligence (AI) and machine learning. The Framework allows the 
Department to be agile in its approach to the cyber workforce, as it is 
able to include new emerging technologies under a common umbrella to 
meet the mission needs of our operational stakeholders.
                     developing the workforce . . .
                       . . . through new policies
    To facilitate strategic cyber workforce management activities, we 
are developing the 8140 policy series, which will drive implementation 
of our vision for a robust and trained workforce necessary to meet our 
current and future cyber challenges. These policies accomplish this 
goal by providing a targeted, role-based approach to identify, develop 
and qualify cyber personnel leveraging the DCWF. This series includes 
three components:
    1)  The DOD 8140 Directive, first signed in 2015 and recently 
updated in late 2020, establishes the DCWF as the Department's primary 
mechanism for cyber human capital and talent management at the 
Enterprise level. It unifies the cyber workforce according to cyber 
workforce elements (i.e., IT, Cybersecurity, Cyber Effects, Cyber 
Intelligence, and Cyber Enablers) and defines the roles and 
responsibilities across the DOD enterprise.
    2)  The DOD 8140 Instruction, which is currently in Legal 
Sufficiency Review (a final stage of coordination), will establish the 
procedures for the identification, tracking and reporting of cyber 
workforce requirements. Specifically, every DOD position requiring the 
performance of cyber work will be required to be coded with the 
appropriate DCWF work role. The Instruction also requires the reporting 
of vacancy information and key position designators which will allow 
the Department to engage in strategic workforce planning activities.
    3)  The 8140 Manual, which is also in final coordination, will 
establish enterprise-baseline qualifications program for the DOD cyber 
workforce and encourage the responsible DOD Component or Command to 
augment the baseline standards with environment-specific requirements 
based on specific technology and known threat vectors. This policy will 
provide the DOD with flexibility needed across varied cyber mission 
sets, while moving away from a legacy compliance-based approach to 
focus on demonstration of capability.
                 . . . through governance and oversight
    To govern and oversee implementation of the activities specified in 
the policy series, we have established the Cyber Workforce Management 
Board (CWMB) to provide executive level oversight over the 
implementation of the DCWF and the human capital and management 
policies described in the 8140 policy series. This forum is tri-chaired 
by representatives from my office, the Undersecretary of Defense for 
Personnel and Readiness (USD (P&R)), and the Principal Cyber Advisor. 
The CWMB Charter also includes other aspects of management across the 
functional communities that comprise our cyber workforce, to include 
coordination and communication of recruitment and retention activities, 
identification and management of hiring authorities, and implementation 
of the Cyber Excepted Service Personnel System.
             . . . by leveraging special hiring authorities
    The Department faces a range of challenges centered on Talent 
Management of the Cyberspace workforce. Employing the authority to 
establish the Cyber Excepted Service (CES) via Section 1599f of title 
10, U.S.C. addresses these challenges head-on. Working together DOD CIO 
and USD (P&R) have focused on tools for The CES which currently applies 
to 89,000 identified positions covered under CES with 6,500 who have 
been converted or appointed for (1) classification and recruitment and 
(2) pay setting/compensation flexibilities with the capability to 
expand beyond the current CES workforce.
    (1)  Classification and Recruitment: The ability to recruit top-
tier talent starts with changing how organizations and HR professionals 
source job opportunities and reducing the amount of time it takes to 
hire talent. In order to recruit the sort of diverse and sought-after 
cyber talent we need here at DOD, we've found that we need to leverage 
alternate talent resources outside of USAJobs (i.e., virtual job fairs, 
organization-specific job announcement websites, and on the spot job 
offers) to hire and onboard cyber candidates, as well as leverage the 
flexibilities afforded in the CES Personnel System. Starting in fiscal 
year 2021, we in DOD CIO provided access for CES organizations to 
leverage the DOD Emerging Technologies Talent Marketplace, AI platform 
that contains a broad Federal Occupational Database with job/position 
classification standards and DCWF work role codes. The expedited 
position classification streamlines the recruitment process. 
Additionally, the platform serves as an open talent marketplace with a 
Candidate-Centric design, focusing on the needs, objectives, and Point 
of View (POV), for long-term relationship building.
        It also means relying less on traditional measures, like the 
length of experience, in favor of matching candidate competencies and 
skills to positions in the organization holistically. This candidate-
centric approach allows non-traditional sources of talent (ex: self-
taught technologist) to gain access to jobs and that, in turn, expands 
diversity as well as employee engagement by targeting non-traditional 
sources (reference artifact) of talent.
    (2)  Pay Setting/Compensation Flexibilities: Hiring, training, and 
developing a highly-skilled workforce will remain a constant struggle 
without equal importance being placed on retaining a qualified 
workforce. To address this, in January 2021, the DOD CIO working 
through USD(P&R), deployed a CES Targeted Local Market Supplement 
(TLMS) applicable to seven mission-critical DCWF work roles. The TLMS 
is designed to reduce attrition of critical civilian employee segments, 
as well as, attract, engage, and retain high-potential cyber talent.
              . . . and through educational opportunities
    The DOD Cyber Scholarship Program (CySP) is a useful tool to 
enhance the skills of our workforce, as well as to offer opportunities 
to new and more diverse entrants to our team. This program is a result 
of commitment from DOD and Congress to support higher education as a 
means to prepare the DOD workforce to deal with threats against the 
Department's critical information system and networks. It is authorized 
by Chapter 112 of U.S.C., Section 2200, designed to encourage the 
recruitment of the nation's top cyber talent and the retention of DOD 
personnel who have skills necessary to meet DOD's cyber requirements. 
It provides scholarships to students in pursuit of cyber-related degree 
at National Centers of Academic Excellence in Cybersecurity (NCAE-C), 
Cyber Defense Research (CAE-R) or Cyber Operations (CAE-CO).
    There is an additional option for NCAE-C's to apply for modest 
institutional capacity building. DOD CIO will outline the projects for 
each application cycle in the annual solicitation. The projects may be 
tied to two specific DOD-focused initiatives: DOD Partnerships and 
Outreach to K-12, Minority-Serving Institutions, Community Colleges; 
and technical schools.
                      looking ahead to the future
    While we have improved our ability to identify and develop the 
cyber workforce over the past three years, we still have work to do 
with regards to other high-tech skillsets. As noted earlier, we are 
pushing forward an expansion of the DCWF to include related emerging 
technologies such as control systems security, advanced data analysis, 
software development, AI, and machine learning. Additionally, we are 
working to make the current DOD Talent Marketplace platform operational 
so that it can be used to recruit the entire emerging technologies 
workforce. Unlike traditional Federal hiring platforms The ``Talent 
Marketplace'' platform enables an understanding of each candidate's 
unique preferences to enable a ``Smart Match'' of candidates to the 
jobs that align with their needs and desires. Content is regularly 
pushed to candidates to keep them abreast of new opportunities and new 
developments. Digital personalization is made possible by artificial 
intelligence and data analytics algorithms to allow for a scalable 
process that is, at the same time, very engaging.
    Meanwhile, as directed by the Fiscal Year 2020 National Defense 
Authorization Act (NDAA), we are conducting a zero-based review (ZBR) 
following a phased approach using representative organizations for each 
Military Service/Component and the 4th Estate to review Civilian and 
Military workforce positions in Cyber Security and Cyber IT functional 
areas for the workforce. Every Component will conduct a ZBR and submit 
reports to the Tri-Chair (which includes DOD CIO, PCA, and USD (P&R)) 
by December 2021; the Tri-Chair will then brief Congress and recommend 
changes by June 2022.
    To date, the ZBR has provided us with a useful metric to 
demonstrate the effectiveness of the DCWF and the forthcoming 8140 
policy series. We plan to use the findings of the current ZBR effort to 
inform our decisions regarding the direction of the workforce and 
related workforce management activities. Furthermore, a process is 
being established as part of the ZBR NDAA 1652 requirement. The CWMB 
established an initial plan, put in the individual steps and lessons 
learned during Phase 1 (Singular pilot organization) and are currently 
testing and refining the process with the remaining organizations 
during Phase 2. Once completed it will be an official process in the 
form of a ZBR ``How to Guide'', used to repeat the evaluation of other 
functional areas of the cyber workforce, be used on any size effort at 
multiple echelons; positioning the Services and Components to 
proactively assess their current workforce state across all cyber 
functional areas; enabling the development of well-justified plans for 
the future that ensures alignment to the Department's strategic 
priorities.
    Thank you for the opportunity to address the committee today and 
for your continued partnership. We would also like to take this 
opportunity to thank our dedicated and talented workforce who work 
every day to defend our Warfighters against our adversaries in 
cyberspace. These professionals are our frontline in an unending 
battle, and we owe our continued ability to accomplish our mission to 
their steadfast determination and expertise.

    Senator Gillibrand. Now I would like to introduce Senator 
Tillis for his opening remarks. I will run and go vote, and 
then when you are completed you can call on Ms. Hinton and then 
Lieutenant General Crall, and I will be back ASAP.

                STATEMENT OF SENATOR THOM TILLIS

    Senator Tillis. Thank you, Madam Chair, and thank you all 
for being here today. I am sorry I was late. We are doing the 
tag team for voting.
    I just want to say the success in the cyber domain is 
uniquely reliant on highly skilled personnel. We all know that. 
We have had several discussions and meetings about it. Where 
stealth technology and smart weapons provide the United States 
with a discernable advantage in traditional warfighting 
domains, the U.S. military does enjoy a similar technological 
advance when it comes to cyberspace. Rather, we must rely on 
the intelligence, creativity, and cunning of our people if we 
are to be successful with this rapidly changing environment.
    Fortunately, this country still produces the world's most 
innovative cyber talent. The Department of Defense's challenge 
is to make itself appealing to that talent. Since success in 
cyberspace is so heavily dependent on skilled people, the last 
several NDAAs included numerous provisions focused on military 
and DOD civilian workforce.
    I look forward to asking questions about the creative 
recruiting and retention ideas, some of the authorities we have 
given, whether or not they have been fully implemented, and 
what more authorities and creative thinking we should consider 
to be absolutely certain we are bringing the best and brightest 
into the cyber domain within the Department of Defense.
    So thank you all for being here. We will continue the 
introductions. Ms. Hinton?

