[House Hearing, 112 Congress]
[From the U.S. Government Printing Office]
[H.A.S.C. No. 112-39]
IMPROVING MANAGEMENT AND
ACQUISITION OF INFORMATION
TECHNOLOGY SYSTEMS IN THE
DEPARTMENT OF DEFENSE
__________
HEARING
BEFORE THE
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
HEARING HELD
APRIL 6, 2011
U.S. GOVERNMENT PRINTING OFFICE
65-810 WASHINGTON : 2011
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas SUSAN A. DAVIS, California
CHRIS GIBSON, New York TIM RYAN, Ohio
BOBBY SCHILLING, Illinois C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida HANK JOHNSON, Georgia
TRENT FRANKS, Arizona KATHY CASTOR, Florida
DUNCAN HUNTER, California
Kevin Gates, Professional Staff Member
Mark Lewis, Professional Staff Member
Jeff Cullen, Staff Assistant
CONTENTS
----------
CHRONOLOGICAL LIST OF HEARINGS
2011
Page
Hearing:
Wednesday, April 6, 2011, Improving Management and Acquisition of
Information Technology Systems in the Department of Defense.... 1
Appendix:
Wednesday, April 6, 2011......................................... 27
----------
WEDNESDAY, APRIL 6, 2011
IMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS
IN THE DEPARTMENT OF DEFENSE
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities................................................... 1
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
Subcommittee on Emerging Threats and Capabilities.............. 1
WITNESSES
McGrath, Hon. Elizabeth A., Deputy Chief Management Officer, U.S.
Department of Defense.......................................... 3
Takai, Hon. Teresa M., Acting Assistant Secretary of Defense for
Networks and Information Integration, and Chief Information
Officer, U.S. Department of Defense............................ 4
APPENDIX
Prepared Statements:
Langevin, Hon. James R....................................... 31
McGrath, Hon. Elizabeth A.................................... 32
Takai, Hon. Teresa M......................................... 44
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
[There were no Questions submitted post hearing.]
IMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS
IN THE DEPARTMENT OF DEFENSE
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Wednesday, April 6, 2011.
The subcommittee met, pursuant to call, at 2:46 p.m., in
room 2212, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Mr. Thornberry. The hearing will come to order. And we
thank you all for your patience as we had some votes that have
just concluded.
The subcommittee meets today to receive testimony on the
impact of recent initiatives that affect the capability of the
Department of Defense to acquire and manage information
technology systems. The advent of the information revolution
has not only changed how we as a Nation do business, but it has
significantly impacted how we provide for the common defense.
Information technology includes everything from hardware
and software, to data standards, to commonly agreed-upon
architectural frameworks, and has completely permeated the
national security enterprise, at least the information
technology portion of the budget that has been submitted by the
President. It is approximately $38 1/2 billion, so a not
inconsiderable sum of money. Obviously we are interested in how
that money is spent, whether it is spent efficiently. Most
importantly to me is whether it enables the warfighter to do
what we ask them to do.
But as you all know, this subcommittee is also particularly
interested in the security of our systems this year and
cybersecurity for the Nation. So we are interested in what we
are buying and how secure it is. So we appreciate our witnesses
and the ability to discuss this topic today.
And I would yield to the ranking member, the gentleman from
Rhode Island, for any comments he would like to make.
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES
Mr. Langevin. Thank you, Mr. Chairman.
I would also like to welcome our witnesses here today. It
is good to have the Honorable Elizabeth McGrath and the
Honorable Teresa Takai here, and I look forward to their
testimony.
The issue of information technology is critically important
to the Department of Defense, and I want to thank Chairman
Thornberry for calling this hearing. IT [information
technology] is a crucial factor in every aspect of the
Department's activities. From the routine e-mail to the flight
controls of the most sophisticated fighter jets in the world, the
Department depends on the smooth functioning of a myriad of IT
systems. As the information age matures, we find that IT
systems have expanded both in complexity and pervasiveness. As
a result, today they represent one of the largest investments
for the Department, and they present a significant potential
vulnerability if they should fail or be attacked.
The business complexities are only made worse by the
evolving cyberthreats that have begun to challenge the
integrity of our current systems. Therefore, it is important
for the Department to be properly organized and pursue IT
acquisition, implementation, modernization and performance
evaluation. Oversight is required for the full spectrum of
activities, but bureaucratic redundancy creates confusion and
complexity.
Now, the DOD [Department of Defense] IT enterprise must be
as streamlined and efficient as possible. I understand that as
part of the Secretary of Defense's efficiency initiative, we
will see some changes in how the Department manages IT and
perhaps some cost savings along with it. Now, this is welcome
news, provided it achieves the desired effect without reducing
capability or injecting unnecessary risk into the process.
We must also be vigilant that as we move forward, the
security of our systems is at the forefront of our efforts. Our
acquisition systems furthermore are barely suitable to large-
scale weapons projects requirements for IT systems that evolve
rapidly, and the systems need more flexibility if it is to
manage proper acquisitions of these systems.
As Mr. Thornberry mentioned previously, last year's 2010
National Defense Authorization directed the DOD to develop and
implement a new acquisition process for IT, and I certainly
look forward to hearing more about how that process is
proceeding today.
With that, I yield back and look forward to our witnesses'
testimony.
[The prepared statement of Mr. Langevin can be found in the
Appendix on page 31.]
Mr. Thornberry. I thank the gentleman.
It would be no surprise to you all that there are a number
of meetings going on now, including a Republican conference on
the funding situation with the government, so we may have
Members coming in and out at strange times. But I appreciate
your patience with that.
The witnesses today, as the gentleman mentioned, are the
Honorable Teresa Takai, Acting Assistant Secretary of Defense
for Networks and Information Integration and the Department of
Defense Chief Information Officer; and the Honorable Elizabeth
McGrath, Deputy Chief Management Officer of the Department of
Defense.
Without objection, your full written statements will be
made part of the record, and you are both certainly welcome to
summarize them in any way that you see fit now. Thanks for
being here.
STATEMENT OF HON. ELIZABETH A. MCGRATH, DEPUTY CHIEF MANAGEMENT
OFFICER, U.S. DEPARTMENT OF DEFENSE
Ms. McGrath. Good afternoon, Mr. Chairman, Congressman
Langevin. Thank you for the opportunity to discuss the Defense
Department's efforts to improve its business operations, and
specifically its acquisition and management of business
information technology systems.
As the DOD Deputy Chief Management Officer, I am
responsible for instituting a framework to define clear
business goals, develop meaningful performance measures and
align activities through established and repeatable processes.
The purpose of DOD's overarching management agenda is the
establishment of an effective, agile and innovative business
environment that is fiscally responsible.
The Department has taken decisive action to improve its
business processes, has identified areas where further work is
required, and has several achievements to bring to your
attention. My written statement addresses these in detail. I
will briefly touch on some of these topics, as I am eager to
discuss with you the areas that interest you most.
I would like to highlight our IT acquisition reform
efforts, other business IT initiatives, and successful cross-
agency management efforts in which my office plays a key role.
Fundamentally, the Department's business IT systems are
essential enablers of a broader set of integrated business
operations rather than an end to themselves. We have identified
15 essential what we call end-to-end processes, such as Hire-
to-Retire and Procure-to-Pay. Our Business Enterprise
Architecture and senior governance bodies, including the
Investment Review Boards and the Defense Business Systems
Management Committee, both given to us by Congress, are better
aligned to manage within the end-to-end construct to identify
data standards, performance measures and policies necessary to
improve our business and make more informed enterprisewide
decisions.
