[Senate Hearing 115-837] [From the U.S. Government Publishing Office] S. Hrg. 115-837 JOINT HEARING TO RECEIVE TESTIMONY ON THE CYBER OPERATIONAL READINESS OF THE DEPARTMENT OF DEFENSE (OPEN SESSION) ======================================================================= HEARING before the SUBCOMMITTEE ON CYBERSECURITY and the SUBCOMMITTEE ON PERSONNEL of the COMMITTEE ON ARMED SERVICES UNITED STATES SENATE ONE HUNDRED FIFTEENTH CONGRESS SECOND SESSION __________ SEPTEMBER 26, 2018 __________ Printed for the use of the Committee on Armed Services [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via http://www.govinfo.gov/ ______ U.S. GOVERNMENT PUBLISHING OFFICE 40-883 PDF WASHINGTON : 2020 COMMITTEE ON ARMED SERVICES JAMES M. INHOFE, Oklahoma, JACK REED, Rhode Island Chairman BILL NELSON, Florida ROGER F. WICKER, Mississippi CLAIRE McCASKILL, Missouri DEB FISCHER, Nebraska JEANNE SHAHEEN, New Hampshire TOM COTTON, Arkansas KIRSTEN E. GILLIBRAND, New York MIKE ROUNDS, South Dakota RICHARD BLUMENTHAL, Connecticut JONI ERNST, Iowa JOE DONNELLY, Indiana THOM TILLIS, North Carolina MAZIE K. HIRONO, Hawaii DAN SULLIVAN, Alaska TIM KAINE, Virginia DAVID PERDUE, Georgia ANGUS S. KING, JR., Maine TED CRUZ, Texas MARTIN HEINRICH, New Mexico LINDSEY GRAHAM, South Carolina ELIZABETH WARREN, Massachusetts BEN SASSE, Nebraska GARY C. PETERS, Michigan TIM SCOTT, South Carolina JON KYL, Arizona Christian D. Brose, Staff Director Elizabeth L. King, Minority Staff Director Subcommittee on Cybersecurity MIKE ROUNDS, South Dakota, BILL NELSON, Florida Chairman CLAIRE McCASKILL, Missouri DEB FISCHER, Nebraska KIRSTEN E. GILLIBRAND, New York DAVID PERDUE, Georgia RICHARD BLUMENTHAL, Connecticut LINDSEY GRAHAM, South Carolina BEN SASSE, Nebraska Subcommittee on Personnel THOM TILLIS, North Carolina, KIRSTEN E. GILLIBRAND, New York Chairman CLAIRE McCASKILL, Missouri JONI ERNST, Iowa ELIZABETH WARREN, Massachusetts LINDSEY GRAHAM, South Carolina BEN SASSE, Nebraska (ii) C O N T E N T S September 26, 2018 Page Joint Hearing to Receive Testimony on the Cyber Operational 1 Readiness of the Department of Defense (Open Session). Crall, Brigadier General Dennis A., USMC, Principal Deputy Cyber 4 Advisor and Senior Military Advisor for Cyber Policy. Miller, Essye B., Principal Deputy, Department of Defense Chief 7 Information Officer. Stewart, Lieutenant General Vincent R., USMC, Deputy Commander, 9 United States Cyber Command. Fogarty, Lieutenant General Stephen G., USA, Commander, U.S. Army 11 Cyber Command. Questions for the Record......................................... 25 (iii) JOINT HEARING TO RECEIVE TESTIMONY ON THE CYBER OPERATIONAL READINESS OF THE DEPARTMENT OF DEFENSE (OPEN SESSION) ---------- WEDNESDAY, SEPTEMBER 26, 2018 United States Senate, Subcommittee on Cybersecurity and Subcommittee on Personnel, Committee on Armed Services, Washington, DC. The Subcommittees met, pursuant to notice, at 2:43 p.m. in Room SD-106, Dirksen Senate Office Building, Senator Mike Rounds (Chairman of the Subcommittee on Cybersecurity) and Senator Thom Tillis (Chairman of the Subcommittee on Personnel). Members present: Senators Rounds and Tillis, presiding, Wicker, Fischer, Nelson, Gillibrand, McCaskill, and Warren. OPENING STATEMENT OF SENATOR MIKE ROUNDS Senator Rounds. The Cybersecurity and Personnel Subcommittees meet this afternoon to receive testimony on the cyber operational readiness of the Department of Defense. Our witnesses are Brigadier General Dennis Crall, Principal Deputy Cyber Advisor and Senior Military Advisor for Cyber Policy; Ms. Essye Miller, Principal Deputy, Department of Defense Chief Information Officer; Lieutenant General Stephen Fogarty, Commander, U.S. Army Cyber Command; and Lieutenant General Vincent Stewart, Deputy Commander, United States Cyber Command. Welcome. This hearing will commence in open session in which Senators Tillis, Nelson, and Gillibrand will all make a few opening remarks. At the conclusion of Senator Gillibrand's comments, we will ask our witnesses to make their opening remarks. After that, we will all have our round of questions and answers. We will then transition to SVC-217, the Office of Senate Security, and recommence in closed session. Each of the witnesses may provide additional context and testimony that they were not able to provide in an open setting, and we will then close with another round of Q&A. I encourage members and staff to stay through the closed session, given the gravity of the topic at hand. The administration recently issued a new policy document, known as National Security Presidential Memorandum 13. The new policy entailed by NSPM-13 replaces that of PPD, or Presidential Policy Directive, 20, which virtually paralyzed the conduct of offensive operations by U.S. Cyber Command outside of armed conflict. I look forward to a Department of Defense briefing on the new policy in the near future. I am hopeful this new policy will enable the Department of Defense to act more nimbly and effectively to counter and deter our adversaries' ongoing cyberattacks on the United States, attacks conducted with virtual impunity. However, no such policy, however well crafted, will succeed unless U.S. Cyber Command develops and maintains the high level of cyber operational readiness required to implement it. With the elevation of Cyber Command to status as fully unified command and the Cyber Missions Force's achieving full operational capability in May, the Department's cyber forces appear to have moved beyond adolescence. It is now vital that the current capability and operational readiness of the Command fulfill the requirements entailed by these designations. I invited Senator Tillis and Senator Gillibrand, along with the remainder of the Personnel Subcommittee, because these shortfalls are not limited to traditional readiness measures of equipment and training. Indeed, a great deal of the Department's cyber readiness issues resolve around the shortage of skilled cyber-capable personnel. These shortfalls will only be aggravated if the Cyber Mission Force needs to be expanded in the future. I am concerned that the current recruitment, pay, retention, and career pathway structures in place are not equipped to manage this problem. I am, thus, eager to hear the service or tactical-level perspective from General Fogarty, the operational Cyber Command's perspective from General Steward, the more strategic and governance perspective from General Crall in OSD [Office of the Secretary of Defense], and the CIO [Chief Information Officer] and civilian personnel perspective from Ms. Miller. I am also eager to explore the Department's plans to correct these shortfalls with the Senators of the Personnel Subcommittee today. I am grateful to have their expertise at this table. An ongoing concern of the subcommittee, which I am sure the Department shares, is that we preempt a hollow cyber force and that we have a cyber force that is adequately staffed and equipped and has the necessary tools, targeting capability, and development capability to respond to operational needs. In particular, Cyber Command needs the indigenous capability, without over-reliance on NSA [National Security Agency], to surveil adversary networks for zero-day vulnerabilities, produce malware to exploit these vulnerabilities, and implant this malware within a reasonable and realistic timeline. Such capabilities are necessary, not only for its own DODIN [Department of Defense Information Network] defense and national missions, but also for those conducted in support of the combatant commands. I am eager to hear about CYBERCOM's [Cyber Command] current capability and activity to assist EUCOM's [European Command], PACOM's [Pacific Command], and CENTCOM's [Central Command] operations. Each of our witnesses have an important role to play in this space. General Stewart, as Deputy Commander of the Cyber Command, is most directly responsible for the readiness of Cyber Mission Force. General Crall's role in defining DOD [Department of Defense] cyber policy shapes, and is shaped by, the capabilities offered by the Cyber Mission Force. General Fogarty, as Commander of the Army Cyber Command, is the executive agent for the persistent cyber training environment and must man, train, and equip the Army's cyber teams. Ms. Miller and the CIO's office generally retain responsibility for the cyber infrastructure, including that on which the Cyber Mission Force will fight and test their malware across the Department. I will close by thanking our witnesses for their service and for their willingness to appear today before the subcommittee. Senator Tillis. STATEMENT OF SENATOR THOM TILLIS Senator Tillis. Thank you, Mr. Chairman. I'm glad our two committees were able to put together this joint hearing. I think it represents an opportunity to examine an important topic, but also to share information that's instructive to our independent roles on committees. We should do more of them. Success in the cyber domain is uniquely reliant on highly qualified personnel. Where aircraft carriers, stealth technology, and smart weapons have given the United States a discernible advantage in traditional warfighting domains, the U.S. military doesn't have similar technological edges when it comes to cyberspace. Rather, we must rely on intelligence, creativity, and cunning of our people if we are to be successful in this rapidly changing environment. Since operating in cyberspace is so heavily dependent on access to talented people, we look forward to asking questions on the proper cyber workforce mix, the status of Cyber-Excepted Service, and the larger personnel management issues within the Cyber Mission Force. I thank all of the witness for your willingness to be here today, and I look forward to the following questions. Senator Rounds. Senator Nelson. STATEMENT OF SENATOR BILL NELSON Senator Nelson. In the interest of time, the questions I'll be asking are: ``Are the forces the right size? Are they getting the right training? Are they a good match for their mission? Do they have the tools and infrastructure they need? Are we recruiting the right people? How are we retaining them and managing their careers?'' Thanks. Senator Rounds. Senator Gillibrand. Senator Gillibrand. Thank you. I look forward to your statements. Senator Rounds. At this time, I would ask--Ms. Miller, would you like to begin, or did you have planned sequence that you would like to deliver these remarks today? Ms. Miller. Mr. Chairman, if you don't mind, we do have a planned sequence. Senator Rounds. Okay. Ms. Miller. We'll start with General Crall. Senator Rounds. Very good. General Crall, begin. Thank you. STATEMENT OF BRIGADIER GENERAL DENNIS A. CRALL, USMC, PRINCIPAL DEPUTY CYBER ADVISOR AND SENIOR MILITARY ADVISOR FOR CYBER POLICY Brigadier General Crall. I think the sequence should start with the junior person, so I'll certainly oblige, sir. First, I'd like to thank the committee members for a couple of things. One, for my invite to talk about a matter that's clearly important to the Department and the Nation, but also your continued interest and investment in improving these things that we're about to discuss today. So, I certainly thank you for that. In your openings, it's very clear that we all understand the challenges we have. We keep talking about competitive spaces in cyberspace, particularly in how we're going to see information contested in our current and future wars that we fight. But, we also have an interesting dynamic, as you've pointed out. We have competition in the recruitment, retention, the training aspect, and development of the cyber workforce. We understand that, in our competition, if you look at it that way--these are really partnerships, but, when it comes down to resources, each of these communities handles these differently, and they all have their own unique allures. For private industry, we know that it's difficult to match some of the compensation packages. It's also difficult to match the speed with which they hire and onboard and start individuals and clear them for some very sensitive projects. On the military or the civilian side for the Department of Defense, we have our own allures, as well: service to the Nation, the ability to perform very unique mission sets you can't do anywhere