The document outlines a new cyber strategy released by the Department of Defense (DoD) in April 2015. The strategy identifies three cyber missions for DoD: defending its own networks; defending U.S. national interests against cyberattacks of significant consequence; and supporting military operations with cyber operations when directed. The strategy also lays out goals for DoD to build ready cyber forces and capabilities, defend DoD networks and data, and develop viable cyber options to control conflict escalation.

1. Top of Form
Rubric Name: Project 1: Outline for an Enterprise IT Security
Policy v2
Criteria
Excellent
Outstanding
Acceptable
Needs Improvement
Needs Significant Improvement
Missing or Unacceptable
Introduction
10 points
Provided an excellent introduction to the deliverable which
clearly, concisely, and accurately summarized the structure and
contents of the outline. Appropriately used information from 3
or more authoritative sources to support the introduction.
8.5 points
Provided an outstanding introduction to the deliverable which
clearly and accurately summarized the structure and contents of
the outline. Appropriately used information from 2 or more
authoritative sources to support the introduction.
7 points
Provided an acceptable introduction to the deliverable which

2. summarized the structure and contents of the outline.
Appropriately used information from authoritative sources to
support the introduction.
6 points
Provided an introduction to the deliverable but the section
lacked some required details. Information from authoritative
sources was mentioned and used.
4 points
Attempted to provide an introduction to the deliverable but this
section lacked detail and/or was not well supported by
information drawn from authoritative sources.
0 points
The introduction section was missing or did not present
information about the contents of the deliverable.
Overview of Organization
20 points
Provided an excellent overview of the organization which
clearly and concisely addressed the following:
• mission statement for the client
• brief overview of the client’s organization
• client's critical infrastructure sector
• information, information systems, and information
infrastructure in the enterprise
• major IT related regulations and laws impacting client's IT
operations
• products / services which the organization provides to its
customers
Appropriately used information from 3 or more authoritative
sources.
18 points

3. Provided an outstanding overview of the organization which
addressed four or more of the following:
• mission statement for the client
• brief overview of the client’s organization
• client's critical infrastructure sector
• information, information systems, and information
infrastructure in the enterprise
• major IT related regulations and laws impacting client's IT
operations
• products / services which the organization provides to its
customers
Appropriately used information from 2 or more authoritative
sources.
16 points
Provided an excellent overview of the organization which
addressed three or more of the following:
• mission statement for the client
• brief overview of the client’s organization
• client's critical infrastructure sector
• information, information systems, and information
infrastructure in the enterprise
• major IT related regulations and laws impacting client's IT
operations
• products / services which the organization provides to its
customers
Appropriately used information from authoritative sources.
11 points
Provided an overview of the organization which addressed at
least two of the following:
• mission statement
• client's critical infrastructure sector
• IT assets needing protection

4. • laws and regulations
Appropriately used information from authoritative sources.
6 points
Attempted to provide an overview of the organization but this
section lacked detail and/or was not well supported by
information drawn from authoritative sources.
0 points
The overview section was missing or did not present
information about the organization
Outline: Coverage of Required Content Areas
30 points
Provided an excellent, well organized outline which addressed
all 15 required content areas. For each content area in the
outline:
(a) provided a brief introduction,
(b) identified two or more relevant risks / threats which must be
mitigated, and
(c) identified two or more applicable security controls to
mitigate the risks.
Appropriately used three or more authoritative sources.
27 points
Provided a well organized outline which addressed at least 12 of
the required content areas. For each content area in the outline:
(a) provided a brief introduction,
(b) identified at least one relevant risk or threat which must be
mitigated, and
(c) identified two or more applicable security controls to
mitigate the risks.
Appropriately used at least two authoritative sources.
24 points

5. Provided an acceptable outline which addressed at least 10 of
the required content areas. For each content area in the outline:
(a) provided a brief introduction,
(b) identified at least one relevant risk or threat which must be
mitigated, and
(c) identified two or more applicable security controls to
mitigate the risks.
Appropriately used authoritative sources.
21 points
Provided an outline which addressed at least 7 of the required
content areas. For each content area in the outline:
(a) provided a brief introduction,
(b) identified at least one relevant risk or threat which must be
mitigated, and
(c) identified at least one applicable security controls to
mitigate the risk(s).
Appropriately used authoritative sources.
11 points
Attempted to provide an outline which address some of the
client's requested content areas. Mentioned risks and security
controls. OR, outline was not well supported by authoritative
sources.
0 points
Outline was missing or did not address the required content
areas.
Outline: Coverage of "Protective