End-to-end focus and strong governance are joined by a new
approach to acquiring information capabilities. There has been
no shortage of studies and reports, including one by this
committee last year, that concluded the Defense Department's
current method for acquiring IT systems must change. Steps are
being taken to address these issues.
Section 804 of the Fiscal Year 2010 National Defense
Authorization Act required us to develop and implement a new IT
acquisition process with its focus on the Department's IT
Acquisition Task Force, which I chair. The guiding principles
adopted by the task force incorporate recommendations from the
Defense Science Board report, including deliver early and
often, with delivery capability in 12 to 18 months; incremental
and iterative development and testing; rationalized
requirements; tailored and flexible processes; and finally, a
knowledgeable and experienced information technology workforce.
I welcome the chance to elaborate here on how the task
force is addressing these areas. We expect to promulgate these
in a policy later this year, such as establishing metrics to
assess overall health of a program, combining certification and
accreditation with traditional tests and evaluation activities,
and assessing contracting strategies that enable a more modular
delivery of capabilities. Our pilot-based approach to validate
this new policy will allow us to modify as necessary based on
lessons learned before the final issuance. We are currently
testing these changes to ensure they are working.
The Under Secretary of Defense for Acquisition, Technology
and Logistics signed out new acquisition policy for defense
business systems called the Business Capability Lifecycle, or
BCL, which provides a streamlined framework for development,
testing, production, deployment and support of defense IT
business systems. The principal focus of Business Capability
Lifecycle is program implementation.
In my written testimony, I have an example of an Air Force
program that was originally on a path to deliver capability
many years out. Using an innovative streamlined approach, we
were able to move that deployment 2 years earlier.
I also welcome the chance to describe for you our cross-
agency efforts in modernizing health information technology and
security clearance processing. In particular, the Government
Accountability Office's removal of the DOD Personal Security
Clearance Program from its high-risk list is a significant
first for the Department and owes its success to our commitment
to this results-oriented, end-to-end approach.
In closing, we are committed to improving management and
acquisition of IT systems, as well as our overall business
operations. These issues received significant management
attention and are a key part of our overarching strategy to
build better business processes that will create lasting
results for the men and women in uniform.
I look forward to continuing our work with this committee
in the months and years ahead as we work toward greater
efficiency and effectiveness and furthering the agility in the
business space of the Department, certainly enabled by modern,
interoperable IT capabilities. I look forward to your
questions. Thank you.
[The prepared statement of Ms. McGrath can be found in the
Appendix on page 32.]
Mr. Thornberry. Thank you.
Ms. Takai.
STATEMENT OF HON. TERESA M. TAKAI, ACTING ASSISTANT SECRETARY
OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION, AND CHIEF
INFORMATION OFFICER, U.S. DEPARTMENT OF DEFENSE
Ms. Takai. Good afternoon. Good afternoon, Mr. Chairman and
Congressman Langevin. Thank you very much for the opportunity
to testify today on the importance of information technology to
the transformation of the Department of Defense. My testimony
today will focus on how the DOD is leveraging information
technology to securely deliver mission-critical information
capabilities to the men and women of the Department of Defense
and our mission partners.
The Department's fiscal year 2012 IT budget request, as you
mentioned, of 38.4 billion, includes funding for everything
from our desktop computers, tactical radios, identity
management technology, commercial satellite communications, and
the large information technology projects, some of which Ms.
McGrath spoke of. These investments support mission-critical
operations that must be delivered in an environment of ever-
changing requirements and ever-increasing demand.
Where in the past the Department sought to balance the need
to know with the need to share, today the warfighter expects to
have and needs to have the latest information in order to
complete the mission. That coupled with the increasing use of
social media, smart phones and tablet computers has made
information-sharing an expectation, and this requires new
capability, particularly at the edge or in our tactical
environments that have limited availability of persistent and
broad-range network capabilities.
Our challenge today is ensuring our networks can securely
support the information demands of our users, who require that
information anywhere and any time across our enterprise. To
meet this challenge, our networks must be designed and
optimized to more effectively and efficiently support these
mission operations while ensuring security.
DOD networks are under constant attack from cybersecurity
threats launched from the Internet or from malicious software
embedded in e-mail attachments, removable media, or even
embedded in the hardware the Department procures. Every device
connected to the network is susceptible to cyber
vulnerabilities. While working to efficiently respond to the
information demands of our users, we must be ever-vigilant in
protecting our information environment.
Just over $2.8 billion of the Department's overall budget
is devoted to information assurance or cybersecurity activities
that defend our information systems and networks. The
Department's fiscal year 2012 information assurance budget
request ensures increased funding to address insider threat and
cyber vulnerabilities, such as those identified in the
WikiLeaks incident. Specifically, we have requested funding to
support the deployment of a Public Key Infrastructure-based
identity credential on a hardened smart card for use on our
Secret classified network, a successful technology very similar
to the Common Access Card we use on our unclassified network.
We have also identified funds needed to deploy our Host-Based
Security System to secure our classified systems; to provide an
automated capability to continually monitor the configuration
and security of our network; and improve identity management
across the Department.
The DOD is planning for the investment and implementation
of these IT and information-assurance capabilities within
today's current resource-constrained environment. Recognizing
this, in August, the Secretary directed a number of initiatives
to achieve savings in acquisition, sustainment and manpower
costs, while not degrading our ability to execute our mission.
Among these is the consolidation of our IT infrastructure while
simultaneously defending that infrastructure.
My office is responsible for leading the development of a
strategy and plan for consolidating the Department's IT
infrastructure in five broad areas: Our network services, our
computing services, application and data services, our end-user
services, and our IT contracts and purchasing. I plan to issue
the DOD IT Enterprise Infrastructure Optimization Strategy this
quarter. The plan represents the Department's strategy and
initial roadmap to achieve the goals of improving our
effectiveness while heightening our security posture. This plan
commits us to changing policies, cultural norms and
organizational processes to provide lasting results. The
initial focus is on obtaining tangible results in fiscal years
2011 and 2012 while planning for aggressive consolidation
through fiscal year 2015. It really positions us to embrace
emerging technology and provide cutting-edge capability to our
warfighters.
The transformation of our IT capabilities described above
is a very ambitious undertaking, one that will reap tremendous
benefits to the Department and our Nation when completed. It
will require agility as well as new processes to both keep
abreast of technological advances and defend the network.
My office is working closely with the Office of the Deputy
Chief Management Officer on efforts to develop a flexible,
agile acquisition process that also addresses the DOD's
requirements and budgeting processes.
As you know, we have also been addressing the development,
education and continuous training of our workforce. The
Information Technology Exchange Program pilot reauthorized by
the fiscal year 2010 National Defense Authorization Act for DOD
is one mechanism that we are pursuing. Under this collaborative
effort, we have a pilot which will involve 10 individuals
exchanging both industry and Department expertise to enhance
our employees' IT competencies and technical skills, and infuse
both DOD and the industry with new ideas in this fast-evolving
discipline. My office is responsible for implementing ITEP [the
Information Technology Exchange Program], and we have created a
guide to assist participating DOD components with the
implementation.
Maintaining an information advantage for our users is
critical to our national interest. The efforts outlined in this
brief will ensure that the Department's information
capabilities provide better mission effectiveness and security
and are delivered in a manner that makes the most efficient use
of our resources.
I want to thank you for your interest in our efforts, and I
am happy to answer any questions that you have.
[The prepared statement of Ms. Takai can be found in the
Appendix on page 44.]
Mr. Thornberry. Thank you.
