[Senate Hearing 118-619]
[From the U.S. Government Publishing Office]
S. Hrg. 118-619
ENTERPRISE CYBERSECURITY TO PROTECT THE
DEPARTMENT OF DEFENSE INFORMATION
NETWORKS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY
OF THE
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
MARCH 29, 2023
__________
Printed for the use of the Committee on Armed Services
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
60-012 PDF WASHINGTON : 2025
-----------------------------------------------------------------------------------
COMMITTEE ON ARMED SERVICES
JACK REED, Rhode Island, Chairman
JEANNE SHAHEEN, New Hampshire ROGER F. WICKER, Mississippi
KIRSTEN E. GILLIBRAND, New York DEB FISCHER, Nebraska
RICHARD BLUMENTHAL, Connecticut TOM COTTON, Arkansas
MAZIE K. HIRONO, Hawaii MIKE ROUNDS, South Dakota
TIM KAINE, Virginia JONI ERNST, Iowa
ANGUS S. KING, Jr., Maine DAN SULLIVAN, Alaska
ELIZABETH WARREN, Massachusetts KEVIN CRAMER, North Dakota
GARY C. PETERS, Michigan RICK SCOTT, Florida
JOE MANCHIN III, West Virginia TOMMY TUBERVILLE, Alabama
TAMMY DUCKWORTH, Illinois MARKWAYNE MULLIN, Oklahoma
JACKY ROSEN, Nevada TED BUDD, North Carolina
MARK KELLY, Arizona ERIC SCHMITT, Missouri
Elizabeth L. King, Staff Director
John P. Keast, Minority Staff Director
_________________________________________________________________
Subcommittee on Cybersecurity
JOE MANCHIN III, West Virginia,
Chairman
KIRSTEN E. GILLIBRAND, New York MIKE ROUNDS, South Dakota
GARY C. PETERS, Michigan JONI ERNST, Iowa
TAMMY DUCKWORTH, Illinois TED BUDD, North Carolina
JACKY ROSEN, Nevada ERIC SCHMITT, Missouri
(ii)
C O N T E N T S
_________________________________________________________________
March 29, 2024
Page
Enterprise Cybersecurity to Protect the Department of Defense 1
Information Networks.
Members Statements
Statement of Senator Joe Manchin................................. 1
Statement of Senator Mike Rounds................................. 3
Witness Statements
Sherman, Honorable John B., Chief Information Officer, Department 4
of
Defense.
Skinner, Lieutenant General Robert J., USAF, Director, Defense 6
Information Systems Agency.
Questions for the Record......................................... 28
(iii)
ENTERPRISE CYBERSECURITY TO PROTECT THE DEPARTMENT OF DEFENSE
INFORMATION NETWORKS
----------
WEDNESDAY, MARCH 29, 2023
United States Senate,
Subcommittee on Cybersecurity,
Committee on Armed Services,
Washington, DC.
The Subcommittee met, pursuant to notice, at 9:33 a.m. in
room SR-232A, Russell Senate Office Building, Senator Joe
Manchin III (Chairman of the Subcommittee) presiding.
Committee Members present: Senators Manchin, Gillibrand,
Peters, Duckworth, Rosen, Rounds, Ernst, Budd, and Schmitt.
OPENING STATEMENT OF SENATOR JOE MANCHIN
Senator Manchin. Good morning.
The Subcommittee meets this morning to receive testimony
from Department of Defense (DOD) cybersecurity leaders on what
the Department is doing to substantially improve the
cybersecurity at the enterprise level across the Department and
the Defense Industrial Base (DIB).
Our witnesses today are Hon. John Sherman, the Chief
Information Officer (CIO) of the Department of Defense, and
Lieutenant General Robert Skinner, who is dual hatted as the
director of the Defense Information Systems Agency (DISA) and
the commander of the Joint Force Headquarters (JFHQ)
responsible for operating and defending the DOD Information
Network known as DODIN.
We welcome our witnesses in the Committee and thank you for
being here and all the men and women that you represent in the
services. Thank you so much.
As we see every day in Putin's illegal war against Ukraine,
cyber attacks are no longer a novel tactic in warfare. They are
a primary tool for destabilizing both offenses and defenses on
the battlefield and in advance of preplanned attacks.
This is precisely why we are holding this hearing this
morning to ensure that our defensive capabilities and awareness
in our networks are up to the same standard as our offensive
cyber capabilities, just as important as our internal defenses
are, the defenses and standards that protect our industrial
base partners and the critical infrastructure and supports
DOD's mobilization efforts in addition to these two major
concepts of internal and external defense.
We hope to receive updates from our witnesses on the major
initiatives that they have undertaken and participate and these
include the Cybersecurity Maturity Model Certification program,
the Cybersecurity Collaboration Center, the Locked Shield Cyber
Defense Exercise, the so-called zero trust cybersecurity
architectural model, a perimeter defense system deployed at the
gateways that connect DOD's internal networks to the global
internet, the decision to acquire a bundled set of
cybersecurity tools and applications for the DOD enterprise
from Microsoft, and the revitalization of the Cyber Excepted
Services as a means to improve the cyber workforce across the
Department.
Both the Cybersecurity Maturity Model Certification program
and the Cybersecurity Collaboration Center are crucial
guidelines and resources for our private industry partners.
I would ask Mr. Sherman to summarize the results of the
Cybersecurity Maturity Model Certification reviews Deputy
Secretary Hicks completed last February to explain how the new
direction will relieve the cost and implementation burden on
many small businesses, as well as provide an update on the
rulemaking process underway for the defense Federal acquisition
regulation.
While I am aware the Cybersecurity Collaboration Center is
a National Security Agency (NSA)-led effort, I hope both of you
are able to share how you interact with the program to protect
our industrial base partners.
Just as important as these programs and resources are we
must adequately train in the whole-of-government manner to
respond to cyber attacks in a red team versus blue team
scenario.
I would like our witnesses to expand on the importance of
the Locked Shield Cyber Defense Exercise, which pits teams of
international allies up against NATO's [North Atlantic Treaty
Organization] experts at the Cooperative Cyber Defense Center
of Excellence in Estonia to simulate these attacks on critical
infrastructure across an entire week.
I will also proudly note this exercise is coordinated and
implemented annually by our expert personnel within the West
Virginia National Guard's Army Interagency Training and
Education Center, Morgantown, West Virginia.
The next exercise is scheduled to take place in April, and
if any members or our staff would like to attend my office
would be happy to coordinate that effort.
Additionally, the new zero trust security paradigm calls
for reengineering our networks and security practices on the
assumption that our networks have already been penetrated by
adversaries, requiring that we constantly watch the behavior
and validate the identity and access privileges of all users
and devices on the network.
NSA and DISA have developed a zero trust reference
architecture for the Department, which will require a lot of
cooperation from the military departments and defense agencies
to implement these changes consistently across the whole of the
DOD, cooperation which historically has been notably absent.
Turning to DOD's perimeter defense capabilities, I would
note that while this shift to the zero trust security paradigm
reduces the importance of reliance on the castle wall mentality
of cyber defense, it does not eliminate the requirements for
automated systems that can detect and block most cyber threats
at high speed and high volume at the major gateways and connect
DOD's network to the global internet.
It is, therefore, of concern to us to hear reports that NSA
plans to cease support for the system currently performing this
task before the Department has developed and tested a
replacement.
Congress added funds to the DOD budget in fiscal year 2023
to begin operations for a modern replacement while conducting a
demonstration to prove that a new system can function as
planned. We will ask our witnesses to explain how we got in
this situation and whether they feel confident that the
solution in hand will be equal to the task.
Next, I would like to congratulate Mr. Sherman and his
predecessor, Dan Deasy, for breathing new life into the Cyber
Excepted Service program and was designed by Congress to
provide flexible hiring, promotion, and pay authorities for the
DOD to manage its civilian personnel engaged in cyber-related
work roles and we hope it is working.
I would ask Mr. Sherman to explain how this program is now
working and how we can help him to improve the system even
further.
Finally, I would note the DOD recently completed a posture
review of the cyber mission and an update of the Department's
cyber strategy. I would ask our witnesses to summarize the
conclusion of the posture review and indicate how that review
and the revised strategy will drive changes in the Department.
I turn now to my friend, Senator Rounds, for his remarks.
STATEMENT OF SENATOR MIKE ROUNDS
Senator Rounds. Thank you, Senator Manchin.
I most certainly appreciate the opportunity to participate
in our first Cybersecurity Subcommittee hearing of the 118th
Congress. I would also like to thank our witnesses for
appearing at today's hearing and for their service to our
country.
The Department of Defense Information Network, also known
as the DODIN, is a global conglomeration of thousands of
information systems and networks that enable military
operations across all warfighting domains.
Millions of DOD, military, and civilian personnel rely upon
the DODIN to share intelligence and access information
capabilities that are critical to the national security of the
United States.
As the information infrastructure underpinning all DOD
missions, the DODIN remains a top target for cyber attacks.
Recent threat intelligence reports confirm that cyber threats
from nation states and their surrogates will remain acute and
that cyber criminals will expand their cyber operations against
the United States to steal information, conduct influence
operations, and destroy our critical infrastructure.
This should serve as a stark reminder that our near peer
adversaries and competitors are intensifying their attempts to
exploit any vulnerabilities within the DODIN to gain strategic
military advantage and compromise the integrity and
effectiveness of this capability for future missions.
Today's hearing is an opportunity to discuss ongoing
efforts to strengthen the cybersecurity of the DODIN across the
enterprise, particularly as malicious cyber activities grow in
number and sophistication.
To deter and defend against threats in the cyber
environment I welcome the implementation of the zero trust
architecture to help increase the visibility into network
systems and reduce cyber risks.
I look forward to discussing how the principles that embody
the zero trust framework, such as identity, credential, and
access management, are enhancing the Department's ability to
identify vulnerabilities, mitigate threats, and strengthen the
DODIN's cyber posture.
Last year this Subcommittee learned about the promise and
lethality of artificial intelligence (AI) and automated
applications in the cyber domain. I hope our witnesses will
discuss how the continued development of AI capabilities are
informing our cybersecurity strategy and how we are preparing
to defend the DODIN from our AI-capable adversaries.
I also hope witnesses will address how AI and automated
applications are being employed to monitor the threat
environment, prioritize cyber risks, and mitigate
vulnerabilities throughout this complex network of information
systems.
Also critical to enhancing the security of the DODIN is
strengthening the supply chain security of the Defense
Industrial Base, which provides essential components to the
functionality of the DODIN. I would appreciate the witnesses
sharing their thoughts on how acquisition policies and
strategies are keeping pace with the evolving cyber threat
while promoting innovation and open competition.
Of course, efforts to recruit and retain a pipeline of
skilled cyber operators to manage the DODIN is foundational to
its enduring security.
I look forward to the witnesses discussing their efforts in
this important area. Clearly, there is much to discuss today.
Thank you, again, to our witnesses for appearing.
Senator Manchin?
Senator Manchin. Thank you, Senator Rounds.
Now I am going to turn to the witnesses for your opening
statements.
Mr. Sherman?
STATEMENT OF HONORABLE JOHN B. SHERMAN, CHIEF INFORMATION
OFFICER, DEPARTMENT OF DEFENSE
Mr. Sherman. Good morning, Chairman Manchin, Ranking Member
Rounds, and distinguished Members of the Subcommittee.
I am honored to have the chance to testify before you today
on what we are doing in the Department of Defense to modernize
our technology and protect our networks and data in an
increasingly complex cyber environment.
I am privileged to appear today with Lieutenant General Bob
Skinner, who both heads the Defense Information Systems Agency
and serves as commander of the Joint Force Headquarters
Department of Defense Information Network.
We work together every day to ensure the DOD enterprise is
ready both--for both today and tomorrow's missions, especially
those that might involve our pacing challenge of the People's
Republic of China (PRC).
My job as DOD chief information officer is to set the
overall strategies, conduct oversight, promulgate policies, and
lead governance, and Lieutenant General Skinner's role is to
lead and ensure the operational and technical execution. Our
teaming on this point is hard to overestimate.
