[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                                    

                         [H.A.S.C. No. 117-50]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2022

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                   SUBCOMMITTEE ON CYBER, INNOVATIVE 
                 TECHNOLOGIES, AND INFORMATION SYSTEMS

                                   ON

                         DEPARTMENT OF DEFENSE

                        INFORMATION TECHNOLOGY,

                   CYBERSECURITY, AND INFORMATION 
                    ASSURANCE FOR FISCAL YEAR 2022

                               __________

                              HEARING HELD
                             JUNE 29, 2021


                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
45-433                    WASHINGTON : 2021                     
          
-----------------------------------------------------------------------------------


SUBCOMMITTEE ON CYBER, INNOVATIVE TECHNOLOGIES, AND INFORMATION SYSTEMS

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              JIM BANKS, Indiana
SETH MOULTON, Massachusetts          ELISE M. STEFANIK, New York
RO KHANNA, California                MO BROOKS, Alabama
WILLIAM R. KEATING, Massachusetts    MATT GAETZ, Florida
ANDY KIM, New Jersey                 MIKE JOHNSON, Louisiana
CHRISSY HOULAHAN, Pennsylvania,      STEPHANIE I. BICE, Oklahoma
    Vice Chair                       C. SCOTT FRANKLIN, Florida
JASON CROW, Colorado                 BLAKE D. MOORE, Utah
ELISSA SLOTKIN, Michigan             PAT FALLON, Texas
VERONICA ESCOBAR, Texas
JOSEPH D. MORELLE, New York

                Josh Stiefel, Professional Staff Member
                Sarah Moxley, Professional Staff Member
                         Caroline Kehrli, Clerk
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Franklin, Hon. C. Scott, a Representative from Florida, 
  Subcommittee on Cyber, Innovative Technologies, and Information 
  Systems........................................................     2
Langevin, Hon. James R., a Representative from Rhode Island, 
  Chairman, Subcommittee on Cyber, Innovative Technologies, and 
  Information Systems............................................     1

                               WITNESSES

Sherman, John, Acting Chief Information Officer, U.S. Department 
  of Defense.....................................................     3

                                APPENDIX

Prepared Statements:

    Langevin, Hon. James R.......................................    29
    Sherman, John................................................    31

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Ms. Houlahan.................................................    45
    Mr. Langevin.................................................    45
    Mr. Larsen...................................................    46

Questions Submitted by Members Post Hearing:

    Mr. Banks....................................................    49
    Ms. Houlahan.................................................    50
    Mr. Moore....................................................    52
                   
                   
                   DEPARTMENT OF DEFENSE INFORMATION

 TECHNOLOGY, CYBERSECURITY, AND INFORMATION ASSURANCE FOR FISCAL YEAR 
                                  2022

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
       Subcommittee on Cyber, Innovative Technologies, and 
                                       Information Systems,
                            Washington, DC, Tuesday, June 29, 2021.
    The subcommittee met, pursuant to call, at 4:02 p.m., in 
room 2118, Rayburn House Office Building, Hon. James R. 
Langevin (chairman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE 
      FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON CYBER, 
         INNOVATIVE TECHNOLOGIES, AND INFORMATION SYSTEMS

    Mr. Langevin. The subcommittee will come to order. So I 
want to welcome everyone to today's hearing on the Department 
of Defense information technology, cybersecurity, and 
information assurance. This is the subcommittee's first hearing 
on the Department's current IT [information technology] efforts 
and the requested investments for fiscal year 2022.
    Since this subcommittee was formed at the start of the 
117th Congress, our members have been eager and encouraged to 
see the Department of Defense approach its information 
technologies with a prioritization that has been lacking in the 
past. Of the many lessons from the pandemic, we have seen 
clearly that technology can revolutionize how we conduct our 
business, whether that is in Congress, or in the Department of 
Defense. However, it also requires that the infrastructure 
which enables our technology is prioritized and secured in a 
commensurate way.
    In my many years in Congress, I have witnessed firsthand 
the progress that the Department has made in improving the ways 
in which it can utilize technology. Nevertheless, there is 
still tremendous work to do. Year after year, we have leaders 
from across the Department tell us that they consider IT to be 
a priority before immediately pivoting to discuss how much 
funding they need for more flight hours, or more aircraft, or 
more tanks.
    Quite frankly, I would like to think that technology will 
truly be a priority when, for example, the Chief of Naval 
Operations says that the Navy can live with one less fighter 
aircraft in favor of greater IT investment.
    Through multiple National Defense Authorization Acts, the 
Congress has judged it prudent to empower the chief information 
officer [CIO] in managing the Department's technology 
portfolio. Today, the CIO is a Senate-confirmed position, has 
oversight over each of the service's IT budgets, and manages 
not only the Department's networks, but also its 
electromagnetic spectrum enterprise and command and control and 
communications efforts. This places the CIO in a unique 
operationalized role, contributing to success in the 
Department's ``no-fail'' missions.
    At the same time, there are still questions about how the 
Department of Defense defines the roles and responsibilities 
for cyber matters. If the Secretary of Defense is asked who is 
in charge of buying weapons for the Department, the answer is 
unequivocal: it is the Under Secretary of Defense for 
Acquisition and Sustainment.
    Conversely, if the Secretary is asked who is in charge of 
keeping DOD networks safe, the fact that there isn't a single 
correct answer is troubling. The Secretary could respond with 
the chief information officer, or the commander of Cyber 
Command, or even the chiefs of the military services, and he 
wouldn't technically be wrong in any of these responses.
    So if we can teach every one of our new officers about the 
criticality of clear command and control, why can't it apply--
apply this to the highest levels of the Department?
    So with that as the context, I want to welcome Mr. John 
Sherman, who appears in front of the subcommittee today. Mr. 
Sherman serves as the acting chief information officer. And 
while we have had the pleasure to work together since assuming 
the role in January, this is his first appearance before a HASC 
[House Armed Services Committee] hearing. He is a career member 
of the senior intelligence service and previously served as 
chief information officer of the U.S. intelligence community.
    So, I thank you, Mr. Sherman, for your service and your 
commitment to the United States and the work that you are doing 
in DOD [Department of Defense].
    But before we get to you, I would like to now yield to Mr. 
Franklin, who is stepping in for Ranking Member Banks. Scott, 
the floor is yours.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 29.]

  STATEMENT OF HON. C. SCOTT FRANKLIN, A REPRESENTATIVE FROM 
 FLORIDA, SUBCOMMITTEE ON CYBER, INNOVATIVE TECHNOLOGIES, AND 
                      INFORMATION SYSTEMS

    Mr. Franklin. Thank you, Mr. Chairman. Thank you, Mr. 
Sherman, for your time here with us today.
    The Department's information technology and cybersecurity 
budget may not be the most riveting subject, but it is 
certainly one of the most critical. IT undergirds every 
Department, or every part of the Department, whether it is 
protecting our Defense networks from adversaries; managing the 
DOD's spectrum to ensure swift, clear communication with our 
troops around the world; or deploying IT or software--secure 
software, IT is foundational from weapon systems to financial 
management.
    In an enterprise as large as the Department of Defense, 
with its many missions, different systems, and multiple 
stakeholders, we are fortunate there has not been a 
catastrophic IT failure rendering our equipment no better than 
paperweights, or allowing adversaries to sit in our networks 
and capture sensitive information.
    I am encouraged by the direction of the Department, but 
this is not an area where we can afford to slow down. Without 
strategic vision, resourcing, and investment in the workforce, 
and buy-in from leadership in the Department, failure is 
possible.
    The IT and cyberspace budget represents roughly 7 percent 
of the DOD budget. So every dollar must be used wisely. I look 
forward to hearing your views and justifications for the budget 
and how you are using the dollars to pursue modernization, 
efficiencies, and security.
    The Department of Defense has a technology deficit. And 
unless we make both the necessary investments and 
prioritizations, we risk weakening our national security, and 
none of us here wants that.
    With that, Mr. Chairman, I yield back.
    Mr. Langevin. Good. Very good. Thank you, Mr. Franklin.
    With that, I want to turn it over to Mr. Sherman for his 
opening statement.