Let me start out with, I guess, some rather broad kind of
questions. Ms. McGrath, about 10 years ago, the Defense Science
Board did a study that found 16 percent of all IT projects
complete on time and on budget; 31 percent were cancelled
before completion; 53 percent were late and over budget. Of
those that were completed, the final product contained only 61
percent of the originally specified features 10 years ago. How
much better is it now, do you think?
Ms. McGrath. From a percentage perspective, I don't think I
would be able to articulate percentage-wise how much better I
think it is. I do think that the Department is taking a more
holistic look at how IT fits into our broader capability needs.
I would say 10 years ago, we would have a handful of people who
are interested and focus on how IT worked and enabled in the
entire environment, and today we are taking a much more
enterprise perspective.
I can talk about the many studies and reports that have
been done in terms of how the acquisition process needs to be
better to enable a more rapid capability and delivery of the
information technology. Maintaining a standard, stable baseline
of requirements, I think, can be found in every single one of
the studies and reports that have been completed. So a lot of
the focus of the Department not only on the IT side, but the
weapon systems side has been to identify and stabilize those
requirements such that we can meet them in a more--I am going
to say to chunk the capabilities such that they are delivered
in a spiral fashion and not try and solve the entire issue at
the get-go.
So, you know, percentage-wise, specifically I am not sure
how to counter those numbers that you articulated, but I can
say certainly within the last 5 years that there is a lot more
management attention and focus on the requirement
stabilization, the spiral implementation so that I do feel that
we are moving in the right direction.
Mr. Thornberry. And I want to talk more in a minute about
some of the acquisition points that you make.
Somewhat on behalf of one of my colleagues, let me ask you
this: From time to time, we have asked about the ability of the
Department of Defense to withstand an audit, and a lot of the
answers that have come back to me over the years is, well, we
just don't have the computer systems that can talk to one
another, you know. So basically the business systems were not
compatible in order to put all the pieces together. And I
realize it is not your responsibility to audit the Department,
but just from the business systems technology part of this,
where are we now?
Ms. McGrath. And I would agree, the systems were designed
very locally and not with a broader auditability target in
mind, nor with a common architecture framework in mind. So they
were local solutions to handle local problems to do the sort of
the math, if you will, accurately.
Today the environment is very different. With the Business
Enterprise Architecture standard--financial information of
standards, a standards-based approach to implementing these
Enterprise Resource Planning solutions, we have many ERPs
within the Department that will contribute to the Department's
ability to achieve financial auditability, and they are a very
key factor in our success in that pursuit. And we do recognize
that it is a business goal, a broad business goal, not just an
IT problem, nor is it just a comptroller problem, but it is a
shared responsibility across the functional space, meaning, you
know, logistics, personnel. They all have a part because their
transactions are where it all starts and then end up in the
financial system at the end of the day.
So we are taking, again, a very deliberate, cross-
functional enterprise approach to not only the IT aspect of it,
but the business process, because it requires change in all of
those areas.
Mr. Thornberry. Well, I know there are a number of people
on the committee as a whole that want to hasten the day when
that is possible. So I appreciate that.
Ms. Takai, I guess the first question that leaps out at me
for you is do you have the authority to do your job? And you
said, I think, in your testimony, this includes everything from
radios, to laptops, to the desktop computers. All of those
spending decisions are made by the services or other entities.
You are there kind of to help coordinate or strategize or
guide, but they don't have to listen to you. Do you have the
power to do your job?
Ms. Takai. There are a couple of answers to that question.
So let me phrase it in a couple of different ways.
Certainly while the budget dollars for the information
technologies expenditures are in the services, there are any
number of the processes in the building that actually review
that spend where my office has a major role. Certainly in the
requirements process that Ms. McGrath talked about not only
from a business systems standpoint, from also the standpoint of
to the point of command-and-control systems for things like
tactical radios, my office is involved in the review of those
programs and certainly have the opportunity at that time, based
on a technical review and based on just an overall project
review, to weigh in on those projects. So there are those
processes. There is also, obviously, our investment process
through the CAPE [Cost Assessment and Program Evaluation]
organization, where we look early on at our investment
decisions.
So while, in fact, we don't control the overall budget,
there are requirements and investment processes. And then
ultimately in the acquisition process, we are also a member of
the groups that actually review the projects going through. So
we do have opportunities certainly to weigh in.
The other piece of it is that in our responsibilities, they
are very definitely to set policy, and in setting that policy,
we are doing that, as I mentioned in our IT consolidation plan,
in ways that actually direct the expenditure of the dollars,
even though it resides within the services.
Mr. Thornberry. And through these various committees and
all this stuff that you sit on--let me ask this: How often is
your organization's judgment overridden, would you guess?
Ms. Takai. I wouldn't have a good view of that. I am fairly
recent, as you know. I joined the organization in November, and
so I don't, you know, actually have very real specifics or
percentages or anything at this time to be able to give you.
Mr. Thornberry. On the integration strategy that is coming
out this quarter, is that going to be classified or
unclassified?
Ms. Takai. No. It will be available. And certainly as we
complete it, it would be something we would very much like to
share with you.
Mr. Thornberry. But there will not be a classified version
of it.
Ms. Takai. No.
Mr. Thornberry. Okay. Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
Again, I want to thank you both for your testimony here
today.
Secretary Takai, I want to thank you for what you have had
to say today. I would like to in particular discuss a major
concern that I have about the Department's information
technology consolidation. As you are aware, the
Administration's Chief Information Officer, Vivek Kundra, if I
pronounced that correctly, instituted a Federal cloud computing
strategy in February, which mandated that all agencies modify
their IT portfolios to fully take advantage of the benefits of
cloud computing in order to maximize capacity, improve
flexibility and minimize cost.
While the benefits from cloud computing can certainly be
great, I believe that the security of cloud architecture isn't
fully understood, and remain very concerned that organizations
may ignore security concerns in an effort to rapidly glean the
vast cost savings available from migrating to the cloud.
So further, the discussions of specific items such as how
cloud computing will affect law enforcement, intelligence
organizations hasn't also been fully analyzed as well in depth.
Companies that suggest cloud server farms can be adequately
secured overseas really aren't discussing the complex
requirements for background checks and foreign servicing
personnel or our ability to work with foreign governments to
access data harmful to the U.S. when it resides on the same
server amongst benign data from a foreign country.
So, Madam Secretary, with these concerns in mind, what
assurances can you give this committee that all aspects of
security will be considered, discussed and planned for in
advance of DOD's IT migration to the cloud?
And second, as DOD begins its migration, is there a
discussion of where data farms will reside? And if so, does
that discussion include the Department of Justice and members
of the Intelligence Community?
Ms. Takai. Well, thank you very much for that question,
because I think there is a significant amount of confusion as
we talk about cloud computing. It has a tendency to mean
different things to different people. So I think it is very
important.
You know, while we certainly agree with Vivek Kundra's
assessment that there are opportunities, we also believe that
we have to look at the way we move to the cloud in several
different ways. And security is actually our paramount concern
in terms of the way we look at cloud computing. So let me put
that in our overall context.
Our initial look at moving to cloud computing would be to
look at what we call a private cloud. So it would effectively
be taking the benefits of cloud computing, but rather than
looking at how we would buy that service outside, to look at
the way we would standardize our infrastructure, the way that
we can utilize the organization like DISA [the Defense
Information Systems Agency], which has several large computing
centers today, and actually be able to bring in implementations
from the services, for example, be able to get the cost-
effectiveness, but at the same time be able to assure the
securities.
So, for instance, right now Army is looking at a number of
applications that they will be moving into a cloud where we
will have full control of the security, including the points
that you raised as it relates to the security required for
employees, where we actually locate those centers and also the
information that we have in those centers. So our initial
foray, again, is to ensure that security is our number one
concern in terms of being able to move forward.