   STATEMENT OF VERONICA E. HINTON, ACTING DEPUTY ASSISTANT 
      SECRETARY FOR DEFENSE FOR CIVILIAN PERSONNEL POLICY

    Ms. Hinton. Ranking Member Tillis, thank you for the 
opportunity to appear at today's hearing to discuss the health 
and readiness of the DOD's cyber workforce.
    Today, as the Acting Deputy Assistant Secretary of Defense 
for Civilian Personnel Policy, I am representing the Office of 
the Under Secretary of Defense for Personnel and Readiness, the 
Department's chief human capital officer, to discuss matters 
related to the civilian cyber workforce.
    Important to this discussion is the acknowledgement that we 
live in a relentlessly evolving and fiercely competitive world 
where technological achievements are driving immense change 
across political, economic, and social landscapes. As such, the 
Department strives to cultivate a technologically dominant 
force that is strategically ready, globally relevant, and 
flexibly sustainable. Competition for high-quality, experienced 
cyber workforce personnel is constant and increasingly 
aggressive. However, the Department shares your vision and 
commitment to pursuing, recruiting and retaining world-class 
cyber talent to advance and achieve the DOD's unique mission.
    DOD is one of the three largest markets for cyber talent in 
the United States due to its size, its continuous adoption and 
adaptation of technology, and its extensive mission 
requirements. Therefore, we must be tenacious in not only fully 
utilizing the appointment and compensation flexibilities that 
Congress has provided but must increasingly invest in human 
capital initiatives, training and development for the civilian 
cyber workforce. This focus includes designing and implementing 
programs and policies that eliminate any barriers and 
inefficiencies that may detract from our ability to acquire 
needed and diversified talent, expand pathways to service, and 
enable a flexible workplace essential to the future of work.
    Additionally, we are expanding our outreach, including with 
the private sector, to recruit top talent from across all 
segments of society, while retaining and compensating current 
technical talent and closing mission-critical gaps.
    To assess our progress, the Department has established 
capability to identify, evaluate, and manage the civilian cyber 
workforce, and is also leaning forward utilizing advanced data 
analytics and technological tools to better match potential 
candidates and current employees against talent and competency 
gaps in various locations across the globe, proving real-time 
solutions to organizational needs. We are working closely with 
industry experts in the cyber community to build hiring 
assessments that will better match top talent to specific 
competency and skills needs, reducing time to hire, and 
equipping hiring managers with the best talent.
    In recent years, Congress has provided several DOD-
exclusive civilian hiring authorities that are helping to meet 
our objectives. In particular, Section 1109 of the National 
Defense Authorization Act of fiscal year 2020 granted 
streamlined and enhanced direct hire authorities, including an 
expanded direct hire authority for cyber workforce positions. 
The expansion of this coverage has been beneficial in that it 
has allowed the Department the ability to directly hire for any 
and all critical cyber skill sets.
    The Department is also utilizing a variety of compensation 
tools, including the use of Federal-wide special salary rates 
and the added flexibility of the cyber-accepted service that 
allows the Department to implement targeted local market 
supplements for certain cyber occupations and locations. The 
Department appreciate such authorities which expand our 
toolkit, and are much needed to attract and retain the best 
talent and compete with the private sector for the same skill 
sets.
    The Department further acknowledges that civilian personnel 
policies should be as clear and concise as possible. We are 
committed to ensuring that we are training and assisting human 
resource professionals and managers alike in the use of cyber 
personnel management authorities and flexibilities. This not 
only includes streamlined and efficient guidance on the use of 
the authorities and implementation procedures, but also 
gathering and analyzing data to better equip practitioners with 
the necessary information to proactively address emerging 
requirements.
    The Office of Personnel and Readiness continues to ensure 
that information disseminated across the Department encompasses 
the full spectrum of hiring options that enable hiring managers 
to reach the right talent, at the right time.
    We thank you for your continued interest and support of the 
DOD civilian workforce. I look forward to your questions.
    [The joint prepared statement of Ms. Hinton and Mr. Litton 
follows:]

 Joint Prepared Statement by Ms. Veronica Hinton and Mr. Leonard Litton
    Chairwoman Gillibrand, Ranking Member Tillis, and distinguished 
members of the subcommittee, thank you for the opportunity to appear 
before you today to discuss the role of the Office of the 
Undersecretary of Defense for Personnel and Readiness (OUSD(P&R)) in 
supporting and maintaining the health of the Department of Defense (DOD 
or Department) cyber workforce.
    The Department is committed to pursuing, recruiting, and retaining 
world-class cyber talent, enhancing and improving the lifecycle 
management of the cyber workforce, and modernizing personnel policies 
and programs which best support the cyber critical functions and 
personnel needed to advance and achieve the DOD's unique mission. We 
recognize that in order to defeat our adversaries, now and into the 
future, we must keep pace with the dynamic security environment and 
ensure that our policies and procedures are rapidly adapted to equip 
our workforce with the tools needed to address emergent national 
security cyber requirements.
    The DOD cyber workforce consists of both a civilian and military 
component, and we continue to pursue and employ the necessary 
authorities to efficiently recruit and retain top cyber and other 
technical talent. We are working diligently to close critical talent 
gaps, enhance professional development, and build a robust student 
pipeline that will position the Department of Defense for future 
success. Furthermore, DOD supports the removal of barriers necessary to 
facilitate the acquisition of critical talent, expand pathways to 
service, and enable the flexible workplace essential to the future of 
work. The Department appreciates, and continues to exercise the 
flexibilities granted by Congress to design and implement programs and 
policies that promote the health of the cyber workforce.
                             civilian force
    The civilian cyber workforce is overseen by a single overarching 
Department-level cyber governance structure that ensures successful 
implementation, and proper and effective use of Congressionally 
approved authorities and flexibilities. The governance structure, known 
as the Cyber Workforce Management Board (CWMB), includes stakeholders 
from across DOD, including the USD(P&R), the Principal Cyber Advisor, 
and the DOD Chief Information Officer (CIO), as well as the Under 
Secretary of Defense for Intelligence and Security, the U.S. Cyber 
Command (USCYBERCOM), and representatives from each of the Military 
Departments.
    The USD(P&R), who also serves as the DOD Chief Human Capital 
Officer, exercises broad oversight for civilian personnel programs and 
functional communities for the Department, and is responsible for 
providing key advice and assistance to the CWMB on cyber workforce 
matters. The USD(P&R) partners with the DOD CIO to develop, manage, and 
evaluate cyber workforce policies and programs, including those related 
to hiring, compensation, and the development of civilian cyber talent.
    OUSD(P&R) remains actively engaged in the oversight of the Cyber 
Excepted Service (CES), including its training and implementation 
objectives, and serves as an active participant in the planning and 
phased execution of the Department's Zero-Based Review of cyber and 
technology personnel. Pursuant to this governance structure and 
engagement, the Department is well positioned to manage, evaluate, and 
advance the cyber civilian workforce.
Cyber Civilian Workforce
    The Federal Cybersecurity Workforce Assessment Act of 2015 required 
all Federal Agencies to develop procedures and code positions 
performing information technology (IT), cybersecurity, and other cyber-
related functions. The DOD CIO issued implementing guidance, which 
required DOD Components to code all civilian cyber workforce positions, 
including legacy IT positions, those involved in cybersecurity, and key 
positions engaged in research and development, test and evaluation, 
program management, acquisition, software development, engineering, 
intelligence, and other relevant activities. Given the complexity of 
defining these roles in certain populations, this effort remains 
ongoing; however, it has proven crucial to the Department's ability to 
manage, evaluate, and educate the cyber civilian workforce.
    To that end, the USD(P&R) supports the DOD CIO's efforts to track 
and monitor the cyber civilian workforce by providing regular, 
recurring personnel data reports on the cyber coded workforce, and in 
collaboration, develops new reports and provides additional analyses of 
the workforce's health and behaviors. Currently, the DOD cyber coded 
workforce is made up of over 65,000 personnel, including over 6,500 who 
have been converted or appointed into the CES. Ten DOD organizations 
have converted into the CES, with the Army Cyber Command expected to 
begin conversion in fiscal year 2022.
    The cyber civilian workforce is demographically consistent to the 
appropriated fund civilian workforce; however, in comparison, the 
civilian cyber workforce has a higher percentage of those holding 
Bachelor's and Master's degrees to those of the broader population 
(Cyber Bachelor: 38.17 percent versus APF: 28.76 percent; Cyber Master: 
20.26 percent versus APF: 17.62 percent). Between fiscal year 2018 and 
fiscal year 2020, the overall cyber workforce increased an average of 6 
percent (fiscal year 2018: 6.9 percent; fiscal year 2019: 7.8 percent; 
fiscal year 2020: 3.4 percent). When coupled with that of average 
annual loss, 0.7 percent, and the number of those currently eligible to 
retire (13.93 percent), the Department is postured to continue to renew 
its talent and expertise while maintaining continuity of mission.
Civilian Hiring Authorities and Compensation Flexibilities
    In recent years, Congress has provided several DOD-exclusive 
civilian hiring and compensation authorities that have better postured 
the DOD to be able to recruit and retain an effective and highly 
qualified cyber civilian workforce. We appreciate Congress' recognition 
of our need for increased flexibilities to attract, hire, and retain 
high quality civilian personnel in a timely manner. The Department 
continues to proactively ensure their effective application across 
cyber-specific functional/organizational areas, and assess the need for 
new authorities to aid recruitment and retention. It is through 
partnership with CIO, the DOD Components, and the cyber functional 
community, as well as with private industry, that we will continue to 
effectively implement our flexibilities and further expand our outreach 
and pathways to recruit and hire top talent from across all segments of 
society, while retaining current technical talent and closing mission-
critical gaps.
  DOD Hiring Authorities
    The CES, codified in section 1599f of title 10, United States Code 
(U.S.C), authorizes the Secretary of Defense to hire cyber personnel to 
positions in the excepted service in the USCYBERCOM headquarters, 
elements of USCYBERCOM enterprise relating to cyberspace operations, 
and in supporting elements of the Military Departments. This authority, 
coupled with certain enhanced pay flexibilities, provides agility, 
mitigates challenges of recruiting and retaining quality civilian 
talent, and thus, helpful to the Department in competing with the 
private sector for cyber talent.
    Additionally, in Fiscal Year 2017, section 1643(a)(3) of the 
National Defense Authorization Act (NDAA), authorized the Secretary of 
Defense to appoint qualified individuals directly into the USCYBERCOM 
and its enterprise in positions in the competitive service. This 
Direct-Hire Authority (DHA) provides interim authority to improve the 
Department's ability to hire civilian personnel necessary to support 
the cyber mission, and is intended to be superseded upon full 
implementation of the CES. Like other DHAs granted to the Department, 
this authority provides flexibility to hire critical cyber talent 
without applying traditional title 5 competitive procedures.
    The Department recently sought streamlined, simplified, and 
standardized authorities to enable efficient hiring for mission 
critical positions that enhance readiness. Section 1109 of the NDAA for 
fiscal year 2020 granted such streamlining and enhanced certain 
existing DOD DHAs, including an expanded DHA for cyber workforce 
positions. The expansion of coverage has been beneficial in that it has 
allowed the Department the ability to directly hire for any and all 
critical cyber skillsets. The streamlined authority, which has been in 
use for a part fiscal year 2020 and fiscal year 2021, garnered a 
significant average decrease in time-to-hire from fiscal year 2019 
(fiscal year 2019: 117 and fiscal year 2020/21: 89). The Department 
expects to see continued decreases under the streamlined approach.
    Between fiscal year 2019 and fiscal year 2021, the utilization of 
