TESTIMONY OF

SAMUEL W. BODMAN

DEPUTY SECRETARY

U.S. DEPARTMENT OF COMMERCE

BEFORE THE

COMMITTEE ON ENERGY AND COMMERCE

SUBCOMMITTEE ON INVESTIGATIONS AND OVERSIGHT

UNITED STATES HOUSE OF REPRESENTATIVES



AUGUST 3, 2001





Good morning, Mr. Chairman. I appreciate this opportunity to discuss the Information Technology Security Audit of the Department of Commerce that was recently conducted by the General Accounting Office (GAO). Accompanying me today is Tom Pyke, Acting Chief Information Officer for the Department. Although Tom took on this role only recently, his information technology (IT) security experience includes directing the National Institute of Standards and Technology's (NIST's) program for the development of government-wide computer security standards and guidelines.



Secretary Evans and I are very concerned about the findings of this GAO review because much of the work of the Department on behalf of our citizens depends on the quality and integrity of our data and IT systems. We thank the Committee and GAO for bringing this serious issue to the attention of the Department's new leadership. Having managed the IT security programs at Fidelity Investments and the Cabot Corporation, I appreciate the critical importance of IT security, and I trust that my management experience in this area will be of some value in meeting the challenges presented by the findings of the GAO review.





Speaking for the Secretary and myself, we accept the findings of the GAO report, as to both the specific weaknesses identified in the audit and their underlying causes. To correct these security problems and prevent future incidents, Secretary Evans is acting to build a strong and effective Commerce IT Security Program and to correct the technical problems identified by the GAO audit.



First, Secretary Evans has directed all Commerce agency heads to focus their personal attention on establishing IT security as a priority. Working in conjunction with their Chief Information Officers, they will allocate necessary resources to assure that the Department's data and IT systems are protected in order to avoid data loss, misuse, or unauthorized access, and to assure the integrity and availability of Commerce data. In this connection, the Secretary has also recently appointed a Senior Advisor for Privacy, another area important to overall IT security.



Second, the Secretary has ordered the implementation of a Department-wide IT restructuring plan. The plan provides the Departmental Chief Information Officer (CIO) with the authority to guide individual agency CIOs as they address IT security problems. This oversight function ensures that appropriate action will be taken at the agency level to implement new Departmental IT policies. In the past, the Departmental CIO apparently had little management authority, and policy often stalled when it reached the agencies. I believe that the new priority given this matter by Secretary Evans and me, our agency heads and our CIOs will produce positive results.





The plan also gives each of our CIOs the authority to manage IT security, IT planning and operations, and IT capital investment review. This new approach is in sharp contrast to the old way of doing business in which CIOs apparently were not key members of the Commerce management team.



Third, Commerce has established an IT Security Task Force, which will work under my personal oversight. This Task Force will improve Commerce IT security by developing a comprehensive, Department-wide IT security program. The Task Force is made up of individuals with expertise in IT security management, including people from NIST, which has a critical Government-wide role in developing standards and guidelines for effective IT security programs. We also have enlisted the assistance of the National Security Agency. We appreciate NSA's willingness to share its institutional knowledge and leadership in this field as part of the Task Force.



The new Task Force is already working on a fast track to develop an effective IT Security Program for the Department and to identify actions that Commerce should take quickly to bolster its IT security posture. These recommendations for short-term action will be made in the context of the Corrective Action Plans already developed by Commerce agencies in response to specific concerns identified in the GAO review.



Furthermore, the program developed by the Task Force will address the assessment of risks throughout the Department and the means for providing security commensurate with those risks. The Task Force will provide a roadmap for updating the Department's IT security policies, develop an oversight process with compliance testing as a key component, and plan a Department-wide IT security awareness training program.



The Task Force is also addressing specific issues, including strengthening access controls for the Department's IT systems, segregating assigned duties consistent with mitigating risk, and developing policies and procedures for authorizing, testing, reviewing and documenting software changes prior to implementation. Special attention is being given to network security, an area the GAO audit singled out in light of the Department's reliance on network connectivity to carry out its mission. The Task Force is designing recovery plans for the Department's sensitive systems; developing a Department-wide IT security incident detection and response process; and looking at other areas essential to a comprehensive Commerce IT Security Program.



The Secretary and I are committed to supporting the efforts of the Commerce IT Security Task Force and to implementing its recommendations throughout the Department. Under the leadership of our agency heads and our CIOs, and guided by the efforts of this Task Force, we are confident that we are moving in the right direction, and that the Department's IT security program will be effective.



Again, thank you for this opportunity to discuss the IT security initiatives underway at the Department of Commerce. Secretary Evans and I appreciate that effective IT security is vital to the Department's mission, and I am pleased that this important issue is among the first I have devoted my time and attention to after having been sworn in last week. I would be pleased to respond to any questions you may have.