else, and also the exposure to a wide array of technology that really pulls individuals in. So, we need to understand that, and understand it well. So, what I'd like to do is cover a couple items very briefly in my opening, and that is to really set the stage for how we--enhancements that we're looking at on how we recruit, how we keep the folks that we recruit, and how we develop or train them. On the closed session, I'd like to use some of that time to talk about the governance structure, as it is classified, tied to our recently published Cybersecurity Strategy, and going into some of those details require that setting. So, to really get to the meat of what I will present today is in the Cyber-Excepted Service. These are authorities and funding that Congress gave the Department back in fiscal year 2016, and the rollout of that started in 2017. A couple of these incentives are already in place. I'll cover a couple of them, with a few that are being onboarded here really starting in the next 30 days, the first of which is this idea of moving between competitive service and noncompetitive service. The idea of how we take title 5 and title 10, blend them together, and move individuals and attract them to the Cyber-Excepted Service without penalty or loss of grade or seniority. Certainly an attractant. The other is the idea of building qualifications and advancements based on competencies, where you can be rewarded, compensated, and advanced because of the unique training that you have. Finally, increased pay scale. We know that the general service or competitive pay scales stop at the pay band of 10, where the Cyber-Excepted Service, we've expanded that to include pay bands 11 and 12, which offers a little more flexibility for that professional worker who would have no other place to go or no other incentive to offer. Those are in place today, albeit in a modest fashion. I'll explain the numbers in a minute. But, they are in play. What we're proposing are a few other items that will, again, start, here, hopefully in the next few months. One of them is the idea of a targeted market compensation. We know that it's difficult to recruit competent quality that we're looking for in every part of the country. In some cases, it's due to high-demand, low-density assets. There's just really a strict competition. In other place, they just don't exist, writ large, where we need them. So, that targeted compensation package will allow us to apply that particular solution to that target set. We also are looking at the idea of retention bonuses. Current pay caps prevented us from applying these, meaning they were available, but they couldn't be used in other combinations. You've given us the authority to move out, where it makes sense, to apply them, again, to our most gifted workforce. Finally, the piece the Department has to solve is its long security clearance process. We certainly don't want to compromise the end result. We want to ensure that we understand who we're employing. But, we certainly recognize that we've got to cut down the timeframe. You've asked us to do that. We're-- certainly have ways and means in front of us to do just that. From the total-force side that we're looking at, we're looking at the development and training aspects of this, enterprise and joint training standards. We're just finishing a coding initiative so that we can understand what a Military Occupational Specialty means in language to a civilian hire that we have. Right now, we--every service uses different descriptions. It's difficult to understand how to move an individual from one spot to another. When you're trading spaces and looking at benefits of training, manpower reallocation, and rightsizing the force, you have to start with a common lexicon. That coding effort is largely complete. Goes a long way to making sure that we can develop. Also, finally, I would say, putting on a career path. What right looks like in a workforce management to ensure that we don't pyramid out; where we have a lot of competent people that are stuck in certain places, but we have either the rotation that they need to go to to continue those skillsets or the advancement opportunities there in front of them. More work to do on that front. Definitely not there yet, but certainly putting brainpower to that. On the military side, I'd let the generals on the panel discuss the efficiency of some of the things that they're working on, but direct commissioning, we've been given the authority to increase both our rates and the levels in which we do that, very similar to the way that we onboard doctors, lawyers, and chaplains, bringing in those specialists at higher grades initially. Also, the constructive credit, how we can take people who are coming from the workforce and actually give them the credit due for the job skills they've had previously, whether that be in the service or in private industry. So, those two are available for our military side, as well. Looking at how we phase these, phase 1 was a very modest rollout. We had roughly 363, I believe, slots that we created in Cyber-Excepted Service, and we targeted U.S. Cyber Command with that initiative to begin with. Almost 70 percent of those billets were filled in relatively short order, which means I think we've got part of the cocktail correct, that the recipe may be right. That's only with half the enhancement packages onboard. But, given the size of our workforce, that's a very small number. Starting this year, we've--we're going to expand that to about 8300 slots, and we're going to target a few others--DISA [Defense Information Systems Agency] and the service cyber components--again, rolling out the full package to see if we can get that mix right. Some areas that I would tell the committee that I believe we need to improve, and in full transparency, we need to understand our market better. I think we use too much anecdotal evidence and experience to describe what attracts people and why people leave. While I would say that most of it sounds right, and we do have a few studies that look at it, from, you know, doing a couple of recruiting tours, market analysis is key, and we've got to make sure we're dialed in and we're not focusing on a goal that's maybe a year or two old. We may need to take a look at how we recruit. I think our message is slow to get out. Not everyone knows what our message is. On the military side, I would say the campaign is a little easier, far stronger, and we find that our audiences are more informed. Very few understand what we offer in the Federal Government side that would be an attractant, as well. We've got to do better there. I attended a ribbon-cutting ceremony with Senator Nelson a few years back at the Cyber Center in Tampa, sir. In both your public remarks and remarks to me privately, you stressed the importance of internships and making sure that we stay connected to academia, that we can build the kind of force we need if they come out of the schoolhouse equipped and right-set for us to put them to work. Neat environment in Tampa, with U.S. Central Command and Special Ops Command right there. I'll tell you, I think our efforts are still too modest. I don't think we've come close to leveraging that requirement and that opportunity. Our intelligence community does that well. They groom very early. They have recruiters at the universities. They teach classes, they stay very connected to that workforce, and we could learn something from that. So, we have the means. They're in front of us. We've got to execute better to get after that. We're a bit slow. Lastly, I would say we need to ensure that we have a solid baseline and assessment mechanism so, when we come back here and talk to you about what's working and what's not working and how we've spent money, we can do so with the right kind of accountability. We've got to be careful with all these incentives--and you've charged us to be careful with those--to ensure we just don't simply throw money at a problem without making sure that these are targeted, and they're targeted very specifically, and the outcomes are examined so we can keep that machine refined and moving in the right direction. So, hopefully, with an opener, I'll leave it at that, and either take questions or pass it on for opening. Thank you. [The prepared statement of General Crall follows:] [Deleted.] Senator Rounds. Thank you. Who would you like to have move next? Ms. Miller. Well, Mr. Chairman, had I known General Crall would cover the world---- [Laughter.] Senator Rounds. Okay. Well, that's okay, because what we're going to do is, we'll take all of your full remarks for the record, but then I'd ask that each of you limit your opening remarks to about 5 minutes, and we'll kind of move from there. STATEMENT OF ESSYE B. MILLER, PRINCIPAL DEPUTY, DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER Ms. Miller. So---- Senator Rounds. Ms. Miller, would you like to go next? Ms. Miller. So, given that General Crall---- Senator Rounds. Very good. Ms. Miller.--has done a great job of laying out where we are with policy and governance and how we are looking at the environment, writ large--and I'd like to just add that the Department does face workforce challenges that we need to address--most of the job losses that we've seen here over the last year or so total about 4,000 civilian cyber-related personnel losses. We're going to have to, to his point, work the recruiting piece of this such that we are postured and we know what that industry should look like, what the objectives and the outcomes of those hiring positions should be, and how we manage the force, in terms of career paths. But, keep in mind, too, this is--encompasses more than your traditional IT [information technology] intel role. It also includes some our health occupations, criminal investigation, and other occupational series that we need to keep in mind such that we take a holistic approach to how we execute the mission with our cyber forces and drive effect and outcome. So, with that, sir, I look forward to your questions. I really appreciate the opportunity to have this discussion with you today. [The prepared statement of Ms. Miller follows:] Prepared Statement by Essye B. Miller introduction Good afternoon Mr. Chairman, Ranking Member, and distinguished Members of both Subcommittees. Thank you for this opportunity to testify before the Subcommittees today on the cyber operational readiness of the Department of Defense. I am Essye B. Miller, Department of Defense (DOD) Principal Deputy Chief Information Officer (PDCIO). I am the principal deputy advisor to the Secretary of Defense for information management, Information Technology (IT), cybersecurity, communications, positioning, navigation, and timing (PNT), spectrum management, and senior leadership and nuclear command, control, and communications (NC3) matters. These latter responsibilities are clearly unique to the DOD, and my imperative, on behalf of the DOD CIO in managing this broad and diverse set of functions, is to ensure that the Department has the information and communications technology capabilities needed to support the broad set of Department missions. This includes supporting our deployed forces, cyber mission forces, as well as those providing mission and business support functions. I would like to provide you with an overview of the current state of the Department's cyber workforce policies and programs, as well as provide you with an update on the Department's implementation of the Cyber Excepted Service (CES) Personnel System. department of defense cyber workforce overview The DOD cyber workforce is currently comprised of four workforce categories. The Office of the DOD CIO is responsible for the policy oversight of two categories, Cyber (IT) and Cybersecurity. The Principal Cyber Advisor (PCA) leads the Cyber Effects category, while the Under Secretary of Defense for Intelligence (USD(I)) is responsible for the Intelligence (Cyber) category. Together, the DOD CIO, PCA, and the Under Secretary of Defense for Personnel and Readiness (USD(P&R)) tri-chair a Cyber Workforce Management Board that works with USCYBERCOM, the Military Departments, Joint Staff, OUSD(I), and other select DOD Components to provide oversight over the management of