Given this close partnership, you will hear today how we
work--how our work dovetails on every aspect of our
modernization efforts. We have made great strides to posture
the Department for peer and near peer competitors. Notably, our
teams worked together to award the joint warfighting cloud
capability contract in December.
At last the Department has access to enterprise cloud
capabilities from four world class U.S. vendors at all three
security classification levels from the continental United
States to the tactical edge, which can mean an island in the
western Pacific, key terrain in Eastern Europe, or even a ship
at sea.
This enterprise cloud is critical for Joint All-Domain
Command and Control, the development of cutting-edge artificial
intelligence and machine learning (ML) initiatives, software
modernization, and strengthened cybersecurity.
It is this emphasis on cybersecurity that also drives so
much of what we do as we shift away from dated perimeter-based
approaches to a new paradigm, as noted, called zero trust,
which is predicated on the assumption that an adversary might
already be on our network and we must prevent them from moving
laterally and gaining access to our most critical data.
In October we released a flagship strategy on zero trust,
which has become a North Star document for not only the
Department of Defense but, indeed, other parts of the Federal
Government, and Lieutenant General Skinner and his team provide
key capabilities for this new approach through an effort they
call Project Thunder Dome.
We have committed to implementing zero trust across the DOD
by 2027, which is an ambitious yet critical milestone, given
the geopolitical threats we face.
These modern threats demand that we maintain a relentless
focus on eliminating technical debt. All of our systems, be
they for weapons, enterprise IT, command and control, business
systems, or defense critical infrastructure must be equipped
with the most modern cyber defenses that can stand up to savvy
and determined State and nonState actors.
As we have seen in Ukraine, today's battlefields are
increasingly digital and connected with all the opportunities
and vulnerabilities that environment presents.
Nation State challengers will present threats like we have
not seen since the cold war, if not more severe, and we must
ensure all our systems, networks, and data are ready. This
includes working closely with our Defense Industrial Base,
which remains a target for cyber exploitation and attack.
We must ensure that companies and other entities handling
sensitive information are doing so properly and accountably,
albeit with an approach that does not present overly cumbersome
or stifling requirements, especially to small and medium
businesses.
Additionally, and most importantly, we never forget that
the best technology in the world means nothing without a
trained, motivated, and diverse workforce. We recently released
a cyber workforce strategy that will continue to drive us to
new and more effective approaches to how we identify, recruit,
retain, and upskill our sovereign digital personnel, all the
while emphasizing our drive to have a workforce that might not
be seeking a 30-year government career and which looks like
America.
We are determined to get this right and we know that our
Nation's talent and innovation is something that our
authoritarian competitors will never be able to match.
Finally, I wish to thank this Subcommittee for your strong
and continued support, which has been critical to all of our
modernization efforts, and I look forward to your questions.
Thank you.
Senator Manchin. Thank you, sir, and now to General
Skinner.
STATEMENT OF LIEUTENANT GENERAL ROBERT J. SKINNER, USAF,
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
Lieutenant General Skinner. Good morning, Chairman Manchin,
Ranking Member Rounds, and distinguished Members of the
Subcommittee.
I am honored to represent the approximately 19,000
personnel of the Defense Information Systems Agency and the
Joint Force Headquarters Department of Defense Information
Networks.
I am also honored to sit alongside one of my two bosses and
key ally in the campaign to modernize, secure, and defend the
Department's networks, systems, and data, Hon. John Sherman.
The tight relationship between him and my other boss,
General Paul Nakasone, is critical in driving the Department to
unparalleled cybersecurity heights. Every day that we come to
work we are focused on ensuring the joint force is postured,
ready to compete, and have the velocity of action to win
against our pacing challenge, the People's Republic of China,
as well as any other nation or group that desires to harm us or
our allies.
Through that lens we continue to leverage lessons learned
from the conflict in Ukraine, global cyber events, and the
great work of our intelligence professionals to strengthen our
digital technologies, the agility of our maneuver forces, and
the partnerships with allies, industry, research, and academia.
Driven by this focus, we have made great strides along many
fronts over the last year. In December, we awarded the new
joint warfighting cloud capability contract, which will provide
us with enterprise cloud capability, at all three security
classification levels, from the continental United States to
the tactical edge.
We just awarded the first task order last week and many
others are working through the process. Additionally, we have
initiated pilots to enable outside the continental United
States cloud access leveraging both a commercial, as well as
government solutions, inside our overseas data centers.
To help facilitate the rapid adoption of cloud we have
deployed several accelerators, which streamline the cloud
adoption process from a normal 45-day timeline to within hours
or minutes. This is helping to accelerate our pace to the cloud
to improve our overall user experience while also increasing
our cybersecurity.
As Honorable Sherman highlighted, we have made great
strides on the zero trust journey. As DOD released the zero
trust strategy we had already started our Thunder Dome
initiative, which brings modern and commercial digital trust
technologies to the Department.
We recently completed our successful prototype and are
working with Honorable Sherman's team on the acquisition
strategy and expansion of these capabilities across the
enterprise.
As we combine Thunder Dome with our endpoint security
strategy, with the connect capabilities and host of others, we
are on pace to meet the Department's aggressive zero trust
milestones.
A foundational element of zero trust is identity,
credential, and access management, which provides the ability
to accurately identify that a user is actually who they say
they are and limits access to only those assets that they have
been authorized to use.
Our enterprise capabilities are fully operational and
already supporting 200-plus unclassified applications while
delivering new capabilities monthly. We are also continuing to
work with our mission partners to ensure federation and
interoperability at all levels.
A final area to highlight are the initiatives we have
undertaken to strengthen our command and control capabilities.
We made significant investment in nuclear command and control
communications, continuity of operations, and special access
program improvements.
Just last week we decommissioned our legacy special access
network at over 70 global sites. These are just a few of the
examples that our innovative spirit is tackling our toughest
challenges and providing the Department and the warfighter
readiness advantages.
While we have made significant strides, our work is not
done. Our success will ultimately come down to our people and
partnerships. As the Department has released a new cyber
workforce strategy we have also released our Workforce 2025
initiative.
We have laid out a plan to aggressively and creatively
recruit in places we have not recruited previously. We will
personally and professionally develop our next-generation
forces and find innovative ways to retain the top notch talent.
We will continue to foster a culture of diverse and
critical thinking, continuous improvement, and accountability.
We will also not be successful without increased partnerships.
Thanks to your support, we are in the middle of planning
exercise Locked Shields, which is a multinational cybersecurity
exercise to share best practices and improve daily connectivity
with our key allies.
Finally, our overall readiness, increased resilience, and
warfighter success relies on the strong support that this
Subcommittee has provided for many years. I am grateful for
your support and look forward to your questions.
[The joint prepared statement of John B. Sherman and
Lieutenant General Robert J. Skinner follows:]
Joint Prepared Statement by John B. Sherman and Lieutenant General
Robert J. Skinner
introduction
Good morning, Chairman Manchin, Ranking Member Rounds, and
distinguished Members of the Subcommittee. Thank you for the
opportunity to testify before you today. Alongside me is Lieutenant
General Robert Skinner who is the Director of the Defense Information
Systems Agency.
Chairman Manchin, Lieutenant General Skinner and I look forward to
working with you and this committee to deliver operational and digital
transformation while strengthening our readiness position in the 118th
Congress. The leadership from this committee has empowered the
Department of Defense (DOD) Chief Information Officer (CIO) to manage
the Department's information technology (IT) portfolio, including
oversight of each of the Military Departments (MILDEPs) and Defense
Agency's IT and cybersecurity's budgets and has supported DISA's
ability to secure and defend the Department of Defense Information
Networks (DODIN).
CIO and DISA work together to protect the information technology
supporting our current and next-generation warfighters and weapons
systems from intrusion and attack while creating secure access to
critical information--anytime, anywhere. We are leveraging advances in
automation to deliver and modernize capability at speed, while unifying
security and the end-user experience to achieve an optimized enterprise
IT environment. We are consolidating and standardizing IT services,
adopting proactive early warning monitoring or sensing practices,
automating responses, migrating legacy services and capabilities to
cloud-based offerings, and developing mobile capabilities at all
classification levels to enable mission success and drive to a more
secure, seamless and cost-effective DOD IT architecture.
budget certification authorities and the capability programming
guidance
In accordance with 10 United States Code (U.S.C) Sec. 142, the DOD
CIO annually executes its budget and certification authority. An annual
Capability Programming Guidance (CPG) is provided to components,
ensuring a clear, manageable, and repeatable process to review the
proposed components' budgets for those capability areas under my
statutory authority. This guidance identifies investment focus areas
for the DOD CIO's assessment and is consistent with the National
Defense Strategy and Defense Planning Guidance. The document continues
to improve by focusing on outcome-based metrics & critical
capabilities. In conjunction with the Department's broader budget
guidance, the components build their budgets, which are then assessed
against the priorities identified in our CPG.
The DOD CIO successfully completed five Fiscal Year budget
assessments and determinations, beginning with the fiscal year 2020
President's Budget. The certification review process identifies
capability areas at risk. We then work with the MILDEPs, and other
components, to address these risk areas in future budgets.
The DOD fiscal year 2024 information technology/cyberspace
activities (IT/CA) budget request is $58.5 billion, which includes
$13.5 billion in cyber investments. The fiscal year 2024 request
reflects an overall increase of 6.0 percent from the DOD fiscal year
2023 enacted IT/CA budget.
The fiscal year 2024 cyberspace activities budget of $13.5 billion
supports the Department's efforts to defend forward in the cyber domain
and meet advanced and persistent cyber adversaries and disrupt their
efforts; accelerates the DOD's transition to Zero Trust as the next
generation cybersecurity architecture; and increases the defense of
critical infrastructure. Additionally, this budget request implements
enhanced budget control for U.S. Cyber Command, reflecting the transfer
of resources for the Joint Cyber Mission Force from the Military
Departments and Defense Agencies to U.S. Cyber Command. The $13.5
billion includes funding for the Department's cybersecurity
initiatives, some of which are highlighted below.
workforce
We are continuing to develop a workforce that will thrive in a
dynamic and agile cyber environment, postured to defend against skilled
adversaries and deliver innovative initiatives alongside our
government, industry, research, and academic partners. In early March,
the Department released its Cyber Workforce Strategy to close workforce
gaps while expanding its cyber workforce and developing talent to
securely build, operate and maintain its digital and critical
infrastructures to protect and defend our data against cyber
adversaries.
This strategy establishes the direction for unified management of
the cyber workforce and outlines a roadmap for its advancement through
four goals: 1) Execute consistent capability assessment and analysis
processes to stay ahead of force needs, 2) Establish an enterprise-wide
talent management program to better align force capabilities with
current and future requirements, 3) Facilitate a cultural shift to
optimize Department-wide personnel management activities, and 4) Foster
partnerships to enhance capability development, operational
effectiveness, and career broadening experiences.
Our goals align to four key pillars: 1) Identification of needs 2)
Recruitment 3) Development, and 4) Retention. First, we need to
identify workforce needs and requirements. Second, it is critical we
cast a wide net to attract the talent needed to meet these requirements
and continually evaluate these efforts. Once the need is identified,
and the talent acquired, teams and individuals must be provided the
resources to be successful. Finally, incentive programs enable the
Department to retain critical talent. We are using these pillars to
drive the cultural shift necessary at the Department to ensure our
workforce is agile, flexible, and responsive to the changing cyber
domain, its threats, and its challenges.
To achieve these goals, we must pursue meaningful actions that
reduce the talent pipeline gap, increase the quality and diversity of
our cyber workforce, and prioritize professional development. DISA's
Workforce 2025 initiative exemplifies these actions by expanding
traditional methods of communicating to employees and incorporating new
training tools, activities, and programs to connect the workforce to
the mission. This initiative will define and prioritize the skills and
equipment personnel need to accomplish DISA's combat support mission.
Cyber Workforce Strategy Implementation Plan
We are shaping an agile and innovative implementation plan with
clear measures of effectiveness to successfully enhance recruitment and
retention of a cyber workforce.