 STATEMENT OF JOHN SHERMAN, ACTING CHIEF INFORMATION OFFICER, 
                   U.S. DEPARTMENT OF DEFENSE

    Mr. Sherman. Thank you very much, sir. Good afternoon, Mr. 
Chairman, Ranking Member, and members of the subcommittee. 
Thank you for the opportunity to testify before the 
subcommittee today on the current efforts underway pertaining 
to the Department's information technology and cybersecurity. I 
am John Sherman, the acting Department of Defense Chief 
Information Officer.
    The President's interim national security strategic 
guidance, as well as Secretary Austin's priorities, drive the 
key areas I will highlight regarding the Department's cloud, 
software and network modernization, cybersecurity workforce, 
command control communications, and data.
    In what I see as a critical step for the whole enterprise, 
we have made cloud computing a fundamental component of our 
global IT infrastructure and modernization strategy. With 
battlefield success increasingly reliant on digital 
capabilities, cloud computing satisfies the warfighters' 
requirements for rapid access to data, innovative capabilities, 
and assured support.
    Furthermore, we remain committed in our drive toward a 
multivendor, multicloud ecosystem, with our fiscal year 2022 
cloud investments representing over 50 different commercial 
vendors, including commercial cloud service providers and 
system integrators.
    The Department's cloud conversancy and ability to leverage 
this technology has definitely matured over the last several 
years, and we are driving hard to accelerate the momentum even 
more in this space.
    Software capabilities and networks are also critical to our 
success. I am pleased to announce that we will release a 
software modernization strategy later this summer that builds 
on already-developed guidance, such as DevSecOps 2.0 guidance 
released last month. We are dedicated to delivering resilient 
software capability at the speed of relevance. The fiscal year 
2022 budget includes investments to enable software 
modernization, with cloud services as the foundation to fully 
integrate the technology, process, and people needed to deliver 
next-generation capabilities.
    Meanwhile, the COVID-19 pandemic crisis changed the way we 
all work. The Department deployed a commercial-based 
collaboration capability to enable the rapid transition to 
remote work. While cloud access and remote work introduce a 
significant burden to the DOD networks, we continue to deploy 
secure and agile solutions.
    All of these efforts must address cybersecurity from the 
start. The Secretary previously discussed the Department's 
investment in cybersecurity and cyberspace operations that will 
maintain the momentum of our digital modernization strategy. 
The fiscal year 2022 DOD cybersecurity budget maintains 
enhanced funding levels established in fiscal year 2020 and 
fiscal year 2021 for key enterprise cybersecurity capabilities 
that will enable us to advance our focus on Zero Trust and risk 
management and drive our new investments to enhance resiliency 
and cyber defenses. We take our responsibilities in this area 
very seriously given the threat landscape we face.
    While all divisions on our CIO team support warfighting, it 
is command, control, and communications, or C3, that might be 
most closely linked to the warfighter on the ground, sea, air, 
and space domains. The critical capabilities in this portfolio, 
positioning, navigation, and timing, or PNT; electromagnetic 
spectrum enterprise, or EMSE; and 5G, are a key priority for 
the enterprise, especially as we face threats from our near-
peer competitors.
    Finally, we often note that data is the ammunition of the 
future. The Department has prioritized ensuring the timely, 
secure, and resilient access to data needed for military 
advantage and all-domain operations. While data management is 
not directly tied to specific program elements in the fiscal 
year 2022 budget request, we are identifying, assessing, and 
tracking our data-related investments as part of the budget 
certification process that I lead.
    In closing, I want to emphasize the importance of our 
partnership with Congress in all areas, but with a particular 
focus on digital modernization and IT reform.
    Thank you for the opportunity to testify this afternoon. 
And I look forward to your questions.
    [The prepared statement of Mr. Sherman can be found in the 
Appendix on page 31.]
    Mr. Langevin. Thank you, Mr. Sherman.
    So, we are going to go to member questions now as we 
recognize in order of seniority for 5 minutes. And I will start with 
myself.
    Mr. Sherman, first question I have, and I am going to be 
direct, the Department released a comprehensive summary 
document of its IT and cyberspace activities budget, totaling 
30 pages. This year, that same document is six pages, only two 
of which contain any substance. Separately, this committee has 
made your office aware that the IT and cyberspace activities 
portion of this year's defense budget overview was nearly a 
carbon copy of the 2020 defense budget overview.
    I have to be honest with you. If the Department of Defense 
were a high school student, I would have called this 
plagiarism. So with all due respect, if your office cannot be 
troubled to put together the necessary materials for this 
committee's oversight, how can we trust the stewardship of this 
critical portfolio?
    Mr. Sherman. Mr. Chairman, thank you for the question. And 
I appreciate everything you are saying. And your staff had 
raised this with us a couple of weeks ago.
    So, a couple of things happened on this as I have dug into 
this in my 6 months into the job, and particularly as it was 
raised recently. Part of the reduction in the length of the 
documents had to do with the CUI, or controlled unclassified 
information, designator that was put on it that, in a way, 
perhaps restricted the number of pages on there.
    But your point, sir, about the carbon copy is something I 
take very seriously. Your staff has raised this with me. And I 
will own this and ensure we get it better next time. And, 
indeed, I have been laser-focused on the technology and 
cybersecurity, but we need to do a better job in CIO working 
with comptroller and other Department colleagues in the level 
of product we share with you. So sir, I will take this guidance 
on and make it a priority going forward. And I appreciate you 
flagging it, sir.
    Mr. Langevin. Without that level of detail, just to 
understand, we can't fulfill our oversight responsibilities. We 
are in the dark otherwise. And that is unacceptable going 
forward. So I take you at your word and we will go from there.
    Also, in reviewing the Department's budget materials, it 
would appear that there are significant challenges between all 
of the various DOD entities in harmonizing how the Department 
categorizes its cybersecurity and IT investments. For example, 
the Navy does not categorize endpoint device management tools 
as cybersecurity funding, yet the Air Force does. As a result, 
it is nearly impossible to get a comprehensive picture of how 
resources are being spent. How can our members help you 
accelerate the efforts to create greater compliance and 
consistency in understanding the Department's investments?
    Mr. Sherman. Sir, thank you for that. I think some of this 
is what we need to be doing on our own within the CIO 
enterprise, working with our service and other colleagues as we 
work the budget year to year.
    To your point, and I took this once I got in the seat here, 
that our $5.5 billion for cybersecurity thereabouts doesn't, 
indeed, represent the totality of cybersecurity throughout the 
Department. It is a large portion of it, but to your point 
about endpoint security--and I will give another example, what 
we have done with DOD or Office 365, and some of the 
cybersecurity features we bought from the vendor on there are 
reflected in our enterprise and not cyber budget.
    Cybersecurity is my top priority as CIO, along with the 
other modernization activities. But to be able to reflect the 
totality of that is something we need to do a better job of. 
And I think we have the tools and wherewithal internally to 
work with our colleagues to make sure we can reflect this more 
accurately. But this is something, sir, I have noticed 
recently, because the $5.5 billion, while an accurate 
assessment of cybersecurity, there are some more in the budget 
that we need to be able to reflect in there. So sir, we will 
take that on board as well.
    Mr. Langevin. It is important. Having that common 
understanding is going to help us better understand, you know, 
where we are lacking capabilities, where are we investing in 
the right place, and how our dollars are being spent.
    In the statement you submitted to the committee, you noted 
that you serve as the Department's lead for industrial control 
systems [ICS] cybersecurity. You also noted that the Department 
is working to build cybersecurity expertise in the cyber 
workforce and developing capabilities to monitor ICS systems. 
So I have a few questions about this.
    First, does the Department use the term ICS and operational 
technology, or OT, interchangeably?
    Mr. Sherman. To my understanding right now, we do, sir. 
This is an area of late that I have wanted to really dig on, 
both back when I was the principal deputy CIO at the time and 
now as the acting CIO. To answer your question, I believe we 
use those interchangeably. I am working with our chief 
information security officer, just as recently as this week, to 
start to gather the documentation we have on this to ensure 
that we, at the departmental CIO level, have the right sort of 
guidance and the articulation of terms, right what you are 
getting at, sir, as we are using IO--and I will throw IOT, 
internet of things, in there as well, along with industrial 
control systems, operational technology, et cetera, to get at 
the main issue that we are not creating seams in our 
cybersecurity activities between the cyber defenders and our 
facility managers, where an adversary could go after things 
like HVAC [heating, ventilation, air conditioning], elevators, 
and other places that would allow cyber vulnerabilities. So 
that is where we are at right now, sir.
    Mr. Langevin. And what is the difference between defense 
cyber workforce, and cyberspace operations forces?
    Mr. Sherman. The--I want to make sure I get this one right. 
The defense cyber workforce would include the way we 
characterize the work roles, include the cyber workforce, I 
believe in there, sir. So the defense cyber workforce is based 
only on the framework of the occupational series we have, I 
believe there are 54, of any type of individual military or 
civilian operating in cyber work roles in terms of whether you 
are a coder, a cyber defender, et cetera.
    So this gets to the blocking and tackling we have been 
doing over the past couple of years to get our arms around the 
totality of our cyber workforce. So, I will take that for the 
record to ensure I am being correct on this, sir. But the cyber 
operators that are working for CYBERCOM [U.S. Cyber Command] 
and elsewhere are included in our broader Cyber Workforce framework 
that we have put together to allow us to get the fidelity we 
need on these occupational series, and the work roles so we can 
look all the way across the dozens of work roles with the 
fidelity we need to be able to characterize the tens of 
thousands of individuals we have in this area, sir.
    [The information referred to can be found in the Appendix 
on page 45.]
    Mr. Langevin. And last question I have--and then I am going 
to yield to the ranking member, and hopefully, we will get a 
second round in, too--but do the efforts that your statement 
describe extend to the cyber mission force, and/or the cyber 
operation forces? And will the cyberspace operations forces 
have dedicated elements for OT cybersecurity?
    Mr. Sherman. Sir, I want to take that one for the record 
and make sure I give you the right answer on that. I would see 
the IOT, the industrial control system, absolutely involving 
our CYBERCOM colleagues on this, but in terms of how we are 
going to structure this, it is frankly early in the movie on 
this, and I want to make sure I get the right answer for you on 
that, sir. But this is a priority for me, especially post-Colonial 
Pipeline. This was a wake-up call. And again, the Department 
has been on this, but what can be done to ICS? I want to ensure 
we are putting all the piece parts to this together. So I will 
need to take that one for the record as well, sir.
    [The information referred to can be found in the Appendix 
on page 45.]
    Mr. Langevin. We look forward to getting the follow-up from 
you for the record.
    With that, I am going to hold there and yield to the 
ranking member.
    Mr. Franklin. Thank you, Mr. Chairman.
    Mr. Sherman, it is my understanding that the Department of 
Defense allows unpatched software to remain on the network for 
120 days before being removed. When our adversaries are 
increasingly looking to attack us from the cyber domain, can 
you highlight what the Department's doing to reduce this 
timeframe, and make sure our systems are not vulnerable? And 
then part two of that, do you have the authorities necessary to 
require the services and components to act?
    Mr. Sherman. Thank you, sir. I believe we do absolutely 
have the authorities we need on this. And this gets into the 
broader cybersecurity push we have. Looking at things like our 
risk management framework, the standards we have about how long 
software can remain on our network, and, indeed, one of my 
absolute main priorities is we move to a Zero Trust 
architecture getting after things like unpatched software, but 
also, an overall holistic approach to how we structure our 
networks and making it assume that the bad guys are going to 
get on there, and how do we segment things, ensure it is 
patched as quickly as possible, and have the very best tools 
and approach on this. So sir, this is something 120 days is 
probably too long. We would need to take a look at that, but 
this gets to the broader push.
    I've also got the CISA [Cybersecurity and Infrastructure 
Security Agency] working on to how can we do this better to 
ensure as we look at peer competitors and non-state actors that 
know they are coming at this, that that is not what we want to 
be able to maintain there, sir. So we will be looking at that.
    Mr. Franklin. Very good.
    In your testimony you state that not all priorities can be 
satisfied in each budget. That is pretty much a standard for 
all the different departments that come before us. But can you 
highlight what is not being satisfied in the President's 
budget? And what risks are there associated with those unfunded 
priorities?
    Mr. Sherman. Well, sir, I would say the main priorities are 
all being answered in the President's budget. We do have some 
risk areas that bother me, though, as CIO. And these have been 
enduring and I think my predecessors would have said the same 
thing. You mentioned about the software patching, that is 
something immediately on our networks. Working with our 
colleagues in Acquisition and Sustainment, I really want to put 
our shoulder in to weapon systems, and critical infrastructure, 
recognizing that our adversaries are going to be coming after 
those, too, and moving just beyond the Department of Defense 
Information Network under my charge, but looking again at 
weapon systems and elsewhere where we can work with General 
Nakasone's team at CYBERCOM, work with A&S [Under Secretary of 
Defense for Acquisition and Sustainment]. And those are some 
risk areas that because some of these programs were started in 
the 1990s when cybersecurity was in a different place, we have 
a better way to come at this. That is the type of area, sir, 
where I think we are carrying some risk that I want to do a 
