This is the accessible text file for GAO report number GAO-11-695R 
entitled 'Defense Department Cyber Efforts: Definitions, Focal Point, 
and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace 
Budget Estimates' which was released on July 29, 2011. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-11-695R: 

United States Government Accountability Office: 
Washington, DC 20548: 

July 29, 2011: 

The Honorable W. "Mac" Thornberry:
Chairman:
The Honorable James R. Langevin:
Ranking Member:
Subcommittee on Emerging Threats and Capabilities:
Committee on Armed Services: 

House of Representatives: 

Subject: Defense Department Cyber Efforts: Definitions, Focal Point, 
and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace 
Budget Estimates: 

This letter formally transmits the enclosed final briefing in response 
to a request from the House Armed Services Committee, Subcommittee on 
Emerging Threats and Capabilities, that asked GAO to examine the 
Department of Defense's (DOD) cyber and information assurance budget 
for fiscal year 2012 and future years defense spending. The objectives 
of this review were to (1) assess the extent to which DOD has prepared 
an overarching budget estimate for full-spectrum cyberspace operations 
across the department; and (2) identify the challenges DOD has faced 
in providing such estimates. We provided your offices a preliminary 
briefing on these issues on April 28, 2011. 

The President has identified the cyber threat as one of the most 
serious national security challenges that the nation faces. In 
February 2011 the Deputy Secretary of Defense[Footnote 1] said that 
more than 100 foreign intelligence agencies have tried to breach DOD 
computer networks, and that one was successful in breaching networks 
containing classified information. To aid its efforts in countering 
cyberspace threats, DOD established the U.S. Cyber Command in 2010 and 
is currently undertaking departmentwide efforts to defend against 
cyber threats.[Footnote 2] 

DOD has defined some key cyber-related terms. Cyberspace operations is 
defined as the employment of cyber capabilities where the primary 
purpose is to achieve military objectives or effects in or through 
cyberspace. Such operations include computer network operations and 
activities to operate and defend the global information grid.[Footnote 
3] U.S. Cyber Command defines full-spectrum cyber operations as the 
employment of the full range of cyberspace operations to support 
combatant command operational requirements and the defense of DOD 
information networks. This includes efforts such as computer network 
defense, computer network attack, and computer network exploitation. 
[Footnote 4] Computer network defense is defined as actions taken to 
protect, monitor, analyze, detect, and respond to unauthorized 
activity within DOD information systems and computer networks. 
Computer network attack is defined as actions taken to disrupt, deny, 
degrade, or destroy information resident in computers and computer 
networks, or the computers and networks themselves. Computer network 
exploitation is defined as enabling operations and intelligence 
collection capabilities conducted through the use of computer networks 
to gather data from target or adversary automated information systems 
or networks.[Footnote 5] Information assurance is defined as measures 
that protect and defend information and information systems by 
ensuring their availability, integrity, authentication, 
confidentiality, and nonrepudiation. This includes providing for 
restoration of information systems by incorporating protection, 
detection, and reaction capabilities.[Footnote 6] 

To examine DOD funding for cyberspace operations, we reviewed and 
analyzed various DOD cyber-related budget documents including the 
department's Fiscal Year 2012 IT [Information Technology] President's 
Budget Request.[Footnote 7] We also reviewed Information Assurance 
budget figures for the DOD for fiscal years 2010-2016. Additionally we 
obtained and analyzed key budget documents and met with officials from 
key organizations, including the Office of the Secretary of Defense, 
Assistant Secretary of Defense for Networks and Information 
Integration and Chief Information Officer; Office of the Under 
Secretary of Defense Comptroller/Chief Financial Officer; Office of 
the Under Secretary of Defense for Intelligence; U.S. Cyber Command; 
U.S. Army; U.S. Air Force; U.S. Navy; U.S. Marine Corps; National 
Security Agency; and the Defense Information Systems Agency. We made a 
standardized request to the DOD components and military services for 
information regarding funding for cyberspace operations and budget 
estimates. We further obtained classified budget information taken 
from the military intelligence program budget, but not from the 
national intelligence program. See enclosure I, slide 6, for a list of 
organizations we met with. 

We conducted this performance audit from March to July 2011, in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 

Summary: 

DOD has planned and budgeted for information assurance programs for 
fiscal year 2012 and has projected future years' spending for these 
programs. However, DOD does not yet have an overarching budget 
estimate for full-spectrum cyberspace operations including computer 
network attack, computer network exploitation, and classified funding. 
During February and March 2011, DOD provided Congress with three 
different views of its cybersecurity budget estimates for fiscal year 
2012 ($2.3 billion, $2.8 billion, and $3.2 billion, respectively) that 
included different elements of DOD's cybersecurity efforts[Footnote 
8]. The three budget views are largely related to the Defense-wide 
Information Assurance Program and do not include all full-spectrum 
cyber operation costs, such as computer network exploitation and 
computer network attack, which are funded through classified programs 
from the national intelligence and military intelligence program 
budgets. In addition, according to U.S. Cyber Command officials, the 
command was being established as the fiscal year 2012 information 
assurance budget was being developed, and therefore its funding was 
not coded as information assurance and consequently not included in 
the $2.8 billion President's budget submission. However, U.S. Cyber 
Command officials expect that command funding will be included in the 
fiscal year 2013 information assurance budget. 