DOD Cyber Workforce Framework Expansion
While the strategy sets the direction for unifying the cyber
workforce, the DOD Cyber Workforce Framework (DCWF) provides the
foundation for targeted human capital management and establishes a
common data model for data-driven decisionmaking. The DCWF has been
used across the DOD to advance our understanding of cyber work roles,
identify critical needs and gaps, and take action to advance a
workforce capable of protecting our Nation against ever evolving
threats. Given its success the Deputy Secretary of Defense directed the
Department to expand the DCWF. Recently, the DOD CIO and the Chief
Digital and Artificial Intelligence Office included new work roles for
artificial intelligence, data and analytics, and software engineering.
This expansion shows the utility of the framework methodology. The data
driven framework is now used to assess and report on the health of the
broader innovation workforce. We will continue expansion efforts to
support other critical mission sets.
DOD Manual 8140
DOD Manual 8140 sets the foundation for identifying, qualifying,
and upskilling our workforce according to the DCWF. DOD Manual 8140
policy series consists of a directive, instruction, and manual and was
published in February of this year. The manual is critical to our
workforce as it establishes the qualification criteria for each DCWF
work role to ensure personnel filling cyber positions are capable of
meeting mission requirements.
Using the DCWF, the manual enhances interoperability and cyber
readiness across the Department by providing a common baseline and
understanding of cyber concepts, principles, and applications. The
program also provides a continuing professional development mechanism
for the Department to ensure the workforce maintains current knowledge
and capabilities in the rapidly changing cyber domain.
Through the manual, DOD is expanding the qualification program from
a population of less than 90,000 to more than approximately 225,000
military, civilian and contractor positions by establishing
foundational and residential qualification criteria for each DCWF work
role. Together, the strategy, implementation plan, and 8140 policy
series will enable the DOD to develop and deploy an agile, capable, and
ready cyber workforce.
Cyber Excepted Service
The DOD Cyber Excepted Service (CES) personnel system was
established to ensure that the cyber warfighters are the first
positions to be filled by utilizing a wide range of tools and program
elements that is unmatched with current competitive service system
opportunities. CES works in coordination with the DCWF coding of our
workforce.
We are implementing a unique set of tools and programs, such as on-
the-spot job offers, pay-setting flexibilities, no time-in-grade
requirements, qualified-based promotions, target local market
supplements, and advancement and development opportunities to achieve
recruitment, retention, and development flexibilities across the
Department.
Analytics
Data is key to all our initiatives. We developed an authoritative
data analytics platform that provides leadership with enterprise-wide
visibility into the cyber workforce using the DCWF work roles. This
real-time data aggregation enables DOD leaders to make information-
driven decisions to fill gaps through an enhanced way of identifying
its workforce mix and conducting a more targeted analysis for fixing
recruiting and retention challenges.
outreach / development / retention
Professional development, through education and training, plays a
vital role in supporting and enhancing our cyber workforce
capabilities. We have several ongoing partnerships and rotation
programs to provide professional development opportunities to our
workforce.
We offer the DOD Cyber Scholarship Program (CySP) that provides
scholarships to students in pursuit of cyber-related degrees at
designated institutions. Each recipient is provided with a DOD
internship, giving them hands-on experience and exposure to DOD
cultures and agencies. This results in workforce members who are better
qualified and better equipped, and it starts the clearance process with
interns so that applicants are pre-cleared before beginning full-time
work. In addition, we work with the Centers of Academic Excellence
(CAE) program that consists of direct relationships with over 400
universities, colleges, and community colleges with verified curriculum
aligned to requirements outlined by the DCWF. CAE students work
directly with grant-recipient professors to perform DOD research.
In November 2022, the DOD expanded the cybersecurity workforce by
eliminating educational barriers and leveraging registered
apprenticeship programs. Removing formal education barriers, combined
with the use of apprenticeship programs, provides a faster pipeline to
acquire talent, increases talent pool, and enhances diversity by
allowing applicants to enter the workforce through nontraditional
pathways. Efforts including registered apprenticeship programs enhance
our cybersecurity workforce and complement the Administration's focus
on diversity, equity, inclusion, and accessibility. Closing the talent
gap is critical to strengthen and safeguard our Nation's cybersecurity.
Moreover, removing formal education barriers and providing
nontraditional skills-based pathways is a step that brings DOD closer
to our goal of scaling up a workforce that are critical to mission
readiness.
zero trust
The DOD has made great strides in establishing a strong foundation
for Zero Trust (ZT) adoption and implementation. In January 2022 we
established the ZT Portfolio Management Office (ZT PfMO). In July 2022
we released the ZT Reference Architecture and subsequently, in October
2022, the ZT Strategy and Implementation Roadmap. This document
provides strategic guidance, direct alignment of efforts, and
prioritize resources for accelerating ZT adoption across the DOD. This
includes defining capabilities and activities required to achieve
Target Level ZT, which all of DOD must achieve, and Advanced Level ZT,
necessary for some systems and data, applications, assets, and
services. Working with DISA, the DOD ZT PfMO hosted quarterly technical
exchange meetings with the MILDEPs, Joint Staff, Unified Combatant
Commands (CCMDs), National Security Agency (NSA), and the Office of the
Director of National Intelligence, to ensure a clear understanding and
alignment of the ZT mission, goals and objectives, and strategy
roadmap.
The ZT PfMO collaborated and shared updates with the Department of
Homeland Security Cybersecurity and Infrastructure Security Agency,
NATO, and our international partners to ensure the Federal Government
and our allies and partners are moving toward successful adoption and
implementation of ZT. DOD is striving to be a leader in the Federal
Government on implementing ZT at scale, starting with our most critical
networks and systems. With full buy-in from the DOD and its partners,
this will be readily achievable.
ZT Pilots and Training Activities
The DOD ZT PfMO will ensure DOD components have the technical
options available to implement ZT. The DOD ZT PfMO, working with DISA,
will initiate a series of ZT pilot scenarios in mid-2023. Additionally,
the DOD CIO and DISA are working with NSA to develop a Native ZT Cloud
which will be a government-owned private cloud designed to achieve more
advanced levels of ZT.
We have also been working with the Defense Acquisition University
to develop ZT curricula and training courses. Through this
collaboration, the DOD ZT PfMO published the DOD ZT Awareness Course on
the DOD's Joint Knowledge Online Platform, enabling the DOD's workforce
to receive foundational training on ZT. The DOD ZT PfMO is continually
developing training curricula, including a Practitioner's Workshop
course to upskill the DOD's workforce. With continued intra-
departmental collaboration, the DOD can be a leader in the ZT cultural
shift across the Federal Government.
identity credential and access management
DOD Identity Credential and Access Management (ICAM) efforts
provide key foundational support for the implementation of numerous key
DOD initiatives to include ZT, Joint All Domain Command and Control
(JADC2), and Mission Partner Environment. The Department established an
ICAM Executive Board with the objective of empowering decisionmaking to
ensure clear direction, messaging, and prioritization of ICAM efforts
across DOD. In 2022, DISA, in coordination with the DOD CIO and DOD
Comptroller, completed several pilots to see how we can leverage ICAM's
capabilities to address access control and segregation of duties of
financial systems and fielded several new Enterprise ICAM capabilities.
DOD CIO will also require components to implement the enterprise
capabilities or leverage a DOD CIO approved ICAM offering if the
enterprise capability cannot meet the mission requirement. DISA and NSA
will continue to work together to develop an enterprise ICAM approach
for dynamic access, which is a key capability to enable attribute-based
access control that relies on user and environmental attributes for
access.
cryptographic modernization
Cryptographic Modernization is another area that DISA provides
capabilities in the form of the Department's Public Key Infrastructure
(PKI). The emergence of a viable quantum computing capability increases
the risk of our adversaries acquiring this technology to disrupt and
compromise our National Security Systems (NSS). The Department must
develop modern, quantum-resistant encryption solutions to outpace the
threats from our adversaries. The DOD's current Cryptographic
Modernization 2 initiative is designed to address a large portion of
these concerns.
cybersecurity maturity model certification 2.0
The Department is committed to working with the defense industrial
base (DIB) and other stakeholders to achieve our shared objective of
protecting national security information. In November 2021, we launched
Cybersecurity Maturity Model Certification (CMMC) 2.0 to meet evolving
threats and safeguard the information that supports and enables our
warfighters, with a simplified approach to compliance. We are currently
in the process of codifying the CMMC 2.0 program through the rulemaking
process to update the Title 32 of the Code of Federal Regulations
(CFR). We will be supporting the Office of the Under Secretary of
Defense for Acquisition and Sustainment (USD(A&S)), as they lead the
effort to update the Defense Federal Acquisition Regulation Supplement
(DFARS) through the 48 CFR rulemaking process.
We understand how consequential these changes will be for DIB
members whose contracts with the Department that process Controlled
Unclassified Information (CUI), and we are especially sensitive to how
this program might affect small and medium-size businesses. Our
outreach efforts include working with DOD's Office of Small Business
Programs, and which is providing resources to small businesses to
improve their cyber readiness, others across the Department, to ensure
that all potential partners in the DIB and academia understand the
National Institute of Standards and Technology (NIST)-based standards
that already contractually apply to those who are handling CUI. We also
have had industry roundtables and town halls where our DOD Deputy CIO
for Cybersecurity (DCIO(CS)) discussed how to advance DOD's and
industry's shared objectives in cybersecurity risk assessment and
management, information sharing, emergency preparedness, incident
management, and response coordination. In addition, we continue to
expand our programs for assisting industry in understanding and
applying the cybersecurity practices necessary to protect themselves
and DOD's sensitive information.
implementing and integrating cybersecurity guidance and policies
The DOD CIO plays an enterprise oversight and advisory role for
cybersecurity across the Department.
Strategic Cybersecurity Program
The USD(A&S) oversees the Strategic Cybersecurity Program (SCP),
with an NSA program management office (PMO) performing execution. DOD
CIO's role has been supporting USD(A&S) efforts, providing oversight to
the NSA SCP PMO, and using CIO budget authorities to ensure components
are resourcing for SCP efforts and mitigations and verifying their
execution through the cybersecurity budget certification process.
National Security Memorandum-8
DOD is improving the cybersecurity of its NSS following guidance
from National Security Memorandum 8, ``Improving the Cybersecurity of
National Security, DOD, and Intelligence Community Systems,'' which
requires all agencies with NSS to ensure that their systems are
upgraded to more rigorous, cybersecurity standards. DOD CIO published
Department guidance to incorporate the NSS Checklist into components
authoritative inventory tools and categorize each DOD system
accordingly.
DOD Risk Management Framework
The updated DOD Instruction 8510.01 ``Risk Management Framework
(RMF) for DOD Systems,'' incorporates greater cyberspace accountability
for DOD components and information systems by executive program
officers, program managers, authorizing officials, and cyberspace and
functional operational commanders throughout system lifecycles. It
applies an integrated enterprise-wide decision structure for the RMF
that includes and integrates DOD mission areas and risk governance
process. Finally, it provides guidance on reciprocity of system
authorization decisions for the DOD in coordination with other Federal
agencies to reduce redundant testing, assessing, documenting, and the
associated costs in time and resources.
Comply to Connect (C2C)
This process is designed to restrict unauthorized device access;
reduce vulnerabilities; take action to detect and deter anomalous
behaviors associated with malware or with the unauthorized activities
of users and to maintain the secure configuration of the network and
its information resources.
mitigating supply chain risk for information and communication
technology and services
OMB Memorandum 22-18 Implementation
In implementing EO 14028, the Office of Management and Budget
directed in M-22-18 that all Federal agencies seek attestations from
software producers about secure software development practices (pending
OMB's identification of minimum elements of NIST 800-218) for software
in use by agencies that fall within the scope of M-22-18. The DOD CIO
is collaborating across the DOD to meet the various requirements of the
memorandum, which will by necessity, require rulemaking for an
anticipated Federal Acquisition Regulation, and possible DOD
supplement.
Authorities to Exclude and Remove
The DOD CIO is leading the effort to address high-risk information
and communication technology vendors by leveraging 10 U.S.C. Sec. 3252
and interagency engagement with the Federal Acquisition Security
Council.