better job of working with our colleagues in the Department.
    Mr. Franklin. Okay.
    And one final question for this round. Recent cyber 
attacks, such as those on the Colonial Pipeline and water 
treatment facility back in my home State of Florida, have 
highlighted that critical infrastructure and utilities are 
becoming more integrated with traditional IT networks, and 
therefore, can be more exposed to cyber risks. How could the 
DOD's mission be impacted by such attacks on critical 
infrastructure and utility operations technology? And what are 
the Department's plans to ensure an adequate level of 
protection to those assets that is commensurate with the risk?
    Mr. Sherman. Yes, sir. That gets exactly to what I was 
mentioning with the chairman's question on this as well. ICS, 
industrial control systems, operational technology, and we will 
get the terminology all right on this, but exactly what you are 
talking about, a cyber attack not necessarily launched on our 
networks, but against our water supply, our heating and 
cooling, on a data center somewhere that could be the same as a 
kinetic kill on something, and shutting the water off for 
cooling. Any number of things that affect our operations on our 
installations.
    What I didn't appreciate until I got into this job was 
there could be seams we need to address. And so again this is 
one of our priorities is I am having our team do a close look 
at what policies we have in place. Is it directive enough? Is 
it suggestive? And we need to roll in harder on this? What I 
don't want to have happen is any seams between the outfield so 
to speak, between facilities, cybersecurity, and elsewhere, 
where our adversaries could find a gap and get after us and 
hurt our facilities in the NCR [National Capital Region], or 
one of our installations, or overseas, or our warfighting 
ability. So this is a priority, sir, and it is in progress as 
we are looking at this. And again, as recently as this week, we 
have been working on this.
    Mr. Franklin. Thank you, Mr. Chairman. I yield back.
    Mr. Langevin. Thank you, Mr. Franklin.
    Mr. Larsen is now recognized for 5 minutes.
    Mr. Larsen. Thank you, Mr. Chair.
    Mr. Sherman, it is good to see you. In your testimony, on 
page 10, you--on page 9 and 10, you discuss 5G; in particular, 
that, I think you say that the Department's ready to make 
available 3.45 to 3.65, but you have concerns about the 3.1 to 
3.45. Is this a setting in which you can explain some of your 
concerns about the mission operational impact on the 3.1 to 
3.45?
    Mr. Sherman. Yes, sir. At a high level, so the 3.45 to 3.65 
are areas we have actually been able to vacate, or are in the 
process of vacating. The other one, the 3.1 and up to 3.45, 
this other band has quite a bit of DOD activity in it in the 
continental United States and our territories for radars and 
other capabilities that are used for training, as well as real-
world operations, homeland security, and so on. Whereas we have 
been able to vacate, or in the process of outright vacating 
those other bands, this one is going to be trickier, where 
we're gonna need to learn and be able to share that, where we can 
have some sort of relationship if this becomes available 
working with the FCC [Federal Communications Commission] and 
Commerce, NTIA [National Telecommunications and Information 
Administration] to where--I will give you an example of the 
kind of vision we have on this, would be, say, an Aegis-class 
cruiser down in Norfolk needs to be able to bring up their very 
powerful radar, but not every day, maybe certain days of the 
months. But when that illuminates, it can go well into the 
Tidewater region, as I understand it.
    Well, hopefully, we are able to walk and chew gum where we 
can work out arrangements where on those days that cruiser has 
to bring the radar up, there could be some sort of sharing of 
that spectrum. That is what I am getting at with that band, 
that 3.1 to 3.45, recognizing there is a lot. And I just used a 
naval example. There are plenty of others that operate in that 
space, where our soldiers, sailors, airmen, Marines, and 
guardians have to be able to operate in that space. And again, 
some of this is for real-world operational activity, AWACS 
[Airborne Warning and Control System] is an example.
    So that is what we are looking at. We want the U.S. to be a 
5G dominant Nation, but we also have to maintain these DOD 
operational needs. But we think we can work this out and that 
is what we are looking at in that band, sir.
    Mr. Larsen. You might know, we have been trying to help you 
all work that out as well. It has been fits and starts a little 
bit.
    So can you discuss, does CIO have a role and what would you 
assess the progress of the 5G pilot projects? You don't have to 
go through all 12, but do you have general thoughts right now?
    Mr. Sherman. Yes, sir. We absolutely have a role. So we 
work with our Research and Engineering colleagues, USD R&E 
[Under Secretary of Defense for Research and Engineering], they 
have the lead. We work it from the CIO side with the standards 
piece, working it closely with them. And working it--I don't 
want to say at a more strategic level, but there is a very 
close partnership where they are working directly with the 
services. And, sir, you are aware of all 12.
    Mr. Larsen. Yeah.
    Mr. Sherman. Logistics, and healthcare, and aircraft 
maintenance, and everything else. Well, we are working the 
standards piece and working with the higher level interlocutors 
at FCC, and Commerce, and elsewhere. So it is a very good 
coupling between their leadership, working with the 
stakeholders on the pilots, and us working it from a CIO 
standards, policies--I don't want to say oversight yet, but 
that piece of it, so we do have a very close part.
    Mr. Larsen. When those are done or when there is some 
assessment, I would note in your testimony, it said, CIO gets 
those in 2024. So will you--will the CIO office be taking the 
operational role at some point?
    Mr. Sherman. I think we need to define exactly what that 
means, sir. But yes, I think we are going to have that, as 
mentioned in my written submission. And by 2024 and what does 
that look like? And as our colleagues in R&E move on to 6G, and 
Next G, and keep leading us in that direction to stay ahead of 
our adversaries. So, yes, sir. I see us as having the overall 
baton, but to be honest, we have to define exactly what that is 
going to look like.
    Mr. Larsen. But that makes a broader assumption as well 
that CIO will be, for lack of a better term, you will be the 
repository for 5G, not military operations, but you will be the 
keeper of 5G for the Department once we are using it.
    Mr. Sherman. Yes, sir. That is based on that assumption, 
subject to administration and departmental guidance and 
legislation from you all, sir.
    Mr. Larsen. Yeah. That is great.
    I only have 20 seconds, so I will ask the question, but we 
may be able to come back. So I will give you a heads-up. It is 
a question about the JAIC [Joint Artificial Intelligence 
Center], and specifically the AI [artificial intelligence] 
education strategy that was part of the 2020 NDAA [National 
Defense Authorization Act]. So if you have an update on that. 
And specifically on that as well, any information on the 
DOD's--your perspective on the National Security Commission on 
AI and identification to be AI-ready by 2025 and will we be 
ready?
    With that, I will yield back. And you can chew on that 
while we work through the first round.
    Thank you, Mr. Chair.
    Mr. Langevin. Thank you, Mr. Larsen.
    Mr. Moore is recognized for 5 minutes.
    Mr. Moore. Thank you, Chairman. Thank you all for being 
here.
    The intelligence community through its commercial cloud 
enterprise initiative recently moved away from its previous 
approach of utilizing one cloud provider, and has, instead, 
adopted a new approach to cloud computing. Generally, I am in 
favor of increasing competition and innovation. I believe this 
ensures access to the latest emerging technologies and the 
benefit of price competition, as well as the ability to procure 
services based on specific workload. And the needs with that.
    I am interested in learning how the Pentagon has approached 
cloud computing in order to maximize the benefits of 
competition, while balancing the needs of managing highly 
sensitive, often classified, DOD materials. So my question to 
Mr. Sherman, the Pentagon's $10 billion JEDI [Joint Enterprise 
Defense Infrastructure] program has been in ongoing yearslong 
litigation. One of the key objectives for the JEDI contract is 
to move at the speed of relevance to support the delivery in 
sharing information real-time for our Nation's warfighters, but 
with years of delays that has still not happened. I know that 
JEDI is in litigation, and your comments may be short on 
specifics, but can you speak generally about how the Office of 
CIO is approaching cloud currently? And what plans are in place 
or being made for the Department for future cloud services?
    Mr. Sherman. Yes, sir. So, starting with cloud writ large, 
we went from a situation where we had maybe almost 1,000 
flowers blooming, to really starting to consolidate down where 
we have roughly a dozen as we would call them fit-for-purpose 
clouds. You have heard of some of them: milCloud 2.0, the Air 
Force's Cloud One, the new cloud Army, cARMY as they call it, 
and I can go into some others, where we are using those as 
platforms for software development for some of the AI activity 
at the unclassified and secret level, in some cases. Some are 
on premises, some are off premises. But this gets into that in 
my opening statement about the cloud conversancy in the 
Department moving from a capital expenditure or CapEx model, to 
where we maintain all the infrastructure and all the hardware 
to an OpEx or an operations expenditure model in which we would 
use a cloud setting. So it is not only having the software 
development, the DevSecOps, workloads, but learning how to live 
and operate in a cloud environment. And that we have done. So 
we have been able to work on that across the services, across 
the enterprise, and with the Defense agencies and field 
activities.
    To your point, we still also have an urgent unmet need for 
an enterprise cloud capability at all three security levels--
unclassified, secret, and top secret--that extends all the way 
from headquarters all the way to the tactical edge. And that 
has not gone away at this time.
    And as Deputy Secretary Hicks made some recent public 
statements, we are continuing to assess our next steps vis-a-
vis what comes next or what should we be doing with that 
enterprise cloud urgent and unmet need. And that is where we 
are now on the cloud and we will be pending your further 
questions.
    Mr. Moore. Would leveraging public-private partnerships 
help in that regard? Given the fact that a healthy majority of 
cyber infrastructure in this country is owned by the private 
industry, do you see an opportunity to leverage that with those 
particular challenges and moving forward?
    Mr. Sherman. I think some of the main challenges--and we do 
obviously want to work very closely with our industry partners 
on their best capabilities, gets into the cybersecurity realm 
as we move from different impact levels as we call from IL, or 
Impact Level 2, which is what we just did on that commercial 
virtual remote, that COVID-era remote work capability up now to 
what we call DOD 365 to get onto an Impact Level 5 enclave that 
in this case Microsoft helped set up for us in different 
tenants of which we have 13 of them. So, sir, a lot of that--we 
appreciate the public-private partnership, but for the 
Department of Defense and for our mission, cybersecurity is 
going to be paramount in that discussion.
    Mr. Moore. Yeah. And I would agree with that. I mean, it 
started--the questioning--we are talking about the intelligence 
community, and absolutely respect that.
    I look at our Space Force, right? And how our Space Force 
is able to leverage so much from the private sector, just 
thinking about how we can create more efficiencies and leverage 
it. Obviously, paramount is the classification and ability to 
do that.
    So with 20 seconds left, I will yield back. And thank you 
very much.
    Mr. Sherman. Yes, sir.
    Mr. Langevin. Thank you, Mr. Moore.
    Ms. Houlahan is now recognized for 5 minutes.
    Ms. Houlahan. Thank you, Mr. Chair. And I just would like 
to say I find this testimony riveting. And, so, I appreciate 
the conversation. And I am glad to be here to ask you 
questions.
    I guess my first question has to do with a letter that I 
recently sent to Secretary Austin with several of my 
colleagues, and asked the DOD to implement a mandatory training 
on digital literacy and cyber citizenship within the DOD. The 
proposed defense budget would set aside $30.8 million to help 
the Pentagon improve tools to identify and address extremism 
amongst troops and to enhance training at all levels. It also 
included $9.1 million to take initial steps to fight extremism 
and insider threats.
    I was wondering if you might be able to share a little bit 
of detail on what sort of tools there would be possibly, and 
trainings there would be possibly, and what they might look 
like?
    Mr. Sherman. For digital literacy, ma'am ----
    Ms. Houlahan. Yes, sir.
    Mr. Sherman [continuing]. Or countering extremists 
specifically?
    Ms. Houlahan. Digital literacy. The idea here, sir, is that 
we need to make sure that everybody has an understanding of how to 
assess truth. And literacy is a set of skills that is not just 
reading, but it is also numeracy, it is financial literacy. It 
is also just kind of civics engagement and understanding how to 
understand when you are being not told the truth. And so, the 
digital literacy would be for our troops in that area.
    Mr. Sherman. Ma'am, at a high level, I will say I know 
there are training opportunities all across the enterprise in 
terms specifically for those operating. And, ma'am, I know you 
have got a lot of experience of this from Hanscom [Air Force 
Base] and elsewhere for those operating in the digital space. 
But in terms, I would like to take this for the record to give 
you a holistic answer. Because I am going to be honest with 
you, I haven't had a chance to drill down on exactly how much 
we have for the--everybody's digital, of course, but if I am 
not working in the information technology or cybersecurity, and 
if I'm in operations let's say, which I think is what your 
letter is getting at, I would like to get back to you and take 
a look at that and see exactly what we have on the shelf and 
what we can do to expand what you are getting at to beyond the 
standard, computer-based training on things like avoiding 
cybersecurity threats.
    Ms. Houlahan. Sure.
    Mr. Sherman. But avoiding or doing the right thing. So, 
ma'am, I would like to take that for the record and come back 
to you with that.
    [The information referred to can be found in the Appendix 
on page 45.]
    Ms. Houlahan. No. I appreciate that. And I would love to 
follow up with you on that.
    My next question is about investment in STEM [science, 
technology, engineering and mathematics] to make sure that we 
have competitive cyber professionals that are able to meet our 
Nation's workforce demands. And so, I am really interested in 
your Cyber Excepted Service. At the hearing in April before the 
Senate Armed Services personnel committee, the Acting Secretary 
for Defense for civilian personnel testified that the Cyber 
Excepted Service was important and that authorities have 
been able to enhance recruitment of cyber professionals. He 
pointed to the flexibility in compensation and classification 
of work requirements as examples of how this program has been 
able to better meet targeted cyber needs.
    We also received testimony in the subcommittee from the 