the DOD civilian and military cyber workforce. Additionally, the Office of the DOD CIO also acts as the Functional Community Manager for 18 civilian occupational series, composed of approximately 52,000 individuals, working with USD (P&R) and the DOD Components to sustain the health and capabilities of each occupation. Over the past several months, DOD Components have been coding civilian cyber positions, per the Federal Cybersecurity Workforce Assessment Act. In addition to the typical or traditional cyber occupations, DOD also has some individuals performing cyber responsibilities in acquisition and engineering, financial management, health care occupations, as well as criminal investigation and physical security. The Department does face some cyber workforce challenges. DOD has seen over 4,000 civilian cyber-related personnel losses across our enterprise each year that we seek to replace due to normal job turnover. Most of these job losses fall within the IT Management and Computer Science occupations, but we also have cyber professionals within key engineering occupations such as Electronics Engineering and Computer Engineering. We need individuals across a wide variety of cyber work roles, including: software developers and secure software assessors, system administrators and network operations specialists, data analysts, systems security analysts, and system test and evaluators. Specific to the Cyber Mission Forces, their personnel needs center on planning, coding, forensics, malware, data science, linguists, and cybersecurity professionals. Congress has been a strong partner in this area. Specifically, through a number of key pieces of legislation, Congress has enabled: the startup of a new personnel management system for cyber, the Cyber Excepted Service; Direct Hire Authority and Advanced-In-Hire Authority for Cyber Workforce positions; other compensation flexibilities; new term appointment authority; and funding for the DOD Cyber Scholarship Program. Each has aided the Department in establishing and maintaining the readiness of our cyber warriors. We also work closely with other federal stakeholders, through the Federal CIO Council and the National Initiative for Cybersecurity Education (NICE). We share the same concerns on the challenges to find highly qualified job candidates and retain cyber professionals in a hyper competitive job market. Enhanced management practices, such as the implementation of the National Cybersecurity Workforce Framework, will provide greater capabilities to identify personnel requirements and target effective solutions. cyber excepted service (ces) personnel system The Cyber Excepted Service is an enterprise-wide approach for managing civilian cyber professionals across the Department. By fostering a culture based upon mission requirements and employee capabilities, Cyber Excepted Service will enhance the effectiveness of the Department's cyber defensive and offensive mission. This personnel system will provide DOD with the needed agility and flexibility for the recruitment, retention and development of high quality cyber professionals. Specifically, the CES will help DOD to streamline its hiring procedures to quickly fill vacant mission-critical cyber positions across the Enterprise. CES lets DOD Hiring Managers recruit candidates from any source and offer more competitive market-based compensation packages. The Office of the DOD CIO has successfully designed, developed, and implemented the new personnel system for U.S. Cyber Command, Joint Force Headquarters DOD Information Networks, and the Deputy CIO for Cybersecurity. To date, 403 positions have been converted to the CES. We are currently partnering with the DOD Components to begin implementing CES for 8,305 positions across the Defense Information Systems Agency and the Service Cyber Components. conclusion DOD recognizes the importance of growing and maintaining the cyber workforce. The recent authorities provided by Congress have allowed the Department to adjust existing personnel policies and to implement new policies that account for this dynamic need in an increasingly important mission area. The Department appreciates the support of both Subcommittees on this important matter. Thank you for the opportunity to testify today and I look forward to your questions. Senator Rounds. Thank you. General Stewart. STATEMENT OF LIEUTENANT GENERAL VINCENT R. STEWART, USMC, DEPUTY COMMANDER, UNITED STATES CYBER COMMAND Lieutenant General Stewart. Yeah. Mr. Chairman, Ranking Members, members of the committee, first of all, thanks for the opportunity to do this. I think the support that we've gotten-- that we've received from the committee that's driven us to think about the policy, think about the strategy, think about the readiness of the force, has pushed us in the right direction. So, I thank you for the opportunity to be here. But, more than that, I thank you for the opportunity to be able to speak about the men and women who make up this cyber force, extraordinary men and women who today are on mission against a threat that's operating--that's pervasive in this space. I look forward to the opportunity to talk about that, and I certainly look forward to the opportunity to discuss that in closed session. Among the things that we've learned over the last year or so is that success in cyberspace requires--in fact, it demands--persistent engagement, it demands persistent presence, and it demands a persistent innovative spirit. Failure to do that means that we will never compete against near-peer competitors in this space. So, we're thinking our way now through how we move from growing this force to how we persistently engage, persistently have presence and we innovate in this space. We have shifted from building out those teams to how we build a force that is operationally relevant and is able to deliver outcomes, as necessary, from the Chairman--from the national authorities, all the way through the Chairman. We've shifted a little bit from building capacity--we think about just personnel and their training readiness--to the capabilities. Those capabilities requirements speaks to our necessity for the right tools or the munitions that we need in order to be successful in this space, the access that we need, the authorities we need, the infrastructure we need, and the intelligence necessary to support operation of a relevant force. So, we're now melding--in order to get a better sense of readiness, we're melding both capability and capacity against the problem sets that we've been assigned. So, as we look forward, we realize that the future requires us to be continually engaged in order to compete in cyberspace. We're building a combatant command that will be postured for success. We couldn't have built that without--or accomplished what we have for this Nation without your dedicated support that we receive from the committee. The language you included in the Fiscal Year 2019 NDAA [National Defense Authorization Act] was especially helpful, and we thank you for your continued advocacy and support, and we look forward to your questions. [The prepared statement of General Stewart follows:] Prepared Statement by Lieutenant General Vincent R. Stewart u.s. cyber command (uscybercom) statement for the record USCYBERCOM's mission is to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national security interests in collaboration with domestic and international partners. Success in cyberspace requires persistent engagement, persistent presence, and persistent innovation. To support the Nation's priorities as a combatant command, USCYBERCOM's focus has shifted from building a cyber force to focusing on readiness, partnerships and building the ethos of a new Command. USCYBERCOM is diligently working to build a more robust fighting force for the future. We are embracing innovative ways to develop and strengthen our workforce. If we are to maintain our strategic advantage in cyberspace, we must invest heavily in the talent of our people and the resources they need. USCYBERCOM is acutely aware of the challenges that result from being in persistent contact with the adversary in cyberspace. Our adversaries continue to adapt and evolve . . . so must we. operational readiness One component of our evolution is our approach to measuring readiness. As a command, we have evolved from a model focused on building a force to a model that ensures the sustained readiness of the force we've built. Early in our development as a combatant command, we measured readiness based on number of people and the status of their training. Now that we have matured, previously used readiness metrics are not sufficient to provide a holistic readiness picture. The sustained readiness approach we are developing merges capability metrics with capacity metrics to provide a more complete readiness picture. In other words, our new approach assesses readiness in terms of both ``capacity'' (people and training), as well as ``capability/' (tools, access, authorities, infrastructure, and intelligence). workforce As a trailblazer for DOD's Cyber Excepted Service (CES) personnel system, USCYBERCOM is using new, fast and flexible hiring authorities to tackle civilian vacancies and recruit talent necessary to build our Combatant Command. Outside the confines of the traditional DOD hiring process, USCYBERCOM is pushing past the norms of laborious, slow hiring by actively recruiting talent through job fairs and hiring events where our teams screen resumes and conduct on-site interviews leading to the best candidates receiving intent-to-hire job offers. For our military workforce, like the other Combatant Commands, USCYBERCOM relies on the Services to recruit and retain the talent we need to deliver joint force objectives for the Nation. We applaud the diligent efforts of the Services to organize, train and equip cyber operations forces, including fully leveraging recruitment and retention incentives and creating talent management programs that grow a robust cyber workforce. conclusion Whether civilian or military, the men and women of USCYBERCOM are committed to being part of something bigger than themselves. Our men and women want to make a difference for this Nation, and they do-- everyday. USCYBERCOM is a learning organization continuing to innovate and adapt as we posture our force for success in the cyberspace domain. With the sustained support of Congress, USCYBERCOM will build upon our momentum and continue to defend and advance our Nation's national security interests in cyberspace. Senator Rounds. Thank you, General. General Fogarty. STATEMENT OF LIEUTENANT GENERAL STEPHEN G. FOGARTY, USA, COMMANDER, U.S. ARMY CYBER COMMAND Lieutenant General Fogarty. Chairman Rounds, Chairman Tillis, Ranking Members, and members of the subcommittee, I want to thank you for the support, from both committees, which is vitally important to Army Cyber Command's continued progress and the critical missions of our dedicated and talented soldiers, Army civilians, contractors, and Reserve and Army National Guardsmen carry out every day on behalf of the Army and the Nation. The Army's philosophy for training is to train as you fight. For the Army's teams within the DOD Cyber Mission Force, training to a joint standard is predicated on a culture of adaptive learning for operations and form, training at every level. A ``train as you fight'' philosophy in cyberspace also depends on employing realistic, dynamic, and complex range environments against simulated peer and near-peer adaptive adversaries. Cyber Mission Force training must be tough, realistic, relevant, and holistic, just like it is for the rest of our forces. With the achievement of full operational capabilities for the Army's CMF [Cyber Mission Force] last year, the Army and joint forces are shifting focus to measuring and sustaining CMF readiness. While achieving full operational capabilities of these teams was an important milestone, it is certainly not an end state and doesn't tell the complex story of the Army and joint force's overall readiness to fight and win. Readiness is a combination of the CMF's ability to conduct cyberspace operations, reflects a team's ability to plan, develop access, report, and maneuver in cyberspace, hold targets at risk, and