Implementation of Guidance
To address information and communications technology and services
(ICTS) supply chain risk, NIST has updated multiple guides, to include
Special Publications 800-53 Rev. 5 ``Security and Privacy Controls for
Information Systems and Organizations,'' and 800-161 Rev. 1
``Cybersecurity Supply Chain Risk Management Practices for Systems and
Organizations.'' DOD is adopting these updated guides to drive ICTS
supply chain considerations into systems designs.
improving user experience
The Department must take an enterprise-wide approach to improve
user experience and enable the faster delivery of IT capabilities. We
are committed to modernizing the digital backbone that supports the
warfighter by accelerating the DOD enterprise cloud environment,
modernizing business systems, optimizing networks, and buying down
technical debt. These efforts will improve user experience by making
critical IT infrastructure investments to reduce latency and improve
cybersecurity while leveraging cloud for speed, agility, and
scalability in support of emerging capabilities and mission readiness.
accelerate the dod enterprise cloud environment
Cloud computing remains a fundamental component of the Department's
global IT infrastructure and modernization strategy. With battlefield
success increasingly relying on digital capabilities, cloud computing
provides the IT platform needed to satisfy the warfighter's
requirements for rapid access to data, innovative capabilities, and
assured support.
Joint Warfighting Cloud Capability
Last December, the Department awarded the Joint Warfighting Cloud
Capability (JWCC) fulfilling our commitment to deliver an enterprise-
level multi-vendor, multi-cloud ecosystem to address longstanding
requirements and capability gaps in support of the warfighter.
JWCC enables mission owners to contract directly with these Cloud
Service Providers (CSP) to create a strategic technological advantage
on future battlefields at all three classification levels--
Unclassified, Secret, and Top Secret. JWCC provides foundational
commercial cloud services and capabilities that enable transformational
initiatives such as JADC2 and the Artificial Intelligence and Data
Accelerator in coordination with CDAO. JWCC allows for streamlined
provisioning of cloud services, fortified security, and commercial
pricing parity. Features of JWCC include capabilities and parity of
services at all three classification levels, integrated cross domain
solutions, global availability inclusive of tactical edge locations,
and enhance Cybersecurity controls. We will guide and ensure that the
Department utilizes JWCC to the maximum extent possible.
Outside the Continental United States Cloud
JWCC provides enterprise-level delivery of commercial cloud
services and technology from the strategic to the tactical level, to
include austere and Outside the Continental United States environments.
These CSPs give the Department access to multiple, global fabrics that
ensure our warfighters can conduct operations anywhere in the world.
The current crisis in Ukraine and JADC2 experiments are
demonstrating the need for rapid extension of enhanced edge computing
capabilities globally to reduce network latency, enable advanced data
processing such as AI, and improve operational resilience. The DOD CIO,
DISA, CDAO, and Under Secretary of Defense for Intelligence and
Security are engaged with the CCMDs, the MILDEPs, and forward deployed
partners to deliver the latest cloud computing and communications
technologies to meet these requirements.
Cloud and Data Center Optimization
Through our strong partnership with DOD Components our Cloud and
Data Center Optimization initiative is enabling the Department to
achieve its vision for a more agile and resilient defense posture. We
continue to facilitate the modernization of DOD application/systems,
close legacy data centers, and prepare to support emerging
capabilities. This initiative focuses on the migration of applications/
systems from 13 organizations to more optimal hosting environments and
optimizing or closing vulnerable legacy data centers. We have
successfully migrated or decommissioned over 760 systems and closed 49
data centers with plans to close 11 additional data centers by fiscal
year 2025.
dod software modernization
Last February, we released the Department's Software Modernization
Strategy, highlighting the Department's adaptability increasingly
relies on software and the ability to deliver secure and resilient
software at speed of mission while ensuring software supply chain
control.
Transforming software delivery times from years to minutes requires
significant changes to our processes, policies, workforce, and
technology. The Department is preparing to release the Software
Modernization Implementation Plan that identifies key fiscal year 2023
and fiscal year 2024 activities, milestones, and responsibilities for
driving process improvements and new capabilities to achieve the
Software Modernization Strategy goals.
The JWCC award brings us closer to achieving our goal of
accelerating the adoption of the Department's enterprise cloud
environment, which is a core enabler of our software modernization
initiatives, especially the development of Department-wide software
factory ecosystem enabling advanced modern software practice such as
Development, Security, and Operations (DevSecOps). DevSecOps allows for
continuous monitoring of the DOD network and enables us to integrate
the cybersecurity and cloud-native technologies into the DOD computing
platforms used to integrate software development and system operations
for accelerated capability delivery. Our workforce and process
transformation are aiming to expand the DOD CES approach to offer
flexibilities for the recruitment, retention, and development of
software professionals across the Department.
4th estate network optimization
Today's challenges require that we implement a digital enterprise
that maintains pace with commercial innovation and delivers IT
efficiently. Through 4th EState Network Optimization (4ENO), the
Department is modernizing DOD IT infrastructure and streamlining the
digital enterprise. DISA has been designated as the Department's Single
Service Provider (SSP) for 4ENO which will consolidate the commodity IT
local area networks and service desks associated with Defense Agencies
and Field Activities (DAFAs). 4ENO converges the 26 networks that the
Defense Agencies and Field Activities (DAFAs) independently own,
operate, and manage to a single unclassified network domain and a
single classified network domain while eliminating redundant networks,
and supporting global access that reduces barriers for joint
information sharing, strengthens cybersecurity, and improves end user
experience.
To date, four DAFAs completed their migration to the Global Service
Desk (GSD) and three DAFAs have migrated 700 users across six sites to
the new single service network known as DODNET. This resulted in the
consolidation of six legacy networks and a refresh of network hardware.
Between fiscal year 2023 and fiscal year 2026, 4ENO aims to migrate an
additional 96,000 users from over 470 sites and transfer nearly 800
more FTEs to the GSD. While 4ENO is a long-term effort, it reflects the
Department's commitment to enhance efficiencies, modernize
capabilities, and improve operational effectiveness.
defense business systems modernization
DOD must deploy an enterprise approach to deliver modern business
capabilities throughout the Department in an increasingly digital
landscape. Business systems, which offer common functions across
organizations like health, logistics, human resourcing, and training,
offer an opportunity to ensure that modern and integrated business
processes are in place to support the mission. We are actively working
to identify opportunities to consolidate or streamline business
functions and data at the enterprise level by improving our processes,
enabling data integration, and reducing complex system interfaces.
These enhancements will lead to a faster response to mission and
provide business data for holistic decisionmaking. Our enterprise,
data-driven Defense Business Systems (DBS) portfolio management
approach will drive rationalization across the portfolio to buy-down
technical debt, and enhance user experience across the Department,
ultimately transforming the way the Department does business.
The Department is committed to managing DBS as a strategic asset.
We have successfully transitioned business system responsibilities to
DOD CIO, including the annual certification, as the result of the
repeal of the Chief Management Officer. The Department will use
functional and technical criteria to lead a more data-driven annual
certification process per 10 U.S.C Sec. 2222 authorities and ensure our
DBS portfolio aligns to the strategic priorities and direction of the
Department. We are driving to fundamentally transform processes to
enable a highly efficient business environment that effectively
supports our national defense priorities.
warfighting command control and communications
Command, Control, and Communications C3 systems are fundamental to
all military operations to deliver the critical information necessary
to plan, coordinate, and control forces and operations across the full
range of Department's missions. DOD CIO is leading the way ahead for
future development, implementation, fielding, and sustainment of
strategic and tactical C3 capabilities. The critical capabilities in
this portfolio are a priority for the enterprise.
Electromagnetic Spectrum
Electromagnetic spectrum (EMS) is important to every DOD mission,
in every domain. Spectrum not only provides the critical connective
tissue that enables all-domain operations but represents a natural seam
and critical vulnerability across Joint Force operations. China and
Russia have taken significant steps to challenge U.S. control of the
spectrum and seek to exploit U.S. vulnerabilities in the spectrum.
Ensuring the U.S. military can train and operate in the spectrum--both
at home and abroad--is a strategic imperative.
As the Department's senior official responsible for coordinating
across the EMS Enterprise, we are employing and refining our governance
processes to ensure synchronization and harmonization of all
developments and activities necessary for the successful implementation
of the 2020 Electromagnetic Superiority Spectrum Strategy (EMS3). The
C3 Leadership Board and the EMS Senior Steering Group has broad
participation from stakeholders across the Department, and work to
drive toward the EMS3 vision of achieving freedom of action within the
EMS at the time, place, and parameters of our choosing while denying
the enemy the same.
The Department acknowledges it cannot achieve spectrum superiority
without a whole-of-government, whole-of-industry, and whole-of-nation
commitment. Accordingly, we also continue robust engagement with our
partners in the interagency, industry, and academia to deliver the best
spectrum outcomes for the Department and the Nation.
Spectrum Sharing
The DOD supports efforts to ensure U.S. dominance in 5G and next-G
development. Previous DOD success in making spectrum available for
commercial use through the Advanced Wireless Services, Citizens
Broadband Radio Service, and America's Mid-Band Initiatives Teams are
testaments to this commitment. DOD maintains numerous operational
equities throughout the spectrum which must be preserved to enable DOD
the ability to protect the homeland, test equipment, train for overseas
contingencies and operate in all domains. As I testified during my
confirmation hearing before the Senate Armed Services Committee in
2021, ``Spectrum sharing must be our watchword going forward'' for the
U.S. to maintain both its global leadership position and the
capabilities of our armed forces.
The Department remains committed to making mid-band spectrum
available for industry while meeting our mission requirements. Within
the 3100-3450 band, the DOD relies on hundreds of air, sea, and land-
based radars for a wide range of missions.
We continue to make strong progress in the spectrum sharing study
of the 3100-3450 band, our as required by the Infrastructure Investment
and Jobs Act (IIJA). To inform this study, DOD is coordinating closely
with the Department of Commerce. Indeed, Secretary Austin and Secretary
Raimondo jointly signed a letter to Congress on these issues. DOD is
also leveraging the technical expertise of government, industry, and
academia. We will report our findings to the Department of Commerce by
September 2023 as required by the IIJA.
Our efforts build on previous sharing initiatives led by the
Department. We are committed to helping maximize U.S. 5G and Next G
dominance while also ensuring that the Joint Force can both train and
conduct operations in and near the continental U.S. where use of
terrestrial, airborne, and sea-based radars operating in the mid-band
are critical for success.
5G
The DOD CIO continues to work on 5G through contributions to
international standards development organizations, and through
participation in the Under Secretary of Defense for Research and
Engineering (USD(R&E)) led 5G Cross Functional Team (CFT), to identify
and provide implementation guidance for both dual-use commercial and
military focused 5G technology applications that provide the optimum
return on investment to the Department. Our current focus is on the
development of required enterprise capabilities, and associated
security policy/infrastructure to support the MILDEPs in their
implementation of 5G Information and Communications Technology across
all military installations in line with the fiscal year 2023 NDAA.
Finally, in accordance with the fiscal year 2021 NDAA, the DOD CIO is
preparing to assume leadership of the CFT on October 1, 2023, and will
continue to work in close coordination with USD(R&E) and USD(A&S).
Positioning, Navigation, and Timing
The DOD CIO is fully engaged in leading the implementation of the
Department's positioning, navigation, and timing (PNT) Strategy to
provide robust and resilient PNT for the Joint Force. This is critical
to enabling advanced weapon systems to function in today's highly
contested navigation warfare environment. Current efforts are focused
on modernization of the Global Positioning System (GPS), including
acquisition and fielding of GPS M-code equipment, modernized GPS
satellites, and the next generation operational control segment. In
order to ensure that PNT is accessible to support international U.S.
and coalition operations, resilience efforts also concentrate on
alternative and complementary capabilities to GPS to provide multi--
source PNT in a modular open system approach (MOSA).