U.S. CYBERCOM commander that the mission and the opportunity to 
work with colleagues of such caliber provides a more unique 
and important competitive advantage than compensation when 
competing with the commercial industry.
    So, I would like to hear your take on what it is--what is 
and what isn't working with Cyber Excepted Service from an IT 
perspective, rather than from a personnel perspective. Do you 
agree with the assessments that we have heard previously? What 
would you like Congress to know about what is and what isn't 
working as we continue to examine these and other authorities 
to meet the DOD's cyber needs?
    Mr. Sherman. I think at a higher level I think CES [Cyber 
Excepted Service] is working well. I think, and as I put in my 
written testimony, we have got about 9,000 civilian positions that 
it could apply to, and we have got about 6,500 that have been 
converted. This has been us, at an enterprise level, 
learning how to use this capability to the best advantage, 
getting it out there to the different services and components 
on how to use it. And also, as we use the targeted local market 
supplement, TLMS, to the best advantage, and the other 
capabilities that CES provides us for expedited hiring, and 
benefits, and so on to get that talent in the door.
    I would say this really does have to be nested in a broader 
cyber workforce strategy, which I have actually launched, and 
we aim to publish early next year on what it is we are trying 
to do with CES and all these other tools in our toolkit here, 
and to increase the diversity, the capability, the conversancy 
of our workforce for the 21st century threats. And also 
leveraging back to the STEM training, things like the NSA 
[National Security Agency] scholarship program they have, and 
being able to fit that in, and also the accreditation they have 
for institutions around the country from junior colleges up to 
4-year institutions. So what I saw lacking was we didn't have 
one place, we had a little bit in our cyber strategy. We need a 
cyber workforce strategy. And as a matter of fact, I chaired 
the first--I need to make sure I get this right--the CWMB, the 
Cyber Workforce Management Board. We hadn't held one in a year. 
I said we need to hold one, which I co-chair with personnel 
resources and PCA [principal cyber advisor] to be able to start 
to look at these hard problems that you are getting at, ma'am, 
with CES and some of these other talent issues we have got to 
get right.
    Ms. Houlahan. I know my time has expired, and I yield back. 
Thank you.
    Mr. Langevin. Thank you, Ms. Houlahan.
    Before we go to the second round, is there any member who 
has not asked a question in the first round that wants to ask a 
question? Any of our members remotely? Okay.
    Hearing none, we are going to move to the second round. And 
I will recognize myself for the first round of second 
questions.
    So out of the 17 unfunded priority lists submitted by DOD 
components and commands, there are a total of $1.2 billion in 
IT-related requests. Obviously, no small number. As the DOD is 
officially responsible for compiling and certifying the 
Department's IT and cyberspace activities budget, what does it 
say that the various components have identified IT and cyber 
requirements they may judge to be critical, but do not prioritize 
them enough in the normal budget process to make sure that they 
are in the President's budget?
    Mr. Sherman. So as a CIO, this is an ongoing thing we need 
to always be looking at. We have certified the budget as 
required for sufficiency to ensure that as we look at our 
digital modernization priorities, that the components 
submitting, the services and so on, have funded sufficiently to 
reach that, as well as within the submitted budget, the 
increase roughly I think 5 or so percent since last year we 
have seen an in--our submitted increase to get after what we 
need to get to. But to your point about UFR [unfunded 
requirements], sir, being able to have the governance to 
work with them to ensure that this is being submitted properly 
and not outside of what we are certifying is something I will 
continue to focus on as CIO to ensure we can get this right. 
But I feel that we have certified a good budget, that we have 
what we need to cover down on digital modernization priorities. 
And we will continue to watch this closely with our component 
colleagues.
    Mr. Langevin. So I have consistently advocated for more 
dedicated senior leadership and focus for electromagnetic 
spectrum operations at the Department. Mr. Sherman, in your 
written testimony, you wrote that the CIO has been assigned and 
designated as senior official for long-term implementation of 
the 2020 spectrum superiority strategy. When will this 
implementation plan be released? And how do you intend to carry 
it out? And why would this plan be successful while others have 
fallen short?
    Mr. Sherman. So on the question, we expect the 
implementation plan to be signed very soon by the Secretary. I 
don't have an exact date. But we have got this teed up, ready 
to go. And in terms of why it will be successful, the 
commitment from the Department, from the Joint Chiefs to the 
OSD [Office of the Secretary of Defense] side, in recognizing 
that we have got to get this right in a near-peer competitor 
environment, not that we haven't been focusing on this during 
the wars in Afghanistan and Iraq, but as we look at China, and 
Russia, and other adversaries in that regard, electromagnetic 
spectrum is going to be critical, just as critical as kinetic 
long-range fires, space, cyberspace, and so on. We've got to be 
successful.
    So the commitment from the Chairman, the Vice Chairman, 
Secretary, Deputy Secretary, and everybody has been very 
strong. So we are confident that we are going to have what we 
need.
    And back, I think, to your middle question, sir, we are the 
main overseeing official for this. The Vice Chairman through 
the Joint Staff is leading a CFT [cross-functional team], a 
functional team working on this. And come start of fiscal year 
2022, we are going to take the baton as the implementing office 
for this.
    So we are the overall lead responsible official for the 
Department, Joint Staff is working the CFT and we are ready to 
pick that up. And sir, I feel we have the commitment on this 
across the services and the seriousness recognizing the threats 
we face right now.
    Mr. Langevin. Very good. Thank you, Mr. Chairman.
    With that, since Ms. Bice has not asked a question yet, I 
will yield to Ms. Bice for 5 minutes.
    Mrs. Bice. Thank you so much, Mr. Chairman, for holding 
this important hearing today. Mr. Sherman, thank you for being 
here.
    The DOD's cloud strategy calls for three clouds: milCloud 
2.0, a secure premise cloud; the Defense Enterprise [Office] 
Solution, cloud-based secure collaboration solution; and the 
JEDI, general purpose cloud. Fourth Estate agencies were 
directed to move to the milCloud 2.0, but adoption has been 
incredibly slow. Today, only 3 percent of the targeted 
workloads have migrated to the milCloud. This has delayed 
realization of enhanced security, which is paramount in light 
of the most recent Colonial Pipeline and SolarWinds 
cybersecurity attacks.
    A little bit of background. I come from a family 
business that has dealt in the technology space. And I 
recognize the critical need for us to protect our assets, 
especially in the cyberspace. Will the DOD enforce the 2018 
mandate directing milCloud 2.0 migration by the Fourth Estate?
    Mr. Sherman. We are going to ensure that it is being used 
where it can be used and ensuring that the DAFAs, the Defense 
agencies and field activities, that need the on-prem capability 
that it provides are going to use it.
    In terms of what was directed in 2018, I am frankly, from 
my seat, going to take a more nuanced approach on this. 
MilCloud 2.0 is a powerful capability on-prem. To your point, 
it operates at IL 5. It is not yet accredited at IL 6 secret. 
And roughly 25 percent of the DAFA migrations that have 
occurred from legacy to cloud-based solutions have gone to 
milCloud 2.0. It is a powerful arrow in our quiver, but not the 
only one. And, so, that is the approach I am taking on this. It 
is definitely a good capability to have, but it is not our only 
capability. And so, that is how I am approaching this, ma'am.
    Mrs. Bice. If I may follow up. So you are suggesting that 
only 25 percent has migrated to milCloud. What is the other 75 
percent doing?
    Mr. Sherman. They are going to other cloud-based 
capabilities. Amazon, Microsoft, and DISA [Defense Information 
Systems Agency] provided cloud capabilities to get off of 
legacy platforms.
    Mrs. Bice. Do you feel like the migrating to those 
particular platforms provides a security that you feel 
comfortable with?
    Mr. Sherman. Yes, ma'am, it does.
    Mrs. Bice. A follow-up question to that, if I can. Our 
adversaries have made it known that they plan to use artificial 
intelligence to gain a competitive advantage in cyberspace. 
What is the DOD doing to match and exceed any capabilities our 
adversaries might develop in this space to defend our assets, 
and ensure DOD can effectively carry out its mission? What 
keeps you up at night?
    Mr. Sherman. What keeps me up at night are cyber threats of 
the kind we are seeing across the country, not only against the 
government, but against the private sector. This is the main 
reason I am so committed to moving out with the Zero Trust 
implementation at the Department of Defense. I want DOD to be a 
leader in this space.
    Zero Trust has been bandied about for years. Some in the 
private sector may have achieved this at some level, but no 
department has at the level I am suggesting. With an assumption 
that the adversary is on the network, we must segment in a way 
we never have before. Instrument the network in a way we 
haven't, and using things like identity, credential, and access 
management, endpoint security, comply to connect. And it is not 
one thing you buy, but a host of capabilities. I know what the 
Chinese and Russians want to do to our networks and this is the 
most important role I have as CIO, along with our types of 
modernization for our warfighters, keeping our networks safe.
    I have often noted that right now, the offensive side has 
all the capability. And we on the defensive side have got to 
run a new defense, to use one of my football terms. We are 
going to run a new defense. That is what keeps me up. And it is 
going to involve making it about the data in the systems as 
well as, ma'am, artificial intelligence, how we can bring that 
to bear, so we don't segment ourselves and have to have tens of 
thousands of defenders doing the work that a set of AI 
algorithms can do. So that is going to be part of Zero Trust as 
well.
    Mrs. Bice. Mr. Sherman, I appreciate your answer.
    One of the concerns I have, however, is looking at, as a 
freshman legislator, I am probably bringing a different 
perspective, the time that it is taking to actually get these 
services migrated to either cloud-based solutions or other that 
can protect our assets. We talked about milCloud 2.0 being 
implemented in 2018, and here we are 3 years later with a very 
small percentage that have been migrated. How can we 
effectively speed things up in a way that will make sure that 
we are doing it in a thoughtful way but we are also protecting 
our assets?
    Mr. Sherman. Ma'am, I would just add, of the Defense 
agencies and field activities, the first 14 of them, in our 
first tranche, we moved 97 percent of their applications off 
legacy to cloud of the four areas I talked about, as well as 
the services have made great progress, shut down legacy data 
centers, and got to manage services like cloud. We are moving 
aggressively in this direction, recognizing the vulnerability 
of legacy to cybersecurity threats. So we appreciate your 
comments on that, ma'am.
    Mrs. Bice. Thank you.
    Mr. Chairman, I yield back.
    Mr. Langevin. Thank you, Mrs. Bice.
    Mr. Larsen is now recognized for 5 minutes.
    Mr. Larsen. Thank you, Mr. Chairman. Mr. Sherman, thanks 
for sticking around for my second round of questions. I 
appreciate it.
    I had a question regarding, first off, section 256 of the 
fiscal year 2020 NDAA, which required the DOD to develop an AI 
education strategy. And JAIC is responsible for that effort. Do 
you have an update on that?
    Mr. Sherman. Sir, I am going to have to take this for the 
record. The JAIC no longer reports to me directly, but they are 
close colleagues.
    We work hand in glove with them. But some of their specific 
initiatives, sir, I wouldn't feel comfortable articulating. I 
would defer that to General Groen and the JAIC leadership. So I 
would like to take that for the record to give you an accurate 
answer back on that, sir.
    [The information referred to can be found in the Appendix 
on page 46.]
    Mr. Larsen. That is fine.
    And then to follow up on some AI. I mentioned earlier, I 
asked if the DOD CIO had perspective on whether or not we are 
AI-ready. The National Security Commission on AI has a variety 
of goals, including to be AI-ready by 2025. Do you think the 
Department will be AI-ready by 2025?
    Mr. Sherman. Yes, sir. I think holistically we are doing 
the right things to be AI-ready. We talked about cloud a little 
bit here in terms of what we have for cloud to host AI 
capabilities and algorithms. The cybersecurity pieces I have 
talked about with Zero Trust are going to be critical for 
artificial intelligence. I will come back to our urgent and 
unmet need for an enterprise-wide cloud capability from 
headquarters to the tactical edge. That is going to be 
important for AI, and it will go to what Deputy Secretary Hicks 
announced last week with the AI and Data Accelerator 
initiative, or AIDA, as we are calling it, to be able to walk 
across combatant commands, and unlock the power of AI for the 
COCOMs [combatant commands] as well, using cloud-based 
technology. So I think we are leaning in the right direction, but 
we have got some work to do.
    Mr. Larsen. So on that point, though, then who is 
responsible, for lack of a better term, educating the COCOMs on 
the use of algorithms for purposes they define?
    Mr. Sherman. I think this is exactly the AIDA initiative 
that Deputy Secretary Hicks announced with these AI teams that 
will be going to the COCOMs, as well as data teams, ODTs, 
operational data teams, working together on both the data side 
and the AI side, starting at places like NORTHCOM [U.S. 
Northern Command], INDOPACOM [U.S. Indo-Pacific Command], and 
so on. Getting in there with the users and the various J-code 
staffs and so on, and working on everything from the algorithm 
development, building on say what Maven has done, and also on 
the data side working on things like Advana [advanced 
analytics], and what the data capabilities are and merging that 
together, so these teams that are coming out are going to be a 
key accelerator for that, sir.
    Mr. Larsen. Yeah. I might have missed it, but maybe I 
didn't, do you have an update, or are you directly involved 
with CMMC [Cybersecurity Maturity Model Certification], with 
the role cybersecurity plays with these smaller suppliers?
    Mr. Sherman. Sir, only insofar as I had one of my senior 
executives participate in the CMMC review which was conducted 
by A&S [Acquisition and Sustainment] as a subject matter expert 
to contribute to that. And 
then only as CMMC connects to our broader defense industrial 
base security that we are working through the strategic 
cybersecurity program. But directly, no, sir. CMMC I am aware 
of, but not directly leading.
    Mr. Larsen. I understand. We will follow up with other 
folks on that.
    With that, Mr. Chair, I will yield back.
    Mr. Langevin. Very good. Thank you, Mr. Larsen.
    The ranking member, Mr. Franklin, is going to be 
recognized.
    Mr. Franklin. Thank you, Mr. Chairman.
