The Pentagon wants more than $50 billion for IT and cybersecurity in fiscal 2022, but so far, it hasn’t given Congress a thorough enough justification for that money, according to a top cyber-focused lawmaker.
Rep. Jim Langevin, D-R.I., expressed disappointment Tuesday for the Department of Defense’s lack of specifics in its IT budget request summary for fiscal 2022 — which includes $5.5 billion for cybersecurity and much more for enterprise IT other “cyberspace activities” on top of that. The document gives top-level budget figures for the past and present, but few other programmatic details are shared.
Langevin rebuked acting DOD CIO John Sherman because much of the budget documentation for 2022 is “nearly a carbon copy” from the previous year, equating it to plagiarism. Because of this, DOD’s IT and cyber budget summary document shrank from 30 pages last year to six for fiscal 2022 — “only two of which contain any substance,” the congressman said.
“With all due respect if your office cannot be troubled to put together the necessary materials for this committee’s oversight, how can we trust the stewardship of this critical portfolio?” Langevin, chair of the House Armed Services Cyber, Innovative Technologies, and Information Systems Subcommittee.
He continued: “Without that level of detail, you need to understand, we can’t fulfill our oversight responsibilities; we’re in the dark otherwise,” Langevin said. “That’s unacceptable going forward.”
On top of this, Langevin criticized the department’s seeming lack of understanding of how to define and categorize total cybersecurity spending across its enterprise. For instance, the Navy and Air Force count end-point security differently toward their cybersecurity budgets, he pointed out. That lack of standardization in categorizing IT spending makes putting a top-line number on the DOD’s cybersecurity budget difficult, he said.
“I will own this…we need to do a better job,” Sherman said of the evidence his office presented Congress while pointing to new requirements to restrict some of the materials in the document as controlled unclassified information as part of the reason it shrank.
In addition to agreeing that his office needed to provide Congress more information, Sherman also admitted the issue with how DOD defines and categorizes IT spending — a problem the department perennially has across its budgeting activities. “$5.5 billion for cyber doesn’t indeed represent the totality of cybersecurity for the department,” he said.
Redundancies in the terminology DOD uses for cybersecurity could also create gaps in authorities of that spend, Langevin said, pointing out that DOD uses the terms “operational technology” or “industrial control systems” for the same protection of industrial systems, like air conditioning and elevators.
Langevin has long been a vocal proponent of funding cybersecurity and IT modernization. His subcommittee marks up the section of the defense appropriations bill that grants DOD its IT and cyber funding.
During his testimony, Sherman gave little else away on other hot-button issues, like the Joint Enterprise Defense Infrastructure (JEDI) cloud procurement. He reiterated comments made by Deputy Secretary of Defense Kathleen Hicks that the DOD is in the process of figuring out what it will do next to develop an enterprise cloud solution.