direct hiring authorities for cyber security professionals has yielded 
over 4,200 cyber professionals to date, with hires expected to increase 
each fiscal year. During the same timeframe, the Department utilized 
other hiring authorities to appoint over 12,500 cyber coded civilians. 
Of note, in fiscal year 2021, DOD utilized the expanded cyber DHA about 
32 percent of the time, while continuing to utilize the full range of 
delegated examining, veterans hiring, and other competitive and 
noncompetitive authorities to reach qualified and diverse cyber talent.
  Compensation Flexibilities
    The Department utilizes a variety of compensation flexibilities in 
order to recruit and retain its top cyber talent. Entry and 
developmental computer engineers, computer science specialists, and IT 
specialists are all brought in under the Federal-wide special salary 
rates, which are higher than normal rates of basic pay which allows the 
Department to more comparatively compensate these specialties to that 
of the private sector. The added flexibility of the CES has also 
allowed the Department to implement targeted local market supplements 
for certain cyber occupations and locations, and to extend the pay 
scale to the equivalent of step 11/12 on the GS pay scale. 
Additionally, the Department utilizes advanced-in rates to recruit its 
talent, bringing 39.9 percent of the cyber workforce new hires in 
fiscal year 2020 at a step 2 or higher (36 percent in fiscal year 2018; 
39.5 percent in fiscal year 2019).
    Furthermore, we utilize recruitment, relocation, and retention, as 
well as student loan repayment incentives to better attract and retain 
this in-demand talent. In fiscal year 2020, of the 2,143 cyber 
workforce hires, 30.3 percent were given a recruitment or relocation 
incentive, a 21 percent increase from fiscal year 2019 (9.27 percent); 
3.87 percent were given student loan repayment (3.1 percent in fiscal 
year 2019); and 1.68 percent (1,058) of the total cyber workforce in 
fiscal year 2020 were given a retention incentive (0.33 percent in 
fiscal year 2019 (194)).
    Finally, section 241 of the NDAA for fiscal year 2021 afforded the 
Department the authority to provide special pay incentives for 
proficiencies beneficial to national security interests, including in 
computer or digital programming languages. The Department is working in 
partnership with the DOD CIO to implement the policy for this section 
of law. Such authorities expand the Department's toolkit of 
compensation authorities much needed to attract and retain the best 
talent and to compete with the private sector for the same skillsets.
Human Resource (HR) Training
    The Department acknowledges that civilian policies should be as 
clear and concise as possible to enable DOD organizations to acquire 
talent where and when needed to increase readiness and lethality across 
the Department. This requires the effective professional development of 
our HR workforce. The Department is committed to ensuring that we are 
training and assisting HR professionals and managers alike in the use 
of cyber personnel management authorities and flexibilities, and 
increasing our partnerships with hiring managers and organizations to 
achieve the common objective of bringing on new talent. This not only 
includes streamlined and efficient guidance on the use of the 
authorities and implementation procedures, but also proactively 
gathering and analyzing data to better equip practitioners with the 
necessary information to proactively address emerging requirements.
    In implementing our cyber authorities, the OUSD(P&R) worked closely 
with the DOD CIO and cyber functional community in its development and 
delivery of CES training for the affected workforce, leadership, and HR 
professionals. Encapsulated within the DOD Cyber Exchange public facing 
site are online courses and job aids that cover concepts from CES 
history; understanding employment and placement authorities and 
flexibilities; compensation administration; and the overall execution 
of the HR lifecycle for the CES workforce.
    Additionally, OUSD(P&R), in its functional oversight role, 
continues efforts to ensure that information provided to HR personnel 
across the Department encompasses the full spectrum of hiring options 
that enable hiring managers to reach the right talent at the right 
time. Information is disseminated regularly through policy, memoranda, 
community messaging, job aids, and recruitment, compensation, and 
functional community-specific working groups to ensure the HR workforce 
is prepared to meet their customer's needs.
    Specific to this role, most recently, section 246 of the NDAA for 
fiscal year 2021 required the Department to develop a training program 
for HR personnel in best public and practices for attracting and 
retaining technical talent, which would include cyber talent. The 
Department is working with the Under Secretary of Defense for Research 
and Engineering and other functional managers of technical, digital, 
and cyber workforces to implement a pilot program by January 2022 
focused on the use of DHAs, competitive and excepted service 
authorities, special pay authorities, and private sector practices.
                             military force
    Maintaining a strong military force requires Service end-strengths 
that are appropriate and cost-effective. The Department manages the 
total military workforce through broad-based personnel policies 
promulgated to allow the Services and functional communities to have 
the tools and flexibility they need to meet their manning requirements.
    Threats in the cyberspace domain are constantly evolving and 
emerging. Enabling our cyber forces to operate and defend against these 
threats will mean maintaining the military authorities and resources we 
have today, while also ensuring our cyber warfighters are properly 
accessed, compensated, and retained to prepare for these threats.
Military Accession Standards and Recruiting
    The Military Services conduct a ``whole person assessment'' of each 
candidate who applies for either an officer commissioning program or 
the enlisted force. This holistic process reviews a number of factors 
including citizenship, age, education, medical/physical fitness, drug 
and alcohol abuse, conduct, and aptitude. This process is continuously 
evaluated, ensuring we use valid, reliable, and fair criteria and 
measures. Continuous refinements result in an improved ability to 
select a talented and diverse cohort, which in turn contributes to 
improved training graduation, lower attrition, greater lethality, and 
improved retention. The general DOD model is to recruit and access a 
qualified field of applicants, place them on best-fit occupational 
career trajectories, and provide the necessary technical training 
required to meet operational objectives. This process provides a stable 
pipeline of highly qualified personnel for education and training in 
emerging fields, such as cyber and artificial intelligence.
    The Services can also employ an accession option known as ``lateral 
entry.'' This process allows the active and reserve components to 
recruit highly qualified individuals directly from the civilian 
population to fill critical requirements. These individuals are allowed 
to enter at advanced grades based on the level of their education and 
experience.
    The basic eligibility criteria and screening process for cyber 
recruits is the same as it is for all other candidates: each must meet 
Service and DOD standards for enlisting or entering an officer 
commissioning program. Once qualified, the process for assigning 
officer candidates and enlisted recruits into occupational specialties 
is based on a talent management model which includes measures of 
operational requirements, cognitive ability, personality, and interest.
    The Military Academies and Reserve Officer Training Corps programs 
have been successful at attracting talented young officers into the 
cyber fields. The Academies and Senior ROTC (Reserve Officer Training 
Corp) all have a cyber-focused program, with a curriculum that immerses 
students in the cybersecurity discipline while educating them to become 
future military leaders. These programs exist to educate Cadets/
Midshipmen on the needs of the national cyberspace operations 
community, helping them develop skills necessary to fight and win in 
the cyber domain.
    The Services' ongoing collaboration with industry leaders to 
further the skills sets of these officers also provides an incentive 
for individuals to consider military service. For enlisted accessions, 
the Services utilize an array of assessments to assign individuals to 
technical training, including cyber. For example, in enlisted cyber 
specialties the Services utilize a combination of general aptitude 
assessment based on the Armed Services Vocational Aptitude Battery, and 
a targeted cyber knowledge test, called the Cyber Test (CT) to identify 
applicants with aptitude and applicable knowledge in the cyber career 
field. CT was developed to specifically predict performance in cyber-
related training, and includes items to assess knowledge and ability 
across four dimensions: Computer Operations, Networking and 
Communications, Security and Compliance, and Software Programming and 
Web Design.
    Additionally, the Office of the Secretary of Defense and the 
Services are continuously evaluating new types of assessments that can 
provide added information in identifying applicants with the highest 
aptitude for cyber. For example, a fluid intelligence test called 
``Complex Reasoning'' was recently developed. This assessment will 
further complement the current battery of tests by measuring abilities 
such as problem decomposition, abstraction, pattern recognition, and 
analytic ability, all of which have been shown to be indicators of 
success in the cyber field.
Military Compensation
    The Department realizes that military members with cyber experience 
are in great demand and can command top salaries within the private 
sector. In addition to the robust military compensation package the 
Department offers, the Services can also offer bonuses and incentives 
to attract and retain Service members in all specialties, to include 
those in the cyber community.
    Today, the military offers a range of enlistment, reenlistment, and 
Selective Retention Bonuses to encourage individuals to enlist, re-
enlist, or extend their enlistments. Similarly, the Department also has 
the ability to offer a variety of bonuses and incentives to attract and 
retain officers who commit to serve in cyber warfare communities for 
specified periods.
    The Department has the authority, pursuant to title 37, U.S.C. 
section 331, to offer a general bonus for enlisted members. This 
enlistment bonus is up to $50,000 for those who agree to serve for at 
least two years in a specified career field--such as cyber--as well as 
a retention bonus of up to $30,000 per year of service obligation. A 
companion authority for officers, 37
    U.S.C. section 332, allows bonus payments of up to $60,000 for an 
initial minimum of 3 years of service upon commissioning, and an annual 
retention bonus of up to $50,000. The Reserve Component also has 
retention bonuses available--up to $12,000 annually for officers.
    The Services have the authority to offer other monetary and non-
monetary incentives for service in certain cyber-related occupational 
specialties and duty assignments. Non-monetary incentives may include 
choice of duty assignment, guaranteed training, advanced education, and 
other professional development opportunities. Additional monetary 
incentives currently include the authorities for assignment incentives 
and special duty assignment pays. These pays can cumulatively be as 
much as $5,000 per month ($60,000 annually).
    Overall, the monetary and non-monetary incentive authorities 
available to the Department and Military Services are robust, and 
provide the Department with the ability to selectively target 
incentives to members in specific skills and cyber-career fields. This 
allows the Department to remain competitive in attracting and retaining 
our military cyber workforce.
Military retention
    The Department continues to exhibit strong retention through the 
first two quarters of the fiscal year and is projected to meet fiscal 
year 2021 retention goals. Although shortages in specialty areas do 
exist, in addition to the statutory requirements directed at the 
Department to increase retention, our Department of Defense 
Instructions govern bonuses/incentive pays that establish the minimum 
service obligations/additional service obligations members must fulfill 
in exchange for receiving training and or a bonus/payment. 
Additionally, in order to mitigate these shortages, the Services 
utilize retention levers in the form of monetary and non-monetary 
incentives (e.g. bonuses, stabilizations, station of choice, etc.) to 
retain the best and brightest in all of our specialties which would 
include our cyber community.
    We are confident that our retention polices are adequate to present 
a mission-ready cyber workforce, and the Military Services do not 
currently feel additional authorities are required to achieve our cyber 
personnel targets.
                               conclusion
    The Department prides itself in building a strong and viable Total 
Force that delivers combat capability around the globe. Our cyber 
personnel are and will remain a critical component of the Department's 
ability to defend the Nation. Through the use of the processes, 
procedures, and policies we have in place, we can attract, 
appropriately compensate, and retain the best Total Force in the world. 
We look forward to any questions you may have at this time.