To date, the Services accomplishments include the fielding of GPS
M-code ground receivers in key systems that include the Army's Mounted
Assured PNT System or MAPS which is in the Patriot System, currently in
South Korea. The Navy has started fielding the GPS-Based Positioning,
Navigation and Timing Service, known as GPNTS, and Non-GPS aided PNT
for Surface Ships or NoGAPSS into the surface fleet. The Air Force is
developing the MOSA compliant Resilient Embedded Global Positioning
System Inertial Navigation System (REGI) for use in critical DOD
aviation platforms. In a joint effort by the Navy and DISA, global
timing resiliency is being achieved though the Critical Time
Dissemination initiative and Defense Regional Clocks.
Enterprise Satellite Communications Modernization
The DOD is rapidly accelerating its satellite communication
(SATCOM) services modernization, with particular focus on our
international and commercial partnerships. The Department is nearing
the conclusion of a ground teleport sharing arrangement with Australia
that will offer both participants increased operational capacity and
resiliency. As the Department shifts to a Future SATCOM Force Design,
diverse commercial and military services will be blended into a single
operational enterprise, achieving more agile and scalable communication
transport.
Recently, the Department released its Enterprise SATCOM Management
and Control Reference Architecture, Implementation Plan, and SATCOM
Terminal Reference Architecture for delivering automated SATCOM
resource allocation to the warfighter quickly. We are now implementing
a solution that establishes cloud-based enterprise services and secure
automated resource allocation across military and commercial SATCOM
communication service provided networks.
Following commercial SATCOM industry's lead, we are changing
decades old analogue business and operational processes used to
allocate SATCOM and creating the necessary rules-based processes to
deliver machine-to-machine information flows allowing SATCOM resource
allocation in minutes and seconds.
As the Department integrates commercial SATCOM, we must stay
focused on protecting our infrastructure and networks from adversarial
threats. The Department worked with industry over the past 2 years and
issued the ``Information Assurance--Pre'' program where commercial
solutions are assessed and graded on the ability to protect the
Departments information streams.
sap it
The Deputy CIO for Special Access Program (SAP) IT is responsible
for policy, oversight, and governance of all need to know SAP IT
programs and cybersecurity activities across the Department. The office
has made significant progress in establishing, enhancing, and maturing
SAP IT policy and governance. Working closely with the team in DISA, we
have implemented repeatable and reliable approaches for managing,
coordinating, and protecting SAP IT. These efforts include
modernization of the legacy stand-alone ``Chinstrap'' desktop hardware
system. The Compartmentalized Enterprise Desktop (CED) is DOD's new
cloud-based virtualized desktop. CED installation and Chinstrap
decommissioning is underway and is on track to be completed by the end
of the month of March 2023.
conclusion
It would not be possible to continue all this work without the
consistent and dedicated support of this subcommittee and partnership
with Congress. We are committed in our combined mission success and
combat any challenges to our national security. We look forward to
continuing to work with you all. Thank you for the opportunity to
testify this morning, we look forward to your questions.
Senator Manchin. Thank you, both of you, for your opening
statements and now we will start with our questions. I will
begin and go right over to Senator Mike Rounds.
First, General Skinner, as I mentioned in my opening
statement, we have to train for scenarios where we are
preparing for across the whole of our Federal Government in
coordination with State, local, and industry partners.
That is why I have provided $2 million in appropriations
last year for this exercise to ensure that we have the
infrastructure and manpower to not only continue to participate
but also to win in these exercises, and you might want to
comment on that how we have been able to fare.
But I have been impressed with Lockheed Shields exercise
for this very purpose. But has the exercise been meeting your
expectations or what you thought it could be?
Lieutenant General Skinner. Senator, the exercise is
definitely meeting our expectations. The way we really sharpen
our swords and sharpen our ability and our tactics, techniques,
and procedures is through exercises like this, not only with
our Guard forces that are a key part of our overall posture but
also with our allies and partners.
The best way to learn is to learn through these type of
exercises and these type of capabilities, which is really very
realistic scenarios to really sharpen our swords, as I
mentioned, and also make sure that our teams are working
together, because as we look at potential conflict and/or
crisis we are not going to do that alone. Having our allies and
partners next to us and having our Guards personnel as part of
that overall team is very important.
Senator Manchin. How can we do a better job of coordinating
these participations across all lines of Government as far as
what we are responsible for and the private sector, to bring
them in, too?
Lieutenant General Skinner. Senator, I think working
through CISA [Cybersecurity and Infrastructure Agency], and
working through them to get down to the State and local levels,
I think, is a key area that we can continue to leverage to get
more participation.
Senator Manchin. Can we do it with what we have now? Is it
going to take more--is it going to take more finances or do we
have the ability to be flexible enough to get that done now
under the current scenario?
Lieutenant General Skinner. Senator, I think there is a lot
of flexibility and we will continue to----
Senator Manchin. You can do that?
Lieutenant General Skinner.--leverage the things that you
have given us to----
Senator Manchin. We want you to make sure that you move as
fast as you can and get us quickly as far as the results that
we are going to be needing to be prepared.
Mr. Sherman, I am sure that you are aware of the practical
implementation of artificial intelligence probably more than
most. It is a top priority for Ranking Member Rounds and
myself. We have been speaking about that and learning a lot
more about that.
I am saving the majority of my questions on this topic for
our next hearing focusing solely on AI, and there is no doubt
the benefits of AI could bring to both yours and General
Skinner's job in the Department I think is coming very rapidly.
My question would be what tangible AI application do you
believe has been most successful? Which one?
Mr. Sherman. Sir, if I had to judge--and our chief digital
and AI officer is truly our lead. I empower him through what we
are doing on cloud, cybersecurity, and transport.
But one I will take out or highlight here is what we have
done on preventative maintenance on helicopters, for example,
using AI out at the tactical edge there to help our special
operators on Blackhawk helicopter maintenance using AI.
That is the one of many examples, Senator. But as a former
Army officer I am pretty impressed with that one and not doing
preventative maintenance checks and services like we have done
in the 1990's or somewhere earlier but using AI to allow our
maintainers to get ahead of what they need to do to keep our
helicopters flying.
Senator Manchin. Do you have a metric as far as savings and
using AI on that?
Mr. Sherman. Sir, I would have to take that for the record.
But I know it has been well used by special operations----
Senator Manchin. If you can let us know the savings and we
can show that we could be moving AI in many other arenas other
than just that would be very, very helpful.
Mr. Sherman. Yes, sir.
Senator Manchin. Also, how can we do a better job on the
Committee and on Appropriations, which I am also a member of,
to organize DOD's wealth of data and put it to use with AI? Are
you getting all the input you need?
Mr. Sherman. Yes, sir. We are getting the input, and as my
colleague, Dr. Martell, the CDAO [Chief Data and Analytics
Officer], has noted, this is where the pick and shovel work
comes in for AI is organizing our data, exposing it, creating
APIs, or application product interfaces, where we can get to
that data where it rests, not trying to bring it all together
in one place.
Very importantly, sir, you noted in your opening remarks
about zero trust is really about protecting our data, which is
what we are really doing here. It is not just protecting the
systems but making sure that data is secure so we can have
accurate algorithms for all the use cases we will need, sir.
Senator Manchin. I have further questions but I will turn
to Senator Rounds now.
Senator Rounds. Thank you, Mr. Chairman.
Let me begin just with General Skinner. How is the
Department measuring its progress to secure the DODIN, and I
guess what I am really asking is is what metrics are being used
by the Department to assess the strength or weaknesses within
the DODIN's cyber posture?
Lieutenant General Skinner. Senator, we have a host of
metrics that we are using on a day-to-day basis. To give you
just a couple of examples, we have command cyber readiness
inspections that go out and assess a base, post, camp, or
station's ability to perform their cybersecurity mission and we
actually give them a grade at each of those and then we wrap
all those up to look at a holistic look at the Department.
At our boundaries and our perimeter we are using artificial
intelligence to look--to determine where we have potential
malware and zero-day malware and as we continue to highlight
those we are tracking how much of that is actually occurring.
We are working with the Defense Cyber Crime Center and they
are using white hackers to test our boundary and we are
treating that as part of our metrics.
Then the final area I would offer is we are scanning on a
day-to-day basis the vulnerabilities of our front doors and we
are loading that into our performance metrics to see what the
trends are and where the artificial intelligence in our
perimeter defenses are working.
Senator Rounds. Leads me right into my next question. Once
again for General Skinner, I understand that the NSA is
planning to phaseout a system that contributes to the security
of the DODIN's perimeter defenses.
How is this preparing to defend the DODIN's perimeter
defenses if or when the NSA cybersecurity systems are retired?
Lieutenant General Skinner. Senator, we have an amazing
relationship with the National Security Agency and we are--we
continue to partner at the perimeter defense to make sure that
we are working together in protecting and securing.
As the Joint Force Headquarters DODIN has stood up and as
Cyber Command has stood up we continue to evaluate the things
that NSA is doing and the things that the Department is doing
and where it actually belongs, and we have conditions-based
approach as we move capabilities from the NSA to the Department
of Defense.
One of the things I want to thank you for is we have a
pilot ongoing for full packet inspection of our boundary. We
just started that pilot. We put it on contract in March, and
within the next 6 months we are going to determine if the
capability meets what the marketing says as well as is it
scalable, and that is going to be another addition to the
capabilities that we have at our boundary.
Senator Rounds. So you do have a plan in place so that as
the NSA product is removed you have other products to replace
them in a timely fashion without any holes in the coverages?
Lieutenant General Skinner. Yes, sir.
Senator Rounds. Okay.
Mr. Sherman, some of the services are piloting bring your
own device (BYOD) programs, which allow servicemembers to
connect their personal IT devices to the DODIN.
How is the Department confirming harmful applications and
malware from personal devices are not inadvertently being
introduced to the DODIN?
Mr. Sherman. Sir, those bring your own approved device
pilots that are going on across all the military services and
the National Guard Bureau, we assess this through our chief
information security officer (CISO) and also working with
General Skinner at the Joint Force Headquarters DODIN to--and
the service cyber elements to make sure we are monitoring each
of these pilots carefully, and right now all these under
exceptions for policy given their pilots right now as we assess
the different offerings from Hypori, from Microsoft, and others
on what may work best.
But watching this closely, and as we allow other
capabilities--for example, allowing documents and so on to be
worked on there, allowing mission use but also not opening the
door where there could be some sort of malicious capability or
something else to come into the DODIN through the BYOD
capability.
So we are rigorously watching this through our CISO
counsel, service cyber elements, and others to make sure that
these pilot programs which are pretty constrained right now--
still in the thousands of people but not all across the
services--as we make decisions on how we are going to scale
this out, and we know, for example, it is very important for
the National Guard Bureau on a number of these things how can
we do this to be mission effective but cyber safe, sir.
Senator Rounds. Okay.
General Skinner, I understand that there is a significant
amount of automation within DISA's ecosystem and you have
alluded to that already. How are those capabilities being
extended across the DODIN enterprise?
How are you working it through? Is it a timeframe issue? Is
it a package by package? What is the sequence?
Lieutenant General Skinner. Yes, sir. As we develop these
capabilities we either put them in a library for others to be
able to access them or we put it on a SharePoint site. But we
enable it and we have a catalog of these different capabilities
that any organization can leverage.
As an example, we have a bunch of templates that we use as
infrastructure as code that enables individuals to get to the
cloud faster and we--and those templates are available to
anyone to use, which increases their time to get to the cloud
and improve their security and performance.
Senator Rounds. Thank you, sir. My time has expired.
Senator Manchin. Thank you, Senator.
Senator Budd?
Senator Budd. Thank you, Chairman, and, again, thank you
all both for being here. It was great to meet you all earlier.
I appreciate your work and your service.
So I am interested in the DISA Thunder Dome prototype, the
pilot program that recently concluded. Can you give me, General
Skinner, an update on that and let me know if it met all
original requirements?
Lieutenant General Skinner. Senator, yes, it met all the
original requirements. We called that prototype a success and
we are working with Honorable Sherman's team on the acquisition
strategy to expand this to the enterprise.
Senator Budd. Can you in this setting share kind of top
line what those original requirements were?