    Two follow-on questions. All of the services who have come 
before us have talked about the need for more folks trained in 
the area of cybersecurity. It is a hot job market in the 
outside private sector. What difficulties are you facing in 
hiring individuals with the skill sets you need? And what are 
you doing to address any shortfalls?
    Mr. Sherman. Sir, I think about this almost every day as I 
look out my window over at Crystal City, and as I walk out to 
my truck and look over at Rosslyn and the number of our private 
sector partners who are competing for some of the very same 
talent here. This gets to the cybersecurity workforce strategy 
I spoke about a minute ago. We have got to come at this 
differently here.
    We are using the Cyber Excepted Service as mentioned to get 
talent in here. We are using things like NSA educational 
programs to get to the colleges and institutions. We have to 
broaden the aperture on this, sir. I feel very strongly about 
this. This is going to take a whole-of-Nation approach. We talk 
about diversity being critical. And I mean diversity and not only 
race, gender, but also geographic placement. We can't keep 
going to the same wells and recruiting in the same places. I 
want to broaden the aperture of the sort of talent we can bring 
into the Department of Defense.
    We may need to think differently, too, working with our P&R 
[Under Secretary of Defense for Personnel and Readiness] 
colleagues about, I am not sure if we want to hire a data 
scientist for 30 years. Maybe she comes in for 3 or 4 years, 
gets the skills there, gets the patriotic duty for DOD and 
returns to the private sector, and then comes back to us in 
some number of years. We are going to have to work with our 
colleagues in Intelligence and Security on how we work 
clearance issues with that.
    I am both excited by this, but also daunted, because of the 
competitive environment in which we live with our private 
sector colleagues and the whole-of-Nation approach this is 
going to take to stand up against our adversaries, sir.
    Mr. Franklin. One last question. In the physical domain, a 
commander would be held accountable if he or she lost equipment 
or mishandled it. To what extent do you believe commanders are 
held sufficiently accountable for not caring for DOD 
information and system in their care?
    Mr. Sherman. Sir, this is an evolving era that we have 
talked about quite a bit. Part of the issue, and I felt 
passionately about this myself, if you roll out of a motor pool 
without proper ammunition, or fuel on your fighting vehicle, or 
off pushing the ship off the dock, et cetera, you are held 
accountable for that. Part of it has to get on how we can 
ensure that there is instrumentation and that the commanders, 
and the ship drivers, and the maneuver commanders, and others 
know what is going on on their weapons platform.
    So, if there is going to be accountability with this, we have 
got to be able to monitor what is actually going on there. And 
then what does it mean in terms of readiness? So that is an 
evolving discussion we are having again with our P&R colleagues 
on this.
    But what does cyber accountability mean? But one key thing 
on this, sir, that I am working to do, and this is an area that 
I want to inject here with you all on the legislative 
side, and industry partners, and elsewhere, we use terms like 
cyber hygiene, which can make people glaze over. Sir, I know 
you are a former operator. Sometimes with cyber hygiene my people 
go, "Well, that is something for the CIO, or the 6, the J6." I 
want to use a term called cyber survivability, this is 
something--as a former Bradley guy myself, this will get my 
attention, that if I am going to be taken down by this by an 
adversary, we have got to change how we think about 
cybersecurity. So sir, these are the kinds of things we are 
looking at. We need different tools in our tool box working 
with P&R. And we have brought this up to our leadership and we 
have some work to do on it, sir.
    Mr. Franklin. Thanks. And I agree. From a Navy standpoint, 
it has just always been known that the captain is ultimately 
responsible. It doesn't matter if he or she is on the bridge, 
if the ship goes aground, you are relieved of command. And at 
some point I think we are going to have to understand that the 
potential damage from cyber intrusions is going to be just as 
serious as any of those. But I appreciate your comments there.
    I yield back, Mr. Chairman.
    Mr. Langevin. Very appropriate comments, too, I would say.
    Thank you, Mr. Franklin.
    And Ms. Houlahan is now--before I go to Ms. Houlahan, I 
just want to remind members that as soon as we adjourn here, we 
will be going up to 2212 for the classified portion of this 
hearing. So I hope everyone can go up there for the classified 
portion.
    With that, Ms. Houlahan is now recognized for 5 minutes.
    Ms. Houlahan. Thank you.
    My last and final question has to do with our allies. And I 
had the opportunity to meet with several of their defense 
attaches. And they were talking about how their nations have 
implemented effective cybersecurity protocols, or at least what 
they believe to be effective cybersecurity protocols and 
managing potential cyber attacks and intrusions. And in their 
opinion, sometimes better than the United States. Has the DOD 
sought to work closely with our allies to determine what 
cybersecurity practices are working for other nations?
    Mr. Sherman. Absolutely, ma'am. One of the things I am 
privileged to do is work, for example, with our Five Eyes 
defense CIOs. As a matter of fact, just 2 weeks ago, we would 
have been meeting in person, but for COVID. But we held a 
multiday virtual conference going over not only cybersecurity, 
but how we can work together to modernize. As I work with my 
colleagues in the Five Eyes, but other nations as well, such as 
Singapore I had a meeting with recently.
    As we talk about things like Zero Trust, there may be 
different terminologies, but how do we segment networks? How do 
we instrument things? How do we train our workforce, back to 
the talent piece? So yes, ma'am, we have robust conversations. 
And one thing coming from the intelligence side having the 
privilege to work with allies for many years, we in the United 
States do a lot of things right, but we have a lot to learn 
from allies, too. And I value that highly. And many of them are 
women and men who have great experience in the private sector 
before they went to their governments. And, so, we do have very 
active discussions on this area, ma'am.
    Ms. Houlahan. Has there been discussion in the DOD or with 
our allies about developing a formal comprehensive approach to 
cybersecurity or global cyber infrastructure?
    Mr. Sherman. So some of this would get into probably--in 
terms of cybersecurity, I don't think that we have talked 
formally about that. I would also have to defer to General 
Nakasone through CYBERCOM, some of those channels, what he may 
be setting up. So I will take that one for the record and make 
sure we get you a whole answer. But from the CIO side, we do 
have a lot of engagements, but maybe not quite to the level of 
a formal structure that you are getting at on that, ma'am.
    [The information referred to can be found in the Appendix 
on page 46.]
    Ms. Houlahan. Thanks.
    And my last question is something that you talked about 
with kind of the workforce coming in and out, starting with you 
all as an example, and then going to the private sector and 
then perhaps looping back around later on mid-career, and you 
talked about something that is an important part of that, which 
is clearances.
    Can you reflect for a little bit on what does that mean? 
How do--I am a person who held a TS/SCI clearance decades ago, 
came back around, and now I am here again, and we have a very 
different process, which we can talk about later on, how we 
reestablish those clearances here. But how would that happen? 
And is there anything congressionally or federally that we can 
be doing to make that easier for people?
    Mr. Sherman. Ma'am, I would really have to defer to my 
colleagues in Intelligence and Security and DCSA [Defense 
Counterintelligence and Security Agency], but I would just 
flag, as someone who has worked in intelligence and now seen 
how this would work, we are going to have to get our head 
around this. As a person leaves government service, works in a 
private sector, academic setting, they are necessarily going to 
have foreign contacts in a globalized--and I know you are well 
aware of this, ma'am, and when they come back, let's say they 
want to come back at a higher rank, maybe a slightly different 
role, we are going to have to figure out how we don't make them 
wait 12-, 18-plus months. And so I think this is something we 
need to look at.
    And, again, on the cyber workforce strategy, this is 
something I want to start to put some markers down as really 
firm requirements for us to think differently because the more 
we reflect on this, 30-year careers may work for some, but as 
we look at the digital and cyberspace, this is not going to be 
best for us, back to as we were talking, from a whole-of-nation 
approach.
    So I don't know if we need anything legislatively just yet, 
but I think we need to get our head around kind of what the 
steps of this would look like, ma'am.
    Ms. Houlahan. Thank you.
    And one final comment, I really was interested in the 
ranking chair's comments about, kind of how we have 
responsibility to understand what the liabilities are and, 
frankly, the punishments are for people who are in command and 
control of cyberspace, so to speak, and I am really intrigued 
and would look forward to learning more about that with 
everybody on the committee.
    Mr. Sherman. Yes, ma'am. And nothing to add on that, but 
just recognizing cyber accountability, maybe a new term, is 
something we definitely need to consider the same as poor 
maintenance or poor training as before a unit pushes out.
    So thank you, ma'am.
    Ms. Houlahan. Thank you. I yield back.
    Mr. Langevin. Thank you, Ms. Houlahan.
    Mr. Moore is now recognized for 5 minutes.
    Mr. Moore is still with us?
    Okay. I will hold there. I am going to yield to Ms. Bice 
for 5 minutes.
    Mrs. Bice. Thank you, Mr. Chairman.
    And I actually want to really tack on to Representative 
Houlahan's comments about the clearance process. I think one of 
the things that we have heard over and over is that it is 
taking too long, and sort of to that point, when we are talking 
about recruitment, we often think of sort of the high-tech 
universities, maybe west coast universities, the Stanfords of 
the world to go recruit from.
    What are you all doing to really look at other institutions 
of higher learning that have a fantastic program that maybe 
hadn't been thought of in the past? And I will use a university 
in Oklahoma. The University of Tulsa has a fantastic cyber 
program that they are really doing some innovative work in. How 
are you looking at this from a workforce standpoint?
    Mr. Sherman. So I will tell you how we are looking from 
CIO, and I think our P&R colleagues could absolutely amplify 
this with greater detail. The NSA accreditation--and I don't 
have the list here in front of me of several hundred 
institutions, again, from junior colleges, and I would have to 
look in the State of Oklahoma, ma'am, but I know there is 
several there, to be able to--and partner institutions together 
to help bootstrap each other, as some have gotten the 
accreditation to get the students there, and this is what I 
really feel strongly about. I come from a rural area myself, La 
Ward, Texas. You know, everywhere from very rural areas to 
urban areas, from mainland U.S. to U.S. territories, it is 
going to take us looking very broadly.
    So to your point, that is one thing I am trying to push as 
CIO through this upcoming workforce strategy. I will say I 
believe recruitment has expanded over the last several years 
into these areas, and the NSA accreditation that General 
Nakasone's team lead has helped, again, anywhere from 2-year 
junior colleges up to 4-year institutions, major Big 12 or Big 
Ten schools and SEC [Southeastern Conference], and so on, all 
across the Nation, to be able to do that. So that is what we 
are trying to do to broaden the aperture, and also maybe 
looking at--we do have a new tool we are looking at, kind of 
matching talent to job positions, looking more broadly beyond 
just the degree they have, what types of experiences they have, 
to be able to get folks in there. And this is, of course, 
something that the private sector, I know you noted, ma'am, is 
looking very carefully at, too, in terms of what degree 
requirements does someone really need to be a coder? How do we 
get them in the door?
    So those are the kind of things I am, again, excited and 
daunted by. But I think if we get this right, this is what is 
going to give us the advantage on the PRC [People's Republic of 
China] and others. We have got the talent out there. We just 
have got to get them in the door.
    Mrs. Bice. It is fantastic to hear you talk about that. And 
Representative Houlahan and I sit on the Supply Chain Task 
Force that has been talking a lot about workforce and how do we 
engage various, you know, young people and getting engaged in 
this that may not be going to a 4-year college, but still have 
the aptitude to be able to engage in these conversations. So I 
appreciate your comments on that.
    If you could kind of pivot for just a minute. Can you 
talk a little bit about how you are coordinating with other 
government agencies, CISA for example, to really look at a 
whole-of-government approach in protecting our assets and 
addressing cybersecurity issues? We have seen all of these 
intrusions lately. And, so, it is not just DOD that could be 
impacted, but you have all of these other agencies that are 
also kind of coordinating. Can you talk a little bit about 
that?
    Mr. Sherman. Yes. Well, there is the interagency process. 
My friend and colleague, Anne Neuberger up at the NSC [National 
Security Council] is a Deputy National Security Advisor up 
there and, of course, we have Mr. Inglis is the National Cyber 
Director. Through their various forums through the National 
Security Council, and so on, we have the new cyber executive 
order has been a good thing to help us unify as a government on 
these things. And, of course, there is other governance fora we 
have. The Federal CIO has meetings as well as with the Federal 
CISO [chief information security officer]; and also the kind of 
informal networks we have with DHS, CISA, with other agencies, 
and, of course, with where I come from, the intelligence 
community, governance bodies we have on national security 
systems, on things like accreditation and looking at policies 
and practices.
    So there is quite a bit--you noted CISA, obviously, close 
work and they have the .gov and helping secure the Federal 
side. And then also, we have what we are doing through the 
Joint Force Headquarters, DODIN, JFHQ-DODIN [Joint Force 
Headquarters Department of Defense Information Network], that 
General Skinner leads, has much contact with them. So I think 
there is robust dialogue back and forth, and best practices. 
And I do have to say, the cyber EO [executive order] and the 
focus that we have there has helped us kind of unify around 
some best practices, everything from Zero Trust supply chain to 
how we are going to look at these problems, ma'am.
    Mrs. Bice. Thank you.
    Mr. Chairman, I yield back.
    Mr. Langevin. Thank you, Ms. Bice.
    That concludes the member questions as I understand it. So 
with that, the subcommittee will recess, and then we will 
immediately reconvene in 2212 for the classified portion of 
this hearing.
    The committee stands in recess.
    [Whereupon, at 5:09 p.m., the subcommittee proceeded in 
closed session.]