6. Solution
s"
15 points
Identified 10 or more relevant and appropriate protective
solutions (technologies) which can be used to implement
required security controls. Protective solutions are provided for
at least 5 of the enterprise areas covered in the outline.
13 points
Identified 8 or more relevant and appropriate protective
solutions (technologies) which can be used to implement
required security controls. Protective solutions are provided for
at least 4 of the enterprise areas covered in the outline.
11 points
Identified 7 or more relevant and appropriate protective
solutions (technologies) which can be used to implement
required security controls. Protective solutions are provided for
at least 4 of the enterprise areas covered in the outline.
8 points

7. Identified 5 or more protective solutions (technologies) which
can be used to implement required security controls. Protective
solutions are provided for at least 3 of the enterprise areas
covered in the outline.
4 points
Identified relevant protective technologies for at least 2
enterprise areas.
0 points
Not included or no submission
APA Formatting for Citations and Reference List
5 points
Work contains citations and a reference list with entries for all
cited resources. Reference list entries and in-text citations are
correctly formatted using the appropriate APA style for each
type of resource.
4 points
Work contains citations and a reference list with entries for all
cited resources. One or two minor errors in APA format for in-
text citations and/or reference list entries.
3 points

8. Work contains citations and a reference list with entries for all
cited resources. No more than 3 minor errors in APA format for
in-text citations and/or reference list entries.
2 points
Work contains a reference list with entries for most of the cited
resources (no more than 2 omissions). No more than 5 minor
errors in APA format for in-text citations and/or reference list
entries.
1 point
Work attempts to credit sources but demonstrates a fundamental
failure to understand and apply the APA formatting standard as
defined in the Publication Manual of the American
Psychological Association (6th ed.).
0 points
Not included or no submission.
Professionalism Part I: Organization & Appearance
5 points
Submitted work shows outstanding organization and the use of
color, fonts, titles, headings and sub-headings, etc. is
appropriate to the assignment type.
4 points

9. Submitted work has minor style or formatting flaws but still
presents a professional appearance. Submitted work is well
organized and appropriately uses color, fonts, and section
headings (per the assignment’s directions).
3 points
Organization and/or appearance of submitted work could be
improved through better use of fonts, color, titles, headings, etc.
OR Submitted work has multiple style or formatting errors.
Professional appearance could be improved.
2 points
Submitted work has multiple style or formatting errors.
Organization and professional appearance need substantial
improvement.
1 point
Submitted work meets minimum requirements but has major
style and formatting errors. Work is disorganized and needs to
be rewritten for readability and professional appearance.
0 points
Submitted work is poorly organized and formatted. Writing and
presentation are lacking in professional style and appearance.

10. Work does not reflect college level writing skills. Or, no
submission.
Professionalism Part II: Execution
15 points
No formatting, grammar, spelling, or punctuation errors.
14 points
Work contains minor errors in formatting, grammar, spelling or
punctuation which do not significantly impact professional
appearance.
13 points
Errors in formatting, spelling, grammar, or punctuation which
detract from professional appearance of the submitted work.
11 points
Submitted work has numerous errors in formatting, spelling,
grammar, or punctuation. Work is unprofessional in appearance.
4 points
Submitted work is difficult to read / understand and has
significant errors in formatting, spelling, grammar, punctuation,
or word usage.
0 points

11. Submitted work is poorly executed OR does not reflect college
level work. Or, no submission
Overall Score
Excellent
90 or more
Outstanding
80 or more
Acceptable
70 or more
Needs Improvement
56 or more
Needs Significant Improvement
36 or more
Missing or Unacceptable Work
0 or more
Bottom of Form