Lieutenant General Skinner. Yes. The original requirements
were, as we look at the zero trust--the seven pillars of zero
trust--there were three or four of those pillars that we want
to make sure that we were meeting from--both from an identity
standpoint as well as the capabilities that you have at the
perimeter. I will say the new perimeter as we continue to
change the boundary as zero trust principles.
Do we have the right segmentation and the ability to
segment so that if--just as in a house, if a burglar is in your
house part of the zero trust methodology is that you limit them
to go from room to room and to be able to micro segment that
was part of the requirements.
Senator Budd. Thank you. How quickly can that prototype be
scaled beyond DISA?
Lieutenant General Skinner. Senator, I am hoping within
months as we work through to do the acquisition process and we
work through. But we have already--we have about 1,600
individuals who are part of the pilot and as soon as we get
through the acquisition strategy, working with our vendors and
the commercial companies, we want to scale fast.
Senator Budd. Okay. Does the fiscal year 2024 budget--does
it provide DISA enough resources to do the scaling that you
hope to do?
Lieutenant General Skinner. Yes, sir. Within the Department
zero trust is a significant investment the Department is making
in the fiscal year 2024 budget.
Senator Budd. Okay. Could you tell the Committee an idea of
the total attack surface across the DOD Information Network and
is DISA assessing commercial capabilities to actively secure
access points?
Lieutenant General Skinner. Senator, if I talk in other
open forums the Department of Defense Information Network
attack surface is the third largest in the world behind the
United States and China when you talk about address space, and
so it is a significant place--a significant sphere.
We are continually upgrading our abilities and capabilities
at the boundary to protect and secure as well as continually
scanning the boundary from the outside to make sure that what
an adversary may see is what we will see before them and we can
shore that up.
Senator Budd. You mentioned China. There is other
adversaries out there. What is your assessment of the current
level of effort our adversaries have devoted to penetrating
Defense Industrial Base networks?
Lieutenant General Skinner. Senator, I think their effort
is very high. Some of them see the Defense Industrial Base as a
soft underbelly and that is why our work with CMMC
[Cybersecurity Maturity Model Certification] 2.0 and our work
day to day with our Defense Industrial Base partners is
critical, moving forward, because that is where the adversary
is really targeting.
Senator Budd. When they target those networks what do you
see is their aim? Is it intellectual property? Is it other
purposes? What do you usually see?
Lieutenant General Skinner. Senator, I think, as you said,
I think it is intellectual property but also I think they are
looking for a way to go upstream if there is any connection
between that Defense Industrial Base and the Department of
Defense. They are looking for an upstream way also.
Senator Budd. Thank you.
What additional risk management and oversight measures
might be needed to improve information security for the
Department and for those private partners that we just talked
about and particularly the smaller businesses that are part of
the network?
Lieutenant General Skinner. Sir, I think a continuing--our
continuing partnership as we work with them to understand
their--the threat vector and what their security posture is, I
think, is first and foremost because in order to protect you
have to understand, and so the ability for them to sense and
see what their environment is, I think, is the most important
thing that we can continue to do as a partner.
Senator Budd. Very good. Thank you both. Chair, I yield
back.
Senator Manchin. Thank you, Senator.
Senator Schmitt?
Senator Schmitt. Thank you, Mr. Chairman. Great to be on
this Subcommittee.
Senator Manchin. Good to have you.
Senator Schmitt. Mr. Sherman, I know that you have got some
connections previously at NGA [National Geospatial Intelligence
Agency] and St. Louis, of course, is the home of the NGA West.
We are very proud of that. Lieutenant General Skinner, Park
University, right? So anyway, some connections there.
I wanted to ask just a couple of questions. One, we have
been talking a lot about the rising or pacing threat of China
and it seems pretty obvious that one of--the potential conflict
could certainly happen in cyber. That is maybe the most likely,
right?
We have got what you all are doing. We have got assets in
the United States that control water supply, energy. How do you
guys approach this? Because you would not want to have a
situation where you are looking backward and say everybody is
siloed off because if something were going to happen and affect
how the American people view something--I know when there is a
prediction of 3 inches of snow in St. Louis there is a bread
line at the grocery store, right? We need to be ready for this.
How would you guys assess where we are at with that kind of
cooperation and coordination with the private sector?
Mr. Sherman. There is the Defense Industrial Base piece we
were chatting about earlier. But to your point, sir, if the PRC
or another nation State actor were to attack us holistically
our coordination with the Department of Homeland Security and
CISA under Jen Easterly, with whom we work closely to make sure
there is no seams, as we look at things like defense critical
infrastructure, which provides the support on our bases and
installations and posts, as you mentioned, for water, power,
and so on.
But many of those things are off our installations in the
local cities, towns, counties, and making sure as we work with
DHS that if there were to be any cyber attacks or anything like
that through the governance that DHS has that we are working
seamlessly and we do this quite a bit, and we work through, for
example, DOD policy as an interlocutor with DHS.
Working with Cyber Command and with General Skinner's JFHQ
DODIN hat on, we work to make sure there is few seams as
possible in this and realizing the Chinese or anyone else are
not going to see boundaries. They are going to come at us as a
Nation, and making sure that we are able to make sure we can
flow forces as necessary to the West Coast, our installations
are not brought down, we can have all the data we need, and so
we do look at this pretty holistically, sir.
Lieutenant General Skinner. Senator, I would add my
previous position as INDOPACOM J6 I was acutely aware of the
commercial power, commercial water, and the effects that that
would have on our ability to perform our mission.
We worked hand in hand, as Honorable Sherman said, with
CISA and making sure--as an example, we have day to day
discussions from a Joint Force Headquarters DODIN standpoint
and CISA sharing lessons learned, seeing what threats that they
are seeing, what threats that we are seeing so we are all on
the same page and understanding because every base, post, camp,
or station relies on the commercial sector to provide critical
capabilities because from a cyber domain standpoint you cannot
have cyber without power and that is a critical portion that we
are hand in hand and making sure that we all have a good
understanding, not only of the threat, but what is their
security posture, because they have to be just as cyber secure
as we are.
Senator Schmitt. Obviously, on cyber, like so much of what
we need to do to prepare, innovation plays a very, very
important role. How comfortable are both of you with the
breadth or diversity of the--of those contractors that are
going to provide sort of next-generation technology?
Because one of the dangers sometimes is everything--there
is one contractor or prime or something that dominates and it
crowds out some of that innovation. Where do you guys feel we
are at with that?
Mr. Sherman. I think this is a robust market and this is a
national advantage for us across our entire cyber industry
ecosystem here, whether we are looking at our endpoints at the
Department of Defense but also operational technology, Internet
of Things, et cetera, and then, of course, as you noted a
minute ago, sir, working with the civilian sector on that.
I think we have a rich ecosystem. We have--and I will say
this not only on cybersecurity but cloud service providers and
others, we have the best in the world and I will put them all
day long up against whatever China and Russia can bring to the
fight.
Our job is to make sure we are applying the best services
and best capabilities against where it is needed on our cyber
terrain in the Department of Defense. But I feel confident
about this, sir.
General Skinner, I do not know if you want to add to that.
Lieutenant General Skinner. Senator, I think the innovative
spirit of the American public is alive and well. The innovative
spirit of the Department of Defense is alive and well, and I
think together we are ready and we will continue to stay ready
and we are the best in the world.
Senator Schmitt. We will send that demand signal out. Thank
you, Mr. Chairman.
[Laughter.]
Senator Manchin. This will be to both of you. I will start
with General Skinner first.
Zero trust principles include segmenting networks and
resources within an enterprise in a logical and consistent
manner and enforcing access and policy controls at segment and
resource boundaries.
The first CYBERCOM commander, General Alexander, famously
claimed that the DOD has not one network but, rather, more than
15,000 separate networks loosely coupled together.
Do you agree that DOD's networks are not currently
rationally segmented and as many so-called cybersecurity
service providers across all of its components who manage
security operations logically and Cybersecurity Service
Providers (CSSPs) would be aligned with network segments and
our mission threads would be standardized? Where are we on
that? I am sure, hopefully, we corrected the most of it.
Lieutenant General Skinner. Senator, I would offer the
Department of Defense Information Network is a very complex
environment and the standards that Honorable Sherman puts out
as the DOD CIO and the operational maneuver that U.S. Cyber
Command does makes that less complex, and we are continuing on
a day-to-day basis to make it less complex and more simple, and
as we do the zero trust methodologies and as we focus on the
user, and the data, we make it that much less complex and more
secure.
Senator Manchin. Mr. Sherman, do you want to take a shot at
this?
Mr. Sherman. Absolutely. So we have been segmented for a
long time and to your point that we now need to rationally
segment, and as we move to what we call Software Defined Wide
Area Networks, or SDWANs, and making it less about hardware and
less about organizations but a rapidly adaptable software-based
ecosystem where, again, the same principle applies where we are
hindering the enemy's ability to move laterally across that
network.
But we do this in a logical manner consistent with this
very large enterprise that General Skinner described, and it
is, indeed, one of the key pillars of zero trust on networks
and environment. We call it--it is the fifth pillar there and
it matters for other pieces, too.
But that is what Thunder Dome is working on we talked about
earlier, and as we oversee our zero trust architecture that is
a key point, taking what General Alexander noted 10-plus years
ago but making this more rational now and where we can manage
it and be very agile to adapt in a software-centric method to
frustrate an enemy's ability to move laterally, sir.
Senator Manchin. Thank you.
Senator Rounds?
Senator Rounds. Thank you, Mr. Chairman. I just got a
couple of questions.
The first, and recognizing it is in an unclassified
environment here, Mr. Sherman, how will Cybersecurity Maturity
Models Certification process with regard to the DIB
contractors--Defense Industrial Base contractors--streamline
compliance with the program's security requirements and
processes?
I mean, this is an area where if there is a challenge for
all of us it is in that connectivity between the Defense
Industrial Base and the DODIN itself.
Mr. Sherman. Yes, sir. Taking this very seriously because
our Defense Industrial Base, as we were noting a moment ago, is
our national advantage and where cybersecurity is critical
because of what the PRC and others are doing.
We have got to make this understandable and usable by the
Defense Industrial Base. So moving from CMMC 1.0 circa 2021,
which had five different levels and it had an additional layer
of controls DOD had put on top of the National Institute of
Standards and Technology, or NIST, controls, we took a step
back under Deputy Secretary Hicks' leadership to review this
and make it more understandable and executable to where we now,
sir, have three levels and removing that extra layer of
controls and we have 110 controls that NIST put on there.
So trying to put ourselves in the shoes of those companies,
whether they be in South Dakota, sir, or Texas or wherever they
are and say, how is this going to impact me where we are not
surrendering the ground on cybersecurity but making it
implementable in terms of particularly for the small and medium
companies.
So we are in a position right now--this has taken us
longer, frankly, than we wanted to have to do the review. But,
sir, measure twice cut once. We want to do this correctly
before it gets over to OMB into rulemaking and public review.
So we are committed to getting this right, but all the
while a lot of industry engagement so this is understandable to
the companies are going to have to implement this, sir.
Senator Rounds. Thank you.
General Skinner, I understand that DISA has initiated a
pilot assessing new innovative--it is a pilot project that
assesses new and innovative commercial active cybersecurity
capabilities that are intended to protect the DODIN.
How are those efforts going and when do you think you will
be able to expand the capabilities to protect the entire DODIN,
hopefully, in a successful way?
Lieutenant General Skinner. Senator, as I mentioned
earlier, in the March time--about 2 weeks ago we put the pilot
on contract and we are expecting within the next 6 months to
have a good understanding of the pilot's capabilities and
whether it can scale.
While we are doing that we are not sitting on our laurels.
We are also--we have also implemented this thing called cloud-
based internet isolation, which is an innovative way of taking
web traffic and moving it to the left, I will say, into a
sandbox to where we can actually check the traffic out to make
sure that anything that is being downloaded does not have
malware in it.
We are about three-fourths of the way through the entire
Department that will be behind this and that is actually not
only improving our security but also improving our user
performance because some of the information is being discarded
and then it is coming through the internet access points.