     
=======================================================================

                            A P P E N D I X

                             June 29, 2021
      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             June 29, 2021

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
      
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                             June 29, 2021

=======================================================================

      

            RESPONSES TO QUESTIONS SUBMITTED BY MR. LANGEVIN

    Mr. Sherman. The DOD defines the Cyberspace Workforce in DOD 
Directive 8140.01 as ``personnel who build, secure, operate, defend, 
and protect DOD and U.S. cyberspace resources; conduct related 
intelligence activities; enable future operations; and project power in 
or through cyberspace.'' It is comprised of 54 work roles and 5 
elements: Information Technology (IT), Cybersecurity, Cyberspace 
Effects, Intelligence (Cyberspace), and Cyberspace Enablers. The Cyber 
Operations Forces (COF) are included in the broader Cyberspace 
Workforce and consist of ``Units organized, trained, and equipped to 
conduct offensive cyberspace operations (OCO), defensive cyberspace 
operations (DCO), and DOD Information Network (DODIN) operations.'' The 
DOD CIO, in coordination and consultation with U.S. Cyber Command 
(USCYBERCOM) and the Components, has developed foundational 
qualification standards for the Cyber Workforce in accordance with DOD 
Directive 8140.01. USCYBERCOM is authorized to augment Enterprise 
qualification requirements with focused training requirements to meet 
specialized mission objectives, which extends to the COF.   [See page 
6.]
    Mr. Sherman. Regarding whether Cyberspace Operations Forces will 
have dedicated elements for IOT cybersecurity, the DOD Cybersecurity 
Program is applicable to all DOD systems and technology types. 
Likewise, the Cyber Mission Force is organized, trained, and equipped 
to operate, protect and defend in all mission environments. Dedicated 
forces solely for ``operational technology (OT) cybersecurity'' are not 
feasible as most DOD systems are comprised of many different technology 
types. To enhance the cybersecurity risk posture of all systems and 
ensure readiness, the DOD CIO and U.S. Cyber Command are integrating 
the DOD Cybersecurity Program and the Cyber Operations Program. This 
integration will inform and mature the skill sets of the cyber mission 
force to ensure they have the requisite skills to protect and restore 
critical systems that enable the Department to successfully accomplish 
its various missions and operations in a cyber-contested environment.   
[See page 7.]
                                 ______
                                 