12. University Library System
This case is a simplified version of a new system for the
University Library. Of course, the library system must keep
track of books. Information is maintained both about book titles
and the individual book copies. Book titles maintain
information about title, author, publisher, and catalog number.
Individual copies maintain copy number, edition, publication
year, ISBN, book status (whether it is on the shelf or loaned
out), and date due back in.
The library also keeps track of its patrons. Because it is a
university library, there are several types of patrons, each with
different privileges. There are faculty patrons, graduate student
patrons, and undergraduate student patrons. Basic information
about all patrons is name, address, and telephone number. For
faculty patrons, additional information is office address and
telephone number. For graduate students, information such as
graduate program and advisor information is maintained. For
undergraduate students, program and total credit hours are
maintained.
The library also keeps information about library loans. A library
loan is a somewhat abstract object. A loan occurs when a patron
approaches the circulation desk with a stack of books to check
out. Over time a patron can have many loans. A loan can have

13. many physical books associated with it. (And a physical book
can be on many loans over a period of time. Information about
past loans is kept in the database.) So, in this case, an
association class should probably be created for loaned books.
If a patron wants a book that is already checked out, the patron
can put that title on reserve. This is another class that does not
represent a concrete object. Each reservation is for only one
title and one patron. Information such as date reserved, priority,
and date fulfilled is maintained. When a book is fulfilled, the
system associates it with the loan on which it was checked out.
Patrons have access to the library information to search for
book titles and to see whether a book is available. A patron can
also reserve a title if all copies are checked out. When patrons
bring books to the circulation desk, a clerk checks out the books
on a loan. Clerks also check books in. When books are dropped
in the return slot, clerks check in the books. Stocking clerks
keep track of the arrival of new books.
The managers in the library have their own activities. They will
print reports of book titles by category. They also like to see
(online) all overdue books. When books get damaged or
destroyed, managers delete information about book copies.
Managers also like to see what books are on reserve.

14. Class Diagram and Use Case Diagram for the University Library
System
2
Testimonies
RAND testimonies record testimony presented by RAND
associates to federal, state, or local legislative
committees; government-appointed commissions and panels;
and private review and oversight bodies.
C O R P O R A T I O N
For More Information
Visit RAND at www.rand.org

15. Explore RAND Testimony
View document details
Support RAND
Browse Reports & Bookstore
Make a charitable contribution
Limited Electronic Distribution Rights
This document and trademark(s) contained herein are protected
by law as indicated in a notice appearing
later in this work. This electronic representation of RAND
intellectual property is provided for non-
commercial use only. Unauthorized posting of RAND electronic
documents to a non-RAND website is
prohibited. RAND electronic documents are protected under
copyright law. Permission is required from
RAND to reproduce, or reuse in another form, any of our
research documents for commercial use. For
information on reprint and linking permissions, please see
RAND Permissions.
Skip all front matter: Jump to Page 16

16. The RAND Corporation is a nonprofit institution that helps
improve policy and
decisionmaking through research and analysis.
This electronic document was made available from
www.rand.org as a public service
of the RAND Corporation.
CHILDREN AND FAMILIES
EDUCATION AND THE ARTS
ENERGY AND ENVIRONMENT
HEALTH AND HEALTH CARE
INFRASTRUCTURE AND
TRANSPORTATION
INTERNATIONAL AFFAIRS
LAW AND BUSINESS
NATIONAL SECURITY

17. POPULATION AND AGING
PUBLIC SAFETY
SCIENCE AND TECHNOLOGY
TERRORISM AND
HOMELAND SECURITY
http://www.rand.org/congress/testimony.html
http://www.rand.org/
http://www.rand.org/congress/testimony.html
http://www.rand.org/pubs/testimonies/CT439.html
http://www.rand.org/pubs/online.html
http://www.rand.org/giving/contribute.html
http://www.rand.org/pubs/permissions.html
http://www.rand.org/
http://www.rand.org/topics/children-and-families.html
http://www.rand.org/topics/education-and-the-arts.html
http://www.rand.org/topics/energy-and-environment.html
http://www.rand.org/topics/health-and-health-care.html
http://www.rand.org/topics/infrastructure-and-
transportation.html
http://www.rand.org/topics/international-affairs.html

18. http://www.rand.org/topics/law-and-business.html
http://www.rand.org/topics/national-security.html
http://www.rand.org/topics/population-and-aging.html
http://www.rand.org/topics/public-safety.html
http://www.rand.org/topics/science-and-technology.html
http://www.rand.org/topics/terrorism-and-homeland-
security.html
Testimony
Perspective on 2015 DoD Cyber Strategy
Lara Schmidt
RAND Office of External Affairs
CT-439
September 2015
Testimony presented before the House Armed Services
Committee on September 29, 2015
This product is part of the RAND Corporation testimony series.