    Senator Tillis. [Presiding.] Thank you, Ms. Hinton. General 
Crall.

    STATEMENT OF LIEUTENANT GENERAL DENNIS A. CRALL, USMC, 
 DIRECTOR, COMMAND, CONTROL COMMUNICATIONS AND COMPUTERS/CYBER 
         AND CHIEF INFORMATION OFFICER, JOINT STAFF, J6

    General Crall. Sir, thank you for the opportunity to share 
a few thoughts and then certainly get into your questions.
    It is very clear that the committee knows the challenge we 
face. You know, we are about warfighting businesses in the 
Joint Staff, and the digital nature of the fight that we 
expect, especially at pace and speed, is going to demand 
workforce and talent level that we have not seen before. The 
human-machine interface brings a demand that is going to have 
to be found, cultivated, educated, and implemented to get that 
level of experience as we learn and work our way through this 
new capability set.
    You have heard from my partners up here the number of 
efforts that are underway, but I take maybe a more sobering 
look at where the need lies ahead, to make sure we fulfill your 
charge. You said be absolutely certain that we are getting the 
right talent, basically delivered at the right time, and I am 
not absolutely certain.
    I had the opportunity to do some traveling with the Vice 
Chairman the week before and talk to some industry leaders, and 
I specifically challenged them as to how they went about 
finding the talent to fill the same billets that we are looking 
to fill, the same people with the same skill sets. We always 
talk about money as being maybe the driving factor, but I 
learned some things that challenged my previous thinking on our 
approach to this.
    So while many of the endeavors that you have heard about 
and will hear today are certainly worthwhile as we work our way 
through feeling out what works best for us, I do not think we 
know our target audience as well as we need to. We need to find 
out what really motivates individuals to want to serve in the 
capacity that we are offering.
    We also need to do a better job in evaluating the very 
programs that we are describing. I do not believe that while 
they are interesting to approach and employ, they may not all 
deliver in the way that we expect, and we certainly want to 
tweak the ones that can be maximized to deliver that output, 
and maybe retire some that are not working. So we owe a better 
understanding and study of our own efforts and our own 
audience.
    So while I am excited and optimistic at the opportunity to 
get after fulfilling this talent range that we need, I am 
concerned about pace. I think the divide between the need is 
growing, compared to what we are able to fulfill. I am not sure 
we are closing the gap, and I think time is ticking for us to 
do so. So the challenge is certainly understood, I think on 
both ends, and we are looking to maximize the very empowerments 
that Congress gave us to get after this. But I think more time 
and more effort and a faster pace is needed, and probably a new 
approach to our thinking, to make sure that we can meet the 
need.
    Thank you, sir. I look forward to your questions.
    [The prepared statement of General Crall follows:]