I think, as you mentioned in your opening remarks, while,
in fact, efficiency is extremely important to us, we have to be
sure that both from a security and protecting the warfighter
that we are fully capable.
Now, there will be instances--and we are looking at those
now--where we will be able to use commercial cloud providers.
But when we do that--and, in fact, this is a conversation that
I think Vivek Kundra is looking at as well--we will have to be
sure that those providers meet our security standards before we
will utilize those services.
And then lastly, we are looking now because we believe that
there may be a few instances where we can go to a public cloud,
but they would be for those things that don't require the kind
of security on our networks and from an information
perspective. And so those are the ones that we are taking a
look at as well.
So I do think while we are looking at this, it is important
to put it in the context of the different types of cloud-
computing environments and the fact that we are actually driven
in terms of our making the decision by our security concerns
and our standardization issues as much as certainly from the
standpoint of efficiencies.
Mr. Langevin. So in that process, as you are moving to the
cloud architecture, will that include discussions with the
Department of Justice and also members of the Intelligence
Community?
Ms. Takai. Absolutely. One of the concerns that we have
right now, in fact, is being able to take a look at our
information-sharing capability across the networks that the
Intelligence Community is responsible for and the SIPRNet
[Secure Internet Protocol Router Network] and NIPRNet [the Non-
secure Internet Protocol Router Network] that we are
responsible for. So as a part of our ongoing planning, it is
very important that we are well coordinated with the
Intelligence Community. And as they are looking at where they
are moving forward, I think in conversations I have had with
them, certainly security is also their number one concern.
In answer to your second part of the question, which is
Department of Justice, obviously with some of the challenges we
have had from an insider threat perspective, it is very
important that they be involved in any decisions we make about
the location and the configuration of where we put our
information.
Mr. Langevin. If I can continue. Another area of concern is
DOD's ability to continue its information-sharing efforts. As
we are all aware, the 9/11 Commission highlighted some serious
interagency deficiencies as to the timely sharing of sensitive
information. Since that time, much of the Federal Government
has made significant improvement, yet I am concerned that the
insider threat-type setback, such as the WikiLeaks affair, is
going to hamper further efforts to improve the sharing of
threat and intelligence information across the spectrums of
threats both physical and cyber amongst agencies.
So, Secretary Takai, does the DOD have the capability to
track insider threats to our information systems, particularly
those processing classified information? And what effect has
the WikiLeaks case had on our information-sharing efforts both
internally as well as interagency?
Ms. Takai. Well, let me answer that, first of all, by
saying we are continuing to be focused on information-sharing.
And it has been a major concern for us to ensure that we can do
that information-sharing in a secure way, because, as I
mentioned, we feel that certainly for the warfighter, the need
to have access to that information has never been more
important than it is today. So what we take as our
responsibility is to be sure that we can do that information-
sharing in a secure manner.
And that is really why I mentioned several areas of
technology that we are implementing so that we can continue to
do that sharing, and yet do it in a secure way. One of the
tools that we are deploying at this point in time is our Host-
Based Security System. And that is really, again, in response
to your question about knowing who is on the network and
knowing who has access to information.
We have two additional tools that are going to be very
important in actually helping us with that. We are currently
testing a tool and plan to roll out a tool which will actually
detect what we call anomalous behavior.
So to your question of do we know who is on the network?
Yes. And then what we need are tools that begin to detect where
there is access to information that looks different than what
we would expect to see and then will trigger our ability to get
in and take a look at that.
Then we are deploying much stronger identity management
capabilities so that we will be able to tag information to
particular users and then be able to continue to protect.
Now, while these technology enhancements are extremely
important, we also are improving our processes and our
procedures for access to that information. So I think, as you
know, we have put policies out about the use of removable
media, but to ensure that the warfighter has the capability to
see that information, we have also instituted processes, for
instance, which is a two-person rule around access to
information so that we are sure that there is always a check
and balance when there is the need to know.
So again, to summarize, the challenge for us is to put the
technology in place, but also, because there is never a 100-
percent solution, to be sure that we also have the policies and
the processes in place to be able to manage our information.
Mr. Langevin. I have further questions, but thank you for
that, and I will wait until maybe a second round.
I yield back.
Mr. Thornberry. Thank you.
Mr. West.
Mr. West. Thank you, Mr. Chairman, and, Mr. Ranking Member.
And, ladies, a pleasure to be here, and, Secretary, and
Honorable McGrath.
I spent a few days in the military myself, and I can tell
you when I first came in, you know, everything in the artillery
was charts and darts, and now everything is computerized. And,
of course, I was in Desert Shield, Desert Storm where you stood
in line for about 3 hours to get, you know, a 2-minute phone
call.
I spent 2 1/2 years in Afghanistan. I can tell you from
the experiences then to now, information technology and the
network systems that we have deployed in these combat theaters
of operation are just incredible. But one of the things that I
know that we have to also be able to do is to protect those
systems in a combat zone, which is something we experienced for
about 48 hours in Afghanistan. I think you know what I am
talking about back, I believe, in 2006, and we were able to
trace that back to a very interesting country.
So one of the things I look at as we go probably from, you
know, so much of nation-building, so much of occupation-style
warfare, and we get back to maybe power projection, forcible
entry, more austere environments, what lessons have we learned
in the operations in Iraq, the operations in Afghanistan that
will make us better prepared, make us, you know, more secure
with the implementation of our network systems as we move
forward, you know, Libya, Tunisia, who knows where is next?
Ms. Takai. Well, just some examples, I think, to add to
your comments, which I think really do reflect the changes that
we are seeing actually in theater. First of all, we are seeing
very definitely that our need for network security going
forward needs to include our coalition partners. And so what we
saw in Afghanistan was the need to actually put a network in
place that allowed for each of the coalition partners to have
their own secure network, but at the same token have a network
which was protected at the point that each of our coalition
partners connected to it so that if, in fact, we had an issue
at any of those points in time, we could then block that and
not have that impact the entire network.
One of the things that we see going forward is that we have
to be cognizant of several things: Number one, what I just
mentioned, that while we might not necessarily deploy the
technology in the next conflict in the same way we did in
Afghanistan, we certainly would deploy the concepts that we are
using there, again because of the coalition.
The second piece of it is that what we have seen is the
need to share information--and this really gets back to some of
the other questions--across our unclassified and classified
networks. While we have seen that in the past, I think we
haven't seen it to the extent that we are seeing it today. And
so our future networks will need to plan for that level of
information-sharing.
And then lastly, these tools that we are putting in place
now are really aimed at being able to better secure these
networks when we go in.
And then finally, what we are really recognizing is that we
have to standardize our networks because it is not just the
networks, but it is what folks want to connect to the networks.
And they are bringing any number of devices. They are familiar
with devices, commercial devices that just weren't even things
that were conceived of being used in theater, and they are
bringing them with them. They are used to them. They don't
stand in line to make a phone call. They have a device in their
hand.
Mr. West. You are absolutely right.
Ms. Takai. And we have to recognize that that is the
situation, but the challenge for us is ensuring that when they
do have access to the network, they have access to the network
in a secure way. So it isn't then everyone can bring anything
they want, but they have to have that capability, and our
networks have to be secure enough to sustain that.
Mr. West. And, Ms. McGrath, a question. In the aftermath of
what we saw with the WikiLeaks, have we gone back and really
looked at our, you know, security clearance processes? You
know, have we gone back to some type of retraining,
recertification process?