DOD's ability to develop an overarching budget estimate for
full-spectrum cyberspace operations has been challenged by the absence of
clear, agreed-upon departmentwide budget definitions and program 
elements for full-spectrum cyberspace operations and the absence of a 
central organization or a methodology for collecting and compiling 
budget information on cyberspace operations. 

With regard to the first issue, DOD has defined some key cyber-related 
terms but it has not yet fully identified the specific types of 
operations and program elements that are associated with full-spectrum 
cyberspace operations for budgeting purposes. In the absence of such 
definitions, there are differing perspectives on the elements that 
constitute cyberspace operations in DOD. DOD's Financial Management 
Regulation established steps for budget submission requirements and 
for reporting information technology and information assurance 
programs to Congress, including identifying the activities that 
constitute information assurance.[Footnote 9] Although computer 
network defense is included in the list of information assurance 
activities, computer network attack and computer network exploitation, 
which are part of full-spectrum cyberspace operations, are not 
accounted for in this regulation.[Footnote 10] Department officials 
stated, and our work confirmed, that since clear cyberspace operations 
definitions for budgeting purposes do not exist, there can be 
significant variations in the elements each organization includes in 
its budget estimate. Additionally, military service officials said 
they are challenged in providing budget estimates for cyberspace 
operations as they are still defining what operations and programs are 
considered cyberspace operations within their respective services. 
Military service officials in particular noted that, once DOD provides 
better guidance and definitions, it will be easier for them to provide 
service-specific budget information. As of May 2011, definitions 
related to DOD's full-spectrum cyberspace operations remain unclear, 
including those needed for budgeting purposes. 

Concerning the second issue, DOD has operationally merged defensive 
and offensive cyberspace operations with the creation of U.S. Cyber 
Command in October 2010, but the department still does not have a 
designated focal point or methodology for collecting and compiling 
budget information on full-spectrum cyberspace operations across the 
department. U.S. Cyber Command has recognized that the department must 
incorporate integrated defensive and offensive cyberspace operations 
into all planning efforts. 

DOD's organization for cyberspace operations is decentralized and 
spread across various offices, commands, agencies, and the military 
services. This decentralization presents challenges with regard to
collecting and compiling a complete DOD cyber budget estimate, as 
various departments and organizations within DOD each include 
different elements as a part of their cyberspace operations budgets. 
For example, the Assistant Secretary of Defense for Networks and 
Information Integration and Chief Information Officer manages the 
Defense-wide Information Assurance Program, a well-developed and 
structured program that has existed since 1998 and produces standard 
budget data for the information assurance portion of cyberspace 
operations. However, this office does not have responsibility for 
preparing a departmentwide full-spectrum cyberspace operations budget 
estimate that includes offensive operations such as computer network 
attack and exploitation because such activities are associated with 
multiple program elements that have both cyber and noncyber components. 

Three of the four military services found it difficult to generate 
complete budget estimates for full-spectrum cyberspace operations that 
included computer network attack and exploitation in response to our 
standardized requests for such information.[Footnote 11] Only the Army 
was able to provide a budget estimate that it believed addressed
full-spectrum cyberspace operations. The Air Force, Navy, and Marine Corps
provided budget estimates for information assurance and cyber-related 
programs. Service officials explained that, historically, computer 
network attack and exploitation have been a part of classified efforts 
involving signals intelligence, information operations, and 
cryptography and appropriately have not been identified in the 
publicly available President's budget. These programs are generally 
funded through the classified military intelligence and national 
intelligence program budgets. However, without including this 
information in its cyberspace operations budget estimates, DOD's and 
the Congress' view of the financial resources dedicated to these
operations is not comprehensive. We present the budget estimates for
fiscal years 2012 to 2016 provided by the Army, Air Force, Navy, and 
Marine Corps on slides 14 to 17 of the enclosed briefing. 

For additional information on the results of our work, see slides 3 
through 17 of the enclosure. 

Conclusions: 

DOD has taken many important steps to better organize its cyberspace 
efforts within a fairly short period of time. Without a complete 
budget estimate for full-spectrum cyberspace operations though, DOD 
does not have a complete picture of the resources it is investing in 
its cyberspace operations. We recognize that this can occur in newly 
emerging mission areas. However, until DOD can provide a complete 
budget estimate for these operations, it will be difficult for the 
department and Congress to obtain an accurate and comprehensive view 
of the resources devoted to this emerging warfighting domain and make 
investment trade-off decisions. In light of the need to confront this 
serious national security challenge and the fiscal constraints the 
nation is facing, it is important that DOD have better visibility of 
its cyberspace resources so that the department and Congress may 
prioritize among the program investments needed to defend DOD's 
computer networks. 

Recommendations for Executive Action: 

To improve DOD's ability to develop and provide consistent and 
complete budget estimates for cyberspace operations across the 
department, we recommend that the Secretary of Defense take the 
following actions: 

* Direct the Under Secretary of Defense for Policy, in coordination 
with the Chairman of the Joint Chiefs of Staff, U.S. Cyber Command, 
and other organizations as appropriate, to develop and document 
cyberspace-related definitions, including identifying specific 
activities and program elements, for purposes of budgeting for full-
spectrum cyberspace operations, that will be used and accepted 
departmentwide. They should also establish a time frame for completing 
these actions. 