        Prepared Statement by Lieutenant General Dennis A. Crall
    Thank you Chairwoman Gillibrand, Ranking Member Tillis, and Members 
of the Personnel Subcommittee. It is an honor to appear before you to 
discuss the military requirements relating to the cyber workforce 
within the Department of Defense. I appear before you today in my role 
as the Director for Command, Control, Communications and Computers/ 
Cyber and Chief Information Officer for the Chairman and Vice Chairman 
of the Joint Chiefs of Staff.
    My testimony will focus on the cyber workforce required to meet 
current and future defense requirements and mission demands as well as 
the talent management required for recruiting and retaining world-
class, cyber professionals. These comments serve to complement my DOD 
CIO colleague's discussion of Department-wide cyber workforce 
initiatives, and my Personnel and Readiness colleagues' civilian and 
military workforce policy review.
    Requirements. The Cyber Mission Force consisting of approximately 
6,187 personnel, comprising 133 active component teams, grew out of the 
DOD Requirements process in fiscal year 2012--USCYBERCOM initially 
submitted a Program Budget Review (PBR) 2014 issue paper requesting 
1,204 billets to ``Defend the Nation,'' which was composed of 479 
National Security Agency billets and 725 Service billets. This was 
focused on deterring/ defeating cyber-attacks against the US.
    During the PBR 2014 process, United States Cyber Command 
(USCYBERCOM) briefed emerging operational requirements to the Joint 
Chiefs of Staff, identifying the need for additional offensive and 
defensive manpower to address Combatant Command warfighting 
requirements. This expanded the original manpower requirements issue 
paper request from 1,204 to 6,244 billets in the active component, 
distributed across the United States Army, Air Force, Navy and Marine 
Corps. Chairmen of the Joint Chiefs of Staff (General Martin Edward 
Dempsey, at the time) endorsed the requirement. It was approved at the 
Deputy's Management Action Group (DMAG), fully sourcing in the 2014 
Program Decision Memorandum. This remains, by and large, the Cyber 
Mission Force that we have today. I will note that in fiscal year 2014 
the Department of the Army also made an internal Service decision to 
establish 21 Cyber Protection Teams (11 in the Army National Guard and 
10 in the Army Reserve), the development of which would be phased over 
time with them all becoming fully mission capable by fiscal year 2022.
    In June of 2020, the Commander USCYBERCOM briefed the Secretary of 
Defense as part the Combatant Command Review process on the need for 
assessed force growth to address ever emerging threats presented by 
persistent adversaries. Accordingly, USCYBERCOM submitted a new Issue 
Paper for 14 additional Cyber Mission Force Teams during the fiscal 
year 2022-2026 Program Review.
    Talent Management. The Department must seek all opportunities to 
garner new talent whether through traditional recruiting offerings or 
authorities provided through initiatives such as the Cyber Excepted 
Service (CES) personnel system. The Fiscal Year 2020 NDAA House Armed 
Services Committee encouraged the Department to better utilize 
statutory authorities for recruitment and retention. Within my 
Directorate of the Joint Staff, I worked with the Cyber Workforce 
Management Board to identify areas where we can leverage the existing 
authorities in section 1599f of title 10, U.S. Code, to further efforts 
to recruit and retain talent as part of the CES. Within the Department, 
more components are currently assessing where that authority can best 
be leveraged.
    The Department must also re-think our perspectives related to 
recruitment and retention, a lesson we may be able to learn from 
industry. For example, industry leaders have explained to me that new 
recruiting successes are those that allow individuals to work where 
they desire to live. The nature of many of these digital work roles may 
lend themselves to remote work if the facilities are provided to 
accommodate classified work (when required). Additionally, private 
sector corporations are abandoning conventional recruiting campaigns 
where they advertise billets and pay for leads of prospective 
applicants. Instead, they are increasing partnerships with universities 
to create a ``human supply chain'' of sorts where they set education / 
experience requirements and hire from these sources almost exclusively. 
Participating schools agree to align their curricula with the skillsets 
required for their mission-specific work roles and thus have direct 
placement at higher rates than those who do not follow a like model.
    Security Clearance Reform. Critical to recruiting and hiring our 
cyber warriors for the ever-changing and growing challenges within the 
cyberspace domain are the Department's processes, practices, and 
onboarding efforts. Our lengthy security clearance process timelines 
continue to hinder the onboarding of talent, often resulting in 
applicants deciding to pursue employment in the private sector. There 
are two components to this challenge: eligibility and access. The 
Department has made great strides in determining eligibility through 
the establishment of the Defense Counterintelligence and Security 
Agency (DCSA). As for access, we continue to work with the Intelligence 
Community refining processes that allow new cyber workforce civilians 
and military personnel to utilize the tools of their new trade. That 
work is ongoing and continues to improve. Identifying applicants early 
in the process has proven the most promising to date. For example, the 
University of South Carolina Reserve Officer Training Corps program has 
taken the innovative approach to ensure Midshipman graduate with a Top-
Secret clearance so they are prepared to support their respective 
Service mission on day one. This concept should also work for 
internships and other similar programs where applicants can be 
evaluated over time and in an environment related to their cyber 
training and education.
    Retention. The Department continues to face retention challenges. 
While more study is needed to ensure we have a thorough understanding 
of this dynamic, an area to strengthen retention opportunities is 
likely through enhanced and expanded student loan repayment authorities 
and appropriations for the Department to leverage.
    Way-Ahead. The Department must continue to explore traditional and 
non-traditional options for recruitment, develop, and retain our 
workforce by potentially assessing and leveraging our Reserve 
Components; seek partnerships with Academia and Research institutions; 
decrease our security clearance timeline to efficiently onboard our 
talent; assess and obtain a greater understanding of our talent pool's 
motivations; and assess the viability of a strengthened talent 
management exchange between government and industry. To that end, I 
will continue to partner across the Department as an advocate for the 
cyber workforce and cyber-related initiatives. I am grateful for 
Congress's strong support towards the Department of Defense in building 
the cyber forces needed to be lethal and deter in cyberspace. I thank 
the Subcommittee's interest in these issues and look forward to your 
questions.