deliver capabilities based on assigned missions. This is the standard we use for operations, and it must be the standard we use for training. This includes a focus on nonstandard access methodologies, title 10 operator training, and integration with mission partners to improve mission readiness. Again, training as we fight. Army Cyber Command's mission success rests on our people. We must recruit, retain, and reward the most talented people. As such, we put tremendous focus on talent management. Thanks to your support, Army talent management initiatives continue to show increased results in civilian hiring and military recruiting. But, we do have a challenge with retaining the core skills that we need. We have a superb recruitment pool that we draw from. I think the training is outstanding. They get on the mission. But, our challenge, as the other witnesses have already mentioned, is the compensation to keep that trained force. You know, the average interactive online operator, it takes about 2 and a half years of training to be able to conduct operations. In a 6-year enlistment, you get about 3, maybe 3\1/2\ years of useful work out of that individual. So, it's absolutely critical that we roll out, really, the incentives we need to maintain that force. Now, readiness of the total force requires that our investment in cyber ensure that Active and Reserve and Guard forces are trained and equipped to one standard. We also continue to make progress toward fully integrating the Army's Reserve and National Guard into the Cyber Mission Force. We're already benefiting from the critical skills the Reserve component brings to bear and look forward to their full integration. The Reserve component is approved to build and maintain 21 Cyber Protection Teams, 11 in the Army National Guard and 10 in the U.S. Army Reserve. One Army National Guard and two Army Reserve CPTs [Cyber Protection Terms] have already achieved initial operational capabilities. The Army National Guard is scheduled to have all 11 CPTs at full operational capability by fiscal year 2022. In the Army Reserves, 10 CPTs will be fully operational-capable by fiscal year 2024, trained and equipped to the same standards as the Active component. I'll discuss PCT [Persistant Cyber Training] at detail to answer your questions. One of the things I did want highlight is, my command is getting ready to move from Fort Belvoir down to Fort Gordon, Georgia. We'll do that in about 18 months. That is a significant investment, almost $1.3 billion, that the Army has placed in Army Cyber Command and the Army Cyber Center of Excellence, which is our premier schoolhouse. We train Active, we train civilians, and then we train Army National Guard and Reserve forces. For the Army, this is important, because we'll have the operational headquarters, the operational platform, and the schoolhouse all on the same location. We think that's going to give us the ability to take operators that are in Active missions to be able to move over and instruct, realtime, in the classroom. It also gives a stability for our workforce. You can have an entire career at Fort Gordon, Georgia, if you decide that you wanted to have your family there. The soldiers, civilians, and contractors from Army Cyber Command are persistently engaged against a wide range of adversaries and competitors in the cyber domain. We remain committed to preserving U.S. superiority in cyberspace and defending the Nation. Furthermore, we are committed to working with our interagency partners, international allies and partners, the defense industrial base, and defense critical infrastructure partners to secure that critical infrastructure. It's worth stating that operations in the cyber domain require problem-solving in ways never employed before by the U.S. Army. But, creativity, aggressive problem-solving, and rapid mastery of new fighting methods are not just possible for the Army, they are, in fact, qualities that lie at the core of our service. I'm confident that, with your continued support, we will continue to make progress and continue to achieve mission success. I thank you for the opportunity to testify today and look forward to answering your questions. [The prepared statement of General Fogarty follows:] Prepared Statement by Lieutenant General Stephen G. Fogarty Chairman Rounds, Chairman Tillis; Ranking Members Nelson and Gillibrand; and Members of the Subcommittees on Cybersecurity and Personnel, thank you for your continued support of the dedicated soldiers and Army civilians of U.S. Army Cyber Command (ARCYBER) and the entire Army Cyber Enterprise. It's an honor to represent the Army's Cyber Team, alongside my colleagues from the Department of Defense and U.S. Cyber Command, to discuss the critical issues associated with sustaining a ready Cyber Mission Force (CMF). My testimony addresses the following topics as requested by the Subcommittees: retaining and maintaining the Army's cyber talent; individual and unit level training of the Army's CMF; integration of the Army's Reserve Component into the CMF; and the development of the National Cyber Range Complex and Persistent Training Environment. retaining and maintaining the army's cyber talent Army Cyber Command's mission success rests with recruiting, retaining, and rewarding talented people, and as such we put tremendous focus on talent management. Thanks to congressional support, Army talent management initiatives continue to show increased results in civilian hiring and military recruiting. The Army is on pace to man, train, and equip Total Army cyber forces to meet current and future threats. Readiness of the total force requires that our investments in cyber ensure that Active and Reserve forces are trained and equipped to one joint standard. We have established innovative and tech-centric recruiting cells; are exercising our direct hiring authority for cyber professionals supported by Fiscal Year 2017 National Defense Authorization Act; and using internships, scholarship programs, and talent management initiatives focused on attracting, employing, developing and retaining technical people, including our Cyber Officer Direct Commissioning Pilot supported by Fiscal Year 2017 National Defense Authorization Act. The first two 1st Lieutenants under the Direct Commissioning Program are now training and we are assessing the next accessions from hundreds of applicants. With the expanded constructive service credit (up to O6 (Colonel) level) included in the Fiscal Year 2019 National Defense Authorization Act, we intend to attract candidates from a wider pool of applicants in the coming months. To help the Army resolve some of our toughest talent management and technical challenges, we have partnered with the Pentagon's Defense Digital Service (DDS) to bring technically-gifted soldiers together with interns and top private sector civilian talent to rapidly develop immediate-need cyber capabilities. We have also partnered with DDS on a Civilian Hiring as a Service Pilot to streamline the hiring process for technical talent and better leverage hiring authorities and incentives. We are working with DDS and the State of Georgia to expand this program to Fort Gordon and the region surrounding Augusta, Georgia, the Army's center of gravity for cyber operations and training. This innovative partnership is solving problems and serving as a powerful retention and recruitment tool. Additionally, in partnership with DDS, ARCYBER and the Cyber Center of Excellence launched a training pilot in January 2018 to compress and streamline joint cyber training courses. individual and unit level training of the army cyber mission force The Army's philosophy for training is to ``Train as you fight!'' For the Army's teams within the DOD's Cyber Mission Force (CMF), training to a joint standard is predicated on a culture of adaptive learning, where operations inform training at every level. A ``train as you fight'' philosophy in cyberspace also depends on employing realistic, dynamic, and complex cyber range environments against simulated peer and near-peer adaptive adversaries. Cyber Mission Force training is tough, realistic, relevant, and holistic. With the achievement of Full Operational Capability of the Army CMF, the Army and Joint Force are shifting focus to measuring and sustaining CMF readiness. Readiness of the CMF's ability to conduct cyberspace operations reflects a teams' ability to plan; develop access; report and maneuver in cyberspace; hold targets at risk; and deliver capabilities based on assigned missions; this is the standard we use for training. This includes a focus on non-standard access methodologies, title 10 operator training, and integration with mission partners to improve mission readiness. The readiness of our defensive teams is tested daily, during remediation of routine incidents; proactive defensive cyberspace operations; and during contingency operations. Training programs must constantly sharpen our edge to adapt faster than our adversaries. Mission rehearsals, simulating complex conditions, are necessary to ensure sufficient procedures are in place, while real-world operations grow our understanding of our adversaries' capabilities and add a decisive edge to our collective training. The Army's Cyber Protection Brigade has taken the lead in Cyber Protection Team (CPT) training by developing a concise training manual, known as ``Cyber Gunnery Tables,'' that defines the tasks individuals, crews, and mission elements must master. These tables provide foundational training for individuals and teams and serve as training and readiness validation events, certifying that a crew has the required knowledge, skills, and abilities to participate in collective exercises as part of a mission element. They also provide a metrics- based assessment to determine individual and crew readiness. The Army's Cyber Electro-Magnetic Activities Support to Corps and Below (CSCB) initiative provides another venue to improve team readiness levels. Teams are integrated into the Combat Training Center rotations, War Fighter Exercises, and senior leader developmental exercises and events that train and challenge supported units and keep teams proficient on individual and collective skills. Army Cyber Command has built real-time reach-back links between Corps and Below level forces at the National Training Center and cyber operators at Fort Meade, Maryland and Fort Gordon, Georgia, that further enhance training capabilities for the Army's Brigade Combat Teams as well as our cyber forces. Based on lessons learned from the CSCB initiative, the Army will start building a Cyber Warfare Support Battalion (CWSB) in fiscal year 2019, dedicated to integrating tactical operations with strategic cyber capabilities, and supporting Electronic Warfare and cyber planning and integration. Training is critical for operators and teams, but the CMF also needs infrastructure, tool development, and mission alignment of these ready teams. In 2017 the Army completed the second of two joint mission operations centers for offensive cyberspace operations, located at Forts Meade and Gordon. The Army has also established tool development workspaces at three locations and aligned talented personnel to innovate the creation of these in-house tools. To support this effort, the Army is developing a sustainable career map for tool developer Officers and Warrant Officers. The Army is also leading the way with broadly-scaled multi-domain exercises for the Active, Reserve, and National Guard components. These exercises take place at existing CTCs and purpose-built environments like Muscatatuck, Indiana's ``Cybertropolis'' facility. In September, 2018 the Army exercise ``Cyber Blitz'' based out of Joint Base McGuire- Dix-Lakehurst, New Jersey will allow Total Army forces to synchronize new technologies and define how the information warfare capabilities can be employed in the Multi-Domain fight. Specifically, the Army is looking at how Cyber Operations, Information Operations and Electronic Warfare can be synchronized with maneuver warfare and precision fires to bring effects to bear against adversaries. the army's investment in fort gordon, ga as a power projection platform Thanks to congressional support and over $1 billion in cumulative