* Designate a single focal point to develop a methodology and provide 
a single, departmentwide budget estimate and detailed spending data 
for full-spectrum cyberspace operations (to include computer network 
defense, attack, and exploitation), including unclassified funding as 
well as classified data from the military intelligence and national 
intelligence programs and any other programs, as appropriate. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, DOD partially concurred 
with our recommendations. DOD agreed with the objective of our 
recommendation that the Under Secretary of Defense for Policy, in 
coordination with the Chairman of the Joint Chiefs of Staff and U.S. 
Cyber Command, should develop and document cyberspace-related 
definitions for purposes of budgeting for full-spectrum cyberspace 
operations and establish a time frame for doing so, but did not 
provide a timeline for completing these actions. DOD noted in its 
comments that additional components should be included in identifying 
the specific activities and program elements for purposes of budgeting 
for full-spectrum cyberspace operations and that to ensure the right 
organizations are involved, the department should be given discretion 
to direct implementation of the recommendation. We have adjusted our 
recommendation to allow the department to include other appropriate 
organizations at its discretion. We believe that this adjustment will 
allow the department the flexibility needed to take the actions we 
recommended and encourage DOD to set a time frame for completing these 
actions. 

DOD also partially concurred with our recommendation to designate a 
single focal point to develop a methodology and provide a single, 
departmentwide budget estimate and detailed spending data for
full-spectrum cyberspace operations (to include computer network defense,
attack, and exploitation), including unclassified funding as well as 
classified data from the military intelligence and national 
intelligence programs and any other programs, as appropriate. However, 
DOD stated that the Office of the Director of National Intelligence 
must be intimately involved in the development of budget estimates and 
spending data for classified data related to cyberspace operations 
that are contained in the national intelligence program and suggested 
that we include that Office in our recommendation. We agree that the 
Director of National Intelligence has an important role in cyberspace 
operations and should be involved in the development of budget 
estimates and spending data contained in the national intelligence 
program. We further believe that the Secretary of Defense has the 
ability to coordinate with the Director of National Intelligence, as 
appropriate, to take actions necessary to satisfy our recommendation. 

DOD's comments are reprinted in their entirety in enclosure II. 

We are sending this report to the appropriate congressional 
committees. We are also sending copies to the Secretary of Defense, 
the Secretary of the Army, the Secretary of the Navy, the Secretary of 
the Air Force; the Commandant of the Marine Corps; the Commander of 
U.S. Strategic Command; and the Commander of U.S. Cyber Command. This 
report will also be available at no charge on our Web site at 
[hyperlink, http://www.gao.gov]. 

Should you or your staff have questions concerning this report, please 
contact Davi M. D'Agostino at (202) 512-5431 or dagostinod@gao.gov; or 
Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Key 
contributors to this report were Penney Harwell Caramia, Assistant 
Director; Jeffrey Knott, Assistant Director; Nelsie Alcoser; Katherine 
Lenane; Jamilah Moon; Zsaroq Powe; and Cheryl Weissman. 

Signed by: 

Davi M. D'Agostino:
Director:
Defense Capabilities and Management: 

Signed by: 

Gregory C. Wilshusen:
Director:
Information Technology: 

Enclosures: 

[End of section] 

Enclosure I: 

A Briefing for the Subcommittee on Emerging Threats and Capabilities, 
Committee on Armed Services, House of Representatives: 

Defense Department Cyber Efforts: Definitions, Focal Point, and 
Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget 
Estimates 

July 29, 2011: 

Table of Contents: 
* Background and Definitions; 
* Objectives; 
* Scope and Methodology; 
* Summary; 
* Preliminary Observations; 
* Conclusion; 
* Recommendations for Executive Action; 
* Agency Comments and Our Evaluation. 

Background: Key Definitions: 

Cyberspace Operations is defined as the employment of cyber 
capabilities where the primary purpose is to achieve military 
objectives or effects in or through cyberspace. Such operations 
include computer network operations and activities to operate and 
defend the global information grid. (Department of Defense [DOD] Memo 
CM-0477-08) 

Full-Spectrum Cyber Operations is defined as the employment of the 
full range of cyberspace operations to support combatant command 
operational requirements and the defense of DOD information networks. 
This includes efforts such as computer network defense, computer 
network attack, and computer network exploitation. (U.S. Cyber Command) 

* Computer network defense is defined as actions taken to protect, 
monitor, analyze, detect, and respond to unauthorized activity within 
DOD information systems and computer networks. (Joint Publication 1-02) 

- Information Assurance is defined as measures that protect and defend 
information and information systems by ensuring their availability, 
integrity, authentication, confidentiality, and nonrepudiation. (Joint 
Publication 1-02) 

* Computer network attack is defined as actions taken through the use 
of computer networks to disrupt, deny, degrade, or destroy information 
resident in computers and computer networks, or the computers and 
networks themselves. (Joint Publication 1-02) 

* Computer network exploitation is defined as enabling operations and 
intelligence collection capabilities conducted through the use of 
computer networks to gather data from target or adversary automated 
information systems or networks. (Joint Publication 1-02) 

Background: Past Work: 

In October 2010, DOD established U.S. Cyber Command and tasked the 
military services with providing appropriate service component 
commands and support. DOD, U.S. Cyber Command, and the military 
components are undertaking departmentwide efforts to defend against 
cyber threats to DOD's computer network. 