    Senator Tillis. I am going to--we will wait on, or we will 
see Senator Gillibrand go back, but I will go ahead and ask 
some questions, and if she takes a little time I will ask more 
questions.
    General, I am going to ask Ms. Hinton a question second, 
but your comments made me reflect on a discussion I had 
yesterday with the Personnel Subcommittee staff. I worked in 
research and development and product management back in the 
'80s, and I was trying to think about, we were having a tough 
time attracting talent back then. This is a perpetual problem 
in the private sector, and even more difficult, I think, in the 
government sector.
    But one thing that we had in place that I do not even know 
how we would structure it here, but you had these highly 
motivated, technically competent software and hardware 
engineers that we created an economic incentive, on their day 
job, work on fulfilling their mission set, to use your terms, 
but if they chose on weekends and nights to come up with 
something creative that was relevant to what you were doing but 
was creative, we had an economic and other reward systems that 
encouraged that sort of extracurricular activity.
    Any thought, for any of the panelists, any thought on the 
applicability of that same sort of thing, that still continues 
to this day in a lot of the software and hardware research and 
development shops, how something like that would even work or 
whether or not it would make sense, given your mission goals?
    General Crall. Sir, it is interesting because that overlaps 
quite well. You know, even the time frame that you said. I will 
be careful because my observations, I believe, are anecdotal. I 
had a chance to talk to probably a few dozen individuals who 
are right squarely in the market of the type of individual we 
want to recruit. What I found interesting was their answers 
were almost identical, so not a true statistical sampling that 
I would trust, necessarily, but this is what has me some pause.
    Not only did the CEOs [Chief Executive Officers] and CIOs 
[Chief Information Officers] tell me this, I discovered it for 
myself. The number one area that came back in feedback to me 
was people want to live where they want to live. The idea of 
moving to someplace they do not want to live, no matter what 
other feature is offered, is apparently quite unattractive. If 
you look at some of the hubs that we have to offer, that is 
going to be a challenge for us.
    There are some interesting solutions, given the work and 
the nature that maybe we need to explore about creating spaces 
where that work can be done literally anywhere, as long as the 
security environment is set for that. But living in the 
community they want to live in seemed to be a strong driving 
factor.
    The other one was in team composition, which gets after 
what you described. The hierarchy of the government isn't 
something that is really motivating to them at all. They want a 
flat organization where everyone has equal input into driving 
an outcome. For many of them, wearing the uniform was not 
attractive. They like working hours from noon until 3 a.m., is 
their prime working hours, and again, does it matter if 
productivity is there? Our organizations do not normally look 
like that.
    Senator Tillis. I even had a ponytail back in the day.
    [Laughter.]
    General Crall. Yes, sir.
    Senator Tillis. It was not a good look.
    General Crall. Student debt was more important than the 
salary itself, which seemed odd to me, because it appeared that 
higher salaries could retire student debt, you know, maybe over 
time, but they looked certainly at the idea of what programs 
could address the debt they are in.
    The last piece that we did very well in, the reason we were 
even having the conversation, was cause. They want to work for 
a cause, something that is meaningful, something that is 
viable, not just simply to make money. The government, 
especially the Department of Defense, was unusually attractive 
to them, to give back some level of service, and to do 
activities they could not do in other jobs.
    So, you know, again, sir, that is maybe just a few ideas 
that I learned.
    Senator Tillis. Well, thank you. I am going to yield back 
to the chair and then reserve the right for a second round, if 
that is okay.
    Senator Gillibrand. [Presiding.] Absolutely, and you can 
ask another question if you prefer.
    Senator Tillis. Well, Ms. Hinton, I will ask you a 
question. I do have some for the other witnesses, but I am kind 
of curious about your view of the Cyber Excepted Service, what 
is working, what is not working. I am particularly interested 
in loan repayment benefit.
    Ms. Hinton. Yes, sir. So Cyber Excepted Service has given 
us incredible flexibilities that are not resident in 
traditional civil service authorities. In particular, we have 
found great use in the hiring authorities that are associated 
with Cyber Excepted Service, that ability to target recruitment 
opportunities to get the talent that we need.
    Another piece of the Cyber Excepted Service that has been 
beneficial has been the compensation authorities. In 
particular, we have recently rolled out targeted local market 
supplements that enable us to compensate at a higher level for 
seven areas. So it gives us that ability, while General Crall 
mentions that compensation is not the only factor that weighs 
in an individual's decision to serve, it certainly is a factor, 
and our ability to compete with the industry through those 
compensation flexibilities helps us get at that targeted skill 
set that we need.
    Additionally, with the Cyber Excepted Service, it gives us 
some authorities to think about how we classify work, how we 
organize work, how we describe work, and how we look at the 
qualifications associated with the individuals that we need.
    I will say that there are some challenges with Cyber 
Excepted Service, and I would really back that up to a broader 
perspective in the whole cyber-coded workforce, which is not 
just Cyber Excepted Service.
    So first, as we think about compensation authorities that 
we were given, we are still held to the existing pay caps that 
we have under Title 5. So while we have some flexibility to 
change policies and processes associated with how we 
compensate, we are still held to the higher limits. So that 
really does not make us, in certain areas, as competitive as we 
could be to get certain talent.
    The other sort of nexus with Cyber Excepted Service that I 
would highlight is that it is tied to United States Cyber 
Command and those supporting elements, and so when we think 
about the cyber workforce writ large, Cyber Excepted Service is 
just one subcomponent of a broader cyber mission set. So as we 
think about where there are opportunities to expand the use of 
Cyber Excepted Service, we have had to look at what are some 
different ways that we can determine what are elements that are 
supporting Cyber Command on a position-by-position basis, to be 
able to expand that authority. So that is one area where I 
think there is opportunity to look at the authority and see 
does it have broader application, broader use.
    Additionally, there are some authorities in some of our 
sister alternative personnel systems, like Acquisition Demo 
demonstration project or our Defense Civilian Intelligence 
Personnel System, that allow for some additional flexibilities 
around streamlined classification that I think would bolster 
the Cyber Excepted Service.
    But all in all, we are very thankful for this authority. It 
has given us additional flexibility, and I will defer to Mr. 
Sherman for additional information about that.
    Senator Tillis. I am going to come back with questions for 
Mr. Sherman. I particularly want to know about the current loan 
benefit, and back to General Crall's point, I do think that 
they place a value on that. Even though the compensation may be 
offsetting, there is something attractive about just getting 
that debt retired as quickly as possible.
    But I am going to ask some additional questions. I will 
defer back to the chair.
    Senator Gillibrand. Thank you very much. For the whole 
panel, the National Security Commission on Artificial 
Intelligence has recommended a digital academy to address the 
skills gap in cyber workforce hiring, which will be fully 
accredited and independent from the government, with students 
doing government and private sector internships during breaks.
    The Department of Defense does have some existing 
authorities to address the skills gap now. We talked about the 
CES program. There also exists authority for the Department of 
Defense to grant cyber scholarships, paying for up to 3 years 
of college, and there is, of course, the ROTC commissioning 
programs that currently pay for up to 4 years of college, and 
even for graduate and professional school beyond 4 years, in 
some cases.
    So for each of you, I would like to start with Ms. Hinton 
and then go to Lieutenant General Crall, then Mr. Sherman, then 
Mr. Litton, what are the most important components to consider 
regarding this recommendation for a digital academy? Is this a 
necessary step? Could we also work to fill the skills gap from 
diverse sources, using existing authorities such as the cyber 
scholarships or a generous ROTC program?
    Ms. Hinton. Thank you, Senator Gillibrand. That is a great 
question, and we are very interested in the digital academy as 
another potential Federal-wide avenue to reach the talent that 
we need. Certainly, in the Department, as we look through 
standing up the Defense Civilian Training Corps, which is an 
authority that we received recently, we thought through how and 
what type of academic programs we need in order to reach this 
talent, and the digital academy would be another complementary 
avenue for us to be able to identify that diverse segment of 
the population and to bring them into Federal service, and to 
entice them into Federal service.
    In particular, to Senator Tillis' point around student loan 
repayments, the ability to offer paid education in exchange for 
service to the country is an area where we think that will 
enable us to reach this talent and entice them and attract them 
to support not just the Department of Defense but from a U.S. 
digital academy perspective, benefit to the entire government.
    In terms of authorities that we use to attract a diverse 
workforce, I will mention again that the streamlined direct 
hire authority that Congress has granted us, has so generously 
granted us, has been an incredible tool for us, to be able to 
target our recruitment and outreach, in complement with our 
scholarship programs. In particular, when we look at our cyber 
student hiring authorities, we see that even if I look at 
fiscal year 2021, we have been able to attract 20 percent of 
our student hires, cyber student hires, have been Asian 
Americans. We see in our Cyber Excepted Service 20 percent of 
our Cyber Excepted Service hires have been African American.
    So these hiring flexibilities make a difference for us to 
go out and target the diverse segments of the country, and then 
the scholarship programs add that additional bonus of enticing 
them to serve in exchange for their paid education. Thank you.
    Senator Gillibrand. Thank you. Lieutenant General Crall?
    General Crall. Ma'am, to your specific question about the 
digital academy, I really do not know whether that is a good 
idea or not a good idea. I think through the throughput and 
what the volume of that academy might produce might really be 
the answer.
    What I have found interesting is attending two universities 
last week, meeting with staffs and what degrees they offer and 
what motivates them and how they build curricula, it seems 
there is a very willing audience in the university system writ 
large to cater to this audience. Some of our more technical 
universities have created what is almost a human supply chain 
with industry, to build the very individual that can be placed 
immediately into the corporate world, and that means they come 
with security clearances, background, training for the years 
and internships that build up to that. That long-term 
relationship, that may be buttressed by the ROTC programs at 
large, for all the services, to include service in the Guard. 
There are a lot of opportunities.
    But the National Center of Academic Excellence in 
Cybersecurity, that whole apparatus, which is a formal 
partnership, I think is up to over 80 schools now. The last two 
schools that we looked at were just joining that consortium, 
which lays out that curricula and provides an interface with 
the Department, again, to build that cyber warrior for which we 
are looking. Then all these things can be applied on top of it, 
to include the internships, scholarships, et cetera.
    What I find lacking in this, though, is that the colleges 
and universities that have signed up for this thus far do not 
represent the full scope that we ought to be interacting with. 
I believe there is room for more diversity in the schools and 
outreach to make sure that we get greater participation.
    Senator Gillibrand. Mr. Sherman?
    Mr. Sherman. Thank you, ma'am. I would agree with my 
colleagues' comments on this, and I want to build on what 
General Crall said. From my view as CIO, the Centers for 
Academic Excellence for Cyber, they do offer a pretty broad and 
diverse set of schools we can get to, everything from North 
Carolina A&T to NYU, from University of Missouri-Columbia to 
Honolulu Community College. It is a broad swath there.
    I would certainly welcome a digital academy as an 
additional pipeline, but I would not want to do it at the 
expense of this broad swath of schools, from rural, urban, all 
across the country, historically black colleges and 
universities (HBCUs), larger universities, et cetera.
    What we have through the National Security Agency (NSA) 
Cybersecurity Scholarship Program, leveraging these Centers for 
Academic Excellence, back to what General Crall was saying 
about the pipeline of talent, I think it has been diverse, as 
Ms. Hinton indicated, for African Americans, Asian Americans, I 
would add Hispanic Americans, Latinos, Latinas coming into our 
workforce. I would want to continue to leverage that.
    So I think a digital academy would be a good complement to 
that, but what we are doing on the CIE front, with the broad 
swathe of opportunity, I would want to keep that up as well, 
because we are seeing return on investment there. Thank you.
    Senator Gillibrand. Mr. Litton.
    Mr. Litton. Yes, ma'am. Each year the Military Service 
Academies and senior ROTC programs produce approximately 450 
cyber officers for the military. Most of these universities 
with senior ROTC programs, and, of course, the academies, are 
certified as National Centers for Academic Excellence in cyber 
defense education by the National Security Agency, and most, as 
well, have a cyber institute dedicated to research to promote 
the understanding of cyber and cyber to be used in defense.
    The Citadel, along with the five other senior military 
colleges, have each received approximately $1.5 million of 
Federal funds to establish these cyber institutes as pilot 
programs on their campuses, and so I think your idea is very 
well taken, ma'am.
    Senator Gillibrand. Thank you. Mr. Tillis--Senator Tillis.
    Senator Tillis. Thank you. Mr. Sherman, last Congress we 
authorized the CYBERCOM enhanced pay authority. It was based on 
a generally viewed successful program out of Defense Advanced 
Research Project Agency (DARPA). I understand that CYBERCOM has 
chosen not to implement that. Is that true, and what was the 
rationale for not doing it?
    Mr. Sherman. Sir, I am going to tell you I am frankly not 
sure on that particular authority there. I would have to go 
back and take that one for the record and check with General 
Nakasone on that, sir.
    Senator Tillis. Okay. Thank you.
    [The information referred to follows:]

    Mr. Sherman. USCYBERCOM endorses this authorization and is 
exploring and identifying up to 10 scientific and engineering 
positions that coincide with the use of this authority granted 
to USCYBERCOM by Congress and contained in Section 1708 of the 
Fiscal Year 2021National Defense Authorization Act.

    Mr. Litton, I just had a question, I think it was the 
Fiscal Year 2019 NDAA. It included several provisions to 
disrupt the standard tenure-based military career path. We were 
especially concerned with cyber careers. The alternative 
promotion authority, in particular, meant to provide more 
flexibility for promotions. What is the current status?
    Mr. Litton. Yes, sir. My understanding is that we have 
largely implemented that. If you are referring to our ability 
to rank officers on the promotion list based on their skills 
and abilities, and our need for them in the service to be 
promoted before the other----
    Senator Tillis. The military departments are authorized to 
use it?
    Mr. Litton. Yes, sir, they are.
    Senator Tillis. Thank you.
    General Crall, the Defense Digital Service, DDS, put in 
place some innovative personnel policies, and we have seen some 
of the best cyber officers that enlisted spend time at DDS. 
What is special about it, and should we extend this kind of 
mindset to the broader military cyber workforce?
    General Crall. Yes, sir. I am personally a huge fan of DDS 
for the very reasons you have mentioned. They approach problems 
in a non-conventional way. They are not intimidated by rank, 
structure, hierarchy. They seem to get to----
    Senator Tillis. Well, that too.
    General Crall.--yes, sir, a very flat organization. They do 
not look like us. They do not act like us. But I have found 
that the value of getting to the truth and getting to the 
bottom of something, that they operate at much greater speed. 
Again, their ability to, you know, recruit such a diverse 
population, from all backgrounds, from all experiences, make 
the team composition one that is fairly complete. No blind 
spots. They are able to really fill some holes neatly, and 
tailor their workforce to our very specific problem set.
    The last piece I would offer is they appear to be very 
current, because their operations and their influence in what 
they read and who they interact with comes from sources well 
outside of the Department. So they have been extremely 
valuable, and I do agree that those lessons learned export 
quite well to the condition that I offered in my opening 
statement.
    Senator Tillis. Yeah, I think that kind of creates a--sort 
of casts a wider net for that organizational framework that I 
think works and that exists.
    Senator Gillibrand. Senator Tillis? Can you describe, for 
the record, what DDS is, how many people you have? Just 
describe it from start to finish.
    General Crall. Well, I apologize that I do not know the 
exact numbers that they have, but they are a small force, and 
that small force was created a few years back to get after 
these problem sets in an unconventional way. The recruitment 
for that team has been largely left up to the DDS leadership, 
and was managed by the Secretary of Defense proper, and they 
had a pretty wide authority in their hiring. They could onboard 
very quickly, they could go seek the talent they needed, and 
they are very independent. In fact, when I first met them, they 
were almost inspector general-like, meaning their level of 
independence, not beholden to anyone in the building, but to 
really get after truth was pretty impressive. The speed with 
which they delivered was also impressive.
    Senator Tillis. If we can get back those details for the 
record.
    Senator Gillibrand. Yeah, for the record. So who do they 
report to, how many people are there, what is the salary range, 
just so we can describe the program accurately, to know if we 
should replicate it or augment it or make it bigger than it is 
today.
    General Crall. Yes, ma'am. I have that for action.
    Senator Tillis. I did have a question that goes to 
education. I will ask anybody on the panel that may want to 
answer it. I like the idea that we are investing in some of the 
military-oriented institutes, but what kind of a net have we 
cast? This may sound parochial, but if there are institutions 
like this elsewhere then they should be included.
    But Montreat College, for example, in western North 
Carolina, just outside of Asheville, has had a four-year cyber 
program for several years. It actually dates back to the time 
that I was Speaker of the House. We provided funding to help 
them stand up facilities and get that program going. They have 
had a couple of graduated classes now.
    So to what extent have we cast a wide net for any 
institutions, public or private, that look like they would be 
good feed stock and good places for investment to vector people 
into government service, either uniformed service or civilian 
service?
    Mr. Sherman. So with the program, sir, with the ROTCs that 
I think you are referring to, at six universities--Texas A&M, 
my alma mater; North Georgia; Virginia Tech; VMI, Virginia 
Military Institute; Citadel, and Norwich. So six of the 
civilian institutions with rather large ROTCs, core cadets type 
functions. That was the initial group here with the initial 
grant investment, as Mr. Litton indicated just a minute ago. I 
think in terms of expanding the net, or expanding the 
applicability to this, we are very early in this, to see how 
the return on investment turns out. But this was just an 
initial group of institutions that have established ROTCs, sir, 
and so I would not see why we would not want to expand in the 
future, perhaps to similar institutions.
    Senator Tillis. Senator Gillibrand, if I can just ask one 
more question. Another discussion that came up in brainstorming 
about this is almost a civilian analog to the ROTC, programs 
where you would put them in place, they would provide civilian 
service to the government. Where are we with that thinking, and 
to what extent do you all think that is a good idea?
    Ms. Hinton. Yes, sir. As mentioned previously, we are 
working through establishing the Defense Civilian Training 
Corps, which is the concept that you mentioned, the ROTC-like 
program. We have developed an initial implementation plan and 
are still exploring and building out what that will look like.
    But to your point, we are looking across the nation at what 
institutions would have the right capabilities and program and 
curricula to support not just acquisition, which is a priority 
area we are looking at under the Defense Civilian Training 
Corps, but also our modernization priorities. So when we look 
at that program, coupled with the Defense Science, Mathematics, 
and Research for Transformation, the SMART Defense fellows 
program--sorry, I had to look down to get that correct--which 
is one of our many scholarship programs that is offered 
throughout the country, we are going after those science, 
technology, engineering and mathematics (STEM), technical areas 
to find that talent. That is another area where we are looking 
at, are there new outreach, new partnerships that we need to 
explore to find the diverse talent.
    Senator Tillis. You can do that under current authorities?
    Ms. Hinton. Yes, sir.
    Senator Tillis. The last open question, really, for maybe 
feedback for the record--I may have a couple of questions for 
the record too--would be any additional authorities or 
modification of current authorities that would help you better 
tackle this problem, please get it to us. I am sure that the 
Chair agrees that that would be helpful, as we lead up to the 
NDAA process. Thank you.
    [The information referred to follows:]