19. RAND testimonies record testimony presented by RAND
associates
to federal, state, or local legislative committees; government-
appointed commissions and panels; and private review and
oversight
bodies. The RAND Corporation is a nonprofit research
organization providing objective analysis and effective
solutions that address
the challenges facing the public and private sectors around the
world. RAND’s publications do not necessarily reflect the
opinions of
its research clients and sponsors. R ® is a registered trademark.
C O R P O R A T I O N
Published 2015 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-
2138
1200 South Hayes Street, Arlington, VA 22202-5050
4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665

20. RAND URL: http://www.rand.org/
To order RAND documents or to obtain additional information,
contact
Distribution Services: Telephone: (310) 451-7002;
Email: [email protected]
http://www.rand.org/
mailto:[email protected]
1
Lara Schmidt1
The RAND Corporation
Perspective on 2015 DoD Cyber Strategy2
Before the Committee on Armed Services
United States House of Representatives
September 29, 2015

21. Chairman Thornberry, Ranking Member Smith, and
distinguished members of the House Armed
Services Committee, thank you for inviting me here today to
testify at this important hearing,
“Outside Perspectives on the Department of Defense Cyber
Strategy.”
In April 2015, the DoD released a new cyber strategy in order to
“guide the development of DoD’s
cyber forces and strengthen [its] cyber defense and cyber
deterrence posture.”4 The Strategy
identifies three cyber missions for DoD: (1) defending its own
networks, systems, and data; (2)
defending U.S. national interests against cyberattacks of
“significant consequence,” including loss
of life, significant damage to property, serious adverse U.S.
foreign policy consequences, and

22. serious economic impact; and (3) when directed by the
President or Secretary of Defense,
supporting military operations and contingency plans with cyber
operations, including by
disrupting an adversary’s military-related networks.
DoD further laid out strategic goals aimed at ensuring its ability
to accomplish these cyber
missions, including goals to:5
• Build and maintain ready forces and capabilities to conduct
cyber operations;
• Defend DoD networks, secure DoD data, and mitigate risks to
DoD missions;
• Build and maintain viable cyber options, and plan to use them
to control conflict
escalation and shape the conflict environment at all stages.
1 The opinions and conclusions expressed in this testimony are

23. the author’s alone and should not be
interpreted as representing those of RAND or any of the
sponsors of its research. This product is part of the
RAND Corporation testimony series. RAND testimonies record
testimony presented by RAND associates to
federal, state, or local legislative committees; government-
appointed commissions and panels; and private
review and oversight bodies. The RAND Corporation is a
nonprofit research organization providing objective
analysis and effective solutions that address the challenges
facing the public and private sectors around the
world. RAND’s publications do not necessarily reflect the
opinions of its research clients and sponsors.
2 This testimony is available for free download at
http://www.rand.org/pubs/testimonies/CT439/.
4 Department of Defense, The DoD Cyber Strategy, April 2015.
5 Two additional goals of the DoD Cyber Strategy not discussed
in this Testimony are: (a) Be prepared to
defend the U.S. homeland and U.S. vital interests from
cyberattacks of significant consequence; and (b)
Build and maintain international alliances and partnerships to
deter shared threats and increase international
security and stability.
http://www.rand.org/pubs/testimonies/CT439/

24. 2
Implementation initiatives – and the attendant resources – to
achieve these goals are needed in
order to meet challenges associated with the rapid rate of
change in technology, the growing
cyber threat, and the need to integrate cyber operations with
operations in other warfighting
domains.
Cyber Workforce
Building and maintaining a qualified workforce underlies all of
the goals of the Strategy. However,
U.S. Cyber Command reports that it is “hard pressed” to
identify, train, and retain qualified