In May 2011, we reported that DOD and U.S. Cyber Command have made 
progress in identifying roles and responsibilities, describing command 
and control relationships, and defining long-term mission 
requirements, but a greater level of detail is needed to guide the 
military services' efforts. We recommended that DOD develop and 
publish detailed policies and guidance on categories of personnel that 
can conduct cyberspace operations, command and control relationships 
between U.S. Cyber Command and the geographic combatant commanders, 
and long-term mission requirements and capabilities. 

Objectives: 

(1) To what extent has DOD prepared an overarching budget estimate for 
full-spectrum cyberspace operations across the department? 

(2) What challenges has DOD faced in providing such budget estimates? 

Scope and Methodology: 

To address these objectives, we met with cognizant officials and 
analyzed budget documents from key organizations including: 

* Office of the Secretary of Defense (OSD): 
- Assistant Secretary of Defense for Networks and Information
Integration/Chief Information Officer (NII/CIO);
- Office of the Under Secretary of Defense Comptroller/Chief Financial
Officer (USD-(C)/CFO);
- Office of the Under Secretary of Defense for Intelligence (USD-I);

* U.S. Cyber Command; 

* U.S. Army, U.S. Air Force, U.S. Navy, and U.S. Marine Corps; 

* National Security Agency (NSA); 

* Defense Information Systems Agency (DISA).

Summary: 

DOD has planned and budgeted for information assurance programs for 
fiscal year 2012 and has projected future years' spending for these
programs. However, DOD does not yet have an overarching budget 
estimate for full-spectrum cyberspace operations including computer 
network attack, computer network exploitation, and classified funding. 

DOD's ability to develop an overarching budget estimate for full-
spectrum cyberspace operations has been challenged by the absence of 
clear, agreed-upon departmentwide budget definitions and program 
elements for full-spectrum cyberspace operations and the absence of a 
central organization or a methodology for collecting and compiling 
budget information on cyberspace operations. 

Objective One: To what extent has DOD prepared an overarching budget 
estimate for full-spectrum cyberspace operations across the 
department?  

DOD provided Congress with three different views of its fiscal year 
2012 cybersecurity budget estimates, each including different elements 
of DOD's cybersecurity efforts. These estimates did not include all 
full-spectrum cyberspace operation costs, such as computer network 
exploitation and computer network attack, which are funded through 
classified programs from the national intelligence and military 
intelligence program budgets.  

February 2011: 
Initial view of cybersecurity budget estimate submitted by the DOD 
Comptroller for the President's fiscal year 2012 budget; 
$2.3 billion.  

March 2011: 
The Assistant Secretary of Defense, Network Information and 
Integration provided DOD's fiscal year 2012 President's IT 
[Information Technology] Budget and the fiscal year 2012 Defense-wide 
Information Assurance Program (DIAP) submission; 
$2.8 billion. 

March 2011: 
The Assistant Secretary of Defense, Network Information and 
Integration provided an updated view of DOD's total defensive 
cybersecurity budget estimate to include elements not previously 
provided; 
$3.2 billion.  

In February 2011, $2.3 billion was reported by the DOD Comptroller in 
a summary highlighting cybersecurity elements of the fiscal year 2012 
President's budget; this estimate focused largely on the unclassified 
Information Assurance (IA) and operational portion of U.S. Cyber 
Command. 

* This estimate includes unclassified investments in the five IA 
programs/capabilities: (1) Public Key Infrastructure (PKI), (2) Key 
Management Infrastructure (KMI), (3) Comprehensive National 
Cybersecurity Initiative (CNCI), (4) Defense Industrial Base (DIB) 
cybersecurity, and (5) Information Systems Security Program (ISSP) and 
the operational portion of the U.S. Cyber Command. 

Information Assurance (ISSP, PKI, KMI): $2 billion; 
CNCI/DIB (unclassified): $200 million; 
U.S. Cyber Command Operations & Maintenance (O&M): $119 million; 
Total: $2.3 billion. 

Source: GAO analysis of DOD Comptroller and Assistant Secretary of 
Defense for Networks and Information Integration data. 

The military departments, U.S. Cyber Command, DISA, NSA, and OSD 
Information Assurance programs are included in the above $2.3 billion 
figure. However, the military departments and other agencies have
information assurance programs and activities that are not included in 
this $2.3 billion request. 

In March 2011, DOD reported a $2.8 billion fiscal year 2012 budget 
estimate for cybersecurity/information assurance in the DOD fiscal 
year 2012 IT [Information Technology] President’s budget request; the 
estimate was taken from the Cyber Information & Identity Assurance 
segment. 

Information Assurance (ISSP, PKI, KMI): $2 billion; 
CNCI/DIB (Unclassified/classified): $276 million; 
Other cybersecurity/IA Program funds: $547 million; 
Total: $2.8 billion. 

Source: Assistant Secretary of Defense, Networks and Information 
Integration. 