    Ms. Hinton. The Department appreciates the many civilian 
personnel hiring authorities provided by Congress, including 
those that afford the ability to streamline hiring for critical 
cyber talent. The Department needs to operate with agility and 
aggressiveness, not only in recruitment, but in our ability to 
provide attractive incentive packages in the competitive global 
market.
    Authorities such as the cyber excepted service and similar 
alternative personnel systems provide the flexibility to 
recruit, compensate, and retain highly qualified talent to meet 
our unique and extensive mission requirements. They enable the 
Department to compete for talent with an unconstrained private 
sector by allowing for expeditious recruitment with 
corresponding compensation and incentive flexibilities, such as 
pay banding for pay setting flexibility and/or targeted market 
pay. However, full use of these authorities is constrained by 
limitations on organizational or functional coverage and, in 
certain technical areas, by uncompetitive salary caps.
    The Department finds that it is increasingly reliant on the 
full use of recruitment and retention incentives, often at the 
maximum authorized levels, in order to successfully attract and 
retain critical cyber talent. Additionally, the student loan 
repayment program has grown into a crucial recruiting tool, yet 
the program is becoming less attractive to effectively recruit 
and retain highly desired personnel due to statutory 
limitations.

    Senator Gillibrand. Our future military leaders across all 
specialties must be educated on cyber issues to ensure that our 
military remains the world's most effective fighting force. 
Professional military education institutions can ensure that 
world-class cyber faculty are positioned to teach our officers 
about the ways in which cyber strategy, policy, and operations 
affect the Armed Forces and shape future conflict.
    Several questions. When it comes to institution on topics 
like cyber policy, strategy, and operations, how effective are 
professional military education institutions across the service 
branches, number one? How is the effectiveness of professional 
military education institutions evaluated? To what extent are 
cyber programs and curricula standardized across the service 
branches? What is the expected standard of performance for 
professional military education institutions and educational 
cyber programs across the service branches? Lieutenant General 
Crall?
    General Crall. Yes, ma'am. There is a lot there. So I would 
say that maybe taking it from the highest question and working 
down. I know that the National Defense University, for example, 
that has a program, its cyber college was the first that I was 
aware of to offer a senior-level program, rather than curricula 
off to the side or maybe electives, but really a full 
discipline aimed at building that cyber policy professional. 
That is kind of a rarity. Yes, ma'am.
    Senator Gillibrand. So there is a lot of concern right now 
regarding the DOD's potential elimination of the College of 
Information and Cyberspace (CIC) as a component institution of 
the National Defense University. As you mentioned, CIC provides 
critical mission of consolidating intellectual resources and 
providing joint higher education for the nation's defense 
community. Now more than ever, we need every resource available 
to bring together and grow our military's knowledge base on 
cyber issues, and we really should not miss an opportunity to 
impart that knowledge on the military's rising leaders.
    With these concerns in mind, what is your long-term vision 
for the College of Information and Cyberspace at the National 
Defense University, and how can Congress help achieve that 
vision?

    Mr. Sherman. The Under Secretary of Defense for Policy 
provided a report on April 9, 2021, to the Armed Services 
Committees regarding the future plans for the National Defense 
University's College of Information and Cyberspace (CIC), as 
required by Section 1741 of the Fiscal Year 2021 National 
Defense Authorization Act. One of the recommendations in the 
report is for a follow-on study regarding future requirements 
in order to educate DOD leaders (civilian and military) in the 
Information Environment / Cyberspace Domain). The Under 
Secretary for Policy is sponsoring a Federally Funded Research 
and Development Centers (FFRDC) study that will begin in June 
2021 and end approximately one year later.

    General Crall. So, ma'am, I will leave the chairman to 
maybe inform what his personal vision is. I will give you my 
personal vision is I am a big believer in that college, and I 
have hired many of the graduates from that program, and have 
employed them, and I actually seek them. So I think there has 
been tremendous value added with that program.
    The other aspect, as far as standardized training for 
leadership across all the Services, we are clearly not there. 
There is a greater interest, and I find that our younger 
servicemembers and civilians come better trained and probably 
just more experienced, based on their age. But I have seen 
training programs in the Services. I just do not know that they 
are necessarily aligned and they are all equal. There certainly 
needs to be more work done to make sure that that level of 
training is consistent and effective.
    Senator Gillibrand. Thank you. Ms. Hinton? You can answer 
any of the questions I posed on this topic.
    Ms. Hinton. Yes, ma'am. So I would take the question for 
the record as it applies to the civilian workforce and joint 
professional military education. We certainly, as part of our 
leadership development competencies for our civilian workforce 
use the joint professional military education venues as an 
avenue for our civilians to grow and develop the same 
competencies as our military. But I will have to take your 
question for the record.
    Senator Gillibrand. Mr. Sherman?
    Mr. Sherman. Ma'am, I would agree with everything my 
colleagues said, and also for the record, the one thing I would 
add is on the College of Information and Cyber at National 
Defense University. This is, of course, aligned to Joint Staff 
and support them, but as a functional advocate for them we are 
strongly supportive of them, and as General Crall indicated, 
they turn out many, many good graduates, many of whom work for 
me as well, and we think it should be sustained and continued. 
We are a big fan of it. Thank you.
    Senator Gillibrand. Mr. Litton?
    Mr. Litton. Yes, ma'am. If I might, a tangentially related 
issue is one of the most exciting things to me in this area is 
the U.S. Space Force. They are creating a digital service from 
the ground up. The Chief of Space Operations, Jay Raymond, has 
directed his leaders to improve digital education across all 
members of the Space Force. To that end, the Space Force has 
stood up a digital university which gives air and space 
professionals access to over 7,000 training courses in which 
they can access on duty, off duty, and receive qualifications 
and certifications to that end.
    He has also directed his leaders in the U.S. Space Force to 
build a cadre of software developers, ``supercoders,'' he is 
calling them, with the skills, knowledge, and ability to access 
the right and deploy software to military systems at the speed 
of relevance. Yes, ma'am.
    Senator Gillibrand. We do not have a Space Force Academy. 
Should we?
    Mr. Litton. Ma'am, that is a good question. I think right 
now that the United States Air Force Academy is doing an 
adequate job. I think as the Space Force grows and matures, 
that is something that the Department should take a hard look 
at.
    Senator Gillibrand. Do you believe that the U.S. Air Force 
has the state of the art cyber technology department?
    Mr. Litton. Well, all of the Services have cyber 
capability. All of the Services are really doing their best and 
trying really hard to acquire that talent and develop them to 
meet the need of the warfighters. That is more kind of in 
General Crall's lane than mine. Mine is the policy to access 
and enable the Services to retain and support those members.
    Senator Gillibrand. Lieutenant General Crall, can you speak 
to having a Space Force Academy, whether the Air Force has 
enough expertise in developing it, and speak to perhaps--I know 
West Point has a cyber program. Can you speak to each of these 
departments and whether they need to augment what they offer or 
whether they are doing what they need to do sufficiently?
    General Crall. So, ma'am, I will have to take the comment 
on the academy and whether the Air Force has an adequate, you 
know, presence, I would have to take that for the record 
because I do not know.
    Senator Gillibrand. Okay.
    General Crall. But to the other question about where the 
talent comes from across all the Services, I think it is 
important to note that if we believe--and I do believe--that 
United States Cyber Command has amassed, really, our most 
technical individuals in the cyber community, it is important 
to note from where they come. Those are service-provided 
individuals. So as Cyber Command sets, as a joint force 
provider and joint force trainer, that common curricula and 
standard, it is the Services who are recruiting and putting 
those individuals through the pipeline.
    So I think the Services do have pretty good footing and a 
pretty equitable talent base.
    Senator Gillibrand. Could we get a report on that, of what 
is the personnel makeup of Cyber Command, and an analysis to 
the question about whether we should be standardizing the 
teaching across service academies, but also the question of do 
we need a Space Force Academy? Then, which you have already 
said, you do believe that we could have a separate Federal 
cyber academy for all Federal workforce needs, not just the 
Services.
    General Crall. Yes, ma'am. I will take that for the record.
    Senator Gillibrand. I would like your opinion on it.
    Mr. Tillis?
    Senator Tillis. Just for my part----
    Senator Gillibrand. Oh, sorry. Senator Hirono is on Webex. 
Senator Hirono.
    Senator Hirono. Hello? Thank you, Madam Chair.
    Senator Gillibrand. We can hear you.
    Senator Hirono. This is for the panel. In Hawaii we have 
several cyber education programs that work collaboratively with 
the NSA and Department of Homeland Security (DHS), such as the 
National Centers of Academic Excellence in Cyber Defense and 
Center of Academic Excellence in Research. However, we also 
struggle to retain these trained cybersecurity experts in 
Hawaii. One thing that we find in Hawaii is that we can have a 
lot of excellent people who come to Hawaii but if they do not 
particularly have ties to the community, they tend to cycle 
out.
    So my first question is how is the Cyber Workforce 
Management Board, CWMB, collaborating with other Federal and 
state agencies, where relevant, to continue investments in 
education, particularly in STEM programs, to meet the growing 
need of cybersecurity professionals? Particular, probably, in a 
state like Hawaii, how do we go out and reach the local 
community to engage in these kinds of educational programs, 
because they are more inclined to stay in Hawaii once they get 
their education. Panel?
    Ms. Hinton. Senator Hirono, this is Ms. Hinton. I will 
touch on two areas and then I will ask my colleague, Mr. 
Sherman, to talk a little bit about the broader interagency 
collaboration.
    Through the Chief Human Capital Officers Council, the 
Federal Human Capital Officers Council, we look at these broad-
reaching interagency challenges and work in partnership with 
the Federal Chief Information Officers Council to identify 
innovative programs, solutions that get to the problems that 
you identify specifically, whether it is retention or 
recruitment. We work together to identify those best practices, 
that if one agency has found a way to solve an issue, how do we 
share that across the interagency space?
    We are particularly doing that as well within the national 
security workforce in identifying are there specific challenges 
associated with the recruitment and retention of, say, the 
cyber workforce, and how can we learn from each other.
    To Hawaii, specifically, I would mention the Department's 
ability to retain our talent in some of our remote locations or 
locations where we have seen throughput, we have relied and 
leaned heavily on our authorities to offer incentives, to 
incentivize talent to stay in those locations where we need 
them. We have found success in using those incentive programs, 
but we have also found that we have to go pretty close to the 
cap of our authority in order to retain talent in these places. 
So as we use our incentives more and more, we are finding that 
it is taking us to that 25 percent cap, which the Department is 
authorized to use for these relocation and retention 
incentives, and we can envision a future state where we will 
need higher authority to compete with industry to retain 
individuals in these locations.
    Senator Hirono. Thank you. Anyone else want to weigh in?
    Mr. Sherman. Senator, this is John Sherman, Acting CIO, 
ma'am. Just to thank Ms. Hinton, who hit many of the key 
points, and we are proud of the five Centers of Academic 
Excellence within the State of Hawaii that we are able to work 
with through the NSA accreditation there.
    With regard to working across interagency, Ms. Hinton 
talked about the Federal CIO Council, where best practices are 
shared. We are also doing things in terms of, say, how career 
succession happens. We have something called the Cyber Pathways 
tool that we developed in concert with Department of Homeland 
Security (DHS) and VA, to show cyber professionals how they can 
work across different trade crafts, what their career path 
could look like, and that was a good interagency effort between 
VA, DHS, and the Department of Defense.
    We are sharing best practices. Of course, within the 
Department of Defense we are very pleased to have the Cyber 
Excepted Service authorities you all in Congress have provided 
to us, and we do use those aggressively and are continuing to 
expand those and then share our lessons learned with some of 
our interagency partners. So there is an active dialogue on 
that, and we are trying to be forward-leaning in that regard. 
Thank you.
    Senator Hirono. I am glad to hear that there are efforts to 
work with the other departments, because there are some common 
challenges with regard to recruiting and retaining a cyber-
educated force.
    How is DOD partnering or working with universities across 
the country to provide a pipeline to DOD's cyber workforce? Any 
of the panelists.
    Mr. Sherman. Senator, this is John Sherman again, the 
Acting CIO. You noted the Centers for Academic Excellence, an 
NSA-accredited program that we advocate for here at the 
Department of Defense level, across many dozens of institutions 
all across the country, constantly adding more to that. The 
neat thing about this is as schools come in, other schools can 
help shepherd them to get their accreditation, and it really is 
a truly, truly diverse grouping of schools.
    I was noting a minute ago, it is everything from Tuskegee 
University to Honolulu Community College, from University of 
Missouri-Columbia to North Carolina A&T. There are many, many 
schools in this, and the goodness of this is bringing in the 
different institutions across a very diverse population--rural, 
urban, otherwise--to get to a broader, more diverse set of 
candidates and students, in places where it cannot only apply 
the scholarships to and get them on board through there, but to 
get people interested in working in the Department of Defense, 
who might not otherwise think about a cyber career in national 
security.
    So this is something we are very excited about. It is an 
ongoing effort. It requires effort by the schools to get the 
accreditation. But it is very diverse, as I said, through 
community colleges all the way to much larger institutions, 
ma'am.
    Senator Hirono. I am running out of time. This may have 
been touched upon before, but are you making concerted efforts 
to recruit women and minority people?
    Ms. Hinton. Senator, this is Veronica Hinton. Absolutely, 
and we appreciate the authorities Congress has given us, in 
particular around direct hiring authorities to enable us to 
target our recruitment to underrepresented, underserved 
communities. We have found that using these authorities have 
enabled us to expand our outreach, to go where the talent it, 
and to attract them into the Department.
    We see that through these authorities, whether they are 
student direct hire authorities or general streamlined direct 
hire authorities that we have had results in increasing 
minority hires, in particular with our student authorities. As 
I mentioned earlier, we have, in the past fiscal year, 20 
percent of our student cyber hires have been 20 percent Asian 
American. We have seen growth in our African American as well 
as our female representation.
    So we really appreciate the authorities that enable us to 
diversify the workforce and really find where the talent pools 
are, to partner with minority-serving institutions and other 
colleges and universities to get at this issue.
    Senator Hirono. Thank you very much. Thank you, Madam 
Chair.
    Senator Gillibrand. Thank you, Senator Hirono. Senator 
Tillis.
    Senator Tillis. Thank you, Madam Chair. I will not ask any 
more questions here, but Mr. Litton, I am going to offer a 
couple of questions for the record, particularly around the 
temporary promotion authority for the DDS, kind of an idea of 
what slots have been provided, or if none have, why not. Also 
on constructive credit, I think the Army is the only one that 
seems to be using it now. I am curious why there is a 
reluctance, or why it has not been implemented in the other 
service lines.
    Mr. Sherman, I want to dig a little bit deeper, for the 
purposes of future considerations, the clearance issue. When we 
do security clearance you have got maybe a hotshot that is 
going to take 90 days or more to get a clearance. We had given 
some authority to provide, I think, unclassified workspace to 
onboard them. That may work, but I would like to talk more, we 
can talk about after the hearing, give us feedback on how we 
can accelerate that.
    The clearance process is a problem across the whole of 
government, but in this particular field, where they are highly 
sought after resources, we can have a lot of leakage if we do 
not get better at it, onboard them as quickly as possible. So 
we will talk about that after the hearing and make sure my 
staff follow up.
    Madam Chair, thank you for the hearing. This is very 
important, and again, we welcome your feedback on things that 
we should be looking at to either tune or introduce additional 
authorities to tackle this, because I tend to agree with 
General Crall's sobering mindset. We have got a lot of work to 
do here if we want to get the run right where we need it. Thank 
you, all.
    Senator Gillibrand. If anybody wants to answer Senator 
Tillis' question now, because you know the answer, please do, 
because I have the same question about how do we increase the 
time for security clearances, how do we speed it up?
    Mr. Sherman. I would just add, ma'am, we will need to take 
that for the record. As we work with the Under Secretary of 
Defense for Intelligence and Security and the Defense--I am 
sorry, DCSA; I always get backwards on that--DCSA, to make sure 
we have their input on that, we will take that for the record 
and make sure we get you a holistic answer back on that, ma'am.

