⚡️ News Flash ⚡️

“Open/Closed: Hearing titleTo receive testimony on enterprise security and information technology operations of Department of Defense networks and systems”

Senate Armed Services Committee
March 24, 2026 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony:

• Honorable Kirsten A. Davies: Chief Information Officer, Department of Defense

• Lieutenant General Paul T. Stanton: Director, Defense Information Systems Agency/ Commander, Department of Defense Cyber Defense Command

HEARING HIGHLIGHTS

QUICK SUMMARY

• IT as a Warfighting System: The hearing focused on how the Department of Defense viewed enterprise IT, cybersecurity, and network resilience as core warfighting capabilities rather than back-office support functions. Members and witnesses repeatedly argued that future conflicts would depend on secure, resilient, and globally connected networks that could move data faster than adversaries.

• Modernization and Oversight Challenges: Senators raised concerns about slow acquisition and authorization processes, long standing technical debt, and whether current systems could support modern warfare and large scale AI deployment. They also pressed the department on long term issues such as authority to operate reform, cloud modernization, Cybersecurity Maturity Model Certification, and the need for more transparent engagement with Congress.

• DISA’s Operational Role: LTG Stanton emphasized DISA’s operational role in designing, operating, and defending DoD networks in real time, especially during active operations. He said the department was building redundancy across undersea, terrestrial, and space based communications, expanding zero trust and mission thread defense, and integrating new technologies quickly so commanders could make faster and better decisions.

• Anthropic and AI Risk: A major point of tension came over the department’s designation of Anthropic as a supply chain risk while its tools were still reportedly in operational use. Senators questioned the legal justification, reporting compliance, and operational implications of that decision, while witnesses argued that the department was trying to balance risk reduction with mission continuity and broader AI flexibility.

IN THEIR WORDS

SUMMARY OF OPENING STATEMENTS

• Chair Rounds said the hearing came at a pivotal moment for how the Department of Defense prepared to fight and win, because its digital backbone had become a core warfighting capability rather than a support function. He argued that future conflicts would depend on secure, resilient, and connected networks that could link sensors and shooters faster than adversaries could act. He said the department had recognized the importance of networks and IT infrastructure as a warfighting platform, but he stressed that acquisition, certification, and fielding processes still moved far too slowly. He warned that years of underinvestment had created severe technical debt in hardware and software, which adversaries were already exploiting. He maintained that modernization had to combine speed with security, and he said the department needed clearer requirements and more transparent processes so industry could help deliver the computing, networking, and data capacity that warfighters would need.

• Ranking Member Rosen noted that the delayed budget request left Congress with less time to evaluate the details, which made early visibility into major program changes especially important. She said DISA’s operational role gave it a practical perspective on how policy translated into action, including the effects of resourcing constraints, workforce needs, and technical debt on modernization. She stressed that the department still needed to address long term issues such as Cybersecurity Maturity Model Certification implementation, improvements to the authority to operate process, and the backlog of technical debt affecting network resilience and security. She also said the committee wanted to work collaboratively, but she warned that the department had not been timely or forthcoming enough with information, which had created a trust deficit that needed to be repaired through more open and responsive engagement.

SUMMARY OF WITNESS STATEMENTS

• Ms. Davies said the department’s strategy aimed to turn technology and cybersecurity into a decisive warfighting advantage by enabling data supremacy and decision dominance at the speed and scale required by warfighters. She explained that the department was consolidating enterprise IT and cybersecurity responsibilities under the Chief Information Officer in order to cut inefficient spending, reduce technical debt, accelerate modernization, and strengthen cybersecurity. She said the first pillar focused on building an enduring digital foundation through network modernization, hardened communications transport, broader 5G adoption, data center modernization, cloud evolution, spectrum management, and resilient positioning, navigation, and timing capabilities. She said the second and third pillars focused on agile digital capabilities and a more risk based cybersecurity model, including faster software delivery, standardized data architectures, improved authority to operate processes, expanded zero trust implementation, and less reliance on paperwork driven compliance. She added that the fourth pillar emphasized workforce development and partnerships by clarifying cyber and IT roles, improving recruitment and retention, expanding certification programs with industry and academia, and strengthening digital cooperation with allies and partners.

• Lieutenant General Stanton said the department was making a fundamental shift to ensure that the Department of Defense Information Network functioned as a weapon system that gave warfighters decision advantage. He said DISA and the Department of Defense Cyber Defense Command had to provide a secure, standardized, resilient, and efficient architecture that delivered the right data to the right place at the right time so commanders could make better and faster decisions than their enemies. He explained that his organization supported warfighting by designing, building, securing, operating, and defending the network in close coordination with commanders, and he said it was already doing so in ongoing operations. He emphasized that continuous modernization was essential because new technologies such as artificial intelligence, commercial satellite communications, and mobile data centers were emerging quickly and had to be integrated at speed, including in coalition environments with partners. He also said the department was advancing secure by design systems, zero trust implementation, mission thread defense, and data analytics to protect critical systems, optimize defenses, and preserve commanders’ decision space, while relying on a skilled and ready workforce to make the architecture effective.

