SASC calls for new oversight of Cyber Command


The Senate Armed Services Committee says it has concerns that oversight of Cyber Command and the cyber mission within the Defense Department "is fragmented and weak," calling for creation of a Senate-confirmed position within the undersecretary of defense for policy to supervise and manage the funds of offensive cyber forces.

The Senate committee voted 23-3 on June 14 to report its version of the fiscal 2014 national defense authorization act (S. 1197), detailing its intentions in a newly released legislative report (.pdf).

In the report, the committee says fragmented oversight of Cyber Command and the cyber mission is partly unavoidable, "inasmuch as cyber operations affect every segment of the department, making clear lines of jurisdiction and responsibility impossible to draw."

Different defense organizations are in charge of defensive and offensive cybersecurity, while others have responsibility over "technology, architectures, and acquisition, and another for policy and operational considerations."

The committee doesn't propose a broad consolidation, although its other proposals, besides creation of the new supervisory position within the USD(P), include folding the duties of the DoD chief information officer into the deputy chief management officer (DCMO) and giving the DCMO authority over the National Security Agency's Information Assurance Directorate.

SASC also proposes the chartering of a joint software assurance office as a means of satisfying a provision from the fiscal 2013 authorization act that mandates the use of automated vulnerability analysis tools for DoD systems. The center "would be a logical choice for managing the purchase and distribution of licenses for commercial automated code analysis tools" and for managing the development of improvements to software code analysis tools, the report says.

Defense acquisition of cloud computing would also come under increased scrutiny under the SASC proposal, through a requirement that the undersecretaries of defense for acquisition, technology and logistics, and for intelligence, the DoD CIO and the chair of the Joint Requirements Oversight Council supervise the development and implementation of cloud capabilities for intelligence, surveillance, and reconnaissance data analysis.

The supervision would entail enforcing requirements for interoperability and attribute-based access controls for all ISR cloud systems within military services and agencies, as well as enterprisewide data discovery across domains, and the "correlation of data stored in cloud and non-cloud databases, relational and non-relational databases." The intelligence community in particular has embraced NoSQL databases.

The committee also calls for a comprehensive Internet mapping capability, stating that "charting this new terrain is as fundamental to operations in cyberspace as maps of physical terrain have always been to military campaigns."

For more:
- go to the THOMAS page for S. 1197
- download the legislative report; the DoD CIO language is in Sec. 901 (.pdf)