So both from a user experience standpoint and a security
standpoint, that is another innovative way that we are
protecting our boundary and protecting our users.
Senator Rounds. [Presiding.] Great. Thank you.
On behalf of the Chairman, Senator Rosen?
Senator Rosen. Thank you, Senator Rounds. I appreciate that
and I appreciate you both being here to testify today and so I
am going to just get right to it and talk a little bit about
artificial intelligence because we are going to be using it in
some form or fashion as a cybersecurity solution. I mean, we
are already doing it in some way and it is going to continue to
grow.
So, Mr. Sherman, as you know, Senator Manchin already spoke
about this. Our adversaries really could use AI in the future
cyber attacks in the United States--we know it--including on
our DOD networks.
On the other hand, AI also has a great potential as a tool
for the Department of Defense to hunt for malicious software,
search for those irregular behaviors, if you will, that they
could indicate a presence of an intruder posing a threat to our
DOD system.
So could you speak to how the Department of Defense is
leveraging and learning about the advanced AI models to improve
our own networks' intelligence, if you will, for cybersecurity
defenses?
Mr. Sherman. Absolutely, Senator.
So as we bring data together on what is going on on our
networks--and General Skinner can speak to this a little bit as
well--applying AI and ML to look at, as you note,
irregularities on what is going on in there and that is one of
the key pillars of zero trust on automation and orchestration.
That is pillar number six on there on looking across that and
also visibility and analytics, which is the next pillar.
As we apply AI ML to this and--excuse me, and as my
colleague, the CDAO--the Chief Digital and AI officer--often
notes the algorithms are not the tough part of this. It is
getting the data to where it needs to be to be able to run the
algorithms and that is where we are, frankly, putting a lot of
our effort into is making sure we have data with the right
standards, the right points where we can run these algorithms
to look for these anomalous behaviors you note, ma'am, to look
for this and to be able to secure the DODIN.
I would note General Skinner may be able to amplify this
from his role at CYBERCOM there.
Lieutenant General Skinner. Senator, we are using AI in
multiple points within the DODIN at our different endpoints.
Many of the products today have artificial intelligence already
embedded in them. So even as we are purchasing them we are
leveraging it there.
At our boundary we are actually leveraging artificial
intelligence to find those irregularities and those zero-day
malwares that are not known today we are leveraging that
already.
Then, finally, the other area is in our big data platforms
and looking at things retroactively to see, well, did we miss
something. So as we look at all this data and all these sensors
coming in we are leveraging the AI models to find something
that we may have missed initially to holistically get after the
cybersecurity threat.
Senator Rosen. That was going to be one of my questions.
Are we looking in hindsight when we know something was that
helps machines learn better that is machine learning? We look
back, what did we miss, and they put that in their muscle
memory.
But I am going to move on to zero trust really quickly
because in November the Department of Defense, of course,
released a zero trust strategy and the roadmap, and the
strategy does list as a key goal technological acceleration at
a pace that equals or exceeds industry advancements. That is
very ambitious.
So, General Skinner, how are you working to meet this very
ambitious goal? You have just spoken about it a little bit.
What challenges do you face? Do you have the workforce? How can
we help?
Lieutenant General Skinner. Senator, Honorable Sherman has
put a very aggressive goal out there in regards to zero trust
and we are working hand in hand with his team, with Cyber
Command, to continue to move forward.
As an example, we have a Thunder Dome project that we just
finished our prototype on--very successful prototype--and we
are working with his team on the acquisition strategy to put
this out across the entire Department.
That is on the technological standpoint--technological
point. The other part is our workforce, and continuing to
upskill our workforce, continuing to bring in and recruit the
next-generation force that has kind of the understanding of
artificial intelligence, that has the creative thinking, that
has the passion to get at this because it cannot just be
workforce. It cannot just be technology. It has got to be both
as we continue to drive forward on this aggressive schedule.
Senator Rosen. No, I think that is exactly right. I was
going to ask you, too, are you developing all of this in house
or are you purchasing software from the industry?
Lieutenant General Skinner. Senator, we are doing both. We
are leveraging the technology from industry because they are
great partners. We are leveraging what our allies and partners
have learned.
But also we have this innovative spirit within our force
that can take what industry has given them and take it a step
further, and that is what we are continuing to try to empower
and make sure that they are able to do that. So it is a
combination of all the above, ma'am.
Senator Rosen. So are you sure that when you are creating
this that you have a software bill of materials that shows when
you are going to do your analytics on the software you have to
be sure that you are not vulnerable, where every piece of that
software came from, who wrote the code, and its vulnerability?
Lieutenant General Skinner. Yes, ma'am.
Senator Rosen. Thank you. I yield back.
Senator Rounds. Well, and with that, on behalf of Senator
Manchin, Chairman of the Committee, we want to thank our
witnesses and all of the Members that have attended this
Subcommittee briefing today.
We really are proud to see the efforts at this very
successful cyber defense paying off after years of working with
the Department and now, literally, is not the time to relax or
to take our foot off the gas. It is full speed ahead.
We do look forward to continuing our work together,
especially as we look forward to the next set of threats and
opportunities and the role of--that ethical artificial
intelligence will play in our cyber defenses.
As you have indicated, the AI is here already and we are
going to have to expand and we are going to have to take
advantage of all of the opportunities but defend against the
challenges as well.
We want to thank you both for being here with us today, and
with that the hearing is adjourned.
[Whereupon, at 10:23 a.m., the Subcommittee adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator Gary Peters
cybersecurity subcommittee hearing on enterprise cybersecurity
1. Senator Peters. Mr. Sherman and Lieutenant General Skinner,
several vendors the Department of Defense uses have data centers in
China. Do you believe these American cloud companies, such as Amazon
Web Services, Microsoft, IBM and others should continue to host data in
China due to our current strained relationship with the Chinese
government? How do you believe these companies' presence in China
impacts the Department's cybersecurity risk?
Mr. Sherman. and Lieutenant General Skinner. We recognize the
threat China poses and have taken several protective measures to secure
our data and protect it under the jurisdiction of the United States. We
share with our defense industry base, cyber threat indicators and
defensive measures to remediate and mitigate risk and make informed
decisions when selecting a business partner. Recognizing that various
Cloud Service Providers (CSPs) operate Cloud Service Offerings (CSOs)
in overseas locations, the Department of Defense (DOD) mandates data
sovereignty, necessitating all U.S. data be stored within the
Continental U.S. regardless of where the vendor data center resides to
protect against seizure and improper use by non-U.S. persons and
government entities. We developed DOD Cloud Computing Security
Requirements Guide (CC SRG) which requires all data stored and
processed by/for the DOD must reside in a facility under the exclusive
legal jurisdiction of the U.S. including DOD bases on foreign soil
depending upon Status of Forces Agreements (SOFAs). CSPs are required
to maintain all government data, that is not physically located on DOD
premises, within the 50 States, the District of Columbia, and outlying
areas of the U.S. (as defined at FAR 2.10140).
2. Senator Peters. Mr. Sherman and Lieutenant General Skinner,
several technology companies are developing Artificial Intelligence
services in China that may be used in the future, or may be currently
used, by the Department. How do you ensure that any code or technology
that was developed in China is secure for the Department to use? Do you
believe a Software Bill of Materials (SBOM) is needed for all
Department software acquisitions?
Mr. Sherman. and Lieutenant General Skinner. The Department
recognizes that ensuring code or technology developed in China is
secure is a challenging endeavor. Legislation such as the Secure
Technology Act and recent Executive Orders (EO) such as EO 13873, which
prohibits information and communications technology or services
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of a foreign
adversary \1\ and EO 14028, which establishes baseline requirements for
enhanced software supply chain security, to include Software Bill of
Materials, have provided needed authorities for the Department to
identify risks to critical software and mitigate or avoid those risks.
---------------------------------------------------------------------------
\1\ Within the FAR, Commerce has named China, among others, as
foreign adversaries solely for the purposes of Executive Order 13873.
---------------------------------------------------------------------------
Artificial Intelligence (AI) is an emerging and maturing capability
DOD is leveraging for enhancing warfighter capability and department
operations. Many AI capabilities are being developed within the DOD and
there is coordination with commercial AI capabilities to leverage the
best capabilities to serve DOD needs. The Department actively
identifies AI components and services for supply chain risk assessment
and analysis to ensure acquired components and services do not pose
undue or unacceptable risk from foreign adversary influence.
Software Bill of Materials (SBOM) are needed to support secure
software supply chains for the Department's acquisitions. SBOM
standards and implementation guidance are still evolving. Current
definitions of SBOMs do not cover all aspects necessary to identify and
describe AI for supply chain risk management. There is currently on-
going work within the Department to identify what an AI bill of
materials would be in order to meet DOD requirements and how this
relates to a SBOM.
3. Senator Peters. Mr. Sherman and Lieutenant General Skinner in
your role protecting the Department of Defense networks, you identify
numerous attacks against your systems, every day. Much of the
information you gain from these attacks--the techniques or
infrastructure adversaries are using--can be used to help protect other
Federal networks. Other Federal agencies--similarly--have information
that would be useful to you. Can you discuss how you work with the
Cybersecurity and Infrastructure Security Agency--CISA--and other
Federal agencies to share information you gain, and use information
they can provide you, to improve our overall Federal cybersecurity
posture?
Mr. Sherman and Lieutenant General Skinner. Pursuant to Executive
Order (14028) on Improving the Nation's Cybersecurity, JFHQ-DODIN and
CISA signed a Memorandum of Agreement for cyber directives sharing and
alignment. This agreement facilitates the sharing of operational plans,
incident response and vulnerability assessment information between the
DOD and DHS, which ensures DOD Cyber Tasking Orders and DHS Emergency
Directives and Binding Operational Directives are consistent. This
coordination occurs through operational synchronization meetings weekly
and more frequent during active incidents.
The DOD Assistant Secretary of Defense for Policy and CIO send
representatives to the weekly National Security Council led Cyber
Response Group where the senior leadership shares information on
current topics and events in Federal cybersecurity.
Additionally, the DOD Cyber Crime Center (DC3) DOD-DIB
Collaborative Information Sharing Environment (DCISE) shares cyber
threat indicators (CTIs) and defensive measures (DMs) with DHS CISA
through the Automated Indicator Sharing (AIS), and other Federal
entities through a series of reports and products posted to the DC3
NIPRNet IntelShare. The list of Federal agencies DC3 shares CTIs and
DMs with are included in the table below:
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
Office of the Secretary of Defense (OSD) Defense Counterintelligence and Security
Agency (DCSA)
----------------------------------------------------------------------------------------------------------------
U.S. Marine Corps Federal Bureau of Investigations (FBI)
----------------------------------------------------------------------------------------------------------------
U.S. Army National Security Agency (NSA)
----------------------------------------------------------------------------------------------------------------
U.S. Navy DOD Combatant Commands
----------------------------------------------------------------------------------------------------------------
U.S. Air Force Central Intelligence Agency (CIA)
----------------------------------------------------------------------------------------------------------------
U.S. Space Force National Geospatial-Intelligence Agency
(NGA)
----------------------------------------------------------------------------------------------------------------
Small Business Administration (SBA) Defense Intelligence Agency (DIA)
----------------------------------------------------------------------------------------------------------------
DOD Inspector General U.S. Department of Treasury
----------------------------------------------------------------------------------------------------------------
Defense Contract Management Agency (DCMA) Federal Aviation Administration (FAA)
----------------------------------------------------------------------------------------------------------------
Department of Homeland Security (DHS) National Ground Intelligence Center
(NGIC)
----------------------------------------------------------------------------------------------------------------
DC3 also assists DHS CISA with the implementation of the Structured
Threat Information eXpression (STIX) standardized language and
serialization format used to exchange cyber threat intelligence, as
well as routinely engages DHS CISA and other agencies to share lessons
learned from the DOD Vulnerability Disclosure Program (VDP)
vulnerability management and reporting.
On some occasions, DC3 shares CTIs and DMs contained within its
published Intelligence Information Reports (IIRs) with Allied Partners
via established relationships with U.S. Combatant Commands, and with
FVEY and other International Partners through U.S. Cyber Command.