SUMMARY OF KEY Q&A

• Chair Rounds asked how far the department had progressed on network modernization and whether warfighters could keep operating effectively in contested or degraded conditions if networks were attacked or denied. Ms. Davies said network resiliency and traffic effectiveness remained active priorities across the department because globally dispersed joint and partner forces depended on them for current operations. LTG Stanton said DISA had invested in resilient transport through undersea cables, terrestrial fiber, multimodal satellite communications, and fallback routing plans so forces were never dependent on a single path.
  Chair Rounds said the department’s move from thinking in terms of a kill chain to a kill web reflected the need for multiple communications pathways between sensing and weapons employment. LTG Stanton agreed and said the department deliberately built alternate and redundant transport options so operations could continue even when one route was degraded.
  Chair Rounds asked what the department was doing to help smaller defense industrial base companies that lacked the ability to defend themselves against sophisticated state actors. Ms. Davies said the department was treating industrial base resilience as part of its own security, while trying to reduce burdensome requirements and provide more practical guidance and partnership for smaller firms.

• Ranking Member Rosen said she wanted to examine classified lessons from recent operations later, but asked in open session what DISA’s Combat Support Agency role meant in practice during wartime compared with peacetime. LTG Stanton said DISA and Cyber Defense Command were actively monitoring network conditions, rerouting traffic, relocating terminals, leasing new circuits, and solving transport problems in real time to keep critical data moving

  Ranking Member Rosen then asked what lessons the department had learned from the Joint Warfighting Cloud Capability contract and how artificial intelligence might shape its successor. Ms. Davies said the department was expanding JWCC into a broader cloud marketplace with more providers, better financial visibility, stronger interoperability, and improved ability to identify and defend cloud assets across the enterprise.

  Sen. Rosen next asked how they were working with other military and defense agency CIOs in such a decentralized environment. Ms. Davies said she had been meeting regularly with her counterparts to identify strengths, gaps, and uneven performance, and she intended to use the new strategy to raise standards and align the department around stronger cyber defense and operational execution.

• Sen. Reed asked why the department had designated Anthropic as a supply chain risk even though the committee had not yet received the legally required explanation for that decision. Ms. Davies said she had participated in the collaborative decision process, but she declined to discuss the rationale in detail because of active litigation and said the department had offered a briefing and shared court filings and related analysis.

  Sen. Reed pressed on why the department had not yet complied with the statutory reporting requirement. Ms. Davies said she understood that legislative affairs had followed the required process and that the department believed it had met the regulatory steps tied to the designation.
  Sen. Reed then asked whether the department had estimated the cost of removing and replacing Anthropic systems across DoD. Ms. Davies said she knew the department had conducted a risk analysis and built interoperable data architectures for multiple AI tools, but she said she did not have the cost estimate and would take that question back.

  Sen. Reed further asked whether Anthropic Claude was still being used in ongoing military operations. Ms. Davies said the system remained in active use and that the department had allowed a transition period and exceptions process so it would not disrupt ongoing operations.

  Sen. Reed said it seemed contradictory to keep using a system the department had labeled a supply chain risk. Ms. Davies said the department would not jeopardize mission success or warfighter effectiveness and believed it had allowed a reasonable amount of time to replace the system while preserving operational continuity.

• Chair Rounds followed up by asking whether the 180 day removal window left room for further discussions or negotiations given the department’s current reliance on Anthropic. Ms. Davies said the department had designed its data environment to support multiple AI systems and had set what it believed was an appropriate timeline, but she deferred questions about negotiations to the legal team handling the litigation.

  Sen. Rounds then turned to deterrence and asked for a description, in general terms, what offensive cyber capabilities the United States could use to impose costs on adversaries. LTG Stanton said the department could force adversaries to spend more time and resources to achieve their aims and could also use offensive cyber capabilities at speed against hostile activity outside U.S. networks.
  Sen. Rounds then described capabilities such as denying communications, obscuring adversary awareness, and manipulating data inside an opponent’s decision cycle as part of what offensive cyber operations could achieve. LTG Stanton agreed and said those capabilities helped protect U.S. forces by limiting an adversary’s ability to respond effectively on the battlefield.

• Ranking Member Rosen asked about the department’s efforts to streamline the authority to operate process and create more reciprocity across the services and components. Ms. Davies said the current risk management and ATO framework was too fragmented, static, and difficult to inherit across organizations, so the department was pursuing more automation, dynamic repositories, and stronger leadership under the new Chief Information Security Officer.
  Ranking Member Rosen cautioned that moving more dynamically could create vulnerabilities if speed outpaced audits and controls. Ms. Davies said the department intended to use industry best practices such as automated code scanning, code review, and continuous checking to move faster without sacrificing security.
  Ranking Member Rosen then asked how the department was protecting the trustworthiness and integrity of artificial intelligence systems and the data that powered them while still taking advantage of commercial tools. Ms. Davies said her office had already issued AI cybersecurity risk management guidance, was evaluating model risks such as hallucinations and model integrity, and planned to keep updating safeguards as the technology evolved.

ADD TO THE NIMITZ NETWORK

Know someone else who would enjoy our updates? Feel free to forward them this email and have them subscribe here.