    Mr. Sherman. The Under Secretary of Defense for 
Intelligence and Security (USD(I&S)) is responsible for the 
personnel security clearance policy and processes. I understand 
that USD(I&S) is working in collaboration with the Office of 
the Director of the National Security Agency and the Office of 
Personnel Management on a new vetting concept, Trusted 
Workforce (TW) 2.0. TW 2.0 is a new framework designed to 
transform the Federal Government's personnel vetting process 
resulting in faster, less expensive investigations for the 
Federal Government. Additional questions regarding personnel 
security clearances should be referred to USD(I&S).

    Senator Gillibrand. Thank you. Mr. Litton, in your 
testimony, you mentioned that the basis eligibility criteria 
and screening process for Military Service is the same for 
recruits as it is for non-cyber military occupational 
specialties. Are current Military Service standards restricting 
our ability to fill the ranks with the cyber talent we need? If 
so, how do you recommend addressing this issue, and how do we 
balance the need for officers to possess the cyber-specific 
skills and knowledge necessary for their branch, but also the 
leadership skills necessary for them to enjoy meaningful career 
progression and be competitive for leadership and command 
opportunities?
    Mr. Litton. Yes, ma'am. Thank you for that question. 
Overall, recruiting, both in the enlisted and the officer 
corps, in general, has been very good. I think the military 
incident processing command has done a tremendous job during 
this COVID environment, keeping the Military Entrance 
Processing Station (MEPS) stations open and keeping that 
pipeline flowing for those that want to serve their country, 
and filling the ranks in the Military Services.
    Right now our retention is really excellent. I think it has 
been a benefit, if you will, for the Department of this 
uncertain environment that we currently find ourselves in, that 
all the retention numbers are well over 100 percent.
    So that being said, our recruiting and retention 
specifically for our cyber warriors is good. There are some 
specific areas in which we are below our needs. But generally 
those are because we have increased the requirements on the 
other end. So we are fighting on one end to bring in the right 
person, but also those requirements increasing on the other end 
make it a dual challenge, if you will.
    Senator Gillibrand. Does anyone else want to add to that 
answer?
    Ms. Hinton. Senator, I would echo Mr. Litton's comments. We 
find the same dynamic on the civilian side. Our retention 
rates, in particular for our cyber workforce, are generally 
good, and generally across the Department we see that folks are 
not really leaving right now, just because of the uncertain 
dynamic. But we find that there are pockets of challenges 
within the cyber workforce. In particular as we talk to Army 
Cyber Command and some of the very specific, very highly 
technical areas, we do see some churn there, that we are using 
in leveraging all of our authorities to close those gaps.
    But there is a dearth of expertise in the country in some 
of these instances, and so we bring to bear what we can, but 
certainly we can do more.
    Senator Gillibrand. What are the differences--maybe for 
Lieutenant General Crall and Mr. Sherman--what are the 
differences between civilian versus uniformed employees in our 
cyber workforce? What strategic advantages do each bring, and 
what percentage of current cyber workforce is civilian versus 
military? What do you think the proper mix should be, and how 
do we ensure we have the proper mix 5 years and 10 years from 
now?
    Mr. Sherman. I will go on that first part about the current 
mix, ma'am. We have what is called the Defense Cyber Workforce 
Framework, where we capture this data. We have roughly, as we 
have got the skill sets coded, 65,000 civilians and 67,000 
military in the ranks there.
    In terms of the mix, I will defer to General Crall to 
amplify this. The military brings longer consistency, longer-
term time on target there. The civilians, you may have a little 
bit different turnover, and, of course, the different richness 
of skill set and experiences, perhaps from industry or academia 
or elsewhere.
    My personal view, as Acting CIO, is that this is about the 
right mix we have now, in terms of about the half and half, to 
keep that modulated. Just to build on what Ms. Hinton said, we 
do have certain skill sets that are very applicable, as Senator 
Tillis was indicating at the outset, out in the civilian 
workforce. Cyber operators, for example, is one of the coded 
ones. Network assessors. Jobs that could get very quickly 
picked up in the private sector.
    Using this framework, blocking and tackling we have, we can 
watch as these get above a 10 percent rate that we need to 
start, when the vacancies get above a certain area, that we can 
start amping up the hiring and using the cyber-accepted service 
authorities you all have granted to us to start doing things 
like targeted local markets, supplement TMLS for living in the 
National Capital region, and so on. So we try to use that to 
modulate, but the mix, I believe, is about right, but I will 
defer to General Crall and the others for their views.
    General Crall. I think in a generic sense the mix is about 
right the way it sits now. There are tradeoffs, and those 
tradeoffs, I agree with the Action CIO in that you get some 
consistency on the military side. People that make careers of 
it stick around, and they have a unique experience that relates 
very well to the combatant commands. Make no mistake, from the 
Joint Staff, focused on warfighting and looking at meeting 
combatant command needs, those relationships work out quite 
well.
    What you trade, though, however, is some of the experience 
and currency that we tend to get from our civilian workforce, 
especially those who move in and out from industry back to 
service with us. So I would probably like to keep both of those 
pipelines open.
    But your most difficult question that you asked was not so 
much how are things working out today but what does that mix 
look like five years. I think that is the unknown. I do not 
know the answer to that. But my guess is it probably will not 
look like it looks today, because we have not onboarded the 
very capabilities that we need to employ--machine learning, 
autonomy, artificial intelligence, a real cloud-based 
environment, pushing that processing to the tactical edge, and 
a reformed network.
    So the speed with which that is going to require us to 
operate is going to have a level of human-machine interface we 
have never had before, and it is hard for me to believe that 
the force we are looking at today is necessarily rightly 
aligned to that new mission set. We are going to have to lead 
turn this, and keep a careful eye on what those skill sets are 
necessary to bring this on board, and we might have to throttle 
that mix and that balance to get there.
    Mr. Sherman. I am sorry, ma'am. I was just going to add one 
other thing to what General Crall is saying. Absolutely, on the 
cloud-based capabilities, data, AI, some of the things I 
mentioned in my opening statement. The one thing we are going 
to have to get our head around is, as we do, particularly on 
the civilian side, bringing them in, we might not be bringing 
them in for 30 years. Indeed, they may come in for 4 years and 
go out to industry and then come back to us in 5, 6, 7, 8 
years, and that is not a bad thing to stay super current with 
industry practices, academia, and elsewhere. With our Cyber 
Excepted Service authorities, we are able to operate in that 
space, but this is a different mindset, particular with our 
civilians. We may not want to hire data scientists for more 
than 3 or 4 years. We may want them to go back to industry, 
reaffirm their technological bona fides, and then come back to 
us later. It is a different mindset we need to get around.
    Senator Gillibrand. Go ahead, Ms. Hinton.
    Ms. Hinton. We need the pathways and the pipeline to be 
able to do that, the authorities to be able to do that, to have 
the fungible workforce that gets their experience in industry, 
comes back into the Department, and maybe goes back out, and 
so----
    Senator Gillibrand. So you are saying we do need additional 
authorities to do that?
    Ms. Hinton. Correct.
    Senator Gillibrand. Okay. So I would like everyone on this 
panel to write a letter to the committee what those authorities 
would look like, to have the flexibility we will need 5 years, 
10 years out, to get people coming in and out of the private 
sector, to keep their knowledge current.
    Anything else? I cut you off. Did you want to say more?
    Ms. Hinton. Nothing.
    Senator Gillibrand. Okay. Thank you. Senator Hawley.
    Senator Hawley. Thank you, Madam Chair. Ms. Hinton, let me 
come back to you, if I could, and ask you a question about our 
friends at the big tech companies. Just give us a sense, on the 
committee, have they been supportive of DOD's efforts to 
attract cyber talent that we need to protect our national 
security, or are you seeing these companies counter and compete 
and stand in the way of DOD's recruitment efforts?
    Ms. Hinton. I would not couch it in an adversarial manner--
thank you for the question, Senator. Certainly we are in a 
competition with the big tech, but at the same time, they have 
also been friends to the Department. We have used the private-
public talent exchange authority that Congress has given us to 
open up those pathways, to allow our employees to go learn from 
industry, and to allow industry to come learn from the 
Department. We are in the process of expanding that authority, 
based on direction in the last NDAA.
    But certainly as we look at our compensation authorities 
and try to compete, we cannot compete based on money, quite 
frankly. In some areas we can--we do have some authorities--but 
across the board, generally we cannot win the money 
competition, so we win the service competition, the call to 
service, to serve the country. We work on some incredibly 
advanced opportunities, and that is where we win the 
universities, we win the industry.
    So I would say a mix of partnership, but also a mix of 
competition.
    Senator Hawley. Very good. Speaking of universities, I am 
curious how the Department has used scholarships or other 
programs for high school students and college students to 
attract top quality talent.
    Ms. Hinton. We have a mix of programs, Senator, that we 
use, whether it is the Cyber Scholarship Program, whether it is 
the STEM Scholarship Program. We have a plethora of 
scholarships, fellowships, internships, where we use that to go 
after talent. We are also looking at the Defense Civilian 
Training Corps, which is a new authority we received in the 
Fiscal Year 2020 NDAA, to stand up a ROTC-like program. We use 
our direct hire authority. We have a student direct hire 
authority that enables us to reach out and directly hire 
students into the Department. That has proven to be a 
successful authority, albeit with some limitations. So we have 
a variety of tools available to us.
    Senator Hawley. I am curious if there are any particular 
regions that you have targeted or types of schools.
    Ms. Hinton. We target a variety of universities, a variety 
of schools, depending on the mission sets that we need. We have 
a diverse network of partnerships with a variety of 
universities, a variety of outreach programs that help us find 
talent. Mr. Sherman, if you have some specifics?
    Mr. Sherman. Sure. There are dozens and dozens, Senator, of 
schools, and we were talking about this a little bit earlier, 
from community colleges all the way up to University of 
Missouri-Columbia, to very large schools, everything from rural 
to urban. So we are aiming for a very broad swath of talent, to 
get these Centers of Academic Excellence accreditations to be 
able to do that.
    Also, Ms. Hinton mentioned these ROTC-focused efforts we 
have going on. There are six institutions--Texas A&M, North 
Georgia, Virginia Tech, VMI, Citadel, and Norwich--all schools 
that have large ROTC programs, to encourage the cadets there to 
focus on cyber. Within some of them, for example, Citadel 
within the Charleston area, is reaching out to schools within 
the area, high schools and so on. So they are taking this kind 
of a step further there, as well.
    So the bottom line, sir, is a pretty broad shot group there 
of what we are trying to go after, getting the most diverse 
talent and folks who may not have thought of a career at the 
Department of Defense or national security.
    One of the things Ms. Hinton noted, if I can go to this, 
about why do people come to work, and it goes to the education 
piece. They can make more money in tech, but where else can you 
go after ISIS, or help us stand up against the Chinese, or 
thwart the Russians? There is a certain amount of, you cannot 
do this anywhere else. So we may get them for 4 years, maybe 
they go off to industry and make more money. The key is getting 
them back after that, for the next bite at the apple, for a 
higher level of management or technical capacity they would 
have, sir.
    Senator Hawley. Let me ask you in, in closing, when you 
think about the mix of programs and recruitment tools that you 
have just been talking about, have any proved particularly 
successful or effective, that you would look at and say, ``That 
has really been good for us"?
    Ms. Hinton. Sir, I feel like a broken record, but I really 
am very thankful, the Department is very thankful and 
appreciative of the direct hire authorities, because they 
enable us to get through the hurdles and the inefficiencies in 
some of the Title 5 hiring authorities, and really get to where 
is the talent, how do we bring them in, how do we attract them 
without having to go through the overly burdensome hiring 
process that we had.
    So they have proven to be effective tools, and I would 
couple that with the Cyber Excepted Service authority that we 
have, that we are growing, that has proven to be another 
effective personnel tool.
    Senator Hawley. Very good. Thank you very much. Thank you, 
Madam Chair.
    General Crall. Sir, if I could offer one piece to that, not 
often well received, but I think important to note. Not all of 
our talent comes from credentialed degree holders. We have a 
lot of talent that comes in our enlisted forces, or maybe with 
no degree whatsoever, that have shown unbelievable prowess and 
acumen in this field. While I would never dismiss the idea of 
pursuing the formally trained university partnerships, which go 
a long way, to some of our high-end performers, we have a lot 
of performers who do not hold degrees, and they have proven 
extremely valuable to our work.
    Senator Hawley. That is great.
    Senator Gillibrand. Just a couple questions on our Cyber 
Reserve and our National Guard. In the fiscal year 2021 
National Defense Authorization Act, it required leaders in the 
DOD to evaluate reserve models tailored to support cyberspace 
operations. I am interested in the possibility of creating more 
flexible options for personnel who want to serve but want 
alternatives to full-time, active-duty service. We look forward 
to receiving that report.
    To inform our reading of it, when it comes--thank you, 
Senator--how is the Department currently thinking of non-
traditional military reserve models for service on cyber 
issues? What are the current military reserve options for 
individuals who have cyber skills and are interested in 
service? Then on the National Guard question, we asked for a 
report to evaluate the use of National Guard for the response 
to and recovery from significant cyber incidents. As you 
conduct that evaluation, what is your long-term vision for the 
successful integration of the National Guard into cyber 
incident response, and what should the collaboration be between 
the National Guard Bureau and Federal agencies looking like and 
preparing for and establishing resilience to future cyber 
incidents?
    Whoever wants to address it can address it.
    General Crall. I see everyone looking at me. So, ma'am, we 
certainly owe you the details in the reports that you had 
mentioned. You know, I had a chance recently, the week before 
last, to get up to Washington State and talk to one of their 
elite Guard units there on cyber. Incredibly impressive. 
Clearly they are not the only one--those are starting to grow, 
both in numbers and competency. It offers the very thing that I 
opened up with. People want to live where they want to live, 
and do the work that they want to do. I think it also gets 
after the comment that the Senator asked about, how do you 
retain that talent in the state? In your state, for example, 
Hawaii, that is certainly one way to get after that. It offers 
the financial incentives that go after that.
    But nobody knows your local territory like your Guard. So 
if you think about, you know, election security and the 
infrastructure involved with that state, they know their 
infrastructure better than most.
    So I think that there is a lot of room for both Guard and 
Reserves, to get after your comment on integrating, resilience, 
and that additive feature that appears to be very attractive to 
many. I believe we need more Guard units, specifically with a 
cyber competency, maybe even as a standalone entity, as a 
specialty, would be my opinion on that.
    Senator Gillibrand. Can you please make sure that is 
addressed in the report that is forthcoming?
    Then just one last question for Mr. Sherman and Ms. Hinton, 
and maybe, again, Lieutenant General Crall. This is about the 
private sector and just enhancing our relationship.
    Your opening statement cited the emerging practice of 
private industry to create a human supply chain by partnering 
with universities to supply a ready supply of talented and 
trained individuals into all our cyber forces. Should the DOD 
seek to establish such a reserve via partnerships like the 
private sector, in doing with the nation's colleges and 
universities, and what should that system look like? For 
anyone.

    Ms. Hinton. The Department agrees that it needs the 
flexibility to more rapidly pull from a source of highly 
qualified candidates in the cyber career field to meet mission 
needs. The Department has concerns and recommendations for 
consideration in establishing any such system:
      A civilian cyber reserve system may be 
counterproductive to the Department's efforts to recruit and 
retain professionals in the military reserve, whose cyber 
mission force supports current DoD mission requirements. Such a 
system may also have an effect on the Department's ability to 
recruit career civilian employees to support enduring DoD 
mission requirements. Accordingly, any reserve system must be 
carefully explored to ensure it not only addresses gaps but 
also complements on-going efforts to cultivate the cyber 
workforce.
      Without corresponding incentive structures, as 
well as employer support similar to that afforded to military 
reserve personnel, there is not enough data to assess that 
cyber professionals in private industry would be attracted to 
short-term government work without guaranteed re-employment, 
retention of benefits, and future opportunities.

    Mr. Sherman. I think we could certainly take that on board 
to consider how formalized that should be. As Senator Hawley 
was asking, I was going to pile onto one other thing there 
about, there is not an adversarial relationship. There is a 
very symbiotic relationship right now with much of industry, in 
terms of the tech sector and in terms of support for what we 
are trying to do. Now, there is high competitiveness for those 
very in-demand skill sets, but recognizing the national 
security roles, when folks come in here for a few years and 
then maybe go back out to industry and so on.
    In terms of special authorities, ma'am, we will have to 
take that on board to think about that, but it would also just 
be us, back to the original point a few minutes ago, 
recognizing the permeability of folks coming in and out. 
Whether that requires special authorities or not, we will 
definitely take that on board, and whether that requires 
anything special, vis-a-vis industry, we would have to 
consider. So thank you for the question.
    Ms. Hinton. Yes, ma'am. Thank you for the question. I agree 
with Acting CIO Sherman. We will take it for the record, to 
look at the authorities that we have and the authorities we may 
need. We have had conversations around the notion of opening up 
pathways for individuals to come in and out of service. You 
know, whether or not that translates into a civilian reserve 
corps of individuals to fill talent gaps is a conversation we 
are having right now, and we can come back to you with further 
information.
    Senator Gillibrand. Thank you, everyone, for participating. 
Senator Tillis, do you have anything else?
    Senator Tillis. Thank you very much. We appreciate your 
answers to questions, and again, we will submit a few for the 
record. But thank you for being here. Thank you for having this 
hearing.
    Senator Gillibrand. Thank you for your dedication. 
Adjourned.
    [Whereupon, at 3:53 p.m., the Subcommittee adjourned.]