* U.S. Cyber Command Operations and Maintenance (O&M) are not included 
in this $2.8 billion estimate. 
        
In March 2011, DOD provided an updated view of $3.2 billion for total 
defensive cybersecurity operations for fiscal year 2012. This figure 
includes everything in the prior $2.8 billion estimate, plus funding 
for U.S. Cyber Command Research, Development, Test, and Evaluation 
(RDT&E) and Military Construction, Defense Cyber Crime Center (DC3), 
and Science and Technology (S&T) investments. 

Previous Figure: $2.8 billion; 

plus:   

U.S. Cyber Command Operations: $119 million; 
U.S. Cyber Command RDT&E: $26 million; 
U.S. Cyber Command Military Construction (MILCON): $15 million; 
DC3: $26 million; 
S&T: $258 million; 
Subtotal: $440 million; 

equals: 

Total: $3.2 billion. 

Source: Assistant Secretary of Defense, Networks and Information 
Integration. 

Objective Two: What challenges has DOD faced in providing such budget 
estimates? 

DOD has defined some key cyber-related terms, but it has not yet fully 
identified the specific types of operations and program elements that 
are associated with full-spectrum cyberspace operations for budgeting 
purposes. 

DOD has operationally merged defensive and offensive operations with 
the creation of U.S. Cyber Command in October 2010; however, the 
department still does not have a designated focal point or a 
methodology for collecting and compiling budget information on full-
spectrum cyberspace operations across the department. 

In response to our data request, three of the four military services 
found it difficult to generate complete budget estimates for full-
spectrum cyberspace operations that included computer network attack 
and exploitation. Service officials explained that, historically, 
computer network attack and exploitation have been a part of 
classified efforts involving signals intelligence, information 
operations, and cryptography and appropriately have not been 
identified in the President's budget. These programs are generally 
funded through the military intelligence and national intelligence 
program budgets. Consequently, the data provided by the military 
services varied widely in the details they included. 

* Only the Army was able to provide budget estimates that it believed 
included full-spectrum cyber operations for fiscal years 2012 to 2016. 

* The Air Force, Navy, and Marine Corps provided budget estimates for 
fiscal years 2012 to 2016 that focused on information assurance and 
cyber-related programs. 

Table: U.S. Army Estimate:

Program element: ISSP/Information Assurance;
Fiscal year 2012: $276,463,000; 
Fiscal year 2013: $224,746,000; 
Fiscal year 2014: $202,346,000; 
Fiscal year 2015: $208,609,000; 
Fiscal year 2016: $207,028,000. 

Program element: Network Operations Security Center; 
Fiscal year 2012: $138,184,000; 
Fiscal year 2013: $142,757,000; 
Fiscal year 2014: $124,863,000; 
Fiscal year 2015: $137,231,000; 
Fiscal year 2016: $138,354,000. 

Program element: Computer Emergency Response Team; 
Fiscal year 2012: $29,136,000; 
Fiscal year 2013: $31,696,000; 
Fiscal year 2014: $32,227,000; 
Fiscal year 2015: $32,768,000; 
Fiscal year 2016: $33,318,000. 

Program element: Army Cyber Headquarters[A]; 
Fiscal year 2012: $57,639,000; 
Fiscal year 2013: $54,247,000; 
Fiscal year 2014: $55,537,000; 
Fiscal year 2015: $56,865,000; 
Fiscal year 2016: $58,231,000. 

Program element: Army Cyber Brigade; 
Fiscal year 2012: $94,557,000; 
Fiscal year 2013: $96,192,000; 
Fiscal year 2014: $99,055,000; 
Fiscal year 2015: $100,841,000; 
Fiscal year 2016: $101,341,000. 

Program element: Army Public Affairs/Travel[A]; 
Fiscal year 2012: $0; 
Fiscal year 2013: $844,000; 
Fiscal year 2014: $868,000; 
Fiscal year 2015: $902,000; 
Fiscal year 2016: $946,000. 

Program element: Total; 
Fiscal year 2012: $595,979,000; 
Fiscal year 2013: $550,482,000; 
Fiscal year 2014: $514,896,000; 
Fiscal year 2015: $537,216,000; 
Fiscal year 2016: $539,218,000. 

[A] These are projected amounts for fiscal years 2013 through 2016 and 
were not included in the 2012 President's budget submission. 

Source: GAO Analysis of U.S. Army data. 

[End of table] 

Table: U.S. Marine Corps fiscal year 2012 President's Budget 
Submission: 
  
Program element: Marine Forces Cyber; 
Fiscal year 2012: $10,953,000; 
Fiscal year 2013: $11,126,000; 
Fiscal year 2014: $11,350,000; 
Fiscal year 2015: $11,576,000; 
Fiscal year 2016: $11,776,000. 

Program element: Marine Corps Network Operations Security Center; 
Fiscal year 2012: $42,698,000; 
Fiscal year 2013: $44,384,000; 
Fiscal year 2014: $46,265,000; 
Fiscal year 2015: $48,848,000; 
Fiscal year 2016: $45,148,000. 