construction and modernization projects, Fort Gordon, Georgia will be the Army's focal point for cyberspace operations and training for responsive and enhanced support to the Army and the Joint forces. The ARCYBER headquarters will relocate to Fort Gordon beginning in 2020. The new purpose-built, modern headquarters will support more than 1,300 new cyber soldiers and civilian employees at Fort Gordon, is projected to be ready for occupation in summer 2020 and fully operational by 2022. The co-location of Army cyber operational and institutional forces will enable collaboration, flow of instructors, and speed up requirements development and acquisition. Additionally, the transformative modernization project of the Army Cyber Center of Excellence (Cyber CoE) at Fort Gordon will break ground in fiscal year 2019. This will increase training capacity and provide modern training and workspaces to gain efficiencies across the installation. The Cyber CoE continues to make significant progress growing the cyber, electronic warfare and signal workforce. The Cyber CoE is the Army's principal organization for future cyberspace, EW and signal innovation, providing capability through concepts, design and experimentation, across Doctrine, Organization, Training, Materiel, Leadership and Education, Personnel, Facilities, and Policy. In addition to training, the Cyber CoE provides force modernization, capabilities and career management for Signal, Cyber and Electronic Warfare forces. The Cyber CoE trained over 13,000 students in fiscal year 2018. This includes students from the Cyber School, Signal School and the Non-commissioned Officer Academy. The Cyber School trains officers, warrant officers, and enlisted soldiers from all three force components (Active, Guard, and Reserve), provides training across the joint forces, and offers two industry certifications tied to training. The Signal School provides trained soldiers to the operational force to conduct Department of Defense Information Network (DODIN) operations and cybersecurity, training 17 military occupational specialties and providing 42 industry certifications tied to training. Signal soldiers install, operate, and maintain the Army's portion of the DODIN. The Signal School provides a common foundation in networking fundamentals in support of DODIN Operations to all new Signal soldiers. integration of the army's reserve component into the cmf The Reserve Component (RC) is approved to build and maintain 21 CPTs; 11 in the Army National Guard (ARNG) and 10 in the U.S. Army Reserve (USAR). One ARNG and two USAR CPTs have already achieved Initial Operational Capability, the ARNG is scheduled to have all 11 CPTs at Full Operational Capability (FOC) by fiscal year 2022, and the USAR's 10 CPTs will be FOC by f24; trained and equipped to the same standards as the Active Component. Beyond the build of these teams, soldiers from the Army's Reserve and National Guard are trained, ready, and on-mission today, performing critical and unique support and effects-delivery roles for Army and Joint cyber missions. The 91st Cyber Brigade was initiated in September, 2017, as the Army National Guard's first cyber brigade. In August, 2017, the all-National Guard Task Force Echo was launched to engineer, install, operate, and maintain critical networks for U.S. Cyber Command. Our RC cyber soldiers bring critical skills that are a force multiplier. Continued support from Congress for programs to attract soldiers, such as Direct Commissions, Special Duty and Assignment Pay, and Cyber Affiliation Bonuses will assist in recruiting and retaining RC cyber talent. the national cyber range complex and persistent cyber training environment Currently, DOD operates four Cyber Training and Test Ranges: the DOD Cyber Security Range; the Joint Information Operations Range; the National Cyber Range Complex; and the C5 Assessments Division range. The Persistent Cyber Training Environment (PCTE) is a material solution that provides the total cyber force a training platform to conduct joint training (including exercises and mission rehearsals), experimentation, certification, as well as the assessment and development of cyber capabilities and tactics, techniques, and procedures for missions that cross boundaries and networks. PCTE will use resources from all four of the DOD ranges, as well as resources from other existing cyber training facilities. Headquarters, Department of the Army is the DOD's Executive Agent for Cyber Training Ranges, a responsibility led by the Army's Deputy Chief of Staff, G-3/5/7. Army Cyber Command is in support as a primary advisor to the G-3/5/7, with the Army's Program Executive Office for Simulation, Training, and Instrumentation (PEO-STRI) serving as the lead for acquisition, prototyping, and deployment of PCTE. The entire PCTE effort is governed by a board that includes Army Cyber Command, the DOD's Principal Cyber Advisor, and the Undersecretaries of Defense for Personnel & Readiness and Acquisition, Technology, & Logistics, as well as U.S. Cyber Command's J7, through which the Joint Cyber Service Components take part in shaping the PCTE to meet current joint operational needs. The PCTE v1.0 prototype was delivered 31 July 2018, just one year after the Army received initial funding for the project, and is currently undergoing limited user assessment, with feedback informing the next prototype, PCTE v2.0. Follow-on capability drops are projected to occur every six months (v2.0 in January 2019; v3.0 in July 2019; etc.). To meet the requirements for individual and lower-level collective training, the Army is also using a commercially available cyber range product. To meet higher collective training tasks, the Army is evaluating another commercial platform used by the U.S. Navy, which provides a broader collective training environment. All Services are currently using, or considering, both platforms to meet training requirements. These tools will be a bridging effort until the PCTE is fully operational. conclusion Thank you again for inviting me to appear before you today representing the Army Cyber Enterprise. Your support has been enormously important to the maturation of Army Cyber Command, the Army Cyber Enterprise, and the critical mission our dedicated and talented soldiers and Army civilians conduct for the Army and the Nation. The Army Cyber Enterprise has made tremendous progress during the last eight years--building a cyber branch, schoolhouse, cyber infrastructure, and a Total Army cyber force. Although much remains to be done, I am confident that with your sustained support we will continue to make progress and achieve mission success. The tasks before us are great, however the talent and drive of our people is greater. Senator Rounds. Thank you, General. This group in front of us as a team has a huge responsibility. Cyberspace, this new domain, requires personnel. The reason that we're doing a program like this with both subcommittees, Personnel and Cyber, together is because we recognize the seriousness of the situation at hand. General Fogarty, the Army faces significant manning gaps in the roles of tool developers and interactive on-network operators, or, I think, as we call them, IONs. While the Army needs about 150 operators, for example, it has about half of its requirements. Part of the problem is that the Army has only about 14 spots in the RIOT training, which is Remote Interactive Operational Training, which is provided by the NSA. About half of these personnel will fail the training, meaning that the Army might only see seven graduate to the Cyber Mission Force as capable operators for any given RIOT course. This could leave the Army below the replacement level, given promotions and retirements, and yields a major capability gap. The Air Force has noted to us that the NSA has facilitated-- they're obtaining more spots in training, as required, and that, because they send their operators to training later, they are less likely to fail, leaving them without the shortfalls that afflict the Army. My specific question is, What is the impact of the resulting gaps--in particular, in infrastructure, IONs, and tool developers--on your operations? Lieutenant General Fogarty. So, Senator, we have identified three critical missions for--or critical work roles for the offensive force. So, the IONs, the exploitation analysts, and the tool developers. Each one is really--for the Army, is in a different point. So, you've aptly described our challenge with IONs. There are two things that we're doing about this. First of all, as we conduct more and more operations off of title 10 infrastructure--and the Army is really--we were the service that had title 10 infrastructure first, we've got the most robust capability--what we recognize is, not every ION has to be RIOT qualified. We have a title 10 operators course that allows our IONs to actually operate off the title 10 infrastructure. That gives us the opportunity to observe them as they start to act, conduct reps. Then we can identify better those star athletes that we need to send to RIOT. What we're hoping is, we can identify someone who has better aptitude, a better likelihood of actually graduating, and that would essentially double our numbers if we can get that straight, per---- Senator Rounds. Excuse me. You don't---- Lieutenant General Fogarty.--per year. Senator Rounds.--you don't quite have it straight yet, so what is that doing to your operational timelines today? Lieutenant General Fogarty. So, what happens, sir, is, with the current limit of 15 per year--and I would say, for the Air Force, we actually gave up slots, both for EAs [exploitation analysts] and IONs, so they could actually get fully operational-capable and meet their timelines. So, we took a little bit of hit there. But, I think the big thing is, we weren't selecting people that were making it all the way through the course. So, by getting them in the title 10 operators course, we get them actually on mission much sooner than we do if we send them through RIOT training. That allows us to determine the best athletes that would then allow us to get them into RIOT, have a much better chance of graduating. So, we think that will increase graduation. We've also talked to General Nakasone. We think, ultimately, we're going to have to expand the throughput of the RIOT course. So, we think that's going to be necessary to meet our ultimate requirements. But, we think success, for us, is a number of RIOT-trained operators, and then a larger number, actually, of title 10 operators. Because, again, as you said very eloquently, we've got to get off of the NSA platform, become more independent. The title 10 infrastructure with title 10 IONs actually allows us to achieve that goal. Senator Rounds. One thing that I'm going to ask, for the record, of both you, General Fogarty, and also for you, General Crall, is a timeline for actually meeting the guidelines necessary to make that happen. [The information referred to follows:] Lieutenant General Fogarty. Since the standup of the Cyber Mission Force (CMF) in 2012, the work roles presenting the greatest training and retention challenges for the Army are Interactive on-Network Operator (ION) and Tool Developer (TD). Both are high demand, low density work roles requiring personnel with advanced technical aptitude, training and certification. Since 2012, changing mission requirements, organic platform developments, and programmatic changes necessitated a revised model for Army's training of IONs. The Army developed our own interactive cyber operator course external to NSA's training pipeline with a curriculum informed by and more directly supporting the evolving USCYBERCOM mission. Since the Army's development of this course in 2017, as of January 2019, 73 Army students have graduated, and over 21 individuals have been Joint Qualification Reviewed (JQR)- certified and are on-mission supporting USCYBERCOM operations. The remainder are fulfilling JQR requirements. The Army plan going forward is to hand-pick the high performing graduates of this course and select them for the RIOT course. We project this will increase graduation rates, and help close the ION gap. Tool Developers (TD), much like IONs, fill a critical role in the execution of cyberspace