4. Senator Peters. Mr. Sherman, last year's National Defense
Authorization Act included the Federal Risk and Authorization
Management Program Authorization Act, a critical piece of cloud
security legislation I led in the Senate. Federal Risk and
Authorization Management Program mandates reciprocity between agencies
for all authorized cloud service providers--CSPs--used by the Federal
Government. Many companies have expressed frustration with the fact
that Department of Defense often refuses to allow reciprocity for Cloud
Service Providers authorized on other Federal agency systems--even
though they are part of the Federal Risk Authorization Management
Program Joint Authorization Board and jointly authorize numerous Cloud
Service Provides as part of that body. What steps will Department of
Defense take, now that the Federal Risk and Authorization Management
Program is law, to ensure greater reciprocity and reduce unnecessary
costs for agencies and industry partners?
Mr. Sherman. DOD acknowledges FedRAMP's Moderate and High Baselines
and incorporates at the impact levels (IL) supplemental controls
detailed in the Committee on National Security Systems Instruction
(CNSSI) 1253, ``Security Categorization and Control Selection for
National Security Systems'' and requirements from the DOD Cloud
Computing Security Requirements Guide (CC SRG). DOD implements full
reciprocity at IL2 and requires the implementation of supplemental
controls for IL4/5/6 for full reciprocity at Moderate and High
Baselines. These reciprocity requirements meet the level of protection
a DOD Cloud environment requires.
5. Senator Peters. Mr. Sherman, I am working to update the Federal
Information Security Management Act--FISMA--which establishes the roles
and responsibilities for agencies when protecting their own systems,
including Department of Defense. While technology and cyber-attacks
continue to evolve, Federal Information Security Management Ac has not
been updated in almost a decade. The law exempts Department of
Defense's national security systems, but many Department of Defense
systems such as payroll, finance, and other business systems are still
covered by Federal Information Systems Management Act. Given that
Federal Information Security Management Act requirements impact
Department of Defense systems, will you commit to working with me to
update this law so we can mature our Federal cybersecurity posture?
Mr. Sherman. I acknowledge the need to modernize FISMA to mature
the Federal cybersecurity posture. For DOD systems, I already
supplemented current FISMA requirements with additional metrics to keep
pace with evolving cyber threats. I am committed to providing
stakeholders appropriate insights into DOD systems and contributing to
the update of the FISMA Act to reflect the changes in cybersecurity
over the past decade.
6. Senator Peters. Lieutenant General Skinner, in fiscal year 2023,
Congress provided $117 million to the Defense Information Systems
Agency (DISA) for implementation of Thunderdome, Defense Information
Systems Agency's successfully prototyped Zero Trust Architecture.
Building off the Fiscal Year 2023 baseline, the Fiscal Year 2024
President's Budget for Defense Information Systems Agency requests an
additional $40.9 million program increase for Thunderdome. With the
Thunderdome justification included in the Agency's Fiscal Year 2024
Budget Estimates document nearly identical to the Thunderdome
justification provided in Fiscal Year 2023, additional information
would help the committee better understand the details of these
investments and measure progress.Please provide a detailed description
of how DISA plans to execute Thunderdome implementation funds provided
in Fiscal Year 2023 and requested in Fiscal Year 2024.
The deliverable should include a summary of the current status of
Thunderdome implementation and what DISA considers ``full
implementation'' in terms of number of seats covered by the Thunderdome
offering, a listing of objectives projected for completion in Fiscal
Years 2023 and 2024, major lines of effort needed to achieve these
objectives, a narrative description of activities included in each line
of effort, deliverables expected for each line of effort, and the
amount of funding allocated for each line of effort. The description
should also include a list of all contracts or procurement vehicles
DISA expects to utilize with these funds, what deliverables are
expected from each procurement, and the amount of funding DISA intends
to obligate to each procurement in Fiscal Years 2023 and 2024. Last,
the deliverable should include a description of plans to promote
Thunderdome subtenants DOD-wide beyond DISA.
Lieutenant General Skinner. The $117 million referenced above
represents funding received for a wide array of Zero Trust activities:
Thunderdome, Enterprise Identity, Credentialing, and Access Management
(ICAM), and Joint Regional Security Stacks (JRSS). I will address the
changes for each and reference the accomplishments and growth shown in
the following table:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Program ($M) Fiscal Year 2022 Fiscal Year 2023 Fiscal Year 2024
--------------------------------------------------------------------------------------------------------------------------------------------------------
Thunderdome $-- $39,500 $102,671
Security Enablers........................... $45,941 $56,985 $64,294
JRSS........................................ $58,304 $75,640 $40,952
--------------------------------------------------------------------------------------------------------------------------------------------------------
During fiscal year 2023, DISA successfully rolled-out protype zero
trust network access capabilities under the Thunderdome program. These
capabilities include:
Customer Edge Security Stacks (CESS) / Software Defined
Wide Area Networking (SD-WAN)--these next generation firewalls provide
improved security close to users and provide network segmentation to
prevent lateral movement throughout the network.
Application Security Stacks (APSS)--The application
security function uses endpoint security data and user identity data to
allow application owners to make fine grained access control decisions.
It is particularly helpful that this technology will support
applications that are hosted on-premises or any of the four JWCC
commercial cloud environments.
Secure Access Service Edge (SASE)--these capabilities are
a modernization of legacy virtual private network (VPN) connections
that enable offsite users to securely connect to DOD data and networks.
These tools also depend upon endpoint and user information to make
critical access decisions.
After successfully testing these capabilities, we embarked on
deploying the Customer Edge Security Stacks to 10 DISA and Fourth
EState sites and secure access service edge capabilities for 1800
users. In fiscal year 2024, DISA will expand this deployment to 60
additional sites and 20,000 users. The fiscal years 2023 to 2024 growth
is entirely associated with scaling out the Thunderdome capabilities
across our cyber terrain. While the justification language is similar
between fiscal year 2023 and fiscal year 2024, these updated deployment
plans exceed the original PB24 performance metrics which targeted 16
site deployments in fiscal year 2023 and 50 in fiscal year 2024.
On 28 July, DISA awarded the Thunderdome production agreement that
will enable delivery of these capabilities as a standard part of the
Department of Defense Network (DODNET) and will continue to synchronize
with the Fourth EState Network Optimization (4ENO) program to ensure as
department agencies migrate to DODNET, they are already leveraging the
Thunderdome Architecture. The production agreement includes sufficient
scope and ceiling to support DISA's deployments as well as military
components that choose to leverage the same solutions on their cyber
terrain.
Enterprise ICAM is delivering three key capabilities:
An Identity Provider (IDP)--leveraged for authentication
to DOD systems and synchronizing user attributes.
Automated Account Provisioning (AAP)--automates the
process of approving and removing account access to provide an audit
trail.
Master User Record (MUR)--includes a record of all access
information for every DOD user.
The ICAM team has delivered all of these capabilities on the Non-
Classified networks in fiscal year 2023. This includes support for the
audit of DOD financial applications and for well over 200 additional
mission applications and 7 Microsoft O365 tenants. Again, this exceeds
the fiscal year 2023 target of 133 applications. In fiscal year 2023,
the ICAM team also delivered the initial IDP functionality on our
Secret-level network and will expand in fiscal year 2024 to include
automated account provisioning and master user record, federation of
these capabilities with the Military Services, and operationalizing
attribute-based access control in partnership with NSA. On the fiscal
year 2024 horizon, we are also working to align ICAM with other Federal
entities and investigating how to leverage identities to support Allied
and Coalition information sharing.
Prior to fiscal year 2024, JRSS was funded with annual budget
transfers from the Military Services and a contribution from DISA. The
fiscal year 2023 funding in the table above looks like a net $17.336
increase but appeared as $45 million reduction followed by a $62
million increase. The $62 million increase is more than half of the
$117 million fiscal year 2023 increase referenced in your question.
This was simply the annual funding transfer to operate, sustain and
tech refresh the components of JRSS. Beginning in fiscal year 2024, you
can see the program on a downward trend as it is slated for sunset in
FY27 and the annual funding process has been replaced by funding across
the FYDP.
__________
Questions Submitted by Senator Mike Rounds
Defending the Department of Defense Information Networks
7. Senator Rounds. Mr. Sherman and Lieutenant General Skinner, how
does the Department of Defense plan to balance the need to adopt ``best
of breed'' cybersecurity solutions with the complexity of buying and
operating a large number of separate cybersecurity tools?
Mr. Sherman and Lieutenant General Skinner. The Department will
continue to leverage a hybrid approach in ensuring best value. We've
found that implementing an integrated, cloud-native cybersecurity suite
increases ease of use and decreases latency, resulting in enhanced
security and accelerating the Department to achieve its Zero Trust
goals. This approach allows the Department to utilize integrated
products that include best of breed solutions and offers the Department
the opportunity to defend against determined cyber adversaries at speed
and scale. However, even the most integrated suites cannot meet all the
Department's cybersecurity requirements and additional tools will be
needed to fill the gaps. To ensure the Department is capable of
efficiently filling these gaps, DOD CIO is implementing enterprise-wide
data standards that will form the backbone of new cyber acquisitions.
These data standards will ease implementation by ensuring new
capabilities are interoperable with existing capabilities from day one.
DOD decisionmaking will continue to be informed by operationally
realistic, threat-based assessments in addition to functional and
architectural requirements identified by the DOD CIO.
8. Senator Rounds. Mr. Sherman and Lieutenant General Skinner, does
Department of Defense plan to issue a new department-wide acquisition
strategy to meet Zero Trust requirements that includes a fair and open
competition for multiple cybersecurity vendors?
Mr. Sherman and Lieutenant General Skinner. The Department is
committed to fair and open competition for the procurement of
cybersecurity solutions. Examples of this commitment are the recently
awarded competitive Joint Warfighting Cloud Capability (JWCC) Contract
or the Department's increased use of competitive Other Transaction
Authority (OTA) contracting processes (e.g. Thunderdome) for cyber
requirements.
There is no anticipation or need for a new department-wide
acquisition strategy. The Components are developing approaches for
acquisition of ZT capabilities and solutions as part of their ZT
Implementation Plans (I-Plans) due in January 2024. Components are
responsible for conducting any market research and requirements
definition to determine if they need to revise their current
acquisition strategies. These ZT requirements will not preclude
Components from meeting fair and open competition requirements as
prescribed in the Federal Acquisition Regulation (FAR) and Defense
Federal Acquisition Regulation Supplement (DFARS).
Additionally, the Department is currently assessing DOD-wide
acquisition guidance and policy for implementing the DOD ZT Strategy.
This includes assessing the need for inclusion of ZT related
acquisition language into existing policy or development of additional
guidance.
9. Senator Rounds. Mr. Sherman and Lieutenant General Skinner,
recognizing that there are many components to a comprehensive
cybersecurity solution, such as endpoint detection and response,
vulnerability management, identity and access management, and security
information and event management, what is your strategy to make sure
that the Department incorporates the best of each component to achieve
reduced cyber risk?
Mr. Sherman and Lieutenant General Skinner. The Department's
migration to leverage data-centric architecture affords the DOD the
capability to validate, acquire, and field tools to satisfy DOD CIO
requirements for the various cybersecurity capabilities that form a
comprehensive cybersecurity solution. To supplement DOD CIO
requirements for component capabilities, DOD CIO will publish and
maintain enterprise-wide data and reporting standards to ensure
information flows efficiently between capabilities. Efficient
information flow enables new tools to interoperate seamlessly with
existing tools, agnostic of operating environment, vendor, and
function. In a data-centric environment, DOD can acquire integrated and
non-integrated solutions that include best-of-breed technologies
rapidly to keep pace with the ever-evolving nature of cybersecurity and
our adversaries' attack vectors. In addition, DOD has released the DOD
Identity, Credential and Access Management (ICAM) Reference Design
reorganized the ICAM Governance Process and has instituted a federated
environment that brings both enterprise and non-enterprise together to
ensure timely integration of modern ICAM capabilities.
[all]