Program element: Information Assurance; 
Fiscal year 2012: $5,520,000; 
Fiscal year 2013: $5,937,000; 
Fiscal year 2014: $6,349,000; 
Fiscal year 2015: $6,360,000; 
Fiscal year 2016: $6,362,000. 

Program element: Public Key Infrastructure; 
Fiscal year 2012: $9,105,000; 
Fiscal year 2013: $10,203,000; 
Fiscal year 2014: $10,289,000; 
Fiscal year 2015: $10,453,000; 
Fiscal year 2016: $11,083,000. 

Program element: Total; 
Fiscal year 2012: $68,276,000; 
Fiscal year 2013: $71,650,000; 
Fiscal year 2014: $74,253,000; 
Fiscal year 2015: $77,237,000; 
Fiscal year 2016: $74,369,000. 

Note: Figures do not include full-spectrum cyber operations. 

Source: U.S. Marine Corps. 

[End of table] 

Table: U.S. Air Force Fiscal Year 2012 President's Budget Submission: 

Appropriation group: Procurement; 
Fiscal year 2012: $530.5 million; 
Fiscal year 2013: $483.0 million; 
Fiscal year 2014: $508.6 million; 
Fiscal year 2015: $491.2 million; 
Fiscal year 2016: $439.2 million. 

Appropriation group: Research, Development, Testing, and Evaluation; 
Fiscal year 2012: $145.8 million; 
Fiscal year 2013: $124.4 million; 
Fiscal year 2014: $114.9 million; 
Fiscal year 2015: $109.0 million; 
Fiscal year 2016: $125.4 million. 
     
Appropriation group: Military Construction; 
Fiscal year 2012: $15.0 million; 
Fiscal year 2013: $101.0 million; 
Fiscal year 2014: $270.0 million; 
Fiscal year 2015: $0.0; 
Fiscal year 2016: $0.0. 

Appropriation group: Operations and Maintenance; 
Fiscal year 2012: $624.2 million; 
Fiscal year 2013: $587.7 million; 
Fiscal year 2014: $606.8 million; 
Fiscal year 2015: $677.2 million; 
Fiscal year 2016: $630.5 million. 

Appropriation group: Military Personnel; 
Fiscal year 2012: $175.9 million; 
Fiscal year 2013: $180.7 million; 
Fiscal year 2014: $185.5 million; 
Fiscal year 2015: $191.5 million; 
Fiscal year 2016: $197.9 million. 

Appropriation group: Total; 
Fiscal year 2012: $1.491 billion; 
Fiscal year 2013: $1.477 billion; 
Fiscal year 2014: $1.686 billion; 
Fiscal year 2015: $1.469 billion; 
Fiscal year 2016: $1.393 billion. 

Note: The U.S. Air Force is the Executive Agent for U.S. Cyber 
Command, and this table includes Air Force funding for the command. 
    
Source: U.S. Air Force. 

[End of table] 
       
Table: U.S. Navy Fiscal Year 2012 National Security System President's 
Budget Information Technology Budget: 

Appropriation group: Procurement; 
Fiscal year 2012: $627,134,000; 
Fiscal year 2013: $813,619,000; 
Fiscal year 2014: $900,513,000; 
Fiscal year 2015: $834,644,000; 
Fiscal year 2016: $897,445,000.  

Appropriation group: Research, Development, Testing, and Evaluation; 
Fiscal year 2012: $914,049,000; 
Fiscal year 2013: $359,978,000; 
Fiscal year 2014: $284,963,000; 
Fiscal year 2015: $231,063,000; 
Fiscal year 2016: $258,322,000.  

Appropriation group: Working Capital Fund; 
Fiscal year 2012: $292,378,000; 
Fiscal year 2013: $286,740,000; 
Fiscal year 2014: $290,350,000; 
Fiscal year 2015: $295,225,000; 
Fiscal year 2016: $295,193,000.  

Appropriation group: Operations and Maintenance; 
Fiscal year 2012: $1,330,443,000; 
Fiscal year 2013: $1,206,726,000; 
Fiscal year 2014: $1,132,496,000; 
Fiscal year 2015: $1,154,808,000; 
Fiscal year 2016: $1,138,417,000.  

Appropriation group: Operations and Maintenance Navy Reserve; 
Fiscal year 2012: $75,781,000; 
Fiscal year 2013: $77,166,000; 
Fiscal year 2014: $78,788,000; 
Fiscal year 2015: $77,187,000; 
Fiscal year 2016: $78,503,000.  

Appropriation group: Military Personnel; 
Fiscal year 2012: $260,928,000; 
Fiscal year 2013: $273,388,000; 
Fiscal year 2014: $282,476,000; 
Fiscal year 2015: $290,810,000; 
Fiscal year 2016: $269,204,000.  

Appropriation group: Total; 
Fiscal year 2012: $3,500,713,000; 
Fiscal year 2013: $3,017,617,000; 
Fiscal year 2014: $2,969,586,000; 
Fiscal year 2015: $2,883,737,000; 
Fiscal year 2016: $2,937,084,000.  

Note: Numbers do not include full-spectrum cyber operations. 

Source: U.S. Navy. 