missions by building software and hardware capabilities to enable a variety of operations. To better serve the TD mission, the Army built a developer environment that enables the rapid production and delivery of cyberspace capabilities to our operational force. Our experience indicates officers and civilians are the best equipped to fill the TD work role, often arriving with computer science, electrical engineering, or computer engineering degrees. As a result, the Army developed the Tool Developer Qualification Course (TDQC) in partnership with the University of Maryland Baltimore County (UMBC) Training Center. The 11- month course provides students with the basic fundamentals of computer science and programming. The average class size is 14, with a graduation rate of approximately 75 percent. The high pass rate is directly attributed to the strong emphasis placed on identifying and assessing the best candidates for the course. Since 2016, the Army has successfully graduated 64 soldiers. The Army executes assessment tests and selection panels to identify the best qualified TD and ION candidates. The most experienced in the force administer the assessments and oversee the selection panels, ensuring the prospective candidates understand the rigors and challenges ahead of them. Once a candidate is selected, (e.g. IONs for RIOT), a mentor is assigned to them to ensure help is available should the need arise. However, the aptitudes and talent required for ION and TD roles come from the same population. As we improve recruiting and training, we must also improve retention of our Cyber force. The attrition rate of trained IONs and TDs equals or exceeds the production rate of new personnel. Part of the challenge with this highly technical force is compensating trained and experienced IONs and TDs at an appropriate level. Currently HQDA has authorized the maximum Selective Retention Bonus it can provide ($72,000 for a 6-year re-enlistment) for enlisted soldiers serving as IONs, TDs, and Exploitation Analysts (EA). HQDA has also implemented a Written Bonus Agreement that will have a maximum of $100,000 for an additional four years of service for our most experienced senior Non-Commissioned Officers, and has approved Assignment Incentive Pay ranging from $200-$500 a month and Special Duty Assignment Pay ranging from $150-$300 per month for personnel trained and serving in these key work roles. ARCYBER leadership continues to work with HQDA to maximize the benefits that can be provided to these soldiers by law, in order to reduce the compensation gap that can be offered by the private sector, or even other governmental agencies. Senator Rounds. General Crall, I'm out of time, but the same questions that I've asked of General Fogarty I will be asking of you for the record, as well. [The information referred to follows:] Brigadier General Crall. [Deleted.] Senator Rounds. Thank you. With that, Senator Tillis. Senator Tillis. Thank you, Mr. Chair. Again, thank you all for being here. General Crall, thank you for, I think, covering good landscape in your opening comments. Ms. Miller, my first question is for you. I believe you chair the Cyber Workforce Management Board. Is that correct? Ms. Miller. Yes, sir, along with---- Senator Tillis. And P&R [Personnel and Readiness] co- chairs, right? Ms. Miller.--P&R, exactly. Senator Tillis. Tell me a little bit about how that relationship works, and how the roles are playing out right now. Ms. Miller. Well, actually, sir, we're very well aligned. The board was charted to manage the health and welfare maturity of the force, both civilian and military, so we have an opportunity to oversee and assess the use of the force, how we are doing on the recruiting and attracting, as General Crall talked about. Predominantly, efforts have been focused on Phase 1 and how we code the positions, identifying the work roles and understanding where our shortfalls are and where we need to focus our efforts. But, I think it's pretty safe to say, the relationship between the three organizations are very closely aligned. We meet on a regular basis, and our staffs are joined at working the issues, be it with the coding or with the hiring-and-retention piece. Senator Tillis. This question is probably for all of you. I spent virtually all of my professional career in technology, first in research and development, then architecture definition, deployment, and then project execution. Sometimes I worked at Pricewaterhouse, so sometimes we would acquire another firm, or at IBM we would acquire another firm, and it would be standing alone, but it really didn't make sense to have it stand alone for long. In most of your mission sets, I can see a very rational basis for--the mission of the Marines has its own kind of training, tools, tactics, it's separate from the Army, the Navy, the Air Force. But, in this domain, I'm struggling--except at the atomic level, maybe equipment that you need to a service line--I'm struggling to understand why we're not looking at a more innovative way to leverage--you know, we had matrixed organizations, where we have the silos of the service lines now, or we had market domains or technology domains--but the common platform that we're talking about, can you explain to me the rationale for having--and the risk of having duplicative systems and environments and potentially sub-optimizing some of the cross-learning? I'm not saying that any one service should own it, but I'm wondering whether or not we should be looking at a very different structure than the current trajectory. Lieutenant General Stewart. Let me take the first shot at this one. In fact, what we've designed and what we've put forward, Senator, is what we call the Joint Cyber Warfighting Architecture. It is an integrated architecture. It includes building common firing platforms, common set of tools, common infrastructure, common cockpit for command and control. Now, none of the services will do that by themselves, but we will designate a specific service to build one element of that Joint Cyber Warfighting Architecture. Senator Tillis. So, a center-of-excellence sort of capability. Lieutenant General Stewart. So, for the training component, the Army will take that persistent common training environment. so, they will bring that into a common architecture, where U.S. Cyber Command will set the standards, set the information exchange protocols, and then each of the elements within our subordinate elements within Cyber Command will build those pieces and those components to a common standard. So, we get the idea that we don't want each of the services build their own unique tools, build their own training environment, build it on--and so, now we've put that all together, and we structured that into what we call the Joint Cyber Warfighting Architecture. Senator Tillis. And the government---- Lieutenant General Stewart. So, we're moving in that---- Senator Tillis. Okay. Lieutenant General Stewart.--direction. Senator Tillis. Because I'm going to be limited on time--I have to step out briefly to go to a VA [Veterans Affairs] Committee--I think that the--with respect to something that General Fogarty and I talked about, and as Chair of the Personnel Subcommittee, we have provided some authorizations that, hopefully, are helping you be a little bit more competitive recruiting and retaining resources. But, you can expect that we'll have a hearing in Personnel to talk about what more we can do. General Crall, you made a very important point. If we're giving you these authorities to use to be more competitive, but we're also going to be expecting seeing how they've been used and what the results are. We'll discuss those in the--we'll discuss those in the hearing or in meetings that we'll have in my office. For many of you, I've got a lot of questions, and I know-- I'm looking forward to getting back so we can go to the closed session, but I'll probably have a number of questions that are structural in nature that'll be instructive to some of the work we'll be doing on the Personnel Subcommittee. Thank you, Mr. Chair. Senator Rounds. Thank you. Senator Nelson. Senator Nelson. General Stewart, how are we going to objectively measure the readiness of Cyber Mission Force to execute their mission? Lieutenant General Stewart. So, we know we have a standard now that the Chairman measures: personnel readiness, number of folks that the services are providing, the level of their training. So, we have a standard approach for measuring that. Now, what we have to do is--in U.S. Cyber Command, is clearly define the mission essential task and the joint mission essential task that says, ``When a team is presented to us, here are the things that we need them to do against a particular target set.'' That is more than just the personnel. That's easy objective measurement. The services are either providing them at a certain level or they're not, they're either trained to a certain level or not. Quite frankly, the services are doing a remarkable job in presenting personnel. Senator Nelson. Will the combatant commanders understand this so-called meaningful set of metrics that you're talking about, a standard? Lieutenant General Stewart. There is no doubt in my mind that we've identified intelligence requirements that are essential for delivering capabilities, we've identified access requirements that are important, we've identified tools and munitions that are important, we've identified architecture that's important to get to the target. Those are things that I think any combatant commanders would understand, ``In order for me to have an operational effect, here are the things that I must have in order to deliver those outcomes.'' So, we think that's pretty well-defined, and we'll continue to refine that over time. Senator Nelson. So, how are you going to make sure that the services are giving you what you need in their training and standards? Lieutenant General Stewart. We've now mandated or laid out the requirements for 1,000-2,000 level. That's the basic entry- level training. The services are building capability and capacity. We were just down in Georgia, had an opportunity to see the things that the Army was doing. All of the services understand the requirements. Quite frankly, Senator, I think they're delivering a fairly capable--and I say that, ``fairly capable,'' because we now have to take them, when they come to Cyber Command, and take them from the journeymen and the apprentice level to the mastery level. I think the services are doing a remarkable job, and we have to--to go back to the question on IONs, for instance, we have to now define whether or not we have the right number of IONs on the teams. We started with a number, based on our best guess of how we would operate in the space. The reality is, we may not need as many IONs, and that will change the training requirements and allow us to do some things that are more creative to get our workforce from journeyman, from apprentice, to a mastery level. I--we're working to refine those as we speak. Senator Nelson. General Fogarty, the Secretary assigned to you the job of building a cyber range and training system. Why aren't all of these separate ranges being consolidated and moving to a cloud? Lieutenant General Fogarty. Senator, currently, there are so many ranges--there are so many ranges. I'm the executive agent for the training ranges. There are a whole series of test-and-evaluation ranges that TRMC [Test Resource Management Center] is the executive agent for. Services have built ranges. So, what we're trying to do at this point is start to move these ranges, connect them. The objective actually is to move them into the cloud. So, that's the direction we believe we need to be at. But, it's--I think it's similar to many challenges. Over a long period of time, you had organizations that built their own capability because they had an immediate need for it. We're at the point now where we're--we've inventoried those. We know what the advantages and disadvantages of the different ranges are, how to better connect them. There are certain ranges that, frankly, we'll probably have very limited interest in. It doesn't mean there's not a requirement, but it's not for the Cyber Mission Force. There's others that are very robust. We don't want to duplicate that. We actually want to connect to those ranges. Senator Nelson. Can I assume that what you're saying is that you're going to move to the cloud so that you don't have to constantly upgrade the in-house computing infrastructure? Lieutenant General Fogarty. Senator, that's actually a succinct way of saying that, but we're---- Senator Nelson. Okay. Lieutenant General Fogarty.