[Senate Hearing 117-930]
[From the U.S. Government Publishing Office]
S. Hrg. 117-930
CYBERSECURITY OF THE DEFENSE
INDUSTRIAL BASE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY
of the
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
MAY 18, 2021
__________
Printed for the use of the Committee on Armed Services
Available via: http://www.govinfo.gov
_______
U.S. GOVERNMENT PUBLISHING OFFICE
59-478 PDF WASHINGTON : 2025
COMMITTEE ON ARMED SERVICES
JACK REED, Rhode Island, Chairman
JEANNE SHAHEEN, New Hampshire
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut
MAZIE K. HIRONO, Hawaii
TIM KAINE, Virginia
ANGUS S. KING, Jr., Maine
ELIZABETH WARREN, Massachusetts
GARY C. PETERS, Michigan
JOE MANCHIN III, West Virginia
TAMMY DUCKWORTH, Illinois
JACKY ROSEN, Nevada
MARK KELLY, Arizona
JAMES M. INHOFE, Oklahoma
ROGER F. WICKER, Mississippi
DEB FISCHER, Nebraska
TOM COTTON, Arkansas
MIKE ROUNDS, South Dakota
JONI ERNST, Iowa
THOM TILLIS, North Carolina
DAN SULLIVAN, Alaska
KEVIN CRAMER, North Dakota
RICK SCOTT, Florida
MARSHA BLACKBURN, Tennessee
JOSH HAWLEY, Missouri
TOMMY TUBERVILLE, Alabama
Elizabeth L. King, Staff Director
John D. Wason, Minority Staff Director
____________
Subcommittee on Cybersecurity
JOE MANCHIN III, West Virginia, Chairman
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut
JACKY ROSEN, Nevada
MIKE ROUNDS, South Dakota
ROGER F. WICKER, Mississippi
JONI ERNST, Iowa
MARSHA BLACKBURN, Tennessee
C O N T E N T S
____________
May 18, 2021
Cybersecurity of the Defense Industrial Base
Member Statements
Statement of Senator Joe Manchin III
Statement of Senator Mike Rounds
Witness Statements
Salazar, Jesse, Deputy Assistant Secretary of Defense for Industrial Policy
Chase, Rear Admiral William, III, Deputy Principal Cyber Advisor to the Secretary of Defense, Director of Protecting Critical Technology Task Force
Questions for the Record
CYBERSECURITY OF THE DEFENSE
INDUSTRIAL BASE
----------
TUESDAY, MAY 18, 2021
United States Senate,
Subcommittee on Cybersecurity,
Committee on Armed Services,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:28 p.m. in
room SR-222, Russell Senate Office Building, Senator Joe
Manchin III (Chairman of the Subcommittee) presiding.
Subcommittee Members present: Senators Manchin, Gillibrand,
Blumenthal, Rosen, Rounds, Wicker, Ernst, and Blackburn.
OPENING STATEMENT OF SENATOR JOE MANCHIN III
Senator Manchin. We are going to welcome our Members and
our two witnesses and I have called this hearing to update the
subcommittee on the Department of Defense's (DOD) efforts to
improve the cybersecurity of the Defense Industrial Base (DIB).
The Defense Industrial Base cybersecurity is a broad and
complex undertaking with many significant facets that need to
be examined today. For instance, the Cybersecurity Maturity
Model Certification, or the CMMC for short, is intended to
establish a minimum guideline for DOD's industrial base
partners as to what standards must be met to conduct business
with the DOD. Section 1648 of the National Defense
Authorization Act (NDAA) for fiscal year 2020 directs the
DOD to establish a framework for the cybersecurity of the
Defense Industrial Base (DIB) which included numerous elements
and options for the Department, beyond just the CMMC
initiative.
In addition to section 1648, this subcommittee has enacted
a dozen or more legislative provisions relating to the
industrial base cybersecurity in the last several years,
including recommendations from the Cyberspace Solarium
Commission. Of particular interest to me is how DOD is going to
hold prime contractors accountable for the cybersecurity performance of
their subcontractors in the conduct of the programs for the
DOD. I have been making this point for a couple of years now
and I hope the Department has taken this to heart.
But in order to build out our cybersecurity protection with
the Defense Industrial Base, we must set a baseline of
standards with the CMMC initiative. Previously, DOD required
that companies executing Defense contracts implement a series
of control and cyber hygiene practices developed by the
National Institute for Standards and Technology. Companies were
required to certify that they met the standards or to present a
plan of action that would bring them into compliance.
Because this program involved self-certification,
compliance was suspect, and that lack of verified compliance
led DOD to propose a CMMC model. To perform contract work for
DOD, a company would have to meet one of the
five specified security maturity levels and receive a
certification to that effect.
DOD has issued a so-called interim rule under the Defense
Federal Acquisition Regulation Process and is beginning a
series of pilot programs to test and implement CMMC. CMMC is
intended to be financially self-sustaining with companies
paying for their assessments and certifications, and those
companies then recouping compliance costs as part of their cost
estimates to the DOD.
Industrial base companies, especially smaller contractors,
are very concerned about the costs involved in regular on-site
assessments, the complexity of complying with cybersecurity
practices that they have difficulty understanding and the
degree of consistency and fairness in assessing compliance
across the expected large number of assessing organizations and
many tens of thousands of other companies.
In response to those concerns, Deputy Secretary Hicks, in
March, directed an independent review of CMMC. That review was
intended to last about a month. We postponed a scheduled
subcommittee hearing in April in the hope that we would know
the results of this review on this date, May 18. Unfortunately,
we have not received the details of the review today. While the
review itself is complete, the review team's recommendations
are still being finalized and the review is officially
connected to internal deliberations and modifications to the
interim rule on CMMC.
We do understand, however, that Secretary Hicks will be
making significant modifications to the program. I hope that
what we hear today will be welcome to Congress and the Defense
Industrial Base, particularly, our small businesses. In
addition to your updates on this CMMC review, I hope to hear
concrete plans for how each of you plan to ensure our entire
Defense Industrial Base receives the support and guidance they
need to keep our warfighters well supplied and safe.
The relationship between DOD and its private industry
contractors should be the gold standard for cybersecurity
across the Federal Government and provide an example to other
Federal Agencies who secure private critical infrastructure. I
know this hearing is focused on Defense Industrial Base today,
but improving cyber defense is only one side of the coin in our
cyber posture.
From the quarterly updates the subcommittee receives on
cyber operations, it appears to me that DOD is doing an
excellent job at taking the fight to our adversaries, but what
concerns me is our inability to know exactly what groups are
posing a threat to industry so that we can adequately monitor,
intercept, and if required, target them. I make this point
because I am worried about the lack of a formalized and
concerted whole-of-government response to both foreign and
domestic cyber threats and the lack of authority in a central
figure to give these threats the attention they deserve.
The Colonial Pipeline hack is only a recent public example
of the threats we face on a daily basis. In order to increase
our federal coordination, and I know this is not a perfect
comparison, I look at the examples set by a position such as
the Director of National Intelligence, which has crucial
awareness and the opportunity to coordinate the intelligence
efforts of 17 independent agencies. We have yet to see how
successful the national cyber director will be in their role,
but it seems to me that each department in the Federal
Government must reinvent the wheel every time a cyber event
happens, which costs us time that we could be using to respond,
let alone the ability to be aware of the threat before its
impacts are critical to our infrastructure.
I am well aware that this falls a bit out of the
jurisdiction of this subcommittee, but it is imperative that we
are coordinating as seamlessly as possible with private
industry, and I believe DOD is on the way to developing a
scalable model for that coordination.
I look forward to working with my colleagues to identify a
pathway forward to provide better congressional oversight on a
whole-of-government approach on our cyber vulnerabilities.
With that, I am going to ask my friend Senator Rounds for
his opening statement.
OPENING STATEMENT OF SENATOR MIKE ROUNDS
Senator Rounds. Senator Manchin, thank you.
I would also like to thank our witnesses, Mr. Jesse Salazar
and Rear Admiral William Chase, for appearing before us today
to discuss this important topic.
Our hearing today addresses an issue of great concern to me
that our subcommittee has been focusing on for the last several
years: the cybersecurity of the Defense Industrial Base. Over
the last few years, our subcommittee has held several hearings
on this topic and we have included many legislative provisions
in both the fiscal year 2020 and fiscal year 2021 National
Defense Authorization Acts.
We have heard from the Defense Industrial Base and outside
experts who presented a number of concerns that they had with
the Department policy. Two years ago on April 10, 2019, the
subcommittee held a classified hearing with the Department of
Defense witnesses on Defense Industrial Base cybersecurity
policy. Unfortunately, we still face many of the same problems
today that we faced back then.
In looking back at my opening remarks from that hearing,
many of the comments I made are still very much relevant to
today's hearings, so I will reiterate those comments in my
public statement here today. I think you will find that they
mirror what Senator Manchin has indicated earlier.
Our adversaries have realized that targeting the vulnerable
contract base is an extremely profitable enterprise and an
alternate method to accessing valuable Department of Defense
information. As a result, Russia and China are stealing
critical design secrets effectively subsidizing their own
defense involvement.
Over the last few years, we have arrived at a few
conclusions. First, this is an immensely complex issue that
will require a number of small solutions, implemented by a
number of different entities across the Department and the
Defense Industrial Base. Second, verifying compliance with a
security checklist or certification, like the Cybersecurity
Maturity Model Certification, or CMMC, being developed by the
Department of Defense, while useful, is not a complete solution
to the problem.
I am concerned that this approach does little to help
businesses meet those standards and certification. It does not
account for the particulars of the threat and does not help
businesses prioritize personnel or investments.
Third, the Defense Industrial Base must help smaller
businesses with the protection of DOD data from malicious cyber
actors. The Department cannot simply burden its contractors
with increasingly stringent cybersecurity requirements. Doing
so, without subsidy or assistance, is unlikely to particularly
improve the cybersecurity of the Defense Industrial Base and
will likely drive the most innovative small businesses away
from doing business with the Department.
Finally, any solution must emphasize reducing the attack
surface of these companies. I see no reason why, for example,
smaller contractors at the base of the supply chain, have
substantial amounts of classified or controlled unclassified data
about the larger program. We need to look at implementing
concepts that reduce the most common cybersecurity risks and
attack vectors.
The Fiscal Year 2020 NDAA included a comprehensive
provision that we led, requiring the Department to develop a
Defense Industrial Base cybersecurity framework that includes a
wide-ranging set of elements, beyond just CMMC.
I look forward to hearing today what the Department is doing
to address each of those required elements. I am eager to hear
from each of you about the Department's efforts in this area
and encourage you to discuss the Department's current and
planned efforts. I also am interested in hearing what Congress,
this subcommittee in particular, can do to help in these
efforts.
Thank you for your willingness to testify today. I look
forward to our conversation.
Senator Manchin. Thank you, Senator Rounds.
I will now introduce our witnesses. First, we are joined
today by Mr. Jesse Salazar, who, about 3 months ago, was
appointed as the Deputy Assistant Secretary of
Defense for Industrial Policy within the office of the Under
Secretary of Defense for Acquisition and Sustainment. This is
Mr. Salazar's first visit to the Armed Services Committee, so
welcome, Mr. Salazar.
Our other witness is Rear Admiral William Chase, who was
recently promoted to two-star rank. Congratulations. Admiral
Chase serves as the Deputy Principal Cyber Advisor to the
Secretary of Defense and Director of Protecting Critical
Technology Task Force. Admiral Chase has testified before the
committee multiple times on cybersecurity.
I want to thank both of you for appearing today and for
your service to our Nation. Mr. Salazar, we will begin with
your opening statement.
STATEMENT OF JESSE SALAZAR, DEPUTY ASSISTANT SECRETARY OF
DEFENSE FOR INDUSTRIAL POLICY
Mr. Salazar. Chairman Manchin, Ranking Member Rounds, thank
you for the opportunity to testify on the importance of
mitigating cybersecurity risk within America's defense
industrial base, or DIB.
Because of its sophistication, diversity, and capacity to
innovate for the warfighter, the U.S. Defense Industrial Base
remains the envy of the world. Every day, people across this
country are designing and manufacturing the capabilities that
ensure our armed forces have every advantage they need. We must
do everything we can to protect these hard-working,
entrepreneurial companies and workers.
Increasingly sophisticated cyberattacks, including state-
sponsored espionage are threatening the U.S. and the rules-
based economic order. That is why DIB cybersecurity is and will
remain a top priority for U.S. defense industrial policy. I
consider this committee to be a critical partner in these
efforts.
Recent examples of malicious cyber activity such as the
Colonial Pipeline ransomware attack and SolarWinds espionage
campaign have shown that our adversaries continue evolving. The
complexity and size of the DIB offers numerous pathways for
adversaries to access sensitive systems and information.
We are in the dawn of the fourth industrial revolution,
which will create more than 64 billion Internet-of-Things (IOT)
devices by 2025. Today, the average American aerospace company
has more than 12,000 companies in its supply chain, most of
which are small businesses.
Having spent my career in the private sector, I can attest
that these small businesses work hard to stay profitable. Few
have a full-time information technology (IT) or cybersecurity
professional on staff, increasing the likelihood that predatory
cyber actors will target them.
Enabled by recent legislation from Congress, the DOD has
designed a multifaceted cybersecurity framework to frustrate,
disrupt, and defeat adversaries' efforts to infiltrate DIB
companies. I recently assumed oversight of one component of
this expansive effort, the Cybersecurity Maturity Model
Certification program, which incorporates cybersecurity into
the Defense Acquisition System.
The CMMC framework has three broad objectives. The first,
to incorporate a unified set of cybersecurity requirements into
acquisition processes and contracting language. Second, to hold
primes accountable and provide the Department assurance, via
external assessment, that contractors and subcontractors meet
DOD's security requirements. Third, to support businesses with
resources, information, and training to improve DIB cyber
readiness.
CMMC represents a major leap forward in the Department's
approach to cybersecurity and underscores our commitment to
accountability in the DIB. That is why we published an interim
Defense Federal Acquisition Regulation Supplement (DFARS) rule
establishing CMMC in November 2020. The Department has received
more than 850 comments in response; in addition, my Acquisition
and Sustainment (A&S) colleagues have hosted more than a
thousand conversations on cybersecurity with Congress, DIB
companies, industrial associations, international partners, and
allies.
I am grateful to the organizations and individuals who gave
such a high volume of feedback on the regulatory and
programmatic way forward. In March, A&S, under the direction
of Deputy Secretary Hicks, initiated an internal assessment of
the CMMC, which is common for major programs to help us refine
our policy and program implementation.
I want to underscore with this subcommittee that we
are listening to the feedback we are receiving on the CMMC
program. The rule-making process around programs such as this
typically takes a year. As we adjudicate inputs in the months
ahead, the Department is guided by the following policy
considerations. First, we are really focused on managing costs
of cybersecurity for small businesses.
In my role, I also oversee the Office of Small Business
Programs, so I can say with certainty that small businesses are
under immense market pressures. The number of DIB small
businesses has shrunk by more than 40 percent over the last
decade. After the pandemic, one in seven small businesses
within the DIB says that they are unlikely to return to pre-
pandemic profitability.
Second, we aim to clarify cybersecurity regulatory policy
and contracting requirements. The Department's requirements are
complex and challenging to navigate. We want to de-conflict and
streamline them to add clarity.
Our third consideration is that we will reinforce trust and
confidence in the maturing CMMC assessment ecosystem. The
Department is ensuring that we can operationalize our
requirements through a sufficient number of assessors. The DOD
must also clearly define roles and responsibilities, standards
of conduct, and audit mechanisms within the external assessment
ecosystem.
Finally, the DOD is exploring initiatives complementary to
CMMC that expand and increase the DIB's access to cyberthreat
information sharing programs, cybersecurity as a service
program, such as protective Domain Name System (DNS), and
education and training programs. We seek great value and
resources to help small businesses improve their cyber
readiness.
Ultimately, the Department's goal is to ensure that the DIB
embeds cybersecurity into core operational and business
practices to build a culture of cybersecurity that keeps pace
with rapidly evolving threats. Cyberspace has never been more
important than it is today. The United States of America does
not get dissuaded by the perseverances of the challenges we
face; we always rise to meet any and all threats to the Nation.
Thank you for your time and I look forward to your questions.
[The statement of Mr. Salazar follows:]
Prepared Statement by Mr. Jesse Salazar
Chairman Manchin, Ranking Member Rounds, and distinguished Members
of the Cybersecurity Subcommittee, thank you for the opportunity to
testify on the importance of mitigating cybersecurity risk within
America's defense industrial base (DIB). I am pleased to be here with
Rear Admiral Bill Chase, Deputy Principal Cyber Advisor to the
Secretary of Defense. I assumed the position of Deputy Assistant
Secretary of Defense for Industrial Policy three months ago with an aim
to build a healthier and more resilient industrial base that deters
conflict, protects our national security, and enables global economic
leadership.
The U.S. defense industrial base remains the envy of the world
because of its sophistication, diversity, and capacity to innovate for
the needs of the warfighter. Every day, people across this country are
working to ensure that our armed forces have every advantage they need.
In my role, I work with colleagues across the Department to ensure
that we are meeting our responsibility to protect American industrial
capabilities and the companies and people that make them possible.
Increasingly sophisticated, well-resourced, and pervasive cyber-
attacks, including state-sponsored espionage, are threatening the
United States and the rules-based order on which the global economy
relies. That's why DIB cybersecurity remains a top priority. I consider
this Committee to be a critical partner in these efforts.
CURRENT THREAT LANDSCAPE
Recent examples of malicious cyber activity have shown that our
adversaries are evolving their exploitation of cyberspace to steal
sensitive, albeit unclassified, information from the government and the
industries who make our work possible. Fallout continues from Russia's
SolarWinds cyber espionage campaign that breached 16,800 users through
exploitation of what was observed to be a routine software update.
Advanced persistent threat groups have recently attacked U.S. defense
targets through security flaws in VPN devices and email exchange
servers.
Highly capable and motivated adversaries are maneuvering to
infiltrate where they can, especially where they see weak links in the
supply chain. Protecting the complex network of interconnected firms
that comprise the defense industrial base has never been more
challenging. The average American aerospace company today has about 200
tier 1 suppliers. The second and third tiers of the supply chain may be
comprised of more than 12,000 companies, offering numerous pathways for
adversaries to access sensitive private and public sector information.
Nearly all firms in the third and fourth tiers of the supply chain, or
74% of the defense industrial base, are small businesses according to
the Department's contracting data.
Having worked in the private sector, I can attest that these small
businesses work hard to stay profitable. Few, if any, have a full-time
IT or cybersecurity professional on staff. Predatory cyber actors are
more likely to target these smaller firms to gain access--a task which
they find more difficult with larger contractors. Moreover, we are in
the dawn of the Fourth Industrial Revolution, so entry points into the
defense industrial base are multiplying as firms invest in more digital
capabilities, from cloud-based data management platforms to IoT-enabled
factories to remote-work technology. The same pace of technological
advancement and digital connectivity that contributes to America's
global military edge is also challenging us in cyberspace.
A 2020 CSIS-McAfee report estimated that global losses from
cybercrime now total over $1 trillion annually. Nearly 80% of senior IT
and security leaders believe their organizations lack sufficient
protection against cyberattacks, despite increased IT security
investments made in 2020. In fact, the number of breaches in 2020 set a
record, hitting a level greater than the previous 15 years combined. On
average, data breaches cost companies nearly $4 million in 2020, and
resulted in increased downtime, reduced efficiency, and long-term
reputational damage.
To frustrate, disrupt, and defeat adversaries' efforts to
infiltrate our cyberspace, the Department must ensure that the DIB
continues to build cyber resilience. Our challenge is to determine how
to prioritize limited resources to manage cyber risk across the entire
attack surface--from the Department and the primes to the
subcontractors delivering major weapons systems and small businesses
that manufacture components. To protect the whole supply chain, the DOD
must promote a culture of cyber-resilience by including requirements
for appropriate and effective cybersecurity measures in our contracts
and ensuring that these contractual requirements are being met. Because
of the national security interests at stake, we will continue seeking
assurances that firms are meeting these requirements and safeguarding
the controlled unclassified and classified national security
information entrusted to them. A combination of education, information-
sharing, and cybersecurity tools and services at a reasonable cost can
help us achieve these aims, especially for small- and medium-sized
businesses.
CYBERSECURITY MATURITY MODEL CERTIFICATION PROGRAM
As Rear Admiral Chase outlines in his testimony, the Department has
numerous programs and thousands of personnel working to improve the
cybersecurity posture of the DIB. I have recently assumed oversight of
one key component of this expansive effort: the Cybersecurity Maturity
Model Certification program (CMMC). CMMC operationalizes the
Department's commitment to incorporate cybersecurity into the defense
acquisition system, with a focus on protecting controlled unclassified
information, particularly the controlled technical information, which
makes our warfighting advantages possible. As this sub-committee has
underscored through its leadership and legislation, security is
foundational to acquisition and should not be traded along with cost,
schedule, and performance.
In connection with the CMMC program, the Department has put in
motion a substantial effort to update acquisitions processes and
practices to manage information and associated cybersecurity
requirements at all levels in the supply chain, from the prime
contractors down to the smallest firms delivering component parts.
Developed in coordination with DOD stakeholders, University Affiliated
Research Centers (UARCs), Federally Funded Research and Development
Centers (FFRDC), and industry, the CMMC framework has three broad
objectives that are critically important to the protection of sensitive
information:
1. To incorporate a unified set of cybersecurity requirements into
acquisition processes and contracting language. Recognizing that
cybersecurity should not be "one-size-fits-all," the program includes
several levels of cyber requirements that allow flexibility to apply
requirements appropriate to the defined sensitivity level of
information at issue.
2. To provide the Department assurance, via external assessment,
that all contractors and subcontractors participating in a given award
meet mandatory cybersecurity requirements. The certification framework
also facilitates the Department's ability to hold prime contractors
accountable for ensuring that their suppliers are, in fact,
implementing appropriate cybersecurity requirements.
3. To develop supporting resources, information, and training to
help contractors improve cyber readiness and comply with the
Department's requirements.
The CMMC program represents a major leap forward in the
Department's approach to cybersecurity, and it has already led to DIB
companies taking action to improve their cybersecurity posture.
In contrast to self-attestation, CMMC enables increased visibility
into whether cybersecurity requirements are being met and passed on to
subcontractors, requires discipline and awareness around the type of
information that is flowed down through the supply chain, and provides
the Department with a mechanism to ensure that contractual
cybersecurity requirements are fulfilled.
As the Department's most ambitious cybersecurity program for the
DIB to date, CMMC also raises additional policy and implementation
considerations. I am grateful to the organizations and individuals that
submitted more than 850 comments in response to the DFARS interim rule
establishing CMMC. In addition, my office has hosted more than a
thousand conversations with members of Congress and Congressional
staff, DIB companies and industry associations, and international
allies and partners to understand further the challenges and
outstanding questions the Department must address in navigating a path
forward on DIB cybersecurity. In March, Deputy Secretary Hicks directed
an internal programmatic assessment of CMMC which engaged cybersecurity
and acquisitions stakeholders from across the Department to complement
the feedback we have received from external stakeholders. Our completed
`pathfinders' and upcoming pilot development phase will further help us
understand the best ways to achieve our goals through program
implementation.
The Department is currently working with internal stakeholders on
adjudicating these inputs.
Our outreach and analysis on the best pathways to implement the
policy objectives of CMMC are ongoing, and we will continue to engage
with Congress, industry, international partners, and other stakeholders
as we chart the way forward. I, along with senior colleagues in the
Department, am particularly focused on the following policy
considerations:
1. Managing costs of cybersecurity for small businesses
About three-quarters of the DIB is comprised of small businesses
that produce many innovative capabilities and emerging technologies.
This segment is already under immense pressure - according to federal
procurement data, the number of small businesses in the DIB has shrunk
by more than 40% over the last decade against the prevailing forces of
consolidation and concentration among defense contractors. Small
businesses have told us loud and clear that they face additional
resiliency issues in the face of COVID-19. According to a Defense One
survey, one in seven believe they will never return to pre-pandemic
levels of business performance. The Department's approach to
cybersecurity must balance the need for accountability with a
recognition of the challenges facing small businesses.
2. Clarifying cybersecurity regulatory, policy, and contracting
requirements
As part of the CMMC certification process, the Department needs to
de-conflict and streamline multiple cybersecurity requirements to
prevent duplicative assessments. This includes providing clear guidance
on the alignment of the NIST SP 800-171 DOD Assessment Methodology and
CMMC, as they pertain to safeguarding controlled unclassified
information (CUI), as well as the requirements and assessment approach
for contractors that use cloud service provider offerings. Moreover,
the Department is committed to working with our allies and
international partners to better understand how the CMMC framework
compares with other nations' cybersecurity requirements and better
align these requirements to help protect the Department's mission
critical supply chain.
3. Reinforcing trust and confidence in the maturing assessment
ecosystem
CMMC's implementation process, which requires companies to obtain a
cybersecurity certification once every three years, is an important,
first-of-its-kind effort to validate that the DIB is meeting the
requisite security requirements. The Department must ensure that we can
operationalize our requirements by confirming there are sufficient
numbers of assessors to deliver independent, rigorous, and timely
assessments to support our acquisition requirements. Further, the DOD
must ensure there are clearly defined roles and responsibilities,
standards of conduct, and audit mechanisms governing relationships with
private sector entities within the external assessment system.
BROADER EFFORTS TO PROTECT THE CYBERSECURITY OF THE DEFENSE INDUSTRIAL
BASE
In addition to CMMC, which is primarily focused on holding
companies accountable for the implementation of rigorous cybersecurity
programs, the Department is pursuing a number of complementary
initiatives that enable and support companies in meeting our
requirements. To help address some of the challenges I laid out above
regarding cost and implementation, and particularly to support small
businesses to shore up their cyber defenses, my office is exploring, in
partnership with Rear Admiral Chase, how we can expand and increase DIB
firms' access to:
Education and training programs such as Project Spectrum.
Supported by the Industrial Policy office, this program offers
cybersecurity online courses, training videos, risk assessments, and
other resources to help small companies improve cyber readiness and
comply with DOD requirements.
Cyber threat information sharing programs such as the
Defense Industrial Base Cybersecurity (DIB CS) program, which
crowdsources information about cyber incidents from individual DIB
companies and provides centralized threat analysis back to the DIB in
order to reduce collective risk.
Cybersecurity-as-a-service programs, such as ``Protective
DNS'', as described in detail by Deputy PCA Chase, and the Cyber
Resilience Analysis program (CRA). CRA is managed by the Department of
Defense Cyber Crime Center (DC3) and conducts facilitated assessments
of DIB firms to assist in reviewing and assessing cyber threats when
requested.
Ultimately, the Department's goal is to ensure that all members of
the defense industrial base, from the largest prime to the smallest
business, embed cybersecurity into core operational and business
practices and build a culture of cybersecurity and cyber resilience to
keep pace with the rapidly evolving threat.
path forward
I, along with other senior leaders in the Department, am devoted
to further strengthening and operationalizing this program.
Over coming weeks and months, we will incorporate the inputs we
have received with an eye toward continually increasing DIB
cybersecurity, minimizing barriers for small businesses, maintaining
public trust, and operationalizing this vital effort. Our adjudication
of these inputs will be guided by two central principles.
First, we will continue to emphasize requirements to protect
controlled unclassified information that is shared with and developed
by the DIB. The Department should be resolute in its commitment to
safeguarding warfighters and the systems they need to win.
Second, we will seek ways to implement these requirements without
creating unnecessary barriers to entry or costs that discourage the
most innovative companies from joining the DIB. By working with
industry, Congress, international partners, and other key stakeholders
inside and outside the Department, we will continue to strengthen this
program with an aim to frustrate, disrupt, and defeat our adversaries'
efforts in cyberspace.
Cyberspace has never been more important, nor more contested, than
it is today. Together, we face an enormous challenge in securing the
DIB in the cyber domain. Still, the United States of America does not
get dissuaded by the prevalence of the challenges we face; we always
rise to meet any and all threats to the Nation.
Thank you for providing me an opportunity to testify before you
today. I look forward to your questions.
Senator Manchin. Admiral?
STATEMENT OF REAR ADMIRAL WILLIAM CHASE III, DEPUTY PRINCIPAL
CYBER ADVISOR TO THE SECRETARY OF DEFENSE, DIRECTOR OF
PROTECTING CRITICAL TECHNOLOGY TASK FORCE
Admiral Chase. Thank you, Chairman Manchin, Ranking Member
Rounds. Thank you, again, for your invitation to appear again
before this subcommittee.
I am here today as the Deputy Principal Cyber Advisor to
the Secretary of Defense representing my civilian senior, the
acting principal cyber advisor, who is responsible for driving
implementation of the DOD's cyber strategy, oversight of U.S.
Cyber Command, manning, training, and equipping issues, and
pursuant to section 1724 of the Fiscal Year 2021 NDAA, serving
as the coordinating authority for the Defense Industrial Base
cybersecurity.
My remarks today reflect two complementary imperatives:
first, the need to improve the Defense Industrial Base's
cybersecurity across the board from small to large and also its
scale, and the need to focus protection resources on programs
of particular importance.
Neither the Department, nor the Defense Industrial Base may
ever be able to completely secure industry's networks and
controlled information, but our goal must be to complicate and
frustrate adversary planning and operations, such that they
cannot conduct them with impunity or at scale. To accomplish
this objective and address these imperatives, the Department is
taking a multifaceted approach, including holding Defense
Industrial Base companies accountable to cybersecurity
requirements, rapidly moving out on activities to
systematically disrupt cybersecurity espionage and sabotage
through partnerships with cybersecurity, IT, and internet
communications companies, prioritizing and expanding information
sharing, exploring direct provisioning of cybersecurity
capabilities, and on focused counterintelligence and program
protection efforts.
Jesse Salazar spoke to the Cybersecurity Maturity Model
Certification program. I will focus on some of the other
Defense-wide and pilot efforts that the Department is
undertaking, many of which are referenced in section 1648 of
the 2020 NDAA, which laid out a set of potential programs for
the Department to implement to protect the Defense Industrial
Base.
On partnerships and information sharing, the Department is
exploring means to disrupt adversary espionage by leveraging
the unique information available to the Government and the
Defense Industrial Base, specifically, the Department is
working on sharing threat data with major service providers
across the cybersecurity, IT, and internet industries to help
these companies detect and disrupt cyber activities before they
reach the Defense Industrial Base networks.
This approach, by bolstering the core services and internet
intermediaries will add a layer of protection, not only to the
Defense Industrial Base, but to the broader customer base, the
American people. The Defense Cyber Crime Center's threat
sharing program, which focuses on Defense Industrial Base
companies is also currently under expansion. While this program
was originally designed to share indicators of compromise and
malware analysis services with cleared Defense contractors,
meaning those members of the industrial base that have security
clearances and access to classified information, the Department
of Defense Chief Information Officer (CIO) is working to amend
relevant regulations so as to allow inclusion of non-cleared
Defense contractors, enabling small- and medium-sized
companies to receive the same signatures, indicators of malign
IP addresses and threat advisories that the larger, cleared
primes receive as part of the program.
The Defense Cyber Crime Center is also expanding other
services available to the DIB piloting efforts such as
penetration testing to address contractors' external-facing
vulnerabilities, as well as an adversary emulation program.
The National Security Agency is conducting a number of
pilots, leveraging their authorities to share unique, actionable
threat information and cybersecurity guidance with the members
of the DIB and their service providers and to provide unique
cybersecurity capabilities to the DIB, among the most promising
of which is the provision of free and secure Domain Name System
lookup services to the DIB. The Domain Name System is colloquially
referred to as the phone book of the internet, translating
readily remembered website names to IP addresses, appropriate
for internet routing.
The NSA is offering a cybersecurity service called
protective DNS, or PDNS, in partnership with an advanced
commercial DNS provider and is currently enrolling members of
its industrial base. This capability combines a commercial DNS
sensor architecture with real time analytics to quickly
understand malicious activity targeting the DIB and to deploy
immediate countermeasures.
Not all of these technical concepts demand the Defense
Cyber Crime Center, NSA, or Government providing such services.
The primes, through the Defense Industrial Base Sector
Coordinating Council, are also piloting a number of concepts
that could be applied across their supply chains, including the
provisioning of secure messaging, secure cloud environments,
and sensors for subcontractor networks.
We must continue to pilot these concepts of operation and
capabilities and then scale the successful ones. The direct
provisioning of cybersecurity capabilities to contractors,
including the provision of secure environments for development
and the storage of controlled, unclassified information is
incredibly promising.
The Department of Defense counterintelligence community,
specifically, the Defense Counterintelligence and Security Agency,
and the military Department counterintelligence organizations
are also making significant progress in reducing cyber threats
to the DIB. Each entity is growing and improving its programs
and posture to counter the cyber threat, proactively detecting
adversary cyber activities, working with partners in the IC
to address intelligence gaps, and integrating law enforcement and
counterintelligence situational awareness and operations.
I am particularly impressed by the growth of the Defense
Counterintelligence and Security Agency, which not only runs the
National Industrial Security Program, that ensures physical and
cybersecurity of our cleared defense contractors, but also is
leading programs in cyber counterintelligence and supply chain
risk identification, including data analysis programs that
provide impressive visibility of adversary cyber operations.
Progress in the Defense Industrial Base cybersecurity is
also being driven through program protection efforts and from
acquisition program offices in industry. The Department is
currently refining its supply chain risk management and program
protection efforts, including leverage available to program
managers to shape prime and subcontractor behavior in
protecting their programs. The prime contractors, in addition
to conducting the pilots mentioned earlier, have been key
partners in reinforcing their own supply chain security
programs, standing up resources, such as secured messaging, and
making them available to their subcontractors.
The Department relies on the primes to ensure the sanctity
and operational security of critical information germane to its
programs through close coordination, cyber conscious program
management, and the establishment of appropriate incentives.
Thank you for providing me the opportunity to testify
before you today and we look forward to your questions.
[The statement of Admiral Chase follows:]
Prepared Statement by Rear Admiral William Chase
Chairman Manchin, Ranking Member Rounds, thank you for your
invitation to appear again before this subcommittee. The last time I
was in the Senate, I provided testimony on the Department's zero trust
cybersecurity initiative. Today, I am here as the Deputy Principal
Cyber Advisor to the Secretary of Defense, representing my civilian
senior, the Principal Cyber Advisor, who is responsible for driving
implementation of the DOD Cyber Strategy, oversight of U.S. Cyber
Command, and, pursuant to section 1724 of the National Defense
Authorization Act for fiscal year 2021, serving as the coordinating
authority for Defense Industrial Base, or DIB, cybersecurity.
My remarks today reflect two complementary imperatives: the need to
improve DIB cybersecurity across the board and at scale and the need to
focus protection resources on programs of particular importance. The
Department has many programs and thousands of personnel working on DIB
cybersecurity in some form or fashion. Today, I will cover a slice of
the policies, plans, and activities that are making an impact and the
actions that we are taking both to raise the costs of committing cyber
espionage and actively defend the Department's most critical programs
and technologies. Neither the Department nor the DIB will ever be able
to secure industry's networks and controlled unclassified information
completely, but our goal over the short, medium, and long terms is to
complicate and frustrate adversary planning and operations so that our
adversaries cannot act with impunity or at scale.
Since at least 2006, the Department has recognized and taken action
to diminish the threat of adversary cyber espionage of the Defense
Industrial Base. Still, that threat continued to grow, and, in 2018,
the Department of Defense faced a threat to its military advantage by
determined adversaries and their intent to steal plans, documentation,
designs, and intellectual property for key weapon systems. Our
adversaries had limited access to key networks on the well-defended
Department of Defense Information Network (DODIN) but were considerably
more successful in compromising the unclassified networks of the DIB,
particularly those of small- and medium-sized subcontractors, where
much of the same valuable data resides. Cyber espionage is, in many
cases, the preferred espionage vector for our adversaries, allowing for
persistent access to the Department's data at low-cost and permitting
remote operations at scale. Adversaries are, however, also employing
foreign intelligence officers and non-traditional collectors--using
academic researchers to gain technical insight, for example--importing
dual-use technologies, and using foreign direct investment to acquire
defense companies, promising startups, and companies adjacent to
military bases and ranges.
In response to this threat, the Department established the
Protecting Critical Technology Task Force (PCTTF) in 2018, which,
across four lines of effort, aimed to improve the cybersecurity of the
Defense Industrial Base, secure the Department of Defense research and
development enterprise, stop technology leakage through export and
foreign ownership, and impose costs on adversary intelligence
campaigns. The PCTTF, the Under Secretary of Defense for Acquisition
and Sustainment, the Under Secretary of Defense for Research and
Engineering, the Under Secretary of Defense for Intelligence and
Security, the Department of Defense Chief Information Officer, and the
Military Services all realized that the status quo means of ensuring
DIB cybersecurity and the protection of sensitive controlled
information on DIB systems were fundamentally inadequate. The Defense
Federal Acquisition Regulation Supplement was amended in 2013 to
require contractors--and subcontractors, to whom these requirements
were to be passed down--to safeguard covered defense information
residing on or transiting through a contractor's internal information
system or network and to provide adequate security for such systems,
including implementing the controls established in NIST Special
Publication 800-171. The contract clause also established reporting
requirements for cyber incidents affecting such systems or the covered
defense information therein.
These contractual requirements often appeared to be addressed in a
perfunctory manner, and the Department identified the need to enhance
DOD's ability to ensure that such cybersecurity requirements were, in
fact, being implemented. A Chief Information Security Officer position
was created within the Office of the Under Secretary of Defense for
Acquisition and Sustainment to help drive change in the way
cybersecurity risk is addressed in connection with the Department's
acquisition efforts. In conjunction with the Carnegie Mellon Software
Engineering Institute and Johns Hopkins University Applied Physics
Laboratory, the Under Secretary of Defense for Acquisition and
Sustainment created the Cybersecurity Maturity Model Certification
model, and later established the CMMC program, which involves use of
accredited and trained third-party assessors to assess contractors' and
subcontractors' cybersecurity prior to contract award. This program
addresses two critical issues: first, by only awarding contracts to
contractors with a valid CMMC certification, awarded in the last three
years, the program incents contractors to, in fact, implement needed
cybersecurity measures; and second, the program flows down the
requirements to ensure subcontractors are similarly certified.
The Chief Information Security Officer for Acquisition and
Sustainment, who is responsible for the CMMC program, reports to Mr.
Salazar as Deputy Assistant Secretary of Defense for Industrial Policy,
so I will defer to his expertise for further discussion of the CMMC.
From a cybersecurity perspective, we recognize the gap the CMMC is
intended to address and also the concerns that industry, particularly
small businesses, has raised regarding: the investments required to
achieve CMMC compliance prior to contract award; the need to deconflict
and streamline multiple cybersecurity standards and assessments; and
the uncertainty surrounding the CMMC ecosystem. Although we should not
apologize for imposing cybersecurity requirements to protect key
information regarding our warfighting systems, we must also be
pragmatic and avoid imposing unnecessary compliance costs on industry
and sacrificing innovation as a result. We must focus our attention and
resources on the supply chains of the Department's most critical
programs and program elements, systematically segmenting risk and then
limiting these programs' exposure to cyberattacks. For the DIB as a
whole, we must consider provisioning cybersecurity capabilities in
partnership with key cybersecurity, information technology, and
Internet-related players in industry.
Pursuant to these imperatives, the Department is taking a multi-
faceted approach towards ensuring the cybersecurity of the Defense
Industrial Base. DOD CIO is in the process of expanding its DIB Cyber
Security information-sharing program through the Defense Cyber Crime
Center (DC3) under the U.S. Air Force. Although this program was
designed to share indicators of compromise and malware analysis
services with cleared defense contractors--those members of the
industrial base that have security clearances and access to classified
information--the DOD CIO is working to amend relevant regulations to
expand the program to include non-cleared defense contractors, thus
enabling small- and medium-sized contractors to receive important
information, including the same signatures, malign IP addresses, and
threat advisories that the larger cleared primes receive as part of the
program. DC3 is also expanding the services available to the DIB,
piloting efforts such as penetration testing to address contractors'
external-facing vulnerabilities and an adversary emulation program.
The National Security Agency (NSA) is also conducting a number of
pilots, leveraging authorities to share unique, actionable threat
information and cybersecurity guidance with members of the DIB and
their service providers and to provide unique cybersecurity
capabilities to the DIB, among the most promising of which is the
provision of free and secure Domain Name System (DNS) lookup services
to the DIB. The DNS is colloquially referred to as the phonebook of the
Internet, translating readily remembered website names (e.g.,
defense.gov) to IP addresses appropriate for internet routing. The NSA
is offering this cybersecurity service--called Protective DNS, or
pDNS--in partnership with an advanced commercial DNS provider and is
currently enrolling members of its industrial base. This capability
combines a commercial DNS sensor architecture with real-time analytics
to quickly understand malicious activity targeting the DIB and to
deploy immediate countermeasures. The efficacy of this service has been
widely demonstrated--it does not require access to internal contractor
networks and has the potential to prevent or disrupt adversary cyber
exploitation activities.
I am especially excited about a number of these pilots in which
cybersecurity capability is directly offered to contractors and
subcontractors, because they offer the promise of cost-efficient,
scalable solutions that can be provided to contractors of any size or
profitability. Unlike approaches that depend on the DIB's sensoring,
instrumentation, configuration, and operation of cybersecurity tools on
their own networks, a number of the initiatives being piloted by the
NSA and DC3 include direct cybersecurity services provisioned and
managed by cybersecurity and IT service providers. This approach
institutionally buys down cybersecurity risk across entire industry
segments rather than relying on individual small- and medium-sized
businesses to defend their networks as if they were large prime
contractors.
Not all of these technical concepts require the government to
provide such services--industry stakeholders, through the DIB Sector
Coordinating Council, are also piloting a number of concepts that could
be applied across their supply chains, including the provision of
secure e-mail, secure cloud environments, and sensors for subcontractor
networks. We must continue to pilot these concepts of operation and
capabilities and then scale the successful ones. The direct
provisioning of cybersecurity capabilities to contractors, including
the provisioning of secure environments for development and storage of
controlled unclassified information, is incredibly promising.
The Department of Defense counterintelligence community--the
Defense Counterintelligence and Security Agency and Military Department
Counterintelligence Organizations--is also making significant progress
in reducing cyber threats to the DIB. Each entity is growing and
improving its programs and posture to counter the cyber threat,
proactively detecting adversary cyber activity, working with partners
in the Intelligence Community to address intelligence gaps, and
integrating law enforcement, counterintelligence, and intelligence
situational awareness and operations. Their technical modernization
programs are improving interoperability and collaboration across the
community through the Collect, Analyze, Disseminate, and Operationalize
initiative. This is an important and underemphasized component of the
Department's DIB cybersecurity plans, policy, and programs.
Counterintelligence has a mutually beneficial relationship with
security, and the community is investing increasingly in programs and
partnerships that allow for improved visibility of adversary activity
at scale. This progress is matched by activities across the U.S.
Government, including the NSA, the Federal Bureau of Investigation,
other elements of the Intelligence Community, U.S. Cyber Command, and
the Cybersecurity and Infrastructure Security Agency, to detect cyber
targeting and defend the DIB.
Most of the Department's programs and policies to protect the DIB
are ultimately implemented through program managers in the DOD
Components, particularly within the Military Departments and Services.
Each of the Military Services has developed programs, policies, and
guidance and apportioned resources for program managers to be able to
evaluate and address the cyber risk posed to their supply chains more
effectively. Although this progress is often invisible at the Office of
the Secretary of Defense level, it is absolutely crucial. The Military
Services--and DOD Components with acquisition authorities like the
Missile Defense Agency and U.S. Special Operations Command--ultimately
issue contracts, manage programs, and implement policy. We must ensure
that they have a clear grasp of the persistently evolving nature of the
cyber operating environment, an understanding of the types of risks
their programs and systems are subject to, and the steps they must take
to drive DIB cybersecurity.
The Under Secretary of Defense for Research and Engineering, the
Under Secretary of Defense for Acquisition and Sustainment, the Under
Secretary of Defense for Intelligence and Security, and the Protecting
Critical Technology Task Force have each played a significant role in
shifting the Department's culture and have taken a number of steps to
ensure that program managers are required and able to address
cybersecurity risks. The Under Secretary of Defense for Research and
Engineering has reinforced responsibilities and procedures for science
and technology managers and the engineering workforce. These procedures
enable and protect technology innovation in our warfighting
capabilities through superior program protection practices and secure,
cyber-resilient engineering design. The Under Secretary of Defense for
Acquisition and Sustainment has developed acquisition policy to
establish a number of program manager-specific requirements for
cybersecurity, program protection, and supply chain risk management.
The Under Secretary of Defense for Acquisition and Sustainment is also
modernizing program manager training, education, and guidebooks to
ensure that program managers account for cybersecurity in all phases of
the acquisition lifecycle. The Under Secretary of Defense for
Intelligence and Security has implemented the controlled unclassified
information program and continues to carry out assessments of cleared
defense contractors via the National Industrial Security Program. The
Protecting Critical Technology Task Force has established and
coordinated a Critical Programs and Technology list to identify clearly
and drive components to protect the Department's most important
science, technology, and acquisition programs.
Progress in DIB cybersecurity is also being driven from industry.
Industry stakeholders, including large defense prime contractors, in
addition to conducting the pilots mentioned earlier, have been key
partners in reinforcing their own supply chain security programs,
making resources available to their subcontractors, and working with
Department of Defense program managers to ensure the security of their
supply chains. The Department relies on its prime contractors to ensure
the sanctity and operational security of critical information
integrated in its programs--close coordination, cyber-conscious program
management, and the establishment of appropriate incentives are
critical.
Last year's National Defense Authorization Act requires that the
Principal Cyber Advisor serve as the coordinating authority for DIB
cybersecurity issues in the Department of Defense. This is a familiar
role for the Office of the Principal Cyber Advisor (OPCA) as the
coordinator and facilitator of numerous initiatives germane to
cyberspace, and we are excited to take it on. The OPCA will leverage
existing governance fora and coordination mechanisms to identify gaps
and redundancies across the Department's DIB cybersecurity programs and
raise barriers and critical issues to the attention of the Deputy
Secretary of Defense, the Under Secretaries of Defense, the Joint
Staff, and the Military Departments and Services so that they may
address them.
Thank you for providing me an opportunity to testify before you
today. I look forward to your questions.
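The Protective DNS service described in the Admiral's spoken remarks and in the prepared statement above works at the name-lookup step: an enrolled company's resolver queries are answered by a policy-controlled service that resolves benign names normally and sinkholes names in known-malicious zones, and the service's own query log is the analytics source, with no sensor on the contractor's internal network. The Python below is an added example of that filtering and analytics step, not code from the hearing record, the NSA, DC3, or the commercial provider. The blocked zones, the sinkhole address (a TEST-NET-1 documentation address), and the query log are constructed sample data, and the names is_blocked, apply_policy, and clients_with_sinkholed_queries are hypothetical.

```python
"""Minimal model of a protective DNS policy check and the analytics that
feed notification of an enrolled company. Added example; all data below
is constructed and all names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: a TEST-NET-1 documentation address stands in for the sinkhole.
SINKHOLE_IP = "192.0.2.1"

# Constructed blocklist of zones whose whole subtree is blocked. Real
# services load these from threat feeds; these names are invented.
BLOCKED_ZONES: Set[str] = {"malicious.example", "c2.invalid"}


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_blocked(qname: str, blocked_zones: Set[str] = BLOCKED_ZONES) -> Optional[str]:
    """Return the blocked zone that qname falls under, or None.

    Matching is done on label boundaries by walking the suffixes
    (a.b.zone -> b.zone -> zone), so 'notmalicious.example' does NOT
    match the blocked zone 'malicious.example' even though it ends with
    the same characters. A plain endswith() check gets that wrong.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_zones:
            return candidate
    return None


@dataclass
class Verdict:
    qname: str
    action: str            # "resolve" or "sinkhole"
    answer: Optional[str]  # address returned to the client
    reason: Optional[str]  # matched blocked zone, if any


def apply_policy(qname: str, upstream_answer: Optional[str]) -> Verdict:
    """Decide what the client gets back for one query.

    upstream_answer is what ordinary recursive resolution would return;
    for a blocked name it is never handed to the client.
    """
    zone = is_blocked(qname)
    if zone is not None:
        return Verdict(normalize(qname), "sinkhole", SINKHOLE_IP, zone)
    return Verdict(normalize(qname), "resolve", upstream_answer, None)


# Constructed query log: (client address, queried name, upstream answer).
SAMPLE_QUERIES = [
    ("10.0.0.5", "defense.gov.", "203.0.113.10"),
    ("10.0.0.5", "Update.Malicious.Example", "198.51.100.7"),
    ("10.0.0.9", "notmalicious.example", "203.0.113.20"),
    ("10.0.0.9", "beacon.c2.invalid.", "198.51.100.9"),
]


def process_log(queries=SAMPLE_QUERIES) -> List[Verdict]:
    """Run the policy over every logged query."""
    return [apply_policy(qname, answer) for _, qname, answer in queries]


def clients_with_sinkholed_queries(queries=SAMPLE_QUERIES) -> Dict[str, Set[str]]:
    """Analytics over the resolver's own log: which client asked for names
    in which blocked zone. This is the signal that would drive a
    notification to the enrolled company, and it needs nothing from
    inside that company's network beyond the queries it already sends."""
    hits: Dict[str, Set[str]] = {}
    for client, qname, _ in queries:
        zone = is_blocked(qname)
        if zone is not None:
            hits.setdefault(client, set()).add(zone)
    return hits


if __name__ == "__main__":
    for v in process_log():
        print(f"{v.qname:28} {v.action:9} {v.answer}  {v.reason or ''}")
    print(clients_with_sinkholed_queries())
```

The label-boundary suffix walk in is_blocked is the detail worth carrying away: a resolver that blocks on a raw string suffix either over-blocks unrelated domains or, if it anchors on a leading dot, misses the apex of the zone itself. The analytics function shows why the testimony can say the service needs no access to internal contractor networks: the only input is the resolver's query log.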
Senator Manchin. Thank you, Admiral Chase.
Now we will start our questions. Mr. Salazar, you have been
in your position for only a few months, but I expect you are
aware of my longstanding interest and that of the subcommittee
in seeing DOD hold prime contractors responsible and
accountable for ensuring that their subcontractors are
protecting DOD technology and confidential information. My
reason for that is we understand that most of our sabotage is
done through the backdoor of the smaller subcontractors and
going in from that end.
So, my question, what does the Department currently do to
hold prime contractors accountable for the cybersecurity of
their subcontractors?
Mr. Salazar. Thank you, Senator.
The Department should never shy away from requiring
contractors to safeguard the information that we entrust to
them and, in turn, if they are going to subcontract with other
companies, they should be sure that they have the same
assurances that they have given to us. We hold them accountable
through our contracts and we have a number of ways to ensure
that they are meeting those responsibilities, like performance
reviews and contract actions.
The essence of the CMMC model is that primes have a special
place in the Defense ecosystem that involves helping others to
mature their capabilities and we have been impressed by the way
in which a number of the primes have lent their expertise to
our efforts, shared information through my office through the
Office of Small Business Programs. We have a program called the
Mentor Protege where the primes actually coach the
subcontractors and small businesses in the responsibilities of
handling this kind of information. Similarly, we have a new
platform called Project Spectrum where primes are sharing what
they know in real time with small businesses that could be 5
people or it could be 50 employees.
Senator Manchin. Yeah, but let me ask you this, the primes
right now, is there any penalty or any fines or any cost or
reprisal of losing, maybe their contract, if they don't secure?
Are you making the primes secure that the subcontractors or
subprimes are being protected, hardened?
Mr. Salazar. Yes, Senator. Through our contracts process,
through our requirements process. I have had a number of----
Senator Manchin. They have to prove to you that their subs
are secured? Do you all go into it in that depth?
Mr. Salazar. So, when we entrust specific types of
information of a national security interest to the primes, we
also require that they mark and identify that information and
that they ensure that the subcontractors are trained and
capable of handling that information.
Senator Manchin. But if you find out they haven't done it,
what is the penalty? If you find out they haven't done it, do
they lose----
Mr. Salazar. We have a number of possible answers. Usually,
the Project Management Office (PMO) will identify the
opportunity to improve. We will also hold them accountable
through the contracts and we can use a number of acquisition
levers to----
Senator Manchin. Do you know if that has ever been enforced
or implemented? Well, you have only been there a couple of
months.
Mr. Salazar. I would have to take that for the record and
see what recent actions there are.
[The information referred to follows:]
Mr. Salazar. Prime contractors are fully responsible for
compliance with all contractual terms and conditions, to
include all performance obligations under the prime contract,
even if they use a subcontractor to execute the work. We know
the courts are looking at this issue, and there is ongoing
False Claims Act (FCA) litigation regarding prime contractor
compliance with DFARS 252.204-7012. As an example of holding
primes accountable under the FCA for cybersecurity-related
claims, in 2019, Cisco Systems agreed to enter into a
settlement to resolve FCA allegations that in 2011 it
improperly sold video surveillance software with known
vulnerabilities to the Federal and state governments, including
the Army, Navy, Air Force, and Marines.
The Department requires prime contractors to flow the
cybersecurity requirements of Defense Federal Acquisition
Regulation Supplement Clause 252.204-7012 to its subcontractors
at all tiers as applicable, and those subcontractors also must
provide adequate cybersecurity and report certain cyber
incidents as required by the clause.
Potential DOD actions when a prime contractor is non-
compliant with contractual terms and conditions, including
noncompliance with cybersecurity requirements, may include
reduction of contract price, reduction of fee, contract
termination, and recording negative past performance
information.
Senator Manchin. If you could get back to me on that once
you get your feet wet a little bit more and find out to my
staff and find out if they have implemented any type of actions
against them. We are finding out that doesn't happen.
But, anyway, Admiral, if you would, several provisions of
the Fiscal Year 2021 NDAA are directly pertinent to this
hearing and involve the principal cyber advisor, for whom you
work. So, my question, section 1724, designated the principal
cyber advisor to be responsible for coordinating DOD and DIB
cybersecurity efforts.
How are you finding that role?
Admiral Chase. Sir, as the deputy principal cyber advisor,
this is a working group I host regularly as one of our lines of
effort in partnership. We have had two of these meetings at the
flag level to understand all the stakeholder roles and
responsibilities. These include also some of, and one of my
other hats as protecting critical technologies task force,
making sure that we understand all of the objectives that that
entity and task force has been stood up to exercise to include
protecting the critical programs and technologies list, making
sure we understand where those efforts are specific. That list
has been tiered and looking to be more granular in order to
provide a smaller attack surface for the broader DIB.
Senator Manchin. If you could answer this, this is two
parts. Section 1736, okay, I will go over it with you. Section
1736, the director of the principal cyber advisor assesses the
feasibility of working with the DIB to place sensors
inside and outside DIB companies to help detect intrusion
compromises.
So, on that one there, if you could answer that, is this
work now underway that you know of?
Admiral Chase. Yes, sir, it is.
Senator Manchin. It is.
Section 1737 requires DOD to assess the practicality of a
comprehensive threat intelligence sharing program with DIB
companies. What is the status of that program?
Admiral Chase. That one is also, we have several efforts
that have been piloted. The adversary emulation is one of
those. Another is called, this is through the Defense Cyber
Crime Center, another called Crystal Ball, which is an outside
looking in. They have partnered with, to identify the
vulnerabilities and threats inbound, and those were used to
identify and notify 13 DIB partners of a Chinese malicious
actors, attacks on the Microsoft Exchange server
vulnerabilities. On the previous adversary emulation, that one
was also used in this effort. DIB vulnerability program
disclosures, that is a 12-month pilot that is ongoing to help
with, broadly, the cyber hygiene. Then looking to expand these
into non-cleared pilots for the non-cleared actors to go from
800 cleared Defense contractors up to the broader DIB, overall.
Senator Manchin. Thank you.
Senator Rounds?
Senator Rounds. Thank you, Mr. Chairman.
Mr. Salazar, recognizing that you have only been on the job
for a few months, I am not going to burden you with a lot of
the questions on this, and I mean no disrespect, but I think I
will focus on the Admiral.
Admiral Chase, let's start by talking about communications
and the availability. If there is an incursion by an outside
source into one of our contractors, are they required to report
the incursion if it is on a project that isn't DOD-oriented?
Admiral Chase. Yeah, there are mandatory reporting criteria
that the DIB contractors have to report to the defense
cybercrime entity. In things like SolarWinds, the Department
specifically asked for the number of intrusions and reports
that we had on that. I believe we had 37 companies that
reported specific, 44 different reports.
Senator Rounds. So, if it is a private entity and they are
doing DOD contract work and there is a discovered security leak
through cyber means, they do have to report today to the
appropriate office within DOD?
Admiral Chase. Yes, sir. There is mandatory reporting
criteria and then there is voluntary reporting is certainly
encouraged for attempted attacks, not necessarily successful,
but we welcome those. We believe that we will get there faster
if we can get to voluntary reporting, which should really be
led by information sharing of the threat. The partnerships with
industry really go much farther when the Government has
something to share, timely, relevant, threat-intelligence
information, malicious signatures, things that we can put into
VirusTotal, using our unique insights through NSA, United
States Cyber Command's (CYBERCOM) hunt forward operations that
generate insights, et cetera.
Senator Rounds. That is the part that I wanted to follow-up
with. Once there is a notification of an incursion or a leak
and it has been reported to the Department of Defense, what
happens in terms of trying to stop it from happening again or
assisting that contractor in dealing with it, which office is
responsible for that?
Admiral Chase. The Defense Cyber Crime Center is the first
point of report and that will get sent out to law enforcement
officials, as well. The counterintelligence community would be
brought to bear from the Department's standpoint, but largely,
that is viewed as a private crime until such time as we give
more.
Senator Rounds. You have been there long enough to where
you have seen this occur already, fair statement?
Admiral Chase. Fair statement.
Senator Rounds. Okay. Let's take a look at an organization
now such as what just happened with the pipeline. Granted, not
in this particular case, I am assuming that it is not a DOD
contractor. In this particular case, there is no evidence that
they reported this to anyone, they are a private entity, and,
you know, at the same time, it has a national consequence to
it.
Is there, at some point, the need in order to address this
type of an issue, the need for some sort of a communication or
an expectation of a communication between a private business
and either Homeland Security, the Department of Justice, the
FBI, and thus back into the appropriate level at the Department
of Defense, who really is the only source who can work outside
of the United States to try to stop the attack from happening
in the future. I ask it only because your role is not just with
regard to the Defense Industrial Base, but because you also
carry the titles of the Senior Military Advisor for Cyber
Policy to the Under Secretary of Defense for Policy and the
Deputy Principal Cyber Advisor to the Secretary of Defense and
the Director of Protecting Critical Technology Task Force.
I am looking for advice.
Admiral Chase. So, Senator, malicious cyber campaigns
absolutely threaten the public sector, the private sector, and
individuals. So, we, the Federal Government, have to improve
our own cybersecurity and this is of critical importance, but
it does extend down all the way to the private sector and we
have to do that on premises, on cloud, IT systems, or
operational technology systems like you see in the pipeline
attack. We have to do this and the Government's
undertaking Zero Trust is a best practice for cybersecurity. We
are clearly in the latest executive order on improving the
Nation's cybersecurity. These things are all called out as we
need standards of these across the Federal Government.
Senator Rounds. I appreciate the comments, but I think what
we are talking here is we have silos. We have silos between the
different agencies and those silos need to be coordinated; in
other words, at some point, we need to recognize that we need
to, at a national level, coordinate between Homeland Security,
the Department of Justice, specifically, the FBI, and the
Department of Defense, if we are going to have a coordinated
effort to not just defend, but then to go out and then to stop
these attacks from occurring again in the future. It is not
just within DOD, but it is a matter of on the national level
coordinating all of the different, very capable entities that
make up our cybersecurity defense within the Nation to protect
those individuals who may not be subcontractors or contractors
to the Department of Defense, but who I suspect would most
certainly appreciate the ability to appreciate and benefit from
the capabilities that the Department of Defense has in stopping
the attacks in the future. So, that is the reason for my----
Admiral Chase. No, Senator, I think you bring up a great
point. We need to remove barriers to information sharing to
dispel all of those silos. That probably does need to start
with the threat, because in the world of cybersecurity, if you
don't have the threat information, the best you ever do is
break even. So, we should start there, making sure that we
can get some tipping and cueing and bring the whole DIB up.
Senator Rounds. Thank you.
Thank you, Mr. Chairman.
Senator Manchin. Senator Gillibrand, via Webex.
Senator Gillibrand. Thank you, Mr. Chairman.
Let's start with Admiral Chase. Okay. As you know, DOD's
announcement to move towards Zero Trust policy not only applies
to cybersecurity but also to buying microelectronics and other
national security essentials technology. The shift towards Zero
Trust policy will be demanding and the volume of
microelectronics requiring security measures is outpacing that
shift.
How do we ensure that the pace of Zero Trust implementation
matches the pace of the growth with microelectronics?
Admiral Chase. Thank you for the question, Senator.
I think first and foremost, we understand that Zero Trust
is really about that we don't give privileges to person or non-
person entities in the cybersecurity world. So, at its core,
this is about access control and making sure that everyone
doesn't have access to everything. We would move from an
enclave-based world where once you get in the doors, you are
free to move about. I think probably a better description would
be banking where I have access to my account. We may have the
same bank, but I can't see yours, and even my children, I may
have access to their accounts, but they can only do certain
things with it. So, it is not just access, but what can you do
with each level of privilege to be able to see what needs to be
done with it, and those need to be baked in from the start.
So, as microelectronics, their purpose is known, we need to
make sure that they have the ability to control access and that
we have the ability to reconfigure on the fly, the
configuration controls required to protect that end use
appropriately.
Senator Gillibrand. Okay. In her past testimony, Deputy
Assistant Secretary Eoyang noted that there can be a lot of
ambiguity when it comes to attributing who is responsible for
cyber intrusions, cyberattacks, especially when it comes to
organizations working as proxies of nation states. In the case
of financial cybercrimes where the FBI or the Department of
Justice (DOJ) may have jurisdiction over investigating a
cybercrime or intrusion, how well and how quickly is DOD
working with other agencies to attribute these open-ended
intrusions that can either be criminals or state adversaries,
what could be improved?
Admiral Chase. I will start with the first part of that.
There is quite a bit of sharing going on throughout the
intelligence community and cybersecurity specifically, that
begins with CYBERCOM defending forward, gaining insights as to
where some of our adversaries are attacking our partner nations
and taking those insights, bringing them back, and sharing them
broadly within the intelligence community, as well as within
industry, where appropriate. Then, as you come back within the
Federal Government, that threat information sharing is robust
and really begins with tactics, techniques, procedures,
sometimes down in the malware itself, requiring forensics
experts to take a look at that. You get lots of hints from what
language it is written in, where there are other places we have
seen it, and where it has been attributed in those aspects.
So, I think within the Federal Government, the sharing is
high. It gets more challenging and we have not had a good track
record, history with sharing that with the broader Defense
Industrial Base, and so I think there is significant effort
going into pilots now to do that.
Senator Gillibrand. Given the recent Colonial Pipeline
hack, I am especially concerned about ransomware attacks that
can paralyze some of our important industrial partners. Are you
confident in DOD's ability to respond and be helpful if an
important DIB entity, industrial partner or business, was hit
with a ransomware attack and required DOD assistance?
Admiral Chase. Well, I think first pass at that would go to
the law enforcement agencies. If asked, the Department is
prepared to assist there, but only in rare cases would that
likely happen in national emergencies, but it would go through
the same defense support system requested that any other
request of the Department would go to.
Senator Gillibrand. Thank you, Mr. Chairman. Thank you.
Senator Manchin. Thank you, Senator.
Now Senator Wicker. Senator Wicker? Not there.
Senator Ernst?
Senator Ernst. Thank you, Mr. Chair, and thank you,
gentlemen, as well, for your service and for being here today
to share some thoughts on safeguarding our industries. I really
appreciate that.
Cyberspace has been a growing conflict domain for quite a
while now, but the American people have really seen over the
past several months, that cyberattacks are striking ever-
increasingly close to home. Of course, we have seen a variety
of adversaries attacking water-treatment systems, oil
pipelines, and our cloud computing infrastructure. We know that
they will continue targeting our Defense Industrial Base in
years to come, as well, so I would like to focus on that a
little bit.
The Defense Industrial Base's development and protection
process are linked with the DOD beginning at the earliest
stages of development. While this is necessary, I am concerned
about the burden of cost the Government's required security
measures levy on our smaller companies. We have a lot of small
businesses that engage with DOD.
From your perspective, when it comes to cybersecurity, how
do we strike the right balance between our private and public
responsibility for cyber protection, especially as it applies
to those smaller businesses? Mr. Salazar, if we could start
with you and then, Admiral, if you would like to add any
thoughts.
Mr. Salazar. Within the Defense Industrial Base, we see
small businesses really as the engines of innovation and
vitality that make our capabilities possible. We want to make
sure, as a policy matter, that we are doing everything we can
to maintain a thriving small business segment. The recent state
of supply chain attacks and disruptions have shown that many
adversaries are viewing these small businesses as a weak link,
that they recognize that they might not have the same cyber
resilience.
Now, that said, every day, I am thinking about the
challenges that these small businesses are facing and there are
ways that we can, as a Department, be driving down the cost for
cyber hygiene. Many of the things these companies can do to
ensure that they have good cyber hygiene, good cyber resilience
are low-cost. When it comes to building systems, the Department
reimburses the costs for increasing cyber resilience, but as
part of our adjudication process of the CMMC system, one of the
things we have heard over and over again from industry is that
the barriers are quite high to ensure that these companies are
meeting our requirements.
So, we are looking at this very closely and thinking about,
one, how can we reduce the costs for reaching a level of cyber
maturity to meet our requirements and, two, what tools and
resources can we make available today to make sure that these
businesses are more resilient?
We have actually stood up a website called
ProjectSpectrum.IO, which actually had been very helpful. We
have had more than 500,000 views, 10,000 trainings disseminated
on cyber hygiene. Small businesses can go and see where they
currently stand today. These are the kinds of resources that we
are trying to make available so that we can drive down the cost
and start protecting these companies today.
Senator Ernst. Thank you very much.
Admiral?
Admiral Chase. Certainly. The Defense Cyber Crime Center
has also a tool if you go to their website. It is free and
downloadable to the DIB, a cyber resilience analysis tool, and
this is something that covers 300 different security areas of a
company across 10 different domains. These map directly to five
maturity levels that are in CMMC to help understand where you
are, so you don't have to go and spend a lot of money for it,
so you can understand what your posture is and understand where
it needs to be shored up. That is really important because the
requirements are set based on adversary and threats, not what
the government believes we need. So, as part of the Defense
Industrial Base, they are more likely to become attacked than
the more hardened Federal Government aspects are, so we want
them to be successful, and this is why we believe that
increasing Defense Industrial Base cybersecurity is superbly
important. We can also scale this at low cost, for things like
the protective DNS system, where if you go into every query
that goes out to the internet that is now enriched with
potentially malicious site names so you don't get back and
bring that traffic back in. It is an incredibly low-cost way to
scale cybersecurity for the entirety of the DIB on a per-
person, or so smaller companies wouldn't have to pay as much
as, say, the large primes.
Senator Ernst. Exceptional.
I am glad that you are so well tied into the small business
community and understanding low-cost, yet effective is
certainly something that we need to enable them to do.
I am running out of time, so I will leave it there and
maybe submit some questions for the record. Thank you very
much, gentlemen.
Senator Manchin. Thank you, Senator.
Senator Blumenthal?
Senator Blumenthal. Thanks, Mr. Chairman, and thank you to
you and the Ranking Member for having this hearing. Thank you for
being back.
Have there been any cyberattacks on the Defense Industrial
Base since we were here during the last hearing?
Admiral Chase. I am absolutely certain of it, I am just not
sure which ones and where they are, Senator.
Senator Blumenthal. Have there been any successful ones?
Admiral Chase. I think that probably sadly falls into the
same category.
Senator Blumenthal. Let me ask you about the SolarWinds and
the Microsoft Exchange attacks. I think at the last hearing,
you reported that neither was successful in penetrating our
Department of Defense, correct?
Admiral Chase. Yes, Senator.
Senator Blumenthal. Were they successful in penetrating any
of the subcontractors or contractors?
Admiral Chase. So, the exposure of the DIB was 37
companies that made 44 reports on SolarWinds exposure.
Senator Blumenthal. Those are the 44 reports of targeting
or of successful intrusion?
Admiral Chase. A mixture. Those were 44 reports on
exposure, the level of which I am not prepared to go into here
today. I can take that one for the record.
Senator Blumenthal. But the word ``exposure'' refers to?
Admiral Chase. The SolarWinds attack, in particular, a
supply chain attack where the SolarWinds software itself,
adversaries, malicious actors compromised the software patch,
itself, and so when companies normally downloaded patches as
part of good cyber maintenance practice, they downloaded the
malware. That malware led to command and control signals going
outbound. At a minimum, this is probably where those reports
would start, generically speaking. I don't have access to those
at the moment, but just to understand what I say exposure, that
is the exposure we are talking about.
Details of successful attacks or when that malware, that
command and control call-out was brought back in additional
malware and other details.
Senator Blumenthal. Would the security controls required
under the CMMC have stopped those intrusions?
Admiral Chase. They would not guarantee it, but they would
have enabled them to see, possibly. Probably the best example
is FireEye very publicly reported they caught the SolarWinds
from observing lateral movement and privilege escalation within
their own environment. If say, a level 5 CMMC would have
probably had sufficient tools to give them a shot at seeing
this similar lateral movement, provided they had the tipping
and cueing in place. So, it would certainly enable, but it
would not guarantee it.
Senator Blumenthal. What procedures are you taking to
assure that contractors actually adopt these controls? I know
you have, I think you have mentioned some of the reporting
requirements, but what kind of additional scrutiny and
oversight are you taking just to make sure that they are doing
what they are saying they are doing?
Admiral Chase. So, there are a number of innovative pilots
outside of the CMMC proper that would enable to see CMMC
things. There are, we have talked about one of them,
adversary emulation on the outside would show what the threats
are exposing. The Crystal Ball is an outside-in looking
program. There is another that is an in-line program that would
allow traffic coming in see, if adopted, would send it back to
a centralized repository and give us more of a, both, the
Government and other entities, some idea of what threats are
being presented and be able to advise on next steps, playbooks,
those sorts of things.
Senator Blumenthal. Do you need more staff or more
resources to do your work?
Admiral Chase. We certainly stay busy all the time, sir.
Senator Blumenthal. Thank you.
Thanks, Mr. Chairman.
Senator Manchin. Senator Blackburn?
Senator Blackburn. Thank you, Mr. Chairman.
Admiral Chase, I want to come to you and talk about the
small and medium-sized manufacturers (SMMs). As we have looked
at some of these cyberattacks, we have begun to talk with some
of our suppliers that are such an important part of our supply
chain, but, of course, they do not have the financial, the
technical, or the cybersecurity support systems for their
equipment and these DIB companies across Tennessee really are
interested to see what is going to happen with operational
cybersecurity for the U.S. manufacturing supply chain.
We know that this would be a cost-effective way not only to
protect them, but to protect ourselves. So, if you would walk
me through what you see as the necessary actions in the short-
form and then also the longer term for DOD to take to improve
that cybersecurity posture for these SMMs.
Admiral Chase. So, for small business, the single, and
really for any enterprise undertaking cybersecurity, the most
important thing is getting visibility of the things you own.
So, making sure that you have both, the sensing and the ability
to understand what it is that you are looking at, and these are
becoming available as a service, so I am excited about that.
Security as a service platform as a service for companies that
do their businesses as cloud. These are increasingly prevalent,
so we are excited about that.
You mentioned operational technology. This is probably the,
in cybersecurity at large, the least understood, because
operational technology is aware, cybersecurity is meaning
controlling of machines and many times, those are not even
under the same internet protocols that we see under traditional
cybersecurity, so it requires a unique workforce. So, whether
we put a cyber wrapper around that to understand the flows that
are going in so we can look at that in Zero Trust and make sure
that are the right people controlling this, does this order
coming from the right, the place that orders to this piece of
machinery should normally come from, these are the sorts of
things that a control system company would want to know and
make sure that they could see happening and be able to
intervene.
Senator Blackburn. Do you all have sufficient authority to
work with these SMMs, and to improve their, or help them harden
their systems and properly integrate their systems with yours?
Admiral Chase. I certainly believe the Department has
enough to be able to share what we know about the threat and we
have our own operational control systems, operational
technology systems and we can share, certainly share the best
practices. I would say as the executive order is tasked with a
lot of these same topics to make a lot of progress and share
those out, work with National Institute of Standards and
Technology (NIST) to develop standards for all of the above, I
think those are areas where we can bring the Department of
Defense to bear.
Senator Blackburn. What about Zero Trust architecture, how
does that inform your efforts as you look at cybersecurity and
hardening for the supply chain?
Admiral Chase. So, Zero Trust principles include at their
core, access control and configuration management, and these
are common cybersecurity principles, however, doing so at a
much more granular level is the knack here. So, understanding
your flows, who should have access to data inside even a small
company network. For small businesses, that is a relatively
straightforward task. As you start to move up in scale, these
need to be able to be done at an enterprise level, so are
probably more challenging.
Senator Blackburn. Let me ask you this, do you all have any
training or best practice protocols that you are sharing with
or training you are providing to some of the SMMs, so they know
how to assess vulnerabilities and they know what is going to be
a preferred platform for integrating their work with yours?
Admiral Chase. So, the Defense Cyber Crime Center, I think
has a number of pilot programs. They do a significant amount of
training and so does the counterintelligence community;
however, those are not DIB and widely exported to the DIB and I
think that is probably an area as we come to learn more
internally, we can share that, but that is an area for growth,
not something we have today.
Senator Blackburn. Okay. Well, you know, in Tennessee, the
Y-12 complex is co-leading the supply chain cybersecurity
initiative and we are really proud of the work that they have
been doing and I will submit a question to you in that regard. I see
that I have run out of time. Thank you.
Thanks, Mr. Chairman.
Senator Manchin. Thank you, Senator.
Senator Rosen? Not here?
Admiral Chase, the whole thing of what happened, first, the
United States Government, Department of Defense, do we pay
ransoms?
Admiral Chase. No, sir, we do not.
Senator Manchin. Do we counter attack?
Admiral Chase. That would be a whole-of-government
approach, based on a preponderance of other factors and
national policy.
Senator Manchin. The reason I am saying that, knowing that
we do not pay ransoms, but the private sector, there is no rule
or law against the private sector paying them, as we just saw
Colonial pay.
Admiral Chase. A true statement. I believe one of the other
challenges I have seen in popular reporting, depending on who
you look at, somewhere between a 15 and 22 percent rate, even
if you pay the ransom, that you will actually get your
decrypted data back.
Senator Manchin. I think----
Admiral Chase. That is what I am reading in open press.
Senator Manchin. Sure. Sure.
Well, I am just saying, it sets up, you know, this illegal,
criminal activity that will continue to grow, knowing that the
American public or that the American businesses will pay, or
thinking they will if Colonial sets the standard. That is
probably the highest profile I have heard of, of paying that
type of a ransom, what, 4.9 million in crypto? I believe that
was the amount.
Admiral Chase. I believe that is what I heard was asked.
Senator Manchin. Yeah, that is what we heard.
Admiral Chase. I don't have any knowledge of what was paid.
Senator Manchin. The thing I am trying to say is, we have
so many different cyber agencies and different, I mean cyber
departments and different agencies, but there is only one, I
think, that would have the ability to hit back and hit it
pretty good would be you all.
Admiral Chase. Senator, I think one of the challenges, at
cybersecurity level, you are left with two things: espionage
and sabotage. So, depending on how those are, one is a crime
and the other would be, if done by foreign actors, and this is
one of the challenges of attribution even from some of the
latest ones, is with the commoditization of malware becomes, it
may have been developed by one entity and used by another and
employed by a far-less sophisticated actor in the case of an
unprotected customer. So, I think that is----
Senator Manchin. I think we were able to detect where it
came from and who did it. It didn't seem like it took that long
for them to identify.
Admiral Chase. We know that the malware was written in some
Russian code or to not attack certain Russian actors, but I have
not seen any attribution of who actually did the act.
Senator Manchin. I am just saying there has to be something
that we, as a country and our Government, is going to use to
deter this from happening again or continuing to happen.
Admiral Chase. Absolutely, Senator. I mean, I think the
most recent one with DarkSide shows that this is
effectively organized crime and the international community has
to come to terms with how we are going to deal with this. Not
just the United States, but it is a worldwide problem.
Senator Manchin. Are there discussions going on?
Admiral Chase. I believe that there is certainly a
recognition that this is a problem. I tend to spend more of my
time on the cybersecurity side than on the policy side.
Senator Manchin. Okay. Thank you.
Senator Rounds?
Senator Rounds. Thank you, Mr. Chairman.
Mr. Salazar, I want to come back to you for just a minute.
In your opening statement, you indicated that the CMMC rules
were being vetted at this time and that it would probably be
at, I think you said about 10 months yet or close to a year
from the beginning until the end.
Would you expect that the finals on the CMMC rules would be
in place by the end of this year?
Mr. Salazar. As I mentioned, it typically takes about a
year to adjudicate comments for this kind of DFARS rule. Eight
hundred and fifty comments is what we would consider a very
high volume of comments and on top of that, we have the
recommendations from our internal policy review. So, about half
of the comments that we received to the DFARS rule were not
about the rule itself, but about the program and so that is
why, as part of our look, we are trying to assess how we bring
clarity to the requirements that we are asking, looking at the
barriers to small businesses and then making sure that we have
trust in this assessment ecosystem.
Senator Rounds. Thank you. You know, during that time
period until CMMC is implemented, we are going to find, you
know, we are still going to have those openings and the risk
that CMMC is trying to address is still there. So, I am going
to come back over to Admiral Chase.
I think where the Chairman is going with regard to his line
on this in terms of how do we coordinate to be able to protect
not just the DOD, but all of the different entities that the
American public rely on from cyberattack is so critical, and I
think it would surprise a lot of the folks out there to realize
that the Department of Defense really doesn't have a role to
play today in defending against cyberattacks coming in from
overseas, at least directly and that they have to be invited in
from Homeland Security in order to respond.
It seems to me that part of the responsibility that we have
here is to be able to coordinate between the different, as we
call them, silos or offices. A lot of that has got to start in
the White House and within the top ends of the Executive Branch
of the government. We wanted, and I think the Cyber Solarium
this last time around, laid out clearly the need for a
principal cyber advisor. When we laid out the principal cyber
advisor to the President, we also, and that would be the
national cyber director, we modeled that in many ways along the
same lines as we wanted to have a principal cyber advisor for
the Secretary of Defense and for each of the separate branches
within the Department of Defense.
I think that is still critical that we have someone there
to provide advice to look at integrating those cybersecurity
needs and a sense of how critical cybersecurity is in all of
the things that we do within the DOD. I sense that there is
almost a blowback to that in terms of we are not seeing the
principal cyber advisors being identified and we are not seeing
the national cyber advisor necessarily being sent in for
approval by the United States Senate.
So, my question, Admiral Chase, and I am just going to
offer this, what does that do in your role here, and as you
hear us asking the questions of you today, do you find a
challenge in terms of just your role to try to respond to the
demands that are out there, with regard to protecting DOD from
the attacks that are ongoing. As you indicated to Senator
Blumenthal, the attacks are ongoing and they are always there
and there are people that are incurring right now.
Is it simply a matter that we haven't lit a fire yet or is
it a matter of we don't have the technical expertise or is it
simply a matter that the bad guys are, the numbers are so large
in numbers that we are going to have a tough time getting ahead
of this whole program. What is it that seems to slow down our
ability to respond quickly, with regard to the cyberattacks
that are going on?
Admiral Chase. For the Department, I mean, I think we spend
a fair bit of our time making sure that we don't have stove
pipes and that is to your point, exactly what I believe
Congress stood up the principal cyber advisor to do and I think
we, on a day-in day-out basis, we run up to 10 or 11 cross-
functional teams kind of by subject matter, covering broadly
four areas: one, the DOD; two, the DIB; three, mission
assurance and weapons systems critical infrastructure that are
not traditionally cyber things, but were created before those
thoughts were prevalent and yet, we still have some of the
older weapon systems, so how do we deal with those, and this is
where the strategic cybersecurity program, mission assurance
pieces come in; and then we have workforce to work across all
of those, as well.
So, we spend a lot of time in those cross-functional areas
with others as the lead and just making sure doing
introductions, hey, do we have this particular aspect cover
done. So, I find that our organization is most successful by
asking questions, rather than by trying to be forceful at
certain pieces, because seldom are we the lead, except for
areas like in DIB coordination, but again, that is making sure
left and right and know who is coordinating which part.
So, I think you are absolutely right about breaking down
barriers. Minimizing the barrier to entry is a principle I
think we all want for improving cybersecurity, whether or not
we are talking about the DIB, the DOD, or areas of weapons
systems and critical infrastructure.
Senator Rounds. You know, Mr. Chairman, I think that is one
of the things here that as we challenge these leaders within
cybersecurity, it is really the public policy part of this that
we have yet to fix, in my opinion, and that is, that we have
folks from outside of the United States that are clearly
interested in reading our intellectual properties at all levels
and yet we have the multiple silos within the whole-of-
government that because of our public policy, we don't want to
inflict the DOD onto the public here and we don't want the DOD
directly involved in the day-to-day lives or within the Defense
Industrial Base or any of the other industries in the country,
and yet I think the public has this expectation that we have
the capability to defend them, and yet because of our own
public policy, even if we know about it, Homeland Security
can't reach out and stop the guy who is throwing the systems in
or the weapons in and the Department of Defense, who really
have a lot of great capabilities really can't go out and get
them until they find out about the attacks themselves.
So, we find ourselves at a point in which we have to
coordinate it and we are not doing a good job of that yet.
Senator Manchin. Senator, you know, and this is a
discussion for you all and for us too, but the Department of
Defense is going to intervene to prevent something from
happening once they identify it. I am just looking at the
Colonial. I have been concerned about this because I know of
our infrastructure has so much. We know what Mother Nature did
to Texas and how that shut down and the lives were at danger
and everything that happened. We know what happened with the
Colonial Pipeline, what it did to the economic. I mean, all up
and down the East Coast, just about, especially in the South,
it just destroyed it for that period of time, about a week. So,
that is an attack to me, as far as on our country.
Admiral Chase. Yes, sir. The threat is very real. It is not
just cybersecurity. It is to the reality of the DIB's business
and the private sector at large is under the same attack. We
think the fastest way we can bring that to bear and not be
completely reactive is to share the threat information we have
at the cybersecurity level, the tactics, techniques, and
procedures. After we saw AB, the next thing that is going to
happen is C, and we can----
Senator Manchin. Well, we have had SolarWinds. We have had
so many different things happening back and forth and we are
still trying to, but do you know, did we have any knowledge at
all of this Colonial Pipeline that you know of? Did we see
anything?
Admiral Chase. We do not. I believe even the history of
that particular actor only goes back about a year, if you look
in public internet, it will tell you that it springs up. This
is what I spoke to earlier about the commoditization of malware
and actors, it has been made relatively straightforward and
easy for criminals to do so. What is unique about this one is
they seemed to have a network of subordinate actors to do some
of the work after packaging up the malware. So, I think that is
a sad statement on the sign of our times, but it is also the
reality that every member of the private sector is under as
well.
Senator Rounds. But with regard to that particular one, if
my knowledge is correct, and I will ask the Admiral if he could
confirm it for us, number one, there is no rule that says that
the private company needs to notify either Homeland Security or
the FBI or the Department of Justice and then second of all,
even if they did notify the FBI, the Department of Justice, and
so forth, there is no established ongoing process in which to
gather that information and then deliver it to the Department
of Defense to respond to those threats coming in from overseas
unless they specifically request. To the best of my knowledge,
number one, we are not aware that Homeland Security was even
advised of what occurred and second of all, to the best of our
knowledge, and I will ask you to confirm this part, I don't
think the Department of Defense was ever asked to intervene or
to assist in this particular case, were you?
Admiral Chase. I am not aware of it and if we are, I will
take that one for the record and come back and tell you.
Senator Rounds. Thank you.
Senator Manchin. If you could, any information you can.
The other thing, you know, with crypto coming in, the way
it is coming on, all over the world, it makes it much more
difficult for us to follow as we could with currency and that
has been the problem that we have had. Have you all been
looking at the crypto and how we might be able to have better
tabs on that or be able to have identity and follow that?
Admiral Chase. Are you talking about cryptocurrency as a
means of payment?
Senator Manchin. Yeah.
Admiral Chase. That is not something my office has
particularly studied. We have been on the other side of
cryptography, protecting our weapons systems and critical
infrastructure.
Senator Manchin. Gotcha. Well, we are going to have to use
all of our expertise we have, I think, to defend our country.
Mr. Salazar, do you have anything you want to add to the
conversation? It is kind of random here.
Mr. Salazar. Only that across the [inaudible].
[Audio Malfunction.]
Senator Manchin. Admiral, anything else?
Admiral Chase. No, Senator, thank you.
Senator Manchin. Senator Rounds?
Well, if not, let me thank you both for coming. It was very
enlightening and we appreciate very much your service to our
country. I really do appreciate that very much. I know that
Senator Rounds feels very strongly about that, too.
So, with that, we are adjourned.
[Whereupon, at 3:37 p.m., the Subcommittee adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator Jacky Rosen
public-private coordination
1. Senator Rosen. Mr. Salazar and Rear Admiral Chase, do you
believe the voluntary Defense Industrial Base (DIB) Cybersecurity
program is effectively supplementing private sector participants'
abilities to safeguard critical Department of Defense (DOD)
information?
Mr. Salazar. Yes, the Defense Industrial Base (DIB) Cybersecurity
(CS) Program--a voluntary, public-private information sharing program--
enhances and supplements DIB participants' capabilities to safeguard
DOD information that resides on, or transits, DIB unclassified
information systems. The DIB CS Program creates a trusted relationship
between the Department and DIB participants to share cyber threat
information, which aligns to the National Defense Strategy, strengthens
partnerships, and protects the supply chain. Last year, the program
assessed cyber threat data for more than 60 commercial threat feeds and
found that the majority of the threat data provided by DIB companies
was unique. The program's most recent survey of DIB partner companies
indicated that a strong majority of the participants believed that the
program has reduced risk to their networks and alerted them to cyber
threats they did not previously know about. As we assess evolving cyber
threats and look to the future, the DIB CS Program will continue to
adapt to ensure that it provides the greatest amount of value to our
defense industry participants and the Department.
Rear Admiral Chase. Yes, the Defense Industrial Base (DIB)
Cybersecurity Program's most recent survey of DIB partner companies
indicated that a strong majority of the participants believed that the
program has reduced risk to their networks and alerted them to cyber
threats they did not previously know about. As we assess the evolving
cyber threats and look to the future, the Program will continue to
adapt to ensure the greatest effectiveness is being provided to our
defense industry participants and the Department.
2. Senator Rosen. Mr. Salazar and Rear Admiral Chase, what does the
current participation in the DIB Cybersecurity program from defense
industrial base entities look like? What percentage of entities are
currently participating?
Mr. Salazar. A participant in the DIB Cybersecurity (CS) Program is
a company that meets the eligibility requirements enumerated in 32 CFR
Part 236 and that has executed a signed Framework Agreement (FA) with
the Department of Defense. The FA is a bilateral standardized agreement
between DOD and a company that formalizes a cyber threat information
sharing relationship between the two entities. Under the FA, DIB CS
Program participants receive Government-Furnished Information that
provides participating companies with insights into malicious activity
targeting the DIB.
Participants are able to submit voluntary cyber threat information
reports, as well as meet their mandatory reporting requirements,
through the DIBNet portal (https://dibnet.dod.mil). Cyber threat
information gained from voluntary reporting is then shared with DIB CS
Program participants in a non-attributional manner, helping the DIB to
counter active threats.
In addition, the program offers a variety of other programmatic
touchpoints for participants to engage in, such as tool usage,
mitigation and remediation strategy meetings through Analyst-to-Analyst
and Business-to-Business exchanges, forensic malware analysis, virtual
forums on DIBNet, surveys, and virtual and in-person meetings. The FA
does not stipulate how a company must engage to be considered
``participating,'' as the DIB CS Program is voluntary.
Currently, over 850 defense contractors, representing nine
different industries, have signed a FA with the voluntary DIB CS
Program. These participants range in corporate size from less than 250
employees to 10,000+ employees, the latter representing a significant
percentage of the largest Defense contractors covering a great extent
of the Department's critical infrastructure.
Rear Admiral Chase. There are currently more than 850 defense
contractors representing nine different industries that have signed a
Framework Agreement with the voluntary Program and, in turn, are
eligible to receive cyber threat information. Generally speaking, the
DIB Cybersecurity Program participants range in corporate size from
fewer than 250 employees to 10,000+ employees, with heavy participation
among the large and medium-sized members of the DIB.
3. Senator Rosen. Mr. Salazar and Rear Admiral Chase, how might
private sector interest and engagement in the DIB Cybersecurity program
change in light of other federal cybersecurity efforts--including the
Cybersecurity Maturity Model Certification (CMMC)--that require
entities to affirmatively prove or otherwise certify that in-house
cybersecurity practices and processes meet certain standards? In other
words, will these efforts hurt or help the DIB Cybersecurity program?
Mr. Salazar. Efforts to drive improvements in cybersecurity should
increase interest in joining the DIB CS Program, driving increased
investment in and attention paid to cybersecurity across the DIB. While
CMMC Level 3 requires that Industry share threat information with the
United States Government, the DIB CS Program is a voluntary cyber
threat information-sharing program between the Department and Industry.
The DIB CS Program has been the program of record for the
Department of Defense since 2008, and has built a trusted relationship
with both Industry and USG stakeholders. The Department is confident
that participation in the DIB CS Program will continue to grow in
coming years, independent of or in conjunction with CMMC. This is
partially because the program continuously develops products and tools
that help participants improve their cyber hygiene. For example, DOD
Cyber Crime Center created the Cyber Resilience Analysis diagnostic
tool that covers 300 questions across 10 security domains and addresses
four different asset types to measure a company's cyber resilience
across five maturity levels. This tool provides DIB companies with a
better understanding of their cyber resilience, which, in turn, can
indicate how well they would perform on a CMMC assessment.
Rear Admiral Chase. Efforts to drive improvements in cybersecurity
should increase interest in joining the DIB Cybersecurity Program, as
it should drive increased investment in and attention paid to
cybersecurity across the DIB. Although there are a few other cyber-
threat-sharing programs available to the DIB, the DIB Cybersecurity
Program has been the program of record for the Department of Defense
since 2008, and it has built trusted relationships among both industry
and U.S. Government stakeholders.
protecting defense businesses from cyber attacks
4. Senator Rosen. Mr. Salazar and Rear Admiral Chase, how does DOD
assess cybersecurity risks to defense industrial base vendors, inform
them of those risks, and educate them on what they can do about those
risks? Is there a regular reporting mechanism?
Mr. Salazar. The DOD Cyber Crime Center (DC3) has services and
pilots intended to assess the cybersecurity risks implicit in DIB
companies' systems and posture, for example:
Krystal Ball: This pilot was derived from the concept of notifying
a DIB partner on a potential event before it happens by using open
source information to identify vulnerabilities and the threats that may
try to leverage those vulnerabilities. Krystal Ball was pivotal in
notifying DIB partners about potential HAFNIUM vulnerabilities within
their publicly facing infrastructure. DC3 continually refines the pilot
to yield better results and potentially to perform risk assessments on
companies' publicly facing infrastructure using this tool.
CRA: This service involves a six to eight-hour interview, broken up
over one or two days, to cover 300 questions spanning 10 security
domains that focuses on four asset areas: people, infrastructure,
information, and technology. This is strictly an interview-based
assessment with no evidence required to measure the process maturity of
a DIB Partner's cyber resilience. Once completed, the DIB partner gets
a debrief, which includes a product with depictions using a traffic
light protocol showing their maturity level within those 10 security
domains of cyber resilience.
DIB-VDP: DC3's VDP (Vulnerability Disclosure Program) Directorate
expanded, through this pilot, from only externally facing devices of
the DOD to include a limited number of DIB companies' externally facing
devices. Under this pilot, a DIB company signs up for the service, and
vetted white hat hackers are used to discover vulnerabilities on the
DIB company's networks. Once a vulnerability is discovered, it is
reported back to the DIB company. No proof of concept is conducted
during this process, so no loss of data or downtime of systems should
occur.
Separately, the Defense Contract Management Agency (DCMA) Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts
cybersecurity assessments on DIB contractors, and DOD's CMMC program
will employ third party assessment organizations to expand the scope of
cybersecurity-based assessments of DIB companies. The results of these
assessments will better inform DIB contractors of risks associated with
their unclassified networks.
Rear Admiral Chase. The DOD Cyber Crime Center (DC3) has a few
pilot programs intended to assess the cybersecurity risks implicit in
systems of DIB companies that have DOD information on their systems.
Krystal Ball: This pilot program was derived from the concept of
notifying a DIB partner about a potential event before it happens by
using open-source information to identify vulnerabilities and the
threats that may be used to exploit those vulnerabilities. The
capability being piloted was pivotal in notifying DIB partners about
potential vulnerabilities to HAFNIUM attacks in their public-facing
infrastructure. The program is being refined to yield better results
and to perform risk assessments on companies' public-facing
infrastructure by using this tool.
Cyber Resiliency Analysis (CRA): This service involves a 6- to 8-
hour interview, broken up over 1 or 2 days, to cover 300 questions
spanning 10 security domains that focus on 4 asset areas: people,
infrastructure, information, and technology. This is strictly an
interview-based assessment with no evidence required to measure the
process maturity of a DIB partner's cyber resilience. Once completed,
the DIB partner gets a debriefing, which includes a report with
depictions using a traffic light protocol showing the DIB partner's
maturity level within those 10 security domains of cyber resilience.
DIB-Vulnerability Disclosure Program (VDP): Through this pilot
program, the VDP Directorate at DC3 has expanded its VDP from only
externally facing devices of the Department to include a limited number
of DIB companies' externally facing devices. Under this program, a DIB
company signs up for the service, and vetted white-hat hackers are used
to discover vulnerabilities on the DIB company's networks. Once a
vulnerability is discovered, it is reported back to the DIB company. No
proof of concept is conducted during this process; therefore, no loss
of data or downtime of systems should occur.
In addition, Project Spectrum provides, and the Cybersecurity
Maturity Model Certification (CMMC) will provide, identification and
communication of cybersecurity risks.
5. Senator Rosen. Mr. Salazar and Rear Admiral Chase, how does DOD
inform vendors of what products they deem to be particularly risky? Is
there a current mechanism in place that allows DOD to bar questionable
products?
Mr. Salazar. DOD does not publish product risk assessments, or
otherwise endorse or rate vendor products. The DOD Chief Information
Officer (CIO) has established a cybersecurity threat-sharing program
that allows DOD and Defense Industrial Base participants to share cyber
threat information, such as threat indicators, mitigation measures, and
best practices.
DOD conducts all procurements in compliance with the statutory and
regulatory requirements for competition and must exercise appropriate
legal authority to exclude a product, risky or otherwise, from a
procurement. DOD has authority under section 2339a of title 10, United
States Code (U.S.C.) to exclude products from acquisition based on a
finding of significant supply chain risk; however, this authority is
limited to procurements for National Security Systems (NSS) only and
does not apply to the many non-NSS IT systems used for routine
administrative and business applications (including payroll, finance,
logistics, and personnel management applications).
DOD also has product exclusion and removal authorities under the
Federal Acquisition Supply Chain Security Act of 2018 (Pub. L. 115-
390). Under 41 U.S.C. Sec. 1323, DOD has authority to issue exclusion
or removal orders for products or covered sources based on supply chain
risk recommendations issued by the Federal Acquisition Security Council
(FASC). In addition, 41 U.S.C. Sec. 4713 provides authority for DOD
and other executive agencies to exclude a source based on a finding of
significant supply chain risk. Both the Sec. 1323 and Sec. 4713
exclusion authorities are in process of being implemented in
acquisition regulations pursuant to Federal Acquisition Regulation
cases 2020-011 and 2019-018, respectively, and thus are not yet
available for use.
Rear Admiral Chase. The DIB Sector Coordinating Council, DIB
Cybersecurity Program, Enduring Security Framework, and informal
coordination with DIB prime contractors and industry associations are
used to provide feedback to this effect--for example, the risks posed
by Huawei and Kaspersky products.
implementation of the cybersecurity maturity model certification
6. Senator Rosen. Mr. Salazar and Rear Admiral Chase, can you
provide us with an overall assessment of the Cybersecurity Maturity
Model Certification's current implementation?
Mr. Salazar. Cybersecurity of the DIB is a top priority for the
Department. As the Department's most ambitious DIB cybersecurity
program to-date, the Cybersecurity Maturity Model Certification (CMMC)
program has, as expected, surfaced implementation considerations since
going into effect in November 2020. The Department is in the process of
adjudicating feedback received from more than 850 comments in response
to the DFARS interim rule that implemented CMMC. In addition, in March
2021, the Department's leadership launched an independent review of
CMMC to identify opportunities for improving its implementation
approach, as it regularly does for key initiatives and programs. This
internal review and adjudication of public comments is ongoing, and the
Department will brief Congress, industry, and other key stakeholders as
it refines the approach. Consistent with the interim DFARS rule, the
Department is pursuing a phased roll out of CMMC from fiscal year 2021
to fiscal year 2025.
Rear Admiral Chase. The Cybersecurity Maturity Model Certification
(CMMC) Program is evolving to address more effectively the feedback
received from relevant stakeholders during the rule-making process and
to ensure that small- and medium-sized companies are able to comply
with the requirements levied upon them. I assess that this evolution is
salutary, and I look forward to seeing how the CMMC pilot programs play
out and inform further implementation.
7. Senator Rosen. Mr. Salazar and Rear Admiral Chase, given that
the number of contractors anticipated to need approval under CMMC is
projected to roughly quintuple between fiscal year 2021 and fiscal year
2022 alone (from 1,500 to 7,500), is DOD still in line to fully
implement the framework within the next five years? What will be the
oversight procedures you will have in place for these third party
accreditors?
Mr. Salazar. The Department is implementing CMMC in a phased roll
out from fiscal year 2021 to fiscal year 2025. During this time period,
CMMC is only prescribed for use in select USD(A&S)-approved
solicitations that will require CMMC certification by the time of
contract award.
On August 4, 2020, the USD(A&S) issued a memorandum to the Service
and Component Acquisition Executives for nominations of candidate
acquisitions for no more than 15 CMMC Pilots starting in fiscal year
2021. The Department's current implementation strategy calls for
increasing the number of CMMC Pilots each subsequent fiscal year (e.g.
no more than 75 DOD CMMC acquisitions in fiscal year 2022) over the
five-year roll-out. The OUSD(A&S) staff will continue coordinating with
the Military Services and Department Agencies to identify candidate
CMMC Pilot acquisitions for each of those five years.
The Department is currently conducting an internal review of the
CMMC program, led by an Executive Steering Group and associated Working
Group to examine approaches to CMMC implementation and identify
associated resource requirements. As part of this effort and the
ongoing rulemaking process, the ESG will review and recalibrate the pilot
program, as necessary, to ensure that it is both executable and
informative to the overall implementation effort.
In accordance with the no-cost contract between the Department and
the CMMC Accreditation Body (CMMC-AB), the Department maintains
oversight of the CMMC program, to include CMMC-AB. In this role, the
Department updates, maintains and publishes the CMMC model and all
associated CMMC Assessment Guides used by third party assessors.
Additionally, the Department is responsible for providing CMMC-AB with
specified DOD requirements and mandates that the CMMC-AB and the third
parties they accredit meet International Organization for
Standardization and the International Electrotechnical Commission
(ISO/IEC) certification standards.
Rear Admiral Chase. The Cybersecurity Maturity Model Certification
(CMMC) Program is evolving to address more effectively the feedback
received from relevant stakeholders during the rule-making process and
to ensure that small- and medium-sized companies are able to comply
with the requirements levied upon them. The Office of the Under
Secretary of Defense for Acquisition and Sustainment is calibrating the
program to ensure that implementation timetables are realistic and that
the CMMC Accreditation Body and ecosystem are equipped and trusted to
implement the program.
5g vulnerability
8. Senator Rosen. Mr. Salazar and Rear Admiral Chase, 5G networks
will vastly enable more smart devices to connect to the internet;
however, because 5G networks will transport large amounts of sensitive
and government information, they are attractive targets for our
adversaries. What steps is DOD taking to ensure that the DIB is
preparing to protect sensitive government and controlled unclassified
data resident on DIB networks as 5G technologies are being developed
and used, particularly 5G technologies that are developed by nations
that could be considered adversaries, such as China and Russia?
Mr. Salazar. The Department recognizes that the impact of
adversarial cyber activity against the DIB networks can be
significantly amplified with the increased data transport capability
that 5G technologies will bring to networks. The Department has a
number of ongoing efforts to accelerate 5G innovation and adoption
across its many components, principally in the S&T community. Through
development of technology area protection plans and implementation of
associated protection and counterintelligence measures specific to the
relevant 5G community of interest, OUSD(R&E) is well postured to
protect the technology being developed and prototyped.
Rear Admiral Chase. The Department has a number of efforts ongoing
to accelerate 5G innovation and adoption across its many components,
principally in the science and technology (S&T) community. Through
development of technology area protection plans and instantiation of
associated protection and counterintelligence measures, specific to the
relevant 5G community of interest, the Office of the Under Secretary of
Defense for Research and Engineering is well postured to protect the
technology being developed and prototyped under these pilot programs.
the national technology and industrial base
9. Senator Rosen. Mr. Salazar and Rear Admiral Chase, expanding our
industrial base to some of our most economically advanced allies is an
important step we can take to maintain our technological edge well into
the future. The Fiscal Year 2021 National Defense Authorization Act
(NDAA) requires DOD to establish a process to assess whether to include
additional members in the National Technology and Industrial Base
(NTIB). Can you provide us with a status update on this review? What is
your view on adding more partners to NTIB?
Mr. Salazar. DOD is still in the process of assessing the expansion
of the membership in the NTIB. One concern about NTIB expansion is
that, while adding new NTIB members could diversify our shared
industrial bases, there could be a risk of disrupting current efforts
to promote and enhance the seamless integration of the existing NTIB.
DOD is assessing if a focus on deepening cooperation among the current
NTIB would be more beneficial than NTIB expansion at this time. There
is concern that because only U.S. law--and not the laws of NTIB partner
nations--mandates implementation of a ``seamless integration,''
premature efforts to expand the NTIB could diplomatically antagonize
our current NTIB partners, who participate voluntarily because it is in
their diplomatic, national security, and economic interests. Further,
successfully deepening cooperation among the current NTIB membership
could help cement our partners' commitment to the NTIB and help enable
a more efficient potential future expansion.
I would also like to note there are many ways in which the
Department builds relationships with U.S. allies and partners outside
the NTIB, including through security of supply agreements, reciprocal
defense procurement agreements, and via other bilateral and
multilateral fora.
Rear Admiral Chase. This review is ongoing. The NTIB is an
important institution, but its membership must be calibrated in a
manner that balances the dueling imperatives of maximum participation
and maximum streamlining of relevant processes across countries. As
membership increases, this streamlining becomes increasingly
challenging across the NTIB's constituents. I would therefore support
adding new members if doing so did not limit the potential of the body
to achieve convergence in acquisition practices and requirements.
__________
Questions Submitted by Senator Marsha Blackburn
national guard
10. Senator Blackburn. Admiral Chase, what exercises and activities
do you assess to be most important to the success of the National
Guard's provision of cybersecurity assistance relating to the defense
industrial base (DIB)?
Rear Admiral Chase. Since 2019, governors have used National Guard
cyber resources in response to ransomware attacks. This model could be
extended to provision of cybersecurity assistance to DIB companies if
such a mission were to be prioritized by governors.
11. Senator Blackburn. Admiral Chase, could you identify ways in
which DOD could better develop common architectures, tool suites, and
practices for the National Guard and Cyber Mission Forces to provide
cybersecurity assistance to DIB companies?
Rear Admiral Chase. Currently, the Cyber Mission Force does not
deploy to defend or offer cybersecurity assistance to DIB companies.
Generally speaking, however, the National Guard and Cyber Mission Force
should and do cooperate to develop and institute common architectures,
tool suites, tactics, techniques, and procedures to enable
interoperability, minimize additional training costs, and allow for
hypothetical joint operations. This occurs through both informal and
formal mechanisms, including cross-pollination of personnel and the
requirements process.
12. Senator Blackburn. Admiral Chase, what do you identify as best
practices to reduce the physical deployment of cyber protection teams
and to enable a more sophisticated, remote provision of cybersecurity
assistance to DIB companies?
Rear Admiral Chase. Currently, the Cyber Mission Force does not
deploy to defend or offer cybersecurity assistance to DIB companies.
However, the Missile Defense Agency does employ cyber assistance teams
to detect and disrupt malicious cyber activity on certain DIB networks.
Since the onset of the COVID-19 pandemic, these teams have developed
tactics, techniques, and procedures to allow for remote hunting.