[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]

CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL AGENCIES

HEARING before the SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS of the COMMITTEE ON GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED EIGHTH CONGRESS, FIRST SESSION

JUNE 24, 2003

Serial No. 108-100

Printed for the use of the Committee on Government Reform. Available via the World Wide Web: http://www.gpo.gov/congress/house and http://www.house.gov/reform

91-648 U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON : 2003

For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; (202) 512-1800. Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001.

COMMITTEE ON GOVERNMENT REFORM

TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana
HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut
TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida
MAJOR R. OWENS, New York
JOHN M. McHUGH, New York
EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida
PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana
CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio
ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California
DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky
DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia
JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania
WM. LACY CLAY, Missouri
CHRIS CANNON, Utah
DIANE E. WATSON, California
ADAM H. PUTNAM, Florida
STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia
CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee
LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma
C.A. ``DUTCH'' RUPPERSBERGER, Maryland
NATHAN DEAL, Georgia
ELEANOR HOLMES NORTON, District of Columbia
CANDICE S. MILLER, Michigan
JIM COOPER, Tennessee
TIM MURPHY, Pennsylvania
CHRIS BELL, Texas
MICHAEL R. TURNER, Ohio
JOHN R. CARTER, Texas
WILLIAM J. JANKLOW, South Dakota
MARSHA BLACKBURN, Tennessee
BERNARD SANDERS, Vermont (Independent)

Peter Sirh, Staff Director
Melissa Wojciak, Deputy Staff Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Philip M. Schiliro, Minority Staff Director

Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan
WM. LACY CLAY, Missouri
DOUG OSE, California
DIANE E. WATSON, California
TIM MURPHY, Pennsylvania
STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

Ex Officio
TOM DAVIS, Virginia
HENRY A. WAXMAN, California

Bob Dix, Staff Director
Chip Walker, Professional Staff Member
Ursula Wojciechowski, Clerk
David McMillen, Minority Professional Staff Member

C O N T E N T S

Hearing held on June 24, 2003

Statement of:
Charbo, Scott, Chief Information Officer, Department of Agriculture
Cobb, Robert, Inspector General, NASA
Dacey, Robert F., Director, Information Security Issues, General Accounting Office
Forman, Mark A., Administrator for Electronic Government and Information Technology, Office of Management and Budget
Frazier, Johnnie E., Inspector General, Department of Commerce
Ladner, Drew, Chief Information Officer, Department of Treasury
Morrison, Bruce, acting Chief Information Officer, Department of State

Letters, statements, etc., submitted for the record by:
Charbo, Scott, Chief Information Officer, Department of Agriculture, prepared statement of
Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of
Cobb, Robert, Inspector General, NASA, prepared statement of
Dacey, Robert F., Director, Information Security Issues, General Accounting Office, prepared statement of
Forman, Mark A., Administrator for Electronic Government and Information Technology, Office of Management and Budget, prepared statement of
Frazier, Johnnie E., Inspector General, Department of Commerce, prepared statement of
Ladner, Drew, Chief Information Officer, Department of Treasury, prepared statement of
Miller, Hon. Candice S., a Representative in Congress from the State of Michigan, prepared statement of
Morrison, Bruce, acting Chief Information Officer, Department of State, prepared statement of
Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of

CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL AGENCIES

TUESDAY, JUNE 24, 2003

House of Representatives, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform, Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Adam Putnam (chairman of the subcommittee) presiding.

Present: Representatives Putnam, Miller, Clay and Watson.
Staff present: Bob Dix, staff director; John Hambel, senior counsel; Chip Walker and Lori Martin, professional staff members; Ursula Wojciechowski, clerk; Suzanne Lightman, fellow; Bill Vigen and Richard McAdams, interns; Jamie Harper and Kim Bird, legislative assistants; David McMillen, minority professional staff member; and Cecelia Morton, minority office manager.

Mr. Putnam. A quorum being present, this hearing of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order. Good morning, and welcome to the second in a planned series of hearings addressing the important subject of cyber security. Today we continue our in-depth review of cyber security issues affecting our Nation. Specifically, this hearing will focus sharply on the efforts within the Federal Government to secure our own computer networks. Our critical infrastructure of the cyber kind must have the same level of protection as our physical security if we are to be secure as a Nation from random hacker intrusions, malicious viruses or, worse, serious cyber terrorism.

There are several things unique to cyber attacks that make the task of preventing them particularly difficult. Cyber attacks can occur from anywhere around the globe, from the caves of Afghanistan to the warfields of Iraq, from the most remote regions of the world, or simply right here in our own backyard. The technology used for cyber attacks is readily available and changes continually, and, maybe most dangerous of all, there is the failure of many people critical to securing these networks and information from attack to take the threats seriously, to receive adequate training and to take the steps necessary to secure their networks. A serious cyber attack would have serious repercussions throughout the Nation in a physical sense and in very real economic terms.
A recent report under the Government Information Security Reform Act once again demonstrates that we have a long way to go in the Federal Government to feel the least bit confident that we have secure computer networks. Before going into more detail about the report, I want to comment briefly about the timing. This latest GISRA report was released this May. It was based on information provided to OMB in September 2002. This is kind of like being an astronomer and looking in the telescope at the stars, all the while realizing that what you are viewing actually occurred a long, long time ago. We need to find a way to get more real-time reporting, and I want to work with OMB on improving the timeliness of their information.

The current GISRA report demonstrates that progress in computer security at Federal agencies is proceeding slowly, and that simply is no longer acceptable. The OMB report to Congress identified a number of serious weaknesses. Many agencies are facing the same security weaknesses year after year, such as the lack of system-level security plans and certifications and accreditations. Some IGs and CIOs from within the same agencies have vastly different views of the state of the agency security programs. Many agencies are not adequately prioritizing their IT investments and are seeking funding to develop new systems while significant weaknesses exist in their legacy systems. Not all agencies are reviewing all programs and systems every year as required by GISRA. More agency program officials must engage and be held accountable for ensuring that the systems that support their programs and operations are secure. The old thinking of IT security as the responsibility of a single agency official or the agency's IT security office is out of date, contrary to law and policy, and that significantly endangers the ability of these agencies to safeguard their IT investments.
The Departments of Treasury, State and Agriculture all have serious problems with their information security. Both the CIOs and the IGs of these agencies have concerns. In addition, GAO has indicated a concern with computer security for all three agencies in its performance and accountability series. In the fiscal year 2002 GISRA report, the Department of Agriculture reported that less than 26 percent of its systems