--we're not there yet---- Senator Nelson. Let me---- Lieutenant General Fogarty.--for sure. Senator Nelson. Let me ask General Crall. Cyber Command, created in 2009, but it wasn't until 2013 that we actually started to build the mission force. So, a number of years, we had a command with no forces. It took another couple of years for the Department to start the acquisition process for command and control, network, infrastructure, weapons, and so forth. Why the delays? Brigadier General Crall. Sir, that's probably a question that I'll have to go back and do some forensics to give you an adequate answer. I can give you a few answers that I think apply generally, and certainly not making excuses. But, understanding what rightsizing looks like, I've learned the challenges of moving anything quickly in the Department. Matching resources, at the time they're available, with the need and the planning that we're trying to execute has also been a challenge. You could ask the same question on our infrastructure, writ large. We've been modernizing our IT infrastructure for 10 years, at least, in a holistic fashion. Change has been difficult, but I think we're looking at the problem set in a new way. And, in the closed session, we're going to lay out a placemat for you to consider the ``eaches'' of how we're trying to do this in a way that makes some sense. But, I'll tell you, sir, one of the areas that we're making improvements on, General Stewart has already covered. We've allowed too much of unique building. Lack of standards, allowing each person to do what's right in their own eyes in the process, and not holding individuals or services accountable for a common standard, I believe, have all been contributors, and significant contributors, to delays. Senator Nelson. Thanks. Senator Rounds. Senator Gillibrand. Senator Gillibrand. General Stewart, I appreciate that your authority is focused on addressing foreign cyberactivities and you're constrained in working on domestic matters. However, I'm very concerned that foreign adversaries have abused the borderless nature of the Internet to stage cyberattacks on our domestic critical infrastructure, such as our election system. How do you coordinate with domestic Federal agencies, as well as local and State agencies, where much of our election security is entrusted? Lieutenant General Stewart. Well, we're generally not, Senator, directly interfacing with the State and local levels. We are, in fact, working closely with the Department of Homeland Security. We've had a series of engagements to ensure that they understand the threats as we see the threats, that we've asked them to pass those indicators of compromises down to the States so they can also see the threats. So, we're working this, to borrow a phrase, by, with, and through DHS [Department of Homeland Security] to get the insights that we have, both from Cyber Command and from our NSA partners, turn those into real indicators, and pushing those out to the State and local level. Beyond that, we have limited authority to go to the State and local levels. So, if I were going to use this platform to send a message, I suspect the message would be: As we move indicators of compromise from DHS down to the State levels, how do we make sure the States are loading those indicators of compromise onto the appropriate sensors and then passing them back up through DHS so that we can be proactive in going after the adversary in gray and red space? Senator Gillibrand. It also sounds, though, that your limited authority is limiting for you. I'm concerned that, you know, you have a mission to protect this country and our critical infrastructure. That's part of Department of Defense mission. But, you've not been given all the authorities you need, in fact, to prevent or stop or respond to cyberattacks to critical infrastructure if it has to do with the electoral system. I think that's a mistake. So, one thing that I hope you will do is seek the authorities that you think you need from this committee, because, regardless of what the administration believes, I believe that better coordination, more holistic coordination, through the National Guard perhaps, so that the States can have on-the-ground expertise that is feeding information and data and intelligence back up to the Department, so that you have a fully integrated defense system for this country. Because if they were bombing a powerplant or they were bombing, or even cyberattacking, a powerplant, you might have a response, or a responsibility, but, because somehow it's an election infrastructure, you have to stay hands-off. So, I hope that you will seek authorities, as you believe from your expertise you think you should have them. Lieutenant General Stewart. In the closed session, we should probably talk about the changes in authorities over the last 6 months. Senator Gillibrand. Correct. Lieutenant General Stewart. If you had approached me 6 months ago about the limits of our authorities, I would tell you that it would cause me great frustration. Senator Gillibrand. Yes. Lieutenant General Stewart. We're in a much better place today, Senator. Senator Gillibrand. I understand. But, I think there's even more authority that you should seek, especially in giving more support to the National Guard to continue to be eyes and ears on the ground. We will--I will pursue this more in closed session, because I think it's so vital. General Crall, the military's ability to pay for high- quality educational degrees through ROTC [Reserve Officer Training Corps.] programs or direct accession programs for skilled doctors and lawyers have undoubtedly played a key role in recruiting talented individuals into our uniformed ranks. In addition to paying cyber operators for the skills through specialized compensation, I also believe we should leverage our ability to pay for the educational--education of servicemembers and civilians interested in joining the cyber workforce. Do you believe that a cyber ROTC scholarship or advanced degree- holders would help us to attract skilled military cyber officers? Brigadier General Crall. Ma'am, I do. I believe that's a wise course of action. In fact, in the opening, we talked about expanding all the opportunities. But, what I would also add to that is, it's important for us to ensure that, when we track this, we learn what's working and what doesn't work. I've found that sometimes these things are a bit counterintuitive. We have to apply our resources properly, as you would expect us to, and we want to make sure, as the markets change, we follow those trends very carefully and we apply our valued resources to the right population groups and pockets. But, I will say this. Every university--this is anecdotal, this is me walking around and talking to people in these environments--it is the most talked-about subject matter. Whether we're at the service academies or out in the local communities, we've got a large force of young civilians who are very interested and eager to work in the cyber workforce. Senator Gillibrand. Thank you. Thank you, Mr. Chairman. Senator Rounds. Thank you. Senator Warren. Senator Warren. Thank you, Mr. Chairman. Thank you, to our witnesses, for being here today. Talent management is a critical component of the ability to maintain cyber readiness. That means that we need to recruit and retain for a set of skills that might not necessarily be considered traditional military skills. I was glad to see that talent management is included as a key component of the Department's updated cyber strategy, which was released last week. But, the strategy doesn't offer much detail on the specifics of how exactly the Department plans to recruit and retain men and women with the necessary skills. So, can I start with you, General Crall? Can you be more specific for us on the Department's long-term plans for cyber talent management? Brigadier General Crall. Yes, ma'am, I can. I'll also share with you some shortcomings in that, because I think your instincts of maybe--on some of the leads of understanding that market, we may not be as refined as we need to be. I share--if those are your concerns, I share some of those. But, yes, when it comes to developing, you know, the recruitment aspect, the military side has a very unique recruiting campaign and designated workforce that gets after that, professional recruiters who work very aggressively at ensuring that message is out. In part of my opening, I described a kind of a vacuum for the Federal Government side. The civilian side, we really don't have, even the initial tenets of our Cyber-Excepted Service, well known. So, we need to get our message out, for one. One of the ways that we could get that message out is to ensure that we have very robust presences in areas where these people are being trained--in academia, you know, our universities, internships, exchanges with private sector--all of those areas where we can get natural exposure to some of those benefits that only we can provide. And, while it's still, I would say, maybe anecdotal to express it this way, the people that we've spoken to have explained very carefully their desire to serve the Nation, do unique mission sets they can't do in the private sector, and work with emerging technology. Those are things that we can offer that--very unique to our government. So, yes, we need to do more in that. On the civilian side for Excepted Service, I had mentioned we've covered a few to close some of the pay gaps. Congress has given us the authority to address some of those, to include regional pay gaps, compensation, higher step increases. But, those are normally only known by those who are really at our doorstep already. We need to do a better job of getting the word out on what we can offer, and to pursue those individuals at a very early start. Senator Warren. Well, I'm very glad to hear this, General Crall, and glad to hear your enthusiasm for this. You know, our readiness is only as good as our people. If we don't recruit and retain the best and offer the kind of career incentives for people to stay in public service, then we can't mount an effective cybersecurity defense or response. So, thank you for that. I have one other issue I want to raise. I am a big supporter of the Defense Innovation Unit, which has an office in Cambridge, for piloting new approaches to technology, including cyber and software engineering. I want to ask about one of those experiments. In 2016, the software system at the Al Udeid Air Operations Center in Qatar was so outdated--are you ready for this? In 2016, airmen were using a flight board to manage aerial refueling. Now, in response, DIU [Defense Innovation Unit] worked with the Air Force to sponsor a small program, called the Kessel Run, to teach Active Duty Air Force personnel how to code. In the span of 4 months, at a cost of just about $2 million, they designed a software application that automated the refueling. And because the airmen now have the coding skills, they can continuously update that software to meet the mission. So, maybe I could ask you, Ms. Miller. Do you think having in-house coding ability like this can also help improve our cyber operational readiness? Ms. Miller. Yes, ma'am, I do. That's actually one of the skillsets. If you look at the list of specific skills that we know we need to mature, that is one at the top of the list. Senator Warren. So, we're trying to build this in-house. I think that makes a lot of sense. I'm glad to hear it. But, getting the Kessel Run Development Lab up and running was not easy. I understand there was some real resistance within segments of the Department. So, the question I want to ask is, How can we normalize and scale these types of programs up and make technical skills, like coding or cyber defense, a core competency for Active Duty personnel and defense civilians? General Crall, it looks like you want to answer. Brigadier General Crall. Yes, ma'am. This is an exciting question, because you're---- Senator Warren. Good. Brigadier General Crall.