[End of table] 

Conclusion: 

DOD has taken many important steps to better organize its cyberspace 
efforts within a fairly short period of time. Without a complete 
budget estimate for full-spectrum cyberspace operations though, DOD 
and Congress do not have a complete picture of the resources DOD is 
investing in its cyberspace operations. We recognize that such 
challenges can occur as new mission areas are established. However, 
until DOD can provide a complete budget estimate for these operations, 
it will be difficult for the department and Congress to obtain an 
accurate and comprehensive view of the resources devoted to this 
emerging warfighting domain and make investment trade-off decisions. 
In light of the need to confront this serious national security threat 
and the fiscal constraints the nation is facing, it is important that 
DOD have better visibility of its cyberspace resources so that the 
department and Congress may prioritize among the program investments 
needed to defend DOD computer networks. 

Recommendations for Executive Action: 

To improve DOD's ability to develop and provide consistent and 
complete budget estimates for cyberspace operations across the 
department, we recommend that the Secretary of Defense take the 
following actions: 

* Direct the Under Secretary of Defense for Policy, in coordination 
with the Chairman of the Joint Chiefs of Staff and U.S. Cyber Command, 
and other organizations as appropriate, to develop and document 
cyberspace-related definitions, including identifying specific 
activities and program elements, for purposes of budgeting for full-
spectrum cyberspace operations, that will be used and accepted 
departmentwide. They should also establish a time frame for completing 
these actions. 

* Designate a single focal point to develop a methodology and provide 
a single, departmentwide budget estimate and detailed spending data 
for full-spectrum cyberspace operations (to include computer network 
defense, attack, and exploitation), including unclassified funding as 
well as classified data from the military intelligence and national 
intelligence programs and any other programs, as appropriate. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, DOD partially concurred 
with our recommendations. DOD agreed with the objective of the 
recommendation that the Under Secretary of Defense for Policy, in 
coordination with the Chairman of the Joint Chiefs of Staff and U.S. 
Cyber Command, should develop and document cyberspace-related 
definitions for purposes of budgeting for full-spectrum cyberspace 
operations and establish a time frame for doing so, but did not 
provide a timeline for completing these actions. DOD noted in its 
comments that additional components should be included in identifying 
the specific activities and program elements for purposes of budgeting 
for full-spectrum cyberspace operations and that to ensure the right 
organizations are involved, the department should be given discretion 
to direct implementation of the recommendation. We have adjusted our 
recommendation to allow the department to include other appropriate 
organizations at its discretion. We believe that this adjustment will 
allow the department the flexibility needed to take the actions we 
recommended and encourage DOD to set a time frame for completing these 
actions. 

DOD also partially concurred with our recommendation to designate a 
single focal point to develop a methodology and provide a single, 
departmentwide budget estimate and detailed spending data for full-
spectrum cyberspace operations (to include computer network defense, 
attack, and exploitation), including unclassified funding as well as 
classified data from the military intelligence and national 
intelligence programs and any other programs, as appropriate. However, 
DOD stated that the Office of the Director of National Intelligence 
must be intimately involved in the development of budget estimates and 
spending data for classified data related to cyberspace operations 
that are contained in the national intelligence program and suggested 
that we include that Office in our recommendation. We agree that the 
Director of National Intelligence has an important role in cyberspace 
operations and should be involved in the development of budget 
estimates and spending data contained in the national intelligence 
program. We further believe that the Secretary of Defense has the 
ability to coordinate with the Director of National Intelligence, as 
appropriate, to take actions necessary to satisfy our recommendation. 

[End of section] 

Enclosure II: 
Department Of Defense: 
Chief Information Officer: 
6000 Defense Pentagon: 
Washington, D.C. 20301-6000 

July 25, 2011: 

Ms. Davi M. D'Agostino: 
Director, Defense Capabilities and Management: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Ms. D'Agostino: 

Thank you for the opportunity to comment on the U.S. Government 
Accountability Office (GAO) Draft Report, GAO-11-695R, "Defense 
Department Cyber Efforts: Definitions, Focal Point, and Methodology 
needed for DoD to Develop Full-Spectrum Cyberspace Budget Estimates," 
dated July 2011 (GAO Code 351584). 

Enclosed are the Department's responses to the GAO recommendations. If 
you have further questions, please contact my focal point, Ms. 
Christine M. Condon at email: chris.condon@osd.mil, 703-697-7627. 

Sincerely, 

Signed by: 

Teresa M. Takai: 

Enclosure: As stated: 

[End of letter] 

GAO Draft Report Dated July 2011: 
GAO-11-695R (GAO Code 351584): 

"Defense Department Cyber Efforts: Definitions, Focal Point, And 
Methodology Needed For DoD To Develop Full-Spectrum Cyberspace Budget 
Estimates" Department Of Defense Comments: 

To The GAO Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense for Policy, in coordination with 
the Chairman of the Joint Chiefs of Staff and U.S. Cyber Command, to 
develop and document cyberspace-related definitions, including 
identifying specific activities and program elements, for purposes of 
budgeting for full-spectrum cyberspace operations that will be used 
and accepted departmentwide. They should also establish a timeframe 
for completing these actions. 