Ms. McGrath. With regards to the Federal investigative
standards, those have been looked at by both the security
executive agent, which is the Director for National
Intelligence, and also the suitability executive agent, which
is the Director for Office of Personnel Management, to ensure
that when we are pursuing either a hiring action or a clearance
determination, that we have done the appropriate level checks
for the level of access or job that that individual will have.
So we have, from a Federal perspective--not only just DOD,
but this is a much broader Federal--paid attention to the
information that we gather to ensure that we are collecting the
right information to make those determinations. And we also
applied some of the sort of innovation and technology to that
process because historically it has taken much, much too long
to obtain a security clearance. So we did, through process
analysis and innovation and technology, apply those
appropriately to the process to enable speed without
degradation of quality.
Mr. West. Thank you very much.
And I yield back, Mr. Chairman.
Mr. Thornberry. Thank you.
Mrs. Davis.
Mrs. Davis. Thank you, Mr. Chairman.
And, Ms. McGrath, thank you very much, both of you, for
being here, Ms. Takai.
One of the discussions that we have been having in the
personnel committee over quite a number of years is bringing
together electronic records, of course, of the DOD and the VA
[Department of Veterans Affairs]. And I see that in your
written testimony you alluded to that, and I am sorry I wasn't
here at that time. It is my understanding that there are three
options that they were looking at, and how is that progressing,
and what are those options, I guess? And what does the timeline
look like that might bring us to a decision?
Ms. McGrath. The ``they'' you are referring to in my
assumption is both Secretaries Gates and Shinseki recently met.
Actually it was on March 17th. We gave them a presentation. We
did look at options in determining our collective way forward
for electronic health records. One was looking at upgrading our
existing capabilities. DOD uses AHLTA [the Armed Forces Health
Longitudinal Technology Application], and the VA has VisTA [the
Veteran's Health Information Systems and Technology
Architecture] as their major IT system. The other was taking a
joint approach to a--I will use the term ``single solution,''
but I really mean single approach to capability delivery. And
the other one was pursuing our own separate IT capability
initiatives with a bridging mechanism to share data, which is
mostly how we interface and exchange information with VA today.
So those were the options that were discussed with the
Secretaries.
The decision was that we agreed to use a common
architecture, common data services and data centers, and it
would be a standards-based approach to exchanging data as
opposed to the interfaces that we do today. So it would be a
data-driven approach to information exchange.
We have agreed to joint development/acquisition, and it is
probably more acquisition than development because there is a
lot of commercial-off-the-shelf capabilities; a number of the
functional areas, like pharmacy and labs and those kinds of
things.
For an integrated electronic health record, we will look at
using commercially available solutions first, adopt an
application if one of us has a best-of-breed that we are
currently using. And then finally, our last option would be we
would develop it.
In saying that, the difference really is that we are taking
a lighter architectural approach as opposed to a heavy systems-
based approach. Today our data and system are very much
integrated, and so it limits our ability to be agile and
exchange at the data level. The major difference in the
approach that we are taking is exchange at the data level. That
will require us to develop this common architecture that is a
significant difference in how we do things today.
Governance will be key going forward, having the effective
governance in place to ensure that we are staying aligned to
the agreements that had been made by the Secretaries, and also
with regard to the capability we have currently deployed in the
North Chicago Medical Center. We have agreed to pursue any
capability that is not yet delivered there, pharmacy and
consults being the major two, to pursue those jointly.
Saying all that, those are the agreements that we reached.
We have a comeback to the Secretary, both Secretaries, early in
May where we are to deliver more details with regard to the
implementation timeline.
Mrs. Davis. Are there any steps that either the DOD or the
VA are taking now where their efforts essentially would not be
very productive if they move ahead in the separate ways that
they have been moving all these years? I guess are there
certain investments, certain expenditures that are moving
forward in the different architectures that would not
necessarily mesh with what may eventually be the----
Ms. McGrath. The message is to ensure that the investments
that we are making in today's environment are needed today. And
if there are things that we can defer such that we ensure
alignment with this integrated electronic health record, that
is what we would like to do. North Chicago is a really good
example. Each of the departments was pursuing a separate
pharmacy solution that would interact through interfaces. We
have stopped those separate development efforts, if you will,
to ensure that we pursue----
Mrs. Davis. I guess can I ask you, given the cultures and
given the difficulty with getting to this place, how successful
are we going to be?
Ms. McGrath. I mentioned the governance. Governance is key,
and the agreements by the Secretaries and then the persistent
engagement by the Secretaries I think will be key to enabling
success here. Both Secretaries have agreed to continue to
monitor the progress that the two Departments are pursuing, in
addition to the Deputy Secretaries of both organizations and
our Joint Chiefs of Staff.
Mrs. Davis. If you were overseeing this, and as a
committee, what would you want to see in 3 months and in 6
months from now? Where should we be?
Ms. McGrath. Those things that we have currently agreed to
with regard to the data standards and data center
consolidation, certainly we should be able to provide plans and
enter milestones on where are we to achieving those goals. I
certainly would ask for those. Those are things that we will be
delivering to the Secretaries. And we will need those in place
to then be held accountable to managing towards--you know, to
achieving the overarching goal. And I think that as we define
how we are going to pursue different capabilities, certainly,
you know, cost and schedule for all of those are absolutely
what I would ask for.
Mrs. Davis. All right. Thank you. I appreciate that.
As you can sort of sense my impatience here because--aside
from the fact it is very costly, I think, just to the
government, to all of us, it is also costly to the warfighter.
And we know that we have been working at this for a long time.
So I am really hopeful that we can have a deliverable soon.
Ms. McGrath. I would just like to add, we do between the
two Departments share so much data today with regard to the
medical. I mean, it really is incredible when you look at how
much data the two Departments share today. What we are talking
about is enabling the sharing of that information, taking a
different approach from a data perspective so that we can
eliminate redundancies, you know, increase efficiencies so it
is a better experience for our military members.
Mrs. Davis. Thank you.
Mr. Thornberry. Is that a 3-year project or a 10-year
project?
Ms. McGrath. I don't think it is a 3-year project to be
completed, but I do think that there are, again, phases of
implementation we will be able to achieve in terms of the data
standards. There are already international health data
standards out there. DOD has already enabled standardization
within our own enterprise. It is aligning with VA. I don't see
that as--certainly not a 10-year. So I actually think that we
will be able to achieve some of that interoperability much
sooner than the 10-year mark. So I do think that there are some
opportunities in the nearish term, the near being relative, to
achieve greater interoperability than we have today.
Mr. Thornberry. Thank you.
As you all know, one of the provisions of last year's bill
was to provide the Department some rapid acquisition authority.
I think maybe you both make reference to it in your written
statements. But can you update us on where that is? Is it being
used? Have we gotten far enough to know whether it is the kind
of authority you need?
Ms. McGrath. I can start, and certainly Ms. Takai can add
on to my initial comments.
We have established--as the lead for the IT Acquisition
Task Force--and the Department is certainly working very
closely with Ms. Takai's office and our acquisition, technology
and logistics organization, and, frankly, every organization,
it seems like, within the Department from a test and evaluation
to the comptroller, because we are all somehow involved in
enabling delivery of capabilities with regard to our
acquisition process.
We have established many work groups; focus on very
specific areas like measures, metrics, what are leading
indicators that we should be looking for when things are in a
particular program to ensure that we achieve better outcomes;
combining the certification and accreditation for testing with
the regular test process. Typically we treat them separately,
and they are not concurrent; they are sequential. So we are
looking to take that timeline significantly down.
Taking a much more portfolio-management approach to
overseeing these IT investments so that we are not just looking
at one system at a time. We are looking at how does this one
particular system fit within the broad portfolio within which
it will be deployed, but also what other systems do we have
that also utilize that same capability, how many financial
systems do we really need. So you can look at it from a
functional perspective and also within an operating
environment.