25. personnel.6 How can DoD ensure a ready-workforce of military,
civilian, and contractor personnel,
capable of meeting the demands of the nation? Like the
commercial sector, DoD requires staff to
perform IT functions (e.g., configure databases, install and
manage applications, provide
customer support, securely configure networks, test new
designs, develop system architectures),
and cybersecurity functions (e.g., identify and analyze network
intrusions or other threats,
develop security tools, respond to security emergencies, assess
threats and vulnerabilities and
remediate risk).7 Furthermore, DoD requires specialized
workforces associated with military cyber
operations that are not commonly found in the commercial
sector, though applicable skillsets

26. overlap to some extent with elite commercial cybersecurity
personnel. How can DoD compete
with the rest of the technology sector – e.g., cybersecurity
companies, software and hardware
developers, the defense industrial base, not to mention IT
departments in companies across the
country – also seeking to identify an educated and capable
workforce? It is helpful to understand
how the commercial sector identifies staff.
Commercial practice is to hire cyber staff with a bachelor’s
degree, which provides a strong
foundation of relevant knowledge, and demonstrates an ability
to succeed in a professional
setting. Companies usually recruit graduates of reputable
colleges with STEM degrees – science,
technology, engineering, and mathematics – especially computer

27. science, information security,
information technology, computer engineering, and electrical
engineering.8 However, unlike the
commercial sector, the majority of DoD’s military cyber
workforce is enlisted and, therefore, not
typically required to have college degrees. Therefore, DoD will
need to implement substantially
more-rigorous selection criteria in order to vet non-degreed
candidates to ensure enlisted
accessions and new civilian hires are likely to succeed in the
cyber workforce . For example,
6 Admiral Michael Rogers, Statement before the House
Committee on Armed Services, Subcommittee on
Emerging Threats and Capabilities, 4 March 2015.
7 National Initiative for Cybersecurity Careers and Studies,
Interactive national Cybersecurity Workforce
Framework, Washington, D.C.: Department of Homeland
Security, undated.

28. 8 Schmidt, Lara and Caolionn O’Connell et al, Cyber Practices:
What Can the U.S. Air Force Learn from the
Commercial Sector?, Santa Monica, Calif.: RAND Corporation,
RR-847-AF, 2015.
3
cyber aptitude- or skills-testing or possession of professional
certificates9 can evaluate a
candidate’s expertise or mind-set for a particular discipline.
Participation in activities such as,
cyber competitions, open-source or ethical-hacker forums, or
bug bounty programs can indicate a
personal interest in and affinity for cyber. In fact, commercial
practice for elite, highly paid
cybersecurity jobs is to screen for such indications of aptitude
and affinity in addition to formal

29. educational requirements. These practices merit evaluation for
implementation in DoD to ensure
military and civilian staff are qualified to meet the challenges
the Department faces.
Furthermore, the commercial sector reports that their ability to
retain skilled personnel is closely
linked to job satisfaction gained through good working
environments, belief in the mission,
opportunities for training and professional development, and
access to interesting assignments.
Research indicates that corporate retention programs also seek
to provide satisfying career paths
for their cyber workforces, including not only a track to
promotion through management but also a
technical track. They also provide high performers opportunities
to rotate among units to learn the

30. business, and exposure to professional interaction outside the
company.
10
Though some worry that DoD hiring and retention suffers
because it cannot keep pace with
commercial pay, median salaries for corporate IT and
cybersecurity professionals are similar to
the pay and benefits for military personnel, when accounting for
additional allowances and tax
advantages.11 One exception relates to the most elite
cybersecurity professionals, those with
unique skills that few possess (e.g., software reverse
engineering, advanced malware analysis,
identifying advanced stealthy attacks). These cyber “ninjas” are
the competitive advantage for
cutting-edge cybersecurity firms and are increasingly in demand
in other corporate settings. The

31. relative scarcity of these skill sets allows qualified individuals
to command high salaries.12
Therefore, DoD might similarly find personnel with these
unique skills to be worthy of retention
programs not offered to the majority of the cyber workforce.13
9 To name just a few: Microsoft Certified