DoD Response: Partially concur. The Department agrees with the 
objective of this recommendation, however, there are additional 
Components that need to be included in identifying specific activities 
and program elements for purposes of budgeting for full-spectrum 
cyberspace operations. To ensure that the right organizations are 
involved, the Department should be given the discretion to direct 
implementation of the recommendation within the Department as it sees 
best. Therefore, the recommendation should be modified to read,
"The GAO recommends that the Secretary of Defense direct the 
development and documentation of cyberspace-related definitions, 
including identification of specific activities and program elements, 
for purposes of budgeting for full-spectrum cyberspace operations that 
will be used and accepted departmentwide. The DoD should also 
establish a timeframe for completing these actions." 

Recommendation 2: The GAO recommends that the Secretary of Defense 
designate a single focal point to develop a methodology and provide a 
single, departmentwide budget estimate and detailed spending data for 
full-spectrum cyberspace operations (to include computer network 
defense, attack, and exploitation), including unclassified funding as 
well as classified data from the military intelligence and national 
intelligence programs and any other programs, as appropriate. 

DoD Response: Partially concur. The Office of the Director of National 
Intelligence must be intimately involved in the development of budget 
estimates and spending data for classified data related to cyberspace 
operations that are contained in the national intelligence program. 
Therefore the recommendation should be rewritten as follows: 

"The GAO recommends that the Secretary of Defense, in coordination 
with the Director of National Intelligence, as appropriate, designate 
a single focal point to develop a methodology to provide a single, 
departmentwide budget estimate with detailed spending data for full-
spectrum cyberspace operations (to include computer network defense, 
attack, and exploitation), including both unclassified and classified 
program funding. Classified funding data should include data from
the military intelligence program, the national intelligence program 
(with assistance from the Office of the Director of National 
Intelligence), and any other programs, as appropriate, releasable at 
higher classification levels when there is a need to know." 

[End of section] 

Footnotes: 

[1] Deputy Secretary of Defense William J. Lynn, III, Remarks on Cyber 
at the RSA Conference, February 15, 2011. 

[2] In May 2011, we reported that DOD and U.S. Cyber Command had made 
progress in identifying roles and responsibilities, describing command 
and control relationships, and defining long-term mission 
requirements, but that a greater level of detail was needed to guide 
the military services' efforts. GAO, Defense Department Cyber Efforts: 
More Detailed Guidance Needed to Ensure Military Services Develop 
Appropriate Cyberspace Capabilities, [hyperlink, 
http://www.gao.gov/products/GAO-11-421] (Washington, D.C.: May 20, 
2011). 

[3] DOD defines the global information grid as the globally 
interconnected, end-to-end set of information capabilities, and 
associated processes for collecting, processing, storing, 
disseminating, and managing information on demand to warfighters, 
policy makers, and support personnel. The global information grid 
includes owned and leased communications and computing systems and 
services, software (including applications), data, security services, 
other associated services and National Security Systems. Joint Chiefs 
of Staff, Joint Pub. 1-02, Department of Defense Dictionary of 
Military and Associated Terms (Nov. 8, 2010, as amended through May 
15, 2011). 

[4] Joint Chiefs of Staff, Joint Pub. 1-02. 

[5] Joint Chiefs of Staff, Joint Pub. 1-02. 

[6] Joint Chiefs of Staff, Joint Pub. 1-02. 

[7] DOD, Fiscal Year 2012 IT Presidents Budget Request, (Washington, 
D.C., March 2011). 

[8] DOD's $2.3 billion cybersecurity budget estimate, provided in 
February 2011, included $2.0 billion for information assurance 
including Information Systems Security Program (ISSP), Public Key 
Infrastructure (PKI) and Key Management Infrastructure (KMI), $200 
million for unclassified programs in Comprehensive National 
Cybersecurity Initiative (CNCI) and Defense Industrial Base (DIB), and 
$119 million for U.S. Cyber Command operations and maintenance. DOD's 
$2.8 billion cybersecurity budget estimate, provided in March 2011, 
included $2.0 billion for information assurance including ISSP, PKI, 
and KMI, $276 million for unclassified and classified programs in CNCI 
and DIB, and $547 million for other cybersecurity and information 
assurance programs. However, funding for U.S. Cyber Command was not 
included in this estimate. DOD's $3.2 billion defensive cybersecurity 
budget estimate, also provided in March 2011, included the entirety of 
the above $2.8 billion estimate and an additional $119 million for 
operations, $26 million for research and development, and $15 million 
for military construction for the U.S. Cyber Command, $26 million for 
the Defense Cyber Crime Center, and $258 million for Science and 
Technology. 

[9] DOD Financial Management Regulation 7000.14R, Vol 2B, Chapter 18 
Information Technology (July 2010). 

[10] Office of Management and Budget, Circular No. A-11, which 
contains guidance on preparing a federal budget, also defines terms 
and activities involving information technology and other related 
areas. Executive Office of the President, Office of Management and 
Budget Circular No. A-11, Preparation, Submission, and Execution of 
the Budget section 53 (July 2010). However, the DOD Financial 
Management Regulation notes that regardless of the guidance in section 
53 of OMB Circular A-11, DOD categorizes information assurance as a 
major reportable category of the global information grid/information 
technology/defense information infrastructure. 

[11] We asked the military services to provide budget estimates for 
full-spectrum cyberspace operations to include computer network 
defense, computer network attack, and computer network exploitation. 

[End of section] 