            RESPONSES TO QUESTIONS SUBMITTED BY MS. HOULAHAN
    Mr. Sherman. At the awareness level, the primary purpose of Cyber 
Awareness Challenge, mandated to be taken by all DOD personnel 
annually, is to influence behavior, focusing on actions that authorized 
users can engage to mitigate threats and vulnerabilities to DOD 
Information Systems, and that the users themselves are a critical link 
protecting DOD information and information technology (IT). The Cyber 
Awareness Challenge content works to encourage cyber citizenship and 
digital leadership by providing users with an awareness needed to 
maintain a degree of understanding about cybersecurity policies and 
doctrine commensurate with their responsibilities. All users must be 
capable of appropriately reporting and responding to suspicious 
activities and know how to protect the information and IT systems to 
which they have access. The course provides an overview of 
cybersecurity threats and encourages users to maintain awareness of and 
stay up to date on new cybersecurity threats. The training also 
reinforces best practices to keep both DOD and personal information 
secure and stay abreast of changes in DOD cybersecurity policies. 
Course content is based on the requirements addressed in Congressional 
Legislation, Federal and DOD policies, and from DOD Component community 
input from the DOD CIO chaired Cyber Workforce Advisory Group (CWAG). 
An example below of new DOD Component community input that will be 
added to the 2022 version to be fielded on October 1, 2021 is content on 
disinformation. ``Adversaries exploit social and other media to share 
and rapidly spread false or misleading news stories and conspiracy 
theories about U.S. military and national security issues. Using fake 
accounts on popular social networking platforms, these adversaries:
      Disseminate fake news, including propaganda, satire, 
sloppy journalism, misleading headlines, and biased news
      Share fake audio and video, which is increasingly 
difficult to detect as the creation technology improves
      Gather personal information shared on social media to 
devise social engineering attacks
      Most media messages intend to influence you, if only to 
attract traffic.
    Ask yourself:
      Who provided the information, and why?
      How does the information provider want you to act?
      Whose interests would your reaction serve?''
    The depth of understanding of the Cyber Awareness Challenge is 
mapped to the Cybersecurity Essentials concept as described in the 
Information Technology Security Learning Continuum Model found in the 
National Institute of Standards and Technology (NIST) Special 
Publication (SP) 800-16. The Draft NIST SP 800-16 Revision 1 (3rd 
Draft), titled ``A Role-Based Model for Federal Information Technology/
Cyber Security Training,'' dated March 2014, describes Cybersecurity 
Essentials. Cybersecurity Essentials, in addition to knowledge gathered 
via security awareness, provides a general introduction to 
cybersecurity. The concept of Cybersecurity Essentials is not computer 
literacy as this concept refers to an individual's familiarity with a 
basic set of knowledge that is needed to use and maintain a computer. 
Cybersecurity Essentials refers to an individual's familiarity with--
and ability to apply--a core knowledge set required to protect 
electronic information and systems.   [See page 12.]
    Mr. Sherman. DOD's approach to cybersecurity with respect to allies 
is directed by the classified International Cyberspace Security 
Cooperation Guidance. Along with the Department of State, DOD seeks 
like-minded partners who will stand with us to reinforce responsible 
state behavior in cyberspace and push back on the authoritarian regimes 
that seek to control access to information and expand the surveillance 
state. The Department has been quite active in sharing its views about 
the cybersecurity risks of telecommunications infrastructure provided 
by companies with ties to authoritarian regimes. Further, the 
Department has expressed the importance of countries building 5G 
networks that rely on infrastructure and equipment that meets our 
cybersecurity standards.   [See page 20.]
                                 ______
                                 
              RESPONSE TO QUESTION SUBMITTED BY MR. LARSEN
    Mr. Sherman. The Department of Defense Artificial Intelligence 
Education Strategy, developed in response to Section 256 of the FY20 
NDAA, is the foundation for the JAIC-led pilot training programs based 
on AI archetypes and concentrations designed to differentiate AI 
learning needs across the entire DOD workforce, from the AI developers 
to the administrative assistants. Since October 2020, the JAIC has 
launched four pilots--they target DOD leadership, product managers, 
acquisition professionals, and data scientists. At present, three of the 
pilots are currently underway, and one has successfully been completed. 
Each of the pilots is designed to improve the skill sets of the 
current workforce and to encourage cross collaboration across the 
commands through the interaction of its students in a common learning 
environment. The JAIC is currently evaluating these early pilots to 
assess their effectiveness in meeting the DOD needs of AI education at 
scale. As the Department moves toward further implementation and 
integration of AI capabilities, it will be paramount for the DOD to 
adopt scalable training and education practices. DOD stands at a 
critical juncture in history, where adopting AI capabilities at speed 
and scale is essential to maintain military advantage. DOD must not 
only develop world class AI practitioners to make AI real at the 
Department, but must also ensure the entire DOD workforce is ready and 
capable to employ AI capabilities in their respective areas of 
responsibility. It is important that the DOD AI training strategy is 
constantly updated to ensure new developments in the field are 
incorporated into the training to ensure DOD's competitive edge against 
our adversaries.   [See page 17.]

     
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             June 29, 2021

=======================================================================

      

                    QUESTIONS SUBMITTED BY MR. BANKS

    Mr. Banks. Mr. Sherman, Purdue University and Carnegie Mellon 
University, in partnership with industry, recently launched a research 
effort to study the use of AI for intrusion detection in resource-
limited embedded systems.
    Artificial intelligence, as you know, is one of the most effective 
methods to detect undesired or anomalous behaviors within systems. 
However, traditional AI requires significant computing resources that 
may not be available in challenging operating environments, like 
aircraft engines, where high-temperatures, high-vibration and high-
noise levels require robust, and often less-sophisticated, embedded 
systems.
    Given your view of the future threat environment, and the DOD's 
intention to procure new combat systems--like hypersonics--how critical 
is it that we fund and develop threat detection capability for embedded 
systems that can operate in harsh environments?
    Will you commit to working with Purdue, and their partners to 
ensure we mature this capability?
    Mr. Sherman. The Department concurs that employment of threat 
detection capability for embedded systems that can operate in harsh 
environments is critical. Artificial intelligence (AI) at-the-edge, 
where data can be analyzed in near-real time or real time, will provide 
key insights into current or future performance for critical systems 
such as aircraft engines. However, the data with which these algorithms 
are developed, trained, and tested can be as important (if not more so) 
than the algorithms themselves. Sensors currently exist that enable 
real-time data collection in these highly-dynamic, harsh environments. 
This data can be leveraged in compute-rich environments to develop AI/
machine learning (ML) models for deployment to the edge. Once deployed, 
these embedded algorithms can analyze this critical data to provide 
predictions and analytics in a future threat environment. DOD has 
partnered with universities and companies looking to leverage AI and 
anomaly detection to enhance the cybersecurity of embedded sensors and 
software. At a high-level, this is very similar to how the DOD cyber 
protection teams are using AI/ML today; with tools developed by the 
JAIC and others. Since data is the foundation for AI, each of these 
sensors/embedded systems become a potential target for corrupted or 
manipulated data; and from an autonomous cyber perspective, they each 
could be a potential inject point for a cyber exploit. DOD CIO has 
identified threat detection in this environment as critical to assuring 
the safety of our warfighters and success of our mission. DOD CIO and 
the Defense Information Systems Agency (DISA) recently initiated the 
deployment of an AI/ML-based cybersecurity capability for industrial 
control systems (ICS) defense. This work is based on the capability to 
monitor spacecraft behavior that exhibits the same methodical and well-
characterized traffic that ICS exhibit. DOD CIO is committed to working 
with OUSD(R&E), the Services, the Defense Industrial Base (DIB), 
academia, DISA and the Joint Artificial Intelligence Center (JAIC) to 
employ diverse partnerships, such as with Purdue, Carnegie Mellon, and 
others, to enhance our cyber-secure future.
    Mr. Banks. Mr. Sherman, mobile devices are the current and future 
of compute--with massive investment and innovation from the commercial 
sector. How is the Department using mobile devices today? What plans do 
you have to leverage technologies like 5G in order to support the use 
of mobile devices within the broader national security infrastructure? 
How are you securing those devices? Many governments, including the 
United States, ban commercial smartphones and tablets in secure spaces 
due to security risks, which impacts accessibility, productivity, and 
the ability of the Department to recruit people who have become reliant 
on their mobile devices. What is your plan to securely enable mobile 
devices at work, at home and on the move? Finally, how does the 
Department control RF emissions and our adversaries' use of them to 
target mobile users?
    Mr. Sherman. The DOD is employing mobile devices today. With our 
Microsoft Office 365 (O365) deployment of e-mail, chat, and 
communication tools, the Department is taking a measured approach that 
balances accessibility and security. Government-furnished mobile phones 
provide access to O365 tools through the native application. There are 
also multiple ongoing pilots by the Army, Navy, Air Force, National 
Guard, and Defense Information Systems Agency (DISA) to enable access 
from personal mobility devices utilizing modern commercial 
cybersecurity tools, or via virtualization from a remote, secure 
infrastructure. DOD is also planning for technologies like 5G to 
support mobility. The deployment of 5G will significantly broaden the 
use of mobile devices across all aspects of the Department's 
infrastructure--including in physical security, logistics, 
transportation, maintenance, training, command and control, and combat 
operations. We are currently piloting each of these applications in 10 
experiments across 11 DOD installations in the Continental United 
States and Hawaii. The results of these projects will be foundational 
for the plan to transition 5G technology to operational use within DOD, 
as stipulated in Section 224 of the Fiscal Year 2021 National Defense 
Authorization Act. To secure these devices, DOD is actively 
implementing cybersecurity principles and techniques in all aspects of 
its 5G technology development and deployment--including in supply chain 
risk management, zero-trust network implementation, and the use of 
high-resiliency operational techniques. DOD actions to secure the 5G 
supply chain are consistent with the National Strategy to Secure 5G and 
are in accordance with the DOD 5G Strategy Implementation Plan. The DOD 
is engaged in Defense Industrial Base (DIB) consortiums established to 
protect national security interests. Further, DOD is developing 5G-
specific Supply Chain Risk Management standards through the North 
American Alliance for Telecommunications Industry Solutions (ATIS). DOD 
makes extensive use of mobile devices at home and on the move. The 
Department also makes extensive use of properly secured laptops and 
tablets at work, including in secure spaces. There are numerous 
issuances that govern the use of commercially available unclassified 
and classified mobile devices and technologies in DOD-accredited 
classified spaces. DOD balances the risk of compromise of classified 
information with mission capability very carefully. In many cases, the 
risk is determined too great to integrate mobile technologies in these 
spaces. During the COVID-19 pandemic, the Department adapted to remote 
work through the largest deployment of Microsoft Teams in history. As we 
plan for a return to work, DOD is diligently working to find the 
correct balance between capability and security. DOD goes to great 
lengths to keep foreign adversaries from introducing radio frequency 
(RF) listening devices, or ``bugs,'' into our classified environments. 
DOD personnel bringing smartphones and tablets into these spaces could 
enable hostile monitoring of classified conversations through embedded 
and undetected malware, doing our adversaries' work for them. Physical 
security issuances provide guidance for RF shielding protecting 
classified spaces as well as restrictions on the introduction of mobile 
devices to prevent compromise of classified information.
                                 ______
                                 
