Compliance as Code and Improving the ATO Process

A wide-scale cyber-attack in 2020 impacted a staggering number of federal agencies, including the agency that oversees the United States nuclear weapons arsenal. Government officials are still determining what information the hackers may have accessed, and what they might do with it.

The fundamental failure of federal technology security is the costly expenditure of time and resources on processes that do not make our systems more secure. Our muddled compliance activities allow insecure legacy systems to operate longer, increasing the risk of cyber intrusions and other system meltdowns. The vulnerabilities introduced by these lengthy processes have grave consequences for the nation at large.

In federal technology, the approval to launch a new Information Technology (IT) system is known as an Authority to Operate (ATO). In its current state, the process of obtaining an ATO is resource-intensive, time-consuming, and highly cumbersome. The Administration should kick-start a series of immediate, action-oriented initiatives to incentivize and operationalize the automation of ATO processes (also known as “compliance as code”) and position agencies to modernize technology risk management as a whole.

Challenge and Opportunity

While the compliance methodologies that currently comprise the ATO process contribute to managing security and risk, the process itself causes delays to the release of new systems. This perpetuates risk by extending the use of legacy—but often less secure—systems and mires agencies with outdated, inefficient workflows. 

To receive an ATO, government product owners across different agencies are required to demonstrate compliance with similar standards and controls, but the process of providing statements of compliance or “System Security Plans” (SSPs) is redundant and siloed. In addition, SSPs are often hundreds of pages long and oriented toward one-time generation of compliance paperwork over an outdated, three-year life cycle. There are few examples of IT system reciprocity or authorization partnerships between federal agencies, and many are reluctant to share their SSPs with sister organizations that are pushing similar or even identical IT systems through their respective ATO processes. This siloed approach results in duplicative assessments and redundancies that further delay progress. 

The next administration should shift from static compliance to agile security risk management that meets the challenges of the ever-changing threat landscape. The following Plan of Action advances that goal through specific directives for the Office of Management and Budget (OMB) Office of the Federal CIO (OFCIO), General Services Administration (GSA), Technology Transformation Service (TTS), and other agencies.

Plan of Action

The Office of the Federal Chief Information Officer (OFCIO) should serve as the catalyst for several activities aimed at addressing inefficiencies in the ATO attainment process.

OFCIO should draft an OMB Compliance as Code Memorandum that initiates two major activities. 

First, the Memorandum will direct GSA to create a Center of Excellence within the Technology Transformation Service (TTS). The goals and actions of the Center of Excellence are detailed under “Action Two” below. Second, the Memorandum should require Cabinet-level agencies to draft brief “exploration and implementation plans” that describe how the agency or agencies might explore and adopt compliance as code to create efficiencies and reduce burden.1

OFCIO should offer guidance for the types of explorations that agencies might consider. These might include:

During the plan review process, the OFCIO should collaborate with the Resource Management Offices (RMOs) at OMB to identify agencies that offer the most effective plans and innovations.3 Finally, OFCIO should consider releasing a portion of the agency plans publicly with the goal of spurring research and collaboration with industry.

The General Services Administration should create a Cybersecurity Compliance Center of Excellence. 

OMB should commission the creation of a Cybersecurity Compliance Center of Excellence at the General Services Administration (GSA). Joining the six other Centers of Excellence, the Cybersecurity Compliance Center of Excellence (CCCE) would serve to accelerate the adoption of compliance as code solutions, analyze current compliance processes and artifacts, and facilitate cross-agency knowledge-sharing of cybersecurity compliance best practices. In addition, OMB should direct GSA to establish a Steering Committee representative of the Federal Government that leverages the expertise of agency Chief Information Security Officers (CISOs), Deputy CISOs, and Chief Data Officers (CDOs) as well as representatives from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). 

The CCCE Steering Committee will research potential paths to propagate compliance as code that are not overly burdensome to agencies, deliberate on these initiatives, and guide and oversee agency innovations. The ultimate goal for the Steering Committee will be to devise a strategy and series of practices to increase compliance as code adoption via the Cybersecurity Compliance Center of Excellence and OMB oversight. 

The following sections detail potential opportunities for CCCE Steering Committee investigation and evaluation:

Study IT System Acquisition Rules for Vendor Compliance Information. The Steering Committee should review existing acquisition guidance and consider drafting a new acquisition rule that would require software vendors to provide ATO-relevant, machine-readable compliance information to customer agencies. The data package could include control implementation statements, attestation data and evidence guidance for the relevant NIST controls.4 In addition, the new system and process improvements should be agile enough to allow the incorporation of controls unique to a particular application or service.

Shifting the responsibility of managing compliance information from agencies to vendors saves time and taxpayer dollars spent in the duplicative discovery, creation, and maintenance of control implementation guidance for common software. The rule would be doubly effective in time saved if the vendor’s compliance data package has common reciprocity between agencies, allowing for faster adoption of software government wide.5 Finally, the format of the data package should be open sourced, fungible and accessible.

Examine and Improve the Utility of System Security Plans (SSPs). System Security Plans are the baseline validator of a system’s security compliance and a comprehensive summary of an IT system’s security details.6 OMB and the CCCE Steering Committee should direct agencies to investigate the reusability and transmutability of System Security Plans (SSPs) across the Federal Government. A research-focused task force, composed of federal data scientists, compliance subject matter experts, auditors, and CISOs, should research how SSPs are utilized and draft recommendations on how best to improve their utility. The research task force would collect a percentage of agency SSPs, compare time-to-ATOs for various government organizations, and develop a common taxonomy that will allow for reciprocity between government agencies.

Create a Federal Compliance Library. The Steering Committee should investigate the creation of an inter-agency Federal Compliance Library. The library, most likely hosted by NIST, would support cross-agency compliance efforts by offering vetted pre-sets, templates, and baselines for various IT systems. A Federal Compliance Library accelerates the creation and sharing of compliance documentation and allows for historical knowledge and best practices to have impact beyond one agency. These common resources would free up agency compliance resources to focus on authorization materials that require novel documentation.

Explore Open Security Controls Assessment Language (OSCAL). The Steering Committee should explore the value added by mandating the conversion of agency SSP components to machine readable code such as Open Security Controls Assessment Language (OSCAL).7 OSCAL allows for the automated monitoring of control implementation effectiveness while making documentation updates easier and more efficient.

Conclusion

Federal compliance processes are ripe for innovation. The current system is costly and perpetuates risk while trying to control for it. The Plan of Action detailed above creates a cross-agency collaborative environment that will spur localized innovations which can be tested and perfected before scaling government-wide.

Frequently Asked Questions

Why is this recommendation important?

Current compliance processes are slow, costly and ineffective. They result in bureaucratic inertia that stalls the adoption of new technologies and exacerbates risk. The compliance-as-code recommendations outlined in this text dovetail with conclusions drawn from the Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (2018). Compliance-as-code solutions match core actions that are necessary to address cybersecurity risks across the federal enterprise.

Why are OFCIO and TTS best positioned to lead these efforts?

OFCIO and TTS have been successful in guiding and monitoring agencies through a number of technology transformation initiatives including the Data Center Consolidation Initiative, the HTTPS-Only Standard, and the FITARA Scorecard, among many others. OMB OFCIO has the ability to direct agencies to develop exploration plans, as described above, and GSA TTS is well situated to stand up a new Center of Excellence to facilitate pilot initiatives and cross-agency collaboration. In addition, a Steering Committee for the Cybersecurity Compliance Center of Excellence (CCCE) that leverages the expertise of CISOs, Deputy CISOs, and CDOs as well as representatives from NIST and DHS CISA can ensure that GSA and OMB are developing guidance based on the actual situations within agencies. Greater participation and representation from agencies will ensure greater transparency, collaboration and adoption of new innovations.

How will these proposals make the ATO compliance process more efficient?

ATO processes have been a known encumbrance for some time. A handful of agencies have begun to explore automation and compliance as code, including, but not limited to, the Defense Digital Service Rapid ATO12 and the Centers for Medicare and Medicaid “Simplified and Guided Authorization for Rapid ATO” pilot. While many agencies recognize the need, most lack the resources to explore innovations and automate processes. These proposals aim to elevate the issue and proposed solutions to the White House level and align the most promising innovations with support and funding. Once solutions are identified and tested, they can be scaled for government-wide adoption.

Are there risks to centralizing all IT compliance in one library? Are there security concerns?

Published data formats provide greater security than proprietary counterparts. While the reference implementations and data formats must be open, the data collection and analysis of an operational system is fully protected by encryption. If required, certain SSPs can be delivered to new agencies on a by-request basis instead of being made publicly available.

Is it overly burdensome to ask agencies to convert their SSPs to OSCAL?

OSCAL integration across the Federal Government should be evaluated for burden, and agencies’ current technical capacity to support OSCAL integration must be considered. Agencies should consider smaller-scale integrations of OSCAL as a starting point. Research should also be focused on potential time saved from automating compliance checks, streamlining the review process, and increasing the speed of adopting new technologies.

Are there any legal requirements or obstacles for agencies that may prevent them from participating in these reforms?

The request that software vendors provide machine-readable security documentation is to their own benefit. It is currently cumbersome and repetitive for a software vendor to provide information to support the ATO process on an individual basis every time their software is evaluated or implemented. Vendors already decide what information to share and are likely careful about what they choose to provide. A shared SSP library or reciprocity of SSP statements across agencies should not introduce any new legal obstacles or concerns into the process. Vendors should be made aware that any information they share is eligible for a cross-agency shared repository.

What exactly is the scope of the term “compliance as code” in technical terms?

‘Compliance as Code’ is the automated implementation, verification, remediation, monitoring and reporting of compliance information and status. In technical terms, compliance as code can be facilitated by migrating the static SSP from Microsoft Word to OSCAL, including front matter, control implementation statements, and appendices. Additional examples of compliance as code include: evidence gathering and verification code, commit and pull-request automated testing, and DevOps context-aware notifications and documentation. Developer tools such as an RMF- and OSCAL-aware GRC plugin for VS Code and continuous monitoring plugins can also be included.
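As an added illustration (not part of the original memo) of what the SSP-to-OSCAL migration above buys, and of the SSP reuse between agencies discussed under "Examine and Improve the Utility of System Security Plans": once an SSP is machine-readable, "does this plan cover every control in the baseline it imports, with a real implementation statement?" becomes a script. The documents below are hand-constructed samples that follow the general shape of OSCAL's JSON profile and SSP models (profile `imports[].include-controls[].with-ids`, SSP `control-implementation.implemented-requirements[]` with `by-components[]` carrying a `description` and an `implementation-status.state`); they are simplified and are not real agency artifacts or NIST's own tooling.

```python
"""Automated SSP gap and reuse check over OSCAL-shaped documents.

Constructed example: the profile and SSPs below are hand-built samples that
follow the general shape of OSCAL's JSON models, not real agency artifacts.
Control ids such as "ac-2" are assumed NIST SP 800-53 identifiers.
"""
import json

# Constructed profile: the baseline the SSP claims to satisfy.
PROFILE_JSON = """{"profile": {
  "uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Example baseline (constructed)"},
  "imports": [{"href": "#catalog",
    "include-controls": [{"with-ids": ["ac-1", "ac-2", "au-2", "ia-2", "sc-8"]}]}]}}"""

# Constructed SSP for the system under review: one implemented-requirement
# per control, each with by-component statements.
SSP_JSON = """{"system-security-plan": {
  "uuid": "00000000-0000-4000-8000-000000000002",
  "metadata": {"title": "Example system SSP (constructed)"},
  "import-profile": {"href": "#profile"},
  "control-implementation": {"implemented-requirements": [
    {"control-id": "ac-1", "by-components": [{"component-uuid": "c1",
      "description": "Access control policy is published and reviewed annually.",
      "implementation-status": {"state": "implemented"}}]},
    {"control-id": "ac-2", "by-components": [{"component-uuid": "c1",
      "description": "", "implementation-status": {"state": "implemented"}}]},
    {"control-id": "au-2", "by-components": [{"component-uuid": "c2",
      "description": "Audit events are defined in the logging standard.",
      "implementation-status": {"state": "planned"}}]},
    {"control-id": "pe-3", "by-components": [{"component-uuid": "c3",
      "description": "Badge access at the data center.",
      "implementation-status": {"state": "implemented"}}]}]}}}"""

# Constructed SSP from a sister agency running similar software; the
# reciprocity question is which of our gaps it already documents.
DONOR_SSP_JSON = """{"system-security-plan": {
  "uuid": "00000000-0000-4000-8000-000000000003",
  "metadata": {"title": "Sister agency SSP (constructed)"},
  "import-profile": {"href": "#profile"},
  "control-implementation": {"implemented-requirements": [
    {"control-id": "ia-2", "by-components": [{"component-uuid": "d1",
      "description": "Users authenticate with PIV cards via the agency IdP.",
      "implementation-status": {"state": "implemented"}}]},
    {"control-id": "sc-8", "by-components": [{"component-uuid": "d1",
      "description": "TLS rollout scheduled for next quarter.",
      "implementation-status": {"state": "planned"}}]}]}}}"""

PROFILE = json.loads(PROFILE_JSON)
SSP = json.loads(SSP_JSON)
DONOR_SSP = json.loads(DONOR_SSP_JSON)


def selected_controls(profile):
    """Return the set of control ids the profile selects."""
    ids = set()
    for imp in profile["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            ids.update(inc.get("with-ids", []))
    return ids


def implemented_requirements(ssp):
    """Map control id -> list of by-component entries from the SSP."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    return {r["control-id"]: r.get("by-components", []) for r in reqs}


def has_statement(comps):
    """True if at least one component carries a non-empty implementation statement."""
    return any(c.get("description", "").strip() for c in comps)


def fully_implemented(comps):
    """True only if every component reports state 'implemented'."""
    states = {c.get("implementation-status", {}).get("state") for c in comps}
    return bool(comps) and states == {"implemented"}


def gap_report(profile, ssp):
    """Compare the SSP against its baseline and return the reviewer's findings."""
    required = selected_controls(profile)
    impl = implemented_requirements(ssp)
    covered = sorted(required & impl.keys())
    return {
        "missing": sorted(required - impl.keys()),          # no statement at all
        "empty": [c for c in covered if not has_statement(impl[c])],
        "not_implemented": [c for c in covered if not fully_implemented(impl[c])],
        "extra": sorted(impl.keys() - required),            # documented but not selected
    }


def reuse_candidates(donor_ssp, report):
    """Missing controls that a sister agency's SSP documents as fully implemented."""
    donor = implemented_requirements(donor_ssp)
    return sorted(c for c in report["missing"]
                  if c in donor and has_statement(donor[c]) and fully_implemented(donor[c]))


if __name__ == "__main__":
    report = gap_report(PROFILE, SSP)
    print(json.dumps(report, indent=2))
    print("reusable from sister agency:", reuse_candidates(DONOR_SSP, report))
```

The same functions run unchanged against a real OSCAL SSP only to the extent its structure matches the simplified shape assumed here; a full implementation would walk `statements[]` and the imported catalog as well.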

Combating Malicious Cyber Acts, Penny by Penny

Updated below

The Department of the Treasury blocked one transaction by a foreign person or entity who was engaged in malicious cyber activities earlier this year, using the national emergency powers that are available pursuant to a 2015 executive order.

But the value of the intercepted transaction was only $0.04, the Department said in a new report to Congress.

No other transactions were blocked by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) during the reporting period from March 15 to September 8 of this year, according to the Department’s latest report. See Periodic Report on the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, October 3.

Meanwhile, the cost of implementing the national emergency on malicious cyber activities was approximately $770,000 during the latest six-month period, the same report said.

Is this normal? Should Americans be concerned about the stark disparity between the amount of government expenditures and the reported proceeds? The Department of the Treasury did not respond to our inquiry on the subject yesterday. [see update below]

Background on OFAC’s Cyber-Related Sanctions Program can be found here.

Update: An official said that it would be a mistake to judge the efficacy or the efficiency of a particular sanctions program from a single periodic report, especially since these reports are not comprehensive assessments of the program.

Nor are blocked transactions the sole or primary measure of impact. Persons subject to sanctions may experience a range of other impacts, including: the disruption or loss of existing or planned contracts and other relationships with U.S. and foreign business partners; the blocking or rejection of transactions with persons outside of U.S. jurisdiction; the disruption of financial and other activities due to complementary actions taken by U.S. allies and partners; reputational damage due to the exposure of malign activities; the cost of altering and rebuilding cyber infrastructure exposed due to the imposition of sanctions; disavowal by associated governments; and loss of visas to travel to the United States and potentially to other countries.


A Forum for Classified Research on Cybersecurity

By definition, scientists who perform classified research cannot take full advantage of the standard practice of peer review and publication to assure the quality of their work and to disseminate their findings. Instead, military and intelligence agencies tend to provide limited disclosure of classified research to a select, security-cleared audience.

In 2013, the US intelligence community created a new classified journal on cybersecurity called the Journal of Sensitive Cyber Research and Engineering (JSCoRE).

The National Security Agency has just released a redacted version of the tables of contents of the first three volumes of JSCoRE in response to a request under the Freedom of Information Act.

JSCoRE “provides a forum to balance exchange of scientific information while protecting sensitive information detail,” according to the ODNI budget justification book for FY2014 (at p. 233). “Until now, authors conducting non-public cybersecurity research had no widely-recognized high-quality secure venue in which to publish their results. JSCoRE is the first of its kind peer-reviewed journal advancing such engineering results and case studies.”

The titles listed in the newly disclosed JSCoRE tables of contents are not very informative — e.g. “Flexible Adaptive Policy Enforcement for Cross Domain Solutions” — and many of them have been redacted.

However, one title that NSA withheld from release under FOIA was publicly cited in a Government Accountability Office report last year: “The Darkness of Things: Anticipating Obstacles to Intelligence Community Realization of the Internet of Things Opportunity,” JSCoRE, vol. 3, no. 1 (2015) (TS//SI//NF).

“JSCoRE may reside where few can lay eyes on it, but it has plenty of company,” wrote David Malakoff in Science Magazine in 2013. “Worldwide, intelligence services and military forces have long published secret journals” — such as DARPA’s old Journal of Defense Research — “that often touch on technical topics. The demand for restricted outlets is bound to grow as governments classify more information.”

Cybersecurity Resources, and More from CRS

A compilation of online documents and databases related to cybersecurity is presented by the Congressional Research Service in Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources, November 14, 2017.

Other new and updated publications from CRS include the following.

A Primer on U.S. Immigration Policy, November 14, 2017

Defense Primer: Department of Defense Maintenance Depots, CRS In Focus, November 7, 2017

Potential Effects of a U.S. NAFTA Withdrawal: Agricultural Markets, November 13, 2017

State Exports to NAFTA Countries for 2016, CRS memorandum, n.d., October 24, 2017

Membership of the 115th Congress: A Profile, updated November 13, 2017

Drought in the United States: Causes and Current Understanding, updated November 9, 2017

Impact of the Budget Control Act Discretionary Spending Caps on a Continuing Resolution, CRS Insight, November 14, 2017

Saudi Arabia: Background and U.S. Relations, updated November 14, 2017

Jordan: Background and U.S. Relations, updated November 14, 2017

The Latest Chapter in Insider Trading Law: Major Circuit Decision Expands Scope of Liability for Trading on a “Tip”, CRS Legal Sidebar, November 14, 2017

In Any Way, Shape, or Form? What Qualifies As “Any Court” under the Gun Control Act?, CRS Legal Sidebar, November 14, 2017

Generalized System of Preferences: Overview and Issues for Congress, updated November 14, 2017

Trade Promotion Authority (TPA): Frequently Asked Questions, updated November 14, 2017

The Article V Convention to Propose Constitutional Amendments: Current Developments, November 15, 2017

FAS Website Blocked by US Cyber Command, Then Unblocked

For at least the past six months, and perhaps longer, the Federation of American Scientists website has been blocked by U.S. Cyber Command. This week it was unblocked.

The “block” imposed by Cyber Command meant that employees throughout the Department of Defense who attempted to access the FAS website on their government computers were unable to do so. Instead, they were presented with a notice stating: “You have attempted to access a blocked website. Access to this website has been blocked for operational reasons by the DOD Enterprise-Level Protection System.”

The basis for the Cyber Command block is unclear, and official documentation of the decision that we requested has not yet been provided. In all likelihood, it is due to the presence on the FAS website of a small number of currently classified documents that were obtained in the public domain.

The basis for the removal of the block is likewise unclear, though we know that a number of DoD employees complained about the move and advised US Cyber Command that direct access to the FAS website was needed for them to perform their job.

The record of a 2015 hearing of the House Armed Services Committee on Implementing the Department of Defense Cyber Strategy was published last month.

Cyber “Emergency” Order Nets No Culprits

In April 2015, President Obama issued Executive Order 13694 declaring a national emergency to deal with the threat of hostile cyber activity against the United States.

But six months later, the emergency powers that he invoked to punish offenders had still not been used because no qualifying targets were identified, according to a newly released Treasury Department report.

In a White House statement coinciding with the release of last year’s Executive Order, the President said that “Cyber threats pose one of the most serious economic and national security challenges to the United States, and my Administration is pursuing a comprehensive strategy to confront them….  This Executive Order offers a targeted tool for countering the most significant cyber threats that we face.”

The Executive Order authorized the Secretary of the Treasury “to impose sanctions on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”

But although the criminal justice system has produced indictments against suspected Chinese and Iranian hackers, the President’s cyber “emergency” regime has not yielded any comparable results.

In the first periodic report on the implementation of the order, Treasury Secretary Jacob J. Lew said that “No entities or individuals have been designated pursuant to E.O. 13694.” Accordingly, the Department of the Treasury took no punitive licensing actions, and it assessed no monetary penalties, Secretary Lew wrote.

A copy of the Treasury report was obtained through the Freedom of Information Act. See Periodic Report on the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, October 1, 2015.

Even though it generated no policy outputs, implementation of the executive order nevertheless incurred costs of “approximately $760,000, most of which represent wage and salary costs for federal personnel,” the Treasury report said.

Unbeknownst to most people, there are typically multiple “national emergencies” in progress at any given time. A helpful introduction to the subject was prepared by then-CRS specialist Harold C. Relyea a decade ago.

By invoking emergency powers derived from the Constitution or from statutory law, Relyea wrote, “the President may seize property, organize and control the means of production, seize commodities, assign military forces abroad, institute martial law, seize and control all transportation and communication, regulate the operation of private enterprise, restrict travel, and, in a variety of ways, control the lives of United States citizens. [However], Congress may modify, rescind, or render dormant such delegated emergency authority.” See National Emergency Powers, updated August 30, 2007.

One other ongoing “emergency” pertains to North Korea. A Treasury Department Periodic Report on the National Emergency With Respect to North Korea, dated May 21, 2015, reveals that five financial transactions involving North Korean agents or interests — and totaling $23,200 — were blocked by executive order between December 2014 and April 2015. That’s an increase from $17,600 during the previous reporting period.

A Bureaucratic History of Cyber War

When Gen. Keith Alexander became the new director of the National Security Agency in 2005, “his predecessor, Mike Hayden, stepped down, seething with suspicion” – towards Alexander.

As told by Fred Kaplan in his new book Dark Territory, Gen. Hayden and Gen. Alexander had clashed years before in a struggle “for turf and power, leaving Hayden with a bitter taste, a shudder of distrust, about every aspect and activity of the new man in charge.” The feeling was mutual.

The subject (and subtitle) of Kaplan’s book is “the secret history of cyber war.” But the most interesting secrets disclosed here have less to do with any classified missions or technologies than with the internal bureaucratic evolution of the military’s interest in cyber space. Who met with whom, who was appointed to what position, or even (as in the case of Hayden and Alexander) who may have hated whom all turn out to be quite important in the ongoing development of this contested domain.

Kaplan seems to have interviewed almost all of the major players and participants in this history, and he has an engaging story to tell. (Two contrasting reviews of Dark Territory in the New York Times are here and here.)

Meanwhile, the history of cyber war is becoming gradually less secret.

This week, the Department of Defense openly published an updated instruction on Cybersecurity Activities Support to DoD Information Network Operations (DoD Instruction 8530.01, March 7).

It replaces, incorporates and cancels previous directives from 2001 that were for restricted distribution only.

The Federal Cybersecurity Workforce, and More from CRS

New and updated reports from the Congressional Research Service that Congress has withheld from online public distribution include the following.

The Federal Cybersecurity Workforce: Background and Congressional Oversight Issues for the Departments of Defense and Homeland Security, January 8, 2016

The Trans-Pacific Partnership (TPP): In Brief, updated January 8, 2016

American Agriculture and the Trans-Pacific Partnership (TPP) Agreement, January 8, 2016

Cuba: Issues for the 114th Congress, updated January 11, 2016

Guatemala: One President Resigns; Another Elected, to Be Inaugurated January 14, CRS Insight, updated January 11, 2016

China’s Recent Stock Market Volatility: What Are the Implications?, CRS Insight, updated January 9, 2016

Navy John Lewis (TAO-205) Class Oiler Shipbuilding Program: Background and Issues for Congress, updated January 8, 2016

Navy Ship Names: Background for Congress, updated January 8, 2016 (This report explains that “John Lewis (TAO-205) class oilers, previously known as TAO(X)s, are being named for people who fought for civil rights and human rights.” An oiler is a fuel resupply vessel that is used to transfer fuel to surface ships at sea.)

Navy Force Structure and Shipbuilding Plans: Background and Issues for Congress, updated January 8, 2016

Free Riders or Compelled Riders? Key Takeaways as Court Considers Major Union Dues Case, CRS Legal Sidebar, January 12, 2016

Unauthorized Aliens, Higher Education, In-State Tuition, and Financial Aid: Legal Analysis, updated January 11, 2016

The TRIO Programs: A Primer, updated January 11, 2016

The Consolidated Appropriations Act, 2016: Effects on Budgetary Trends, CRS Insight, January 11, 2016

President Obama Announces Executive Actions to “Reduce Gun Violence”, CRS Legal Sidebar, January 8, 2016

Juvenile Justice Funding Trends, updated January 8, 2016

Community Services Block Grants (CSBG): Background and Funding, updated January 8, 2016

Drones, Pope Francis, Encryption, and More from CRS

A new report from the Congressional Research Service looks at the commercial prospects for the emerging drone industry.

“It has been estimated that, over the next 10 years, worldwide production of UAS for all types of applications could rise from $4 billion annually to $14 billion. However, the lack of a regulatory framework, which has delayed commercial deployment, may slow development of a domestic UAS manufacturing industry,” the report said. See Unmanned Aircraft Systems (UAS): Commercial Outlook for a New Industry, September 9, 2015.

In advance of the September 22-27 visit to the United States by Pope Francis, another new CRS report “provides Members of Congress with background information on Pope Francis and a summary of a few selected global issues of congressional interest that have figured prominently on his agenda.” See Pope Francis and Selected Global Issues: Background for Papal Address to Congress, September 8, 2015.

Another new report from CRS on encryption and law enforcement presents “an overview of the perennial issue involving technology outpacing law enforcement and discusses how policy makers and law enforcement officials have dealt with this issue in the past.” See Encryption and Evolving Technology: Implications for U.S. Law Enforcement, September 8, 2015.

Other new and newly updated publications from the Congressional Research Service include the following.

Syrian Refugee Admissions to the United States, CRS Insight, September 10, 2015

An Analysis of Efforts to Double Federal Funding for Physical Sciences and Engineering Research, updated September 8, 2015

Cybersecurity: Data, Statistics, and Glossaries, updated September 8, 2015

Cybersecurity: Legislation, Hearings, and Executive Branch Documents, updated September 8, 2015

The EMV Chip Card Transition: Background, Status, and Issues for Congress, updated September 8, 2015

Cyprus: Reunification Proving Elusive, updated September 10, 2015

Saudi Arabia: Background and U.S. Relations, updated September 8, 2015

Jordan: Background and U.S. Relations, updated September 10, 2015

Iran Nuclear Agreement, updated September 9, 2015

Statutory Qualifications for Executive Branch Positions, updated September 9, 2015

Federal Reserve: Emergency Lending, September 8, 2015


Pentagon’s Cyber Mission Force Takes Shape

The Department of Defense plans to complete the establishment of a new Cyber Mission Force made up of 133 teams of more than 6000 “cyber operators” by 2018, and it’s already nearly halfway there.

From FY2014-2018, DoD intends to spend $1.878 billion to pay for the Cyber Mission Force consisting of approximately 6100 individuals in the four military services, DoD said in response to a question for the record that was published in a congressional hearing volume last month.

“This effort began in October 2013 and today we have 3100 personnel assigned to 58 of the 133 teams,” or nearly 50% of the intended capacity, DoD wrote in response to a question from Rep. Rick Larsen (D-WA) of the House Armed Services Committee. The response was included in the published record of a February 26, 2015 Committee hearing (page 67).

The DoD Cyber Mission Force was described in an April 2015 DoD Cyber Strategy and in April 2015 testimony by Assistant Secretary of Defense Eric Rosenbach:

“The Department of Defense has three primary missions in cyberspace: (1) defend DoD information networks to assure DoD missions, (2) defend the United States against cyberattacks of significant consequence, and (3) provide full-spectrum cyber options to support contingency plans and military operations,” Mr. Rosenbach said.

“To carry out these missions, we are building the Cyber Mission Force and equipping it with the appropriate tools and infrastructure to operate in cyberspace. Once fully manned, trained, and equipped in Fiscal Year 2018, these 133 teams will execute USCYBERCOM’s three primary missions with nearly 6,200 military and civilian personnel,” Mr. Rosenbach said at an April 14 hearing of the Senate Armed Services Committee.

The new Cyber Mission Force will naturally have both defensive and offensive characteristics.

“Congressman, we are building these cyber teams… in order to, one, protect ourselves from cyber attacks,” said Adm. Cecil D. Haney, commander of U.S. Strategic Command. “We are being probed on a daily basis by a variety of different actors.”

“The protection side is one thing,” said Rep. Larsen at the February hearing of the House Armed Services Committee. “What about the other side?”

“The other aspect of it, we are distributing these forces out to the various combatant commands so that they can be integrated into our overall joint military force capability,” Adm. Haney replied.

*    *    *

“Worldwide Cyber Threats” was the subject of an open hearing of the House Intelligence Committee on Thursday.

The foreign intrusions suffered by U.S. government and private networks have yielded some useful lessons, said Director of National Intelligence James R. Clapper.

“Of late, unauthorized disclosures and foreign defensive improvements have cost us some technical accesses, but we are also deriving valuable new insight from cyber security investigations of incidents caused by foreign actors and new means of aggregating and processing big data. Those avenues will help offset some more traditional collection modes that are obsolescent,” he told the Committee.

Cybersecurity and Information Sharing, and More from CRS

New and updated reports from the Congressional Research Service include the following.

Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731, April 20, 2015

FY2016 Appropriations for the Department of Justice (DOJ), April 15, 2015

Domestic Human Trafficking Legislation in the 114th Congress, April 16, 2015

Trade Promotion Authority (TPA): Frequently Asked Questions, April 20, 2015

Mountaintop Mining: Background on Current Controversies, April 20, 2015

FEMA’s Public Assistance Grant Program: Background and Considerations for Congress, April 16, 2015

Cuba: Issues for the 114th Congress, April 17, 2015

DoD Cyber Operations, and More from CRS

A new report from the Congressional Research Service presents an introduction to U.S. military operations in cyberspace and the thorny policy issues that arise from them.

“This report presents an overview of the threat landscape in cyberspace, including the types of offensive weapons available, the targets they are designed to attack, and the types of actors carrying out the attacks. It presents a picture of what kinds of offensive and defensive tools exist and a brief overview of recent attacks. The report then describes the current status of U.S. capabilities, and the national and international authorities under which the U.S. Department of Defense carries out cyber operations.”

The Department of Defense requested $5.1 billion for “cybersecurity” in 2015, the CRS report noted. Cybersecurity here includes funding for cyberspace operations, information assurance, U.S. Cyber Command, the National Cybersecurity Initiative, and related functions. See Cyber Operations in DoD Policy and Plans: Issues for Congress, January 5, 2015.

(The CRS report includes only a capsule summary description of the Stuxnet episode. A fuller account is presented in Kim Zetter’s gripping book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.)

Other noteworthy new and updated CRS reports that Congress has withheld from online public distribution include the following.

State Sponsors of Acts of International Terrorism–Legislative Parameters: In Brief, December 24, 2014

The President’s Immigration Accountability Executive Action of November 20, 2014: Overview and Issues, January 8, 2015

Proposed Retirement of A-10 Aircraft: Background in Brief, January 5, 2015

American War and Military Operations Casualties: Lists and Statistics, January 2, 2015

A Shift in the International Security Environment: Potential Implications for Defense–Issues for Congress, December 31, 2014

Secret Sessions of the House and Senate: Authority, Confidentiality, and Frequency, December 30, 2014

Navy Littoral Combat Ship (LCS) Program: Background and Issues for Congress, December 24, 2014

Navy Shipboard Lasers for Surface, Air and Missile Defense: Background and Issues for Congress, December 23, 2014

Definitions of “Inherently Governmental Function” in Federal Procurement Law and Guidance, December 23, 2014

Congressional Careers: Service Tenure and Patterns of Member Service, 1789-2015, January 3, 2015

The Congressional Research Service has never been more frequently cited or more influential in informing public discourse than it is today, as its publications are increasingly shared with the public in violation of official policy.

But budget cuts and congressional dysfunction seem to have bred discontent among some staff members, judging from an article by former CRS analyst Kevin R. Kosar.

“Thanks to growing pressure from a hyper-partisan Congress, my ability to write clearly and forthrightly about the problems of government–and possible solutions–was limited. And even when we did find time and space to do serious research, lawmakers ignored our work or trashed us if our findings ran contrary to their beliefs. When no legislation is likely to move through the system, there’s simply not much market for the work the CRS, at its best, can do,” he wrote. See “Why I Quit the Congressional Research Service,” Washington Monthly, January/February 2015.