Requirements I think I mentioned. Every study says that we
don't baseline the requirements, we don't hold them stable. So
we are ensuring that when we pursue a new IT solution, that the
requirements are small enough that you can deliver them more
rapidly in a 12- to 18-month timeframe. Typically we put all
the requirements in one big bucket, and it is 5 years before we
hit our initial operational capability. So in order to make
those timeframes smaller, we need to parse the requirements
such that we are delivering incremental capabilities.
Contracting is also an area that we are extremely focused
on. I don't think there is anything within a FAR, Federal
Acquisition Regulation, rewrite that we need. I think we need
to be more creative about how do we utilize the contracting
aspects, authorities that we currently have. But we need to
contract differently than we currently do today. On the one
hand, some programs will be a firm fixed price, but if you
don't have your requirements nailed and definitized enough,
fixed price is not the right way to go. But then time and
materials does not seem like the most accountable way to also
pursue an IT solution. So it is coming up with the balance,
when should you use those types of contracting, and
understanding that not one size fits all.
And then the other very key is the IT acquisition
workforce. The Defense Acquisition University has a program
management course down there. It is terrific, and I happen to
be a graduate. But they don't teach IT the way we procure IT
today. These enterprise resource planning program systems
capabilities didn't exist previously. And so it is really
putting a very fine point on our acquisition workforce to say,
hey, IT today is very different from source lines of code and
function point counts that we used to do. We are actually
buying a lot more commercial-off-the-shelf capability and
ensuring that we have got the right credentials for those
folks.
We are taking very much a piloting approach. In my written
testimony I highlighted an Air Force financial system called
DEAMS, the Defense Enterprise Accounting Management System. We
did utilize some of these different approaches to move their
implementation significantly forward. Both Army and Air Force
have their integrated personnel and pay systems. We are looking
at establishing their acquisition strategy aligned with the
more streamlined capabilities. The same with the Joint Space
Operation Center mission system and the Navy's intelligence,
surveillance and reconnaissance capability.
So we expect through the use of pilots we will learn more
to ensure before we institute our final policy we have actually
tried it out a little bit to see where we need to course
correct, and so we get some fact-based feedback to ensure that
we have policies that are in line with where we want to go.
Mr. Thornberry. Ms. Takai, it seems to me that, having
heard all of that, it just seems very difficult for the
Department to keep up with the change in technology, the way
technology changes and with all that has to go on before a
purchasing decision is made. So does that mean we are always
going to be behind?
Ms. Takai. Well, it doesn't always mean we are going to be
behind. There is a qualified answer to that, if I could add to
what Ms. McGrath was talking about. And let me add to that, in
addition to the many process changes that we have been working
with her team on, we also believe that the efforts around
streamlining and standardizing the technology we use are a
critical part of being able to get innovative technologies in
more quickly.
Right now what we do is we reinvent, in many cases, the
same technology platforms over and over again because we bring
them in in separate instances for separate projects. And so
just as an example, you know, as we have been working together
from the standpoint of business systems, if we can get
standardized platforms, then it really does give Ms. McGrath an
opportunity to build on those standard platforms and not have
to worry about the technology coming in the door, but to be
able to spend the money and the resources on understanding what
business processes have to ride on it.
The second piece of that, though, is that if we can
standardize and improve the security of our backbone, we can
then look at more innovative technologies and not have to
invent them all the way from the data center, the server, the
network out, but rather look at how those innovative
technologies can hook into our standard infrastructure. It
gives us more flexibility in looking at those kinds of
capabilities.
Having said that, as we build that out, we will need to, as
Ms. McGrath mentions, look at shorter timeframes for bringing
these technologies in. We will need to look at our testing and
accreditation processes, because that is one of the inhibitors
that we are aware of today in terms of retesting platforms for
every upgrade as opposed to recognizing that there are standard
platforms and there is not the need to test.
So some of those things are the things that we are looking
at from an information assurance perspective in terms of the
policies that we put out as well as the accreditation and the
testing that we do at DISA to, again, allow for bringing new
technologies in, but at the same token making sure that when we
do, we aren't increasing our risk from a security perspective.
Mr. Thornberry. And I guess related to that, what are your
concerns about supply chain? You know, in general in
cybersecurity we hear more and more concern about so many
pieces of hardware and software that are not made here, and
certainly many components are not made here. But as you and Mr.
West were talking, you know, we have got soldiers out in the
field that are taking whatever they have got out of their
pocket to do their job or to communicate back home. That has
got to create all sorts of challenges for you in looking at the
overall enterprise.
Ms. Takai. We totally agree with you, and there are really
two answers to the question you are asking about supply chain.
One of them is just an awareness of the issue that you have
mentioned. And we have two programs that we are working with
NSA [the National Security Agency] and also with our policy
office. One of them is to actually look at the ground rules
around the way that we bring technology in and the, if you
will, background information that we gather on the companies
that we purchase from. So that is a key part of what we do.
And, of course, in that, we are aided by information that we
get through our intelligence sources as well about those
particular companies.
The second thing from a supply-chain perspective is to work
with our defense industrial base. And we have any number of
programs that Deputy Secretary Lynn has been really
spearheading around how to work and share information
effectively with our defense industrial base, because, again,
the supply chain problem isn't really just an issue of DOD. It
really involves our key partners.
But the other piece of that is to recognize that as we move
forward, and as there is obviously a globalization and a
dispersion of where the information--or rather the components
from a hardware and software standpoint come from, it is really
to look at cybersecurity in that light, which is why we are
focused not only on protecting at the perimeter, which has been
a focus, I think, for everyone in terms of trying to prevent
intrusions, to prevent invasions in your network. And now what
we are recognizing is that while that is still a deterrent, it
is not a complete answer from a security perspective. And so we
have to look more at the way that we are classifying our
information, the way we are linking that to the identities of
the individuals that can access it. So, again, we have a second
level of defense actually at the information level, and that we
are acknowledging that we will have some of these kinds of
intrusions inside our network, and we are prepared to handle
them.
Mr. Thornberry. Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
One last here that I wanted to talk about is the depth of
DOD's bench in IT career fields. Secretary Gates' IT
initiative--I realized individuals assume that the new IT
positions after efficiency implementation would require greater
technical expertise and experience to efficiently maintain the
Department's IT needs across all of the military branches. In
the fiscal year 2009 NDAA, the committee directed DOD to look
at the feasibility of identifying and retraining, for example,
wounded servicemembers in information technology and other
fields.
So my question is considering the challenges recruiting a
competent IT workforce, have you leveraged any of those
programs to help build your workforce there, and is there more
that this committee can do to retain the skills and expertise
of these wounded warriors to help meet our needs for a trained
IT workforce?
Ms. Takai. Well, we have been moving forward in terms of
looking at those individuals that are returning from theater,
and particularly the wounded warriors programs, around the
capability and making sure we have technology skills. But going
forward we will continue to be vigilant and need to be vigilant
on this. And while it involves, I think, as you mentioned,
being sure that we are retaining and training our workforce, it
also is a focus for all of us in terms of making sure that we
have enough professionals coming up that are educated in
cybersecurity and certainly educated in the sciences and the
maths.
So some of the things that we are doing in that regard is
to participate in and encourage many of the cybersecurity
programs that are focused on our high school students as well
as our university students, to get them interested at a very
early age in a career in the science and maths, and
particularly moving into cybersecurity. That is something that
my office is very heavily engaged in, something that the policy
office is very much engaged in. So it is going to be a
combination of retaining the workforce we have, being able to
grow it, but also making sure that we have an influx of
individuals that have those skills.
Mr. Langevin. Let us not at all forget about our wounded
warriors and see how they might be incorporated into these job
opportunities. I think that would be important.
I am also glad to hear that you have a focus on bringing up
the next generation, whether it is focusing on high school or
college. I actually started working with the SANS Institute.
We created the cybersecurity challenge at the high school
level. My home State was one of three of the pilot States that
originally tested the program through high schools in our
State, and now we have kicked it off statewide. And it is
amazing how talented these young people are. And the cyber
challenge sets up the different hurdles that they have to kind
of work through and test their skills, and hopefully get some
on the career path, thinking about a career path in
cybersecurity.
Ms. Takai. Yes, sir. And I just came, I think, as you may
know, from the position of the CIO in California, and we were
very much able to take advantage of that cybersecurity
challenge program. And, in fact, I think we were the first to
institute the high school version of that program, in order to
be able to bring young people in and get them interested.
Mr. Langevin. Very good. If I could, just going back to
Congressman Thornberry's line of questioning. You talked about
the supply chain. And I actually had Secretary Lynn in my
office yesterday, and we were actually talking about the supply
chain industry. We were also talking about working with the
defense industrial base and how do we best work with them on a
voluntary basis to better secure their own networks.
And I was curious, when you say you look at companies you
are doing business with, and you look at from the supply chain
perspective, how far back do you drill down with each of those
companies? The problem is not just the company that you are
doing business with, but it is who they are doing business with
and who they are doing business with. Since the supply chain
can cover a range of problems, you know, it is not just the
initial companies, but where are they getting the products from
as well. So I guess how deep does that go?
Ms. Takai. The initial pilot that we did did not really--
and I am sure that Secretary Lynn mentioned to you--we were
able to go down deep in some companies. But when we really
looked at the level of resource that was needed to actually be
able to do all of that research, we recognized that we will be
able to do a certain amount through research, but in many ways
it is not going to be the full answer to looking at how we do
supply chain.
And that is really why we are taking now a step back from
that. We know we have to do a certain level of that, but it is
also going to be we are not going to be able to do all of the
research; we are going to have to engage with our partners.
And then, lastly, we are going to have to have other ways
of looking at how to defend. Because I think your point is very
well taken. You really can't have enough resource to be able to
go down to every last component, and so you have to look at the
major components, but yet that doesn't give you the complete
picture. So that is why we are looking at not only being able
to do that kind of research, but also recognizing that when we
have threats inside our network, we are going to have to be
able to mitigate them.
Mr. Langevin. Fair enough.
And the last area of questions I want to get into,
something in addition to and very much tangential to
cybersecurity is the security of our military bases and
critical infrastructure that supports our military bases. As
you know, much of our critical infrastructure is owned and
operated by the private sector. I am becoming increasingly
concerned about Supervisory Control and Data Acquisition
attacks in particular on critical infrastructure, particularly
the electric grid. Our military bases around the country so
much rely on these outside power grids for their own power, and
I have been involved with reviewing how secure those bases are.
I have had the chiefs of the services before us, and I have
asked what their level of knowledge is on this, and it is
troubling to them certainly as well. Our bases are not
independent of the power grid. So I know this is a bit outside
your area in particular, but it does relate to IT and cyber.
So in your work, do you have anything to add, any awareness
that you have, on what we are doing to better secure our
military bases in the event that something happens to critical
infrastructure off the base and how they would be affected?
Ms. Takai. Well, let me add to the discussions. I know you
have talked with Deputy Secretary Lynn about this. One of the
things that he has been spearheading is to work very closely
with the Department of Homeland Security for exactly that
reason, because while clearly it is the Department of Homeland
Security's responsibility to look at critical infrastructure as
it relates to certainly the U.S., by the same token it does
affect our military operations in those cases. And so what we
are doing is to really work collaboratively with them around
taking a look at those threats, being able to share
information.
I think, as you know, there has been a close working
relationship between Secretary Gates and Secretary Napolitano
around the sharing of that information. And one of the things
that we will be moving forward on as part of what Secretary
Lynn calls our enduring security framework is now to move more
into review of critical infrastructure protection, including
not only our power grid, but also taking a look at some
emerging areas, particularly, for instance, with nuclear power.
Mr. Langevin. Very good.
Thank you, Mr. Chairman. I yield back.
Mr. Thornberry. Thank you.
Mr. Johnson.
Mr. Johnson. Thank you, Mr. Chairman, for holding this
hearing.
Secretary Takai, three intelligence contractors named
HBGary Federal, Palantir Technologies and Berico Technologies
have a proposal under the name Project or Team Themis. Are you
familiar with this proposal that has been purportedly made by
those three firms, all of which are defense contractors? Are
you aware of that proposal that was leaked from the HBGary
Federal e-mails which would offer the counterterrorism and
intelligence techniques to prospective private parties, i.e.,
Bank of America, U.S. Chamber of Commerce, for use against
critics of those firms? Are you familiar with that situation?
Ms. Takai. No, sir, I am not familiar with that specific
proposal. So, you know, we are happy to take that for the
record and gather that information and be able to get back to
you on it.
Mr. Johnson. Well, now it has been about 2 weeks I
requested that information. Do you know what has happened to
that request and whether or not it is being complied with, or
there is an intent to comply with it?
Ms. Takai. No, sir. I don't have that information. I
wouldn't want to give you something that was incorrect. I will
make sure that my office takes a look at it, and that we get
right back to you on it.
Mr. Johnson. Now, it is my understanding that the firm
HBGary Federal had developed malicious software that allows
users to monitor the networks and computers used by third
parties. Is that the kind of capability that they have provided
to the Department of Defense?
Ms. Takai. Again, sir, I am not familiar with that company.
So, again, my staff will definitely get that information and
make sure that we get right back to you.
Mr. Johnson. If there is a misuse of properties of the
Federal Government paid for by citizens of the United States
through their tax dollars, i.e., tools to disrupt foreign
intelligence, foreign terrorism, and if that technology is used
on Americans, would that be a breach of the contract between
DOD and any particular contractor? Are there provisions in the
contracts that prohibit such use?
Ms. Takai. Again, I would need to go back and take a look
at that specific instance and get that information back to you.
Mr. Johnson. You do agree that that is a problem, that we
should not use taxpayer-funded techniques on taxpayers who may
disagree with a private domestic business entity?
Ms. Takai. Well, we at DOD are concerned with any breach to
our networks or any risk to the security of our information,
and we take that very seriously. It is a major part of the way
that we construct our technology. And so any breach of that
type is of paramount concern to us.
Mr. Johnson. Well, if the same technology used by the
Department of Defense to protect its own internal security,
cybersecurity issues, if that technology were used to do the
reverse to a private citizen of America, that would not be a
proper use of DOD techniques, would it?
Ms. Takai. Well, again, any breach, and any malicious
software or hardware, or any breach to DOD information----
Mr. Johnson. Well, no, I am not talking about DOD
information; I am talking about DOD information being used
against American citizens for the use of private entities.
Ms. Takai. Again, I am not familiar with any particular
instances of that. Certainly if there are areas that we can
research and take a look at, then we would be very happy to do
that and get back to you.
Mr. Johnson. Well, again, I would like to request copies of
any and all contracts between the Department of Defense and the
three subcontractors or the three contractors that I mentioned,
HBGary Federal, Palantir Technologies, and Berico Technologies.
Would you be able to provide me with that information, and also
the chairman of the committee?
Ms. Takai. I don't have that information directly myself,
but certainly again I will have staff research that, and we
will get back to you with an answer to that question.
Mr. Johnson. Well, I think it is a very important issue
that I am not planning on sweeping under the rug. I want to at
least get those contracts and analyze them to determine whether
or not they have been used or they have been breached. So I
need that information.
Ms. Takai. Yes, sir. Again, we will have my staff research
it, and we will get back to you with an answer.
Mr. Johnson. Thank you.
Anything you can add, Ms. McGrath?
Ms. McGrath. No. I do not myself have familiarity with
the proposal nor those three companies. Certainly the contracts
are written in accordance with the Federal Acquisition
Regulations, and we would have to look at the scope and
conditions of each one of those to make sure that there is not
a breach of contract. But I do not see an issue with complying
with your request to have copies of those contracts, and I will
ensure that Ms. Takai has all the support she needs to get
those.
Mr. Johnson. Well, Ms. Takai, I tell you, while I was
asking you some questions, out of the corner of my eye, I saw
somebody come up and give you a note, and that always kind of
arouses my curiosity. I won't ask you what is in it, but I am
concerned about this case and the way it is being swept under
the rug.
Thank you, Mr. Chairman.
Mr. Thornberry. Mr. Conaway.
Mr. Conaway. Recognized for 7, 8 minutes? Excuse me.
Ms. McGrath, thank you.
Ms. Takai, thank you for being here.
You talked to us about the impact that the--I am blanking
on the name--the $100 million reprogramming exercise that DOD
went through to try to find $100 million in monies that they
would put other places within the system itself, what impact
that had on the efforts to get the Department of Defense's
financial statements audited. Did it hurt, helped?
Ms. McGrath. To be clear, the $100 billion efficiency
initiative. I think we all wish it was $100 million and not
$100 billion.
The Department, as certainly the members of this committee
are well aware, took an initiative with Secretary Gates leading
to look for efficiencies in all aspects of not only the way we
do business, but what we are procuring, how we are procuring
it, how we are organized; you know, are we positioned to be the
most efficient and effective organization that we can be, and
to look for opportunities to identify efficiencies.
Mr. Conaway. But how did it--help or hurt?
Ms. McGrath. So I think that some of the lasting impacts of
the efficiency initiative we won't know until we are actually
realizing some of those efficiencies. We have identified the
opportunities for those efficiencies. I can talk----
Mr. Conaway. Well, let me ask the question this way. Do you
have the accounting systems, internal control systems, and
management systems in place to actually track that $100 billion
and know that it went from one spot to the other?
Ms. McGrath. So we have the mechanism in place, which will be led
by Secretary Lynn, with Mr. Hale, our comptroller, and myself
looking at--and with the Under Secretaries of the military
departments leading the data collection, if you will, for their
organizations, along with their CFOs [Chief Financial
Officers], to ensure that we understand the--I will say how
close we got to the efficiencies that we identified.
So from a systems perspective, I want to be clear, I think
we have the governing structure in place to ensure that we can
accurately identify the efficiencies.
Mr. Conaway. Then why can't we audit that governance
structure?
Ms. McGrath. Some of the data collection that we will
utilize will not be 100 percent systems-based. It will require
a combination of both manual and IT, if you will, to enable the
data collection. And I think that you are aware that from an
auditability perspective, if you put people on a problem or an
initiative like auditability, you don't have a sustained
process. And the path the Department is pursuing for
auditability is one of sustainment.
Mr. Conaway. I can't put words in your mouth. I am doing a
pretty poor job of it. If you had better systems in place,
would there be fewer man-hours required to manually track the
$100 billion? Because if you are using man-hours to put together
one-time schedules that track that big nut, that is the least
efficient way to do it. You get it done, and perhaps the
numbers would be good. But if you had better systems that spoke
as you talk, end to end and across the systems and all those
buzzwords that MBA [Master of Business Administration] guys
who write these papers use currently, that current lexicon,
would it be easier to do that? Would it be easier to do the $78
billion in cuts in terms of trying to find those?
Ms. McGrath. Yes.
Mr. Conaway. Thank you. I appreciate that.
Because much of this auditability does rely around the
purchase of systems, and we have had these age-old issues of
one branch likes one general ledger package, and another branch
likes a different one, can you talk to us about progress that
you are making in helping, you know, one common HR [human
resource] system, one common fixed-asset handling system, those
kinds of things, in order to gain efficiencies, and to do it
the way an enterprise would do it versus stand-alone
subsidiaries, as an example of the business?
Ms. McGrath. So the Defense Department, being as large and
complex as it is, we have multiple systems that establish
transactions to then feed into the broader general ledger
system. We are pursuing, I will say, five main financial
systems, one for each of the services and then the defense
agency-wide initiative. We are also taking a standards-based
approach to ensure that we have commonality of data, the
standard financial information structure, so that we can
aggregate the information at the end of the day.
It is not just those financial systems, as you mentioned.
It is the logistics systems, it is the personnel systems, and
again ensuring that they have the financial standards in them
so that when we feed from a transactional level up to the
financial, then we can aggregate the information.
Mr. Conaway. If the chair will indulge me. You have got to
have some system to track progress against that. We need to
have oversight on the success of what you are doing. We are not
going to do what you have to do, we are just simply asking you
to do it. And so perhaps off-line conversations about how you
satisfy yourself as the person responsible, or one of the folks
responsible, for making this happen, that you are on task, on
time to make that 2017 deadline, which I think we all want to,
which is systems in place that are sustainable and, oh, by the
way, auditable and audited.
Thank you, Mr. Chairman. I yield back.
Mr. Thornberry. Thank you.
Ms. Takai, in answering some of Mr. Langevin's questions a
few minutes ago about some of the tools you are putting in
place to prevent WikiLeaks-like things, one of the things you
mentioned was a new tool to detect anomalies. Surely there are
commercial products very suited to that. I mean, every time you
go overseas and use your Visa card, they call, for example.
Ms. Takai. Yes, sir. The tool that we are looking at is a
commercial product. And what we are doing is testing the
integration of that product with our Host-Based Security System
to ensure that, again, we have that integration.
The second thing with any commercial tool is that we have
to do a level of testing, because the volume and the size of
our implementations are generally larger than what any of the
tools are doing in the commercial space. So we always take a
look and make sure that we have scalability in those tools. But
in this particular case, that tool is a commercial-off-the-
shelf product, yes.
Mr. Thornberry. You mentioned a few minutes ago as $38
billion, roughly, in the accounts we are looking at; $2.8
billion, I think you said, for information assurance kinds of
things. Is that enough?
Ms. Takai. Well, we are looking at that. In fact, it is
interesting that you would ask that question, because Secretary
Gates actually also asked us that same question as we were
relating to him the review of what we are doing from an insider
threat mitigation standpoint.
Certainly for the calendar year, we believe that that $2.8
billion will successfully allow us to implement the tools that
I mentioned, as well as helping us to look at some of the
emerging threats and what we need to do.
I think one of the things that is important to know is that
improving our security isn't totally in just what we spend
under the cybersecurity label. The things that we are doing
around standardization of our infrastructure actually are all,
if you will, cybersecurity investments, but are not labeled as
such. So to some extent, when we talk about that spending, it
isn't totally representative of everything we are doing.
Mr. Thornberry. Fair point. Fair point.
I think we have run out of questions for the moment. Thank
you both for being here and for answering questions on a wide
variety of topics. We look forward to continuing to work with
you both towards the things you are trying to achieve.
With that, the hearing is adjourned.
[Whereupon, at 4:12 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
April 6, 2011
=======================================================================
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
April 6, 2011
=======================================================================
[GRAPHIC] [TIFF OMITTED] T5810.001 through T5810.022