--you're spot-on. We have young folks, who are--have zero experience in doing this formally, who are writing programs for us today. Going back to my answer earlier, the proper venue and outlet for this is to ensure that we have the right developers toolkits and the right coding infrastructure, the lateral limits, left and right, so that they know what standards to write these to. We spent a lot of time and frustration in the Department of trying to make these disparate software applications communicate with each other. In the closed session, I can cover some of the solutions we have. But, they are screaming for ways to contribute, and we are taking that onboard, and it's showing great promise. But, there is a lot of work ahead, ma'am. Senator Warren. Good. So, I--again, I'm glad to hear your enthusiasm, but I sure want us to concentrate on how we can scale this up and normalize it within the Department. Thank you. Thank you, Mr. Chair. Senator Rounds. Thank you, Senator. Okay, this will conclude the open portion of the session. My intention is to recess until 4 o'clock, and that will be in SVC-217. At this point, we will recess. [The open portion of the hearing concluded at 3:42 p.m. The Subcommittees recessed until 4:00 p.m. to meet for the closed portion of this hearing.] [Questions for the record with answers supplied follow:] Questions Submitted by Senator M. Michael Rounds redundancy 1. Senator Rounds. Lieutenant General Stewart, to serve in the interim as the Unified Platform is developed, does Cyber Command have or plan to develop an integrated database or organizing structure of all tools and tool development efforts in the Services and its own capabilities development group? Lieutenant General Stewart. [Deleted.] 2. Senator Rounds. Lieutenant General Stewart, what redundancies has Cyber Command seen in the Services and what efforts are underway to mitigate them? Lieutenant General Stewart. [Deleted.] missing authorities and outstanding resource issues 3. Senator Rounds. Brigadier General Crall and Lieutenant General Stewart, please provide a list of missing authorities, outstanding resource issues and misallocations, and interagency issues that are hampering the readiness of the Cyber Mission Force, to include difficulties in using accesses and tools that originate with the intelligence community. Brigadier General Crall. My fellow witness, Lieutenant General Stewart, is best positioned to provide a response regarding the authorities related to the Cyber Mission Force. Lieutenant General Stewart. [Deleted.] tools 4. Senator Rounds. Lieutenant General Stewart, how much do each of the Services and how much does CYBERCOM spend on tool development each year? How does this compare with the NSA? Lieutenant General Stewart. [Deleted.] 5. Senator Rounds. Lieutenant General Stewart, what efforts-- manning, technological, and policy--are underway to accelerate CYBERCOM's tool development (including accessing and surveilling of adversary networks)? How can Congress help? Lieutenant General Stewart. [Deleted.] information warfare 6. Senator Rounds. Brigadier General Crall, what efforts are underway to integrate cyber operations with information operations, electronic warfare and military deception especially at CYBERCOM? How can Congress help in this regard? Brigadier General Crall. [Deleted.] 7. Senator Rounds. Brigadier General Crall, how are the PCA and CYBERCOM working with ASD(SO/LIC) and SOCOM to integrate information warfare into cyber operations? What efforts are still required? Brigadier General Crall. [Deleted.] metrics 8. Senator Rounds. Lieutenant General Stewart, it is our understanding that the readiness metrics CYBERCOM uses are built off of those used for conventional forces, assessing manning, training, and ``equipment'' as percentages instead of measuring the capability and capacity of a given team. How do these metrics compare to those used by SOCOM, and is work underway to determine what the best metrics to measure force capability are going forward? Lieutenant General Stewart. [Deleted.] 9. Senator Rounds. Lieutenant General Stewart, please provide a complete spreadsheet of the manning status of each required position-- including tool developer, exploitation analyst, and on-network operator--for each team in the Cyber Mission Force. Lieutenant General Stewart. [Deleted.] timelines 10. Senator Rounds. Lieutenant General Stewart and Brigadier General Crall, with the Department's cyber posture review and recent policy changes, what is the expected future operational timeline from identification of a target to insertion of malware? Lieutenant General Stewart. [Deleted.] Brigadier General Crall. I support the responses from my fellow witnesses, Lieutenant General Stewart and Lieutenant General Fogarty, on this specific question regarding the expected future operational timeline from identification of a target to insertion of malware. combatant commands 11. Senator Rounds. Lieutenant General Stewart, how many of EUCOM's priority Russian targets has Cyber Command compromised? For how many of these has Cyber Command developed or identified an extant tool? For how many of these has Cyber Command delivered the tool? Lieutenant General Stewart. [Deleted.] 12. Senator Rounds. Lieutenant General Stewart: How many of PACOM's priority Chinese targets has Cyber Command compromised? For how many of these has Cyber Command developed or identified an extant tool? For how many of these has Cyber Command delivered the tool? Lieutenant General Stewart. [Deleted.] __________ Questions Submitted by Senator Kirstin Gillibrand civilian personnel and cyber force mix 13. Senator Gillibrand. Brigadier General Crall, Cyber Command appears in many respects to have been conceived along the lines of a traditional military operational unit, meaning most immediately that ``operators'' are primarily military personnel. This has led to much discussion about relaxing military standards to enlist or commission nontraditional recruits for military service. Meanwhile, civilian employees are not subject to these standards, cost less to the Government in terms of pay, benefits, and training, and generally can stay in one place longer as part of a successful career. Moreover, civilian positions can be filled by individuals who are otherwise not interested or qualified to serve in uniform, leaving those military recruits available for other military duty. For those who are qualified to serve, civilians can also serve in the Guard and Reserve as a compliment to their civilian duties. What is your view of the proper use of civilian personnel in building the cyber force? Brigadier General Crall. [Deleted.] 14. Senator Gillibrand. Brigadier General Crall, what is your view of the optimum force mix of military and civilian personnel? Brigadier General Crall. [Deleted.] 15. Senator Gillibrand. Brigadier General Crall, what is the proper force mix between Active Duty and Reserve personnel (who may also be full time civilian employees within the command)? Brigadier General Crall. My fellow witness, Lieutenant General Fogarty, is best positioned to provide a response regarding the proper mix between Active Duty and Reserve personnel. 16. Senator Gillibrand. Lieutenant General Stewart, among the operational billets in Cyber Command, what percentage are filled by civilian personnel? Lieutenant General Stewart. [Deleted.] 17. Senator Gillibrand. Lieutenant General Stewart and Lieutenant General Fogarty, are any restrictions on the hiring of civilian personnel hampering your ability to hire more civilians? If so, please explain. Lieutenant General Stewart. [Deleted.] Lieutenant General Fogarty. There are restrictions hampering the Army's ability to hire more civilians within the cyber workforce. First is the time requirement to acquire a Top Secret (TS), Sensitive Compartmentalized Information (SCI), Counterintelligence (CI) Polygraph (Poly) security clearance. Cyber professionals are required to obtain and maintain a TS, SCI, Poly which could potentially take over one year to obtain. There may also be an additional security vetting requirement if the place of employment is located with the National Security Agency (NSA) teams/workspace which may take an additional six months for adjudication. The security requirements add significantly to the timeliness of hiring and on-boarding a civilian employee, which may dissuade applicants from applying and following through for these types of positions. However, we are addressing this setback by authorizing civilian new hires to train and work on unclassified mission sets until such time as the security clearance vetting process is complete. Second is the salary rate of cyber professionals working in the private sector compared to that of DA civilians. Private industry can offer significantly higher salaries, stock/share options, bonuses and financial incentives, loan incentives, various types of paid leave packets, daily meals, campus transportation, medical, dental, and child care on work-site as well as an environment that's conducive and attractive to cyber professionals. While dollar for dollar, the salaries are incomparable, the Army can offer a wide range of compensation and incentives that include recruitment, retention, and relocation incentives, student loan incentives, accelerated salary incentives, additional leave incentives, paid federal holidays, paid sick leave, Thrift Savings Plan match incentives, Permanent Change of Station (relocation) benefits and entitlements, coupled with the standard DA civilian compensation packet to include a defined benefit plan (pension) not normally offered in the private sector, plus the stability of the Government workforce. Currently, however, when DA Civilian compensation packages are compared to that of private industry, the Army's inability to offer a comparable industry salary may limit future recruiting and retention efforts of cyber operators. 18. Senator Gillibrand. Lieutenant General Stewart, Lieutenant General Fogarty, and Brigadier General Crall, do you believe that existing personnel authorities for military and civilian personnel are adequate to build the cyber force to meet identified requirements? Lieutenant General Stewart. [Deleted.] Lieutenant General Fogarty. A holistic DOD strategy to building a cohesive cyber workforce that includes the current authorities and an industry level compensation program, for both military and civilians, would reduce the retention and recruitment challenges and help stabilize the current highly skilled cyber workforce while building the future identified requirements. The 37 U.S. Code Sec. 353 limits skill incentive pay to $1,000 per month, and proficiency bonuses to $12,000 per year for qualified cyber soldiers. While adequate for most military career fields, these monetary incentives may not be competitive or commensurate with that of other government agencies and private industry in order to retain our highly skilled talent. Amending the law to enable payments up to $5000 per month for skill incentive pay, and $60,000 per year for proficiency bonuses, provides additional incentives close the compensation disparity between private and military/government sectors. Furthermore, this would enable the services to establish a Cyber Proficiency Pay/Bonus scale similar to that of the Medical and Legal Corps. Furthermore, increased incentive may aid in the retention of the Army's highly skilled, cyber professionals, who are routinely recruited by other government agencies and private industry based upon their extensive training, knowledge, skills and abilities, within key work-rolls. For DA civilians, the current Direct Hiring Authorities (DHA) are adequate. However, the variations between multiple DHAs may hamper the Army's ability to build a cyber civilian workforce. Specifically, streamlined and flexible hiring process would be beneficial to Army Cyber. Brigadier General Crall. I support the responses from my fellow witnesses, Lieutenant General Stewart and Lieutenant General Fogarty, on this specific question regarding personnel authorities for military and civilian personnel.