                  QUESTIONS SUBMITTED BY MS. HOULAHAN
    Ms. Houlahan. Back in April, I sent a letter to Secretary Austin 
with several of my colleagues asking the DOD to implement mandatory 
training on digital literacy and cyber citizenship within the DOD. The 
proposed defense budget would set aside $30.8 million to help the 
Pentagon improve tools to identify and address extremism among troops, 
and enhance training at all levels. It also includes $9.1 million to 
take initial steps to fight extremism and insider threats.
    Can you share in a bit more detail what these tools and trainings 
would look like?
    Mr. Sherman. DOD CIO supports OUSD(I&S) efforts to take essential 
steps to fight extremism and insider threats through the proposed Non-
Secure Internet Protocol Router (NIPR) User Activity Monitoring (UAM) 
program described in the $9.5 million request. UAM provides a technical 
capability to observe and record the actions and activities of an 
individual at any time on select Non-Secure Internet Protocol Router 
(NIPR) devices accessing U.S. Government information in order to detect 
insider threats. The NIPR UAM capability provides the Department with 
the ability to detect and monitor leading indicators of concern on the 
unclassified IT system. The Department's ``Countering Extremist Activity 
Working Group'' is exploring multiple actions to enhance Insider Threat 
(InT) awareness training which are still being reviewed. While those 
recommendations are being finalized, the Office of Under Secretary of 
Defense for Intelligence & Security (OUSD(I&S)) is: (1) collaborating 
with the Common Military Training Working Group to include InT 
awareness training and requirements for the services in an efficient 
and effective manner; (2) reviewing the Cyber Awareness Challenge and 
InT trainings provided by Defense Counterintelligence and Security 
Agency (DCSA) Center for Development of Security Excellence (CDSE) for 
recommended updates to address extremist activities/behaviors; and (3) 
partnering with Department stakeholders to produce additional training 
tools, including graphic novels and leadership training videos, to 
assist with identifying, addressing, and mitigating extremist 
activities and other behaviors of concern. The $30.8M is contained 
within the Defense Counterintelligence and Security Agency (DCSA)'s FY 
2022 President's Budget request, as follows:
      User Activity Monitoring: +$9.5M/3 Full-time Equivalents 
(FTEs) in O&M, DW (DCSA OP-5 Increase Statement #1)
      Vetting Risk Operations Center: +$12.5M O&M,DW/7 FTEs 
(DCSA OP-5 Increase Statement #5); +$8.8M in RDT&E,DW (DCSA RDT&E, DW 
Line 230, PE 0305128V, Security and Investigative Activities)
    Additionally, the Vetting Risk Operations Center (VROC) 
incorporates Publicly Available Electronic Information (PAEI), 
including social media, into background investigations in accordance 
with Security Executive Agent Directive 5 (SEAD-5) and aligned to the 
Trusted Workforce 2.0 personnel vetting reform initiative. PAEI also 
fulfills the Secretary's requirements to improve the vetting of 
International Military Students who intend to or are currently 
receiving training within the continental U.S. This effort funds 
collection, analysis and reporting of PAEI, including social media, in 
support of national security eligibility determinations. The PAEI 
investment will deliver a capability to support DOD requirements for 
enhanced personnel security as directed in the Intelligence 
Authorization Act for Fiscal Year 2016 (division M, P.L. 114-113), and 
aid in the execution of continuous vetting in accordance with 
direction of the Security and Suitability Executive Agents.
    Ms. Houlahan. I recently met with several defense attaches who 
shared how their nations are implementing effective cybersecurity 
protocols and managing potential cyber attacks/intrusions, sometimes 
better than the United States.
    Has the DOD sought to work closely with our allies to determine 
what cybersecurity practices are working well for other nations?
    Has there been any discussion in the DOD or with our allies about 
developing a comprehensive approach to cybersecurity or a global cyber 
infrastructure?
    Mr. Sherman. The DOD continues to share US Government (USG)-
approved cybersecurity standards such as the National Institute for 
Standards and Technology (NIST) framework with partners. However, the 
Department is always interested in learning how our allies are tackling 
problems of interest to DOD too. We regularly engage on a bilateral and 
multilateral basis to share best practices with mission partners and to 
proliferate cybersecurity best practices and standards. Of note, DOD 
generally cites the NIST standards both in our international 
engagements and when developing security cooperation cyber security 
programs with partners. Also, DOD CIO publishes a cybersecurity 
reference and resource guide for the department that is just as 
applicable for international partners. DOD's approach to cybersecurity 
with respect to allies is directed by the classified International 
Cyberspace Security Cooperation Guidance. Along with the Department of 
State, DOD seeks like-minded partners who will reinforce responsible 
state behavior in cyberspace and push back on the authoritarian regimes 
that seek to control access to information and expand the surveillance 
state. The Department has been quite active in sharing its views about 
the cybersecurity risks of telecommunications infrastructure provided 
by companies with ties to authoritarian regimes. The Department has 
expressed the importance of countries building 5G networks that rely on 
infrastructure and equipment that meets DOD's cybersecurity standards.
    Ms. Houlahan. During my time in Congress, I have advocated 
vigorously for investment in DOD STEM to ensure cyber professionals 
remain competitive and meet the needs of the future's workforce. To 
that end, I am interested in your perspective on Cyber Excepted 
Service.
    At a hearing in April before the Senate Armed Services Personnel 
Subcommittee, the Acting Secretary for Defense for Civilian Personnel 
Policy testified on how important Cyber Excepted Service authorities 
have been to enhancing recruitment of cyber professionals, pointing to 
the flexibility in compensation and classification of work requirements 
as examples of how the program has been able to better meet targeted 
cyber needs. We've also received testimony in this Subcommittee from 
the U.S. CYBERCOM Commander that mission and the opportunity to work 
with colleagues of such high caliber provide a more unique and 
important competitive advantage than compensation when competing with 
commercial industry. I'd like to hear your take on what is and 
isn't working with Cyber Excepted Service from an IT perspective rather 
than a personnel perspective. Do you agree with these assessments? What 
do you want Congress to know about what is and isn't working as we 
continue to examine these and other authorities to meet DOD's cyber 
needs?
    Is the program equally effective from both a recruitment and 
retention perspective? How are we making these cyber positions 
competitive to retain highly qualified individuals and prevent them 
from moving on to the private sector?
    Mr. Sherman. The Department of Defense is appreciative of the 
authorities and flexibilities afforded by Congress to implement the 
Cyber Excepted Service (CES). Since October 2018, US Cyber Command 
(USCC) continues to see positive improvements to the recruiting and 
hiring timeline with the use of CES authorities. Some metrics provided 
below:
      Since CES implementation, USCC conducted 19 recruiting/
hiring events resulting in 150+ job offers (including same-day offers 
during the hiring events on 18 May, 2018, and 28 August, 2019), met 
over 3,300 candidates and built a repository of 5,000+ resumes.
      CES authorities decreased their hiring timeline by 45 
percent. The average timeline to receive a Tentative Job Offer started 
at 111 days prior to CES and reduced to less than 60 days pre-COVID. 
This is separate from the security clearance process and associated 
timelines.
      Despite the nation-wide impacts of COVID-19, USCC found 
alternative ways to onboard new talent. In 2020, USCC added over 70 new 
cyber warriors to their formation.
      In 2019, the Command offered $270K in recruitment 
incentives and over $80K in relocation incentives.
      In 2020, USCC offered over $375K in recruitment 
incentives and over $40K in relocation incentives to attract high-
quality civilians with competitive compensation packages.
      In 2021, USCC offered $219K in recruitment and retention 
packages. A key program enhancement has been the development of CES 
Target Local Market Supplement (TLMS), a monetary compensation tool 
used to incentivize seven critical work roles. The TLMS addresses 
recruiting and retention challenges of these critical work roles due to 
excessive vacancy and attrition rates.
      To date, USCC paid $40K in support of TLMS and 
anticipates paying $60K by the end of this FY.
      The Department continues to explore this new authority 
and use it as a tool to attract our best and brightest cyber warriors.
                                 ______
                                 
                    QUESTIONS SUBMITTED BY MR. MOORE
    Mr. Moore. Now that a Federal judge recently rejected the 
government's motion to dismiss the JEDI protest, what is the DOD doing 
to meet this pressing need?
    Mr. Sherman. The Department continues to have unmet cloud 
capability gaps for enterprise-wide, commercial cloud services at all 
three classification levels that work from the home front out to the 
tactical edge, at scale. In the three-and-a-half years since the 
Department developed its enterprise cloud needs, the cloud computing 
industry has undergone significant technical advancements and 
marketplace changes. The Department has itself matured in its cloud 
technology utilization. Additionally, a number of new programs, 
including Joint All Domain Command and Control (JADC2) and the 
Artificial Intelligence (AI) and Data Acceleration (ADA) initiative, 
have impacted the Department's enterprise cloud needs. As it exists, 
the JEDI Cloud solution no longer supports the technical requirements 
of the Department. In a commitment to filling our unmet capability 
gaps, on 6 July, 2021, the DOD canceled the JEDI Cloud Request for 
Proposals (RFP), began the process to terminate the JEDI contract, and 
issued a Pre-Solicitation Notice for a new contract action, the Joint 
Warfighting Cloud Capability (JWCC). The JWCC is a multi-award/multi-
vendor cloud solution with a performance period of no more than five 
years, if all the options are exercised. The JWCC will allow for vendor 
competition at the task order level and will help drive innovation and 
pricing to the benefit of the Department. Additionally, in a multi-
vendor environment, DOD Components will be able to consider varying 
approaches to their specific cloud computing needs and will be able to 
choose the vendor whose capabilities best suit their missions. DOD is 
actively pursuing the JWCC contract and is in the process of completing 
its market research by conducting technical engagements with each of 
the U.S.-based hyper-scale Cloud Service Providers (CSPs) to evaluate 
if they meet DOD's requirements. The intent is to provide the 
Warfighter with an enterprise multi-vendor cloud solution as quickly as 
possible. The Department intends to make awards within the next 8-12 
months.
    Mr. Moore. The DOD OCIO's December 2020 report on the status of 
implementation of 21st Century IDEA states that the Department ``is 
working to ensure each department or command has selected a 21st 
Century IDEA designee responsible for coordinating the implementation 
of IDEA requirements.''
    What is the status of this requirement? Has every required 
department or command identified a 21st Century IDEA lead? Can you 
provide that list to the committee? Will the Department be requesting 
funding in future year budgets to meet these requirements?
    Mr. Sherman. The Department identified a 21st Century IDEA designee 
from each required Service CIO, Washington Headquarters Services, and 
relevant Defense Agencies and Field Activities. To further support the 
implementation of the IDEA requirements, DOD CIO established the 21st 
Century IDEA Working Group that meets quarterly to coordinate on OMB 
and Congressional reporting. The Department is committed to meeting the 
legal requirements of the IDEA Act and has established an environment 
that fosters open communication and sharing of ideas, lessons learned, 
and dialog for future opportunities for standardization. The DOD CIO 
plans to utilize the 21st Century IDEA Working Group to continue open 
dialog on the improvement and standardization of customer experience 
and digital services, and ensure that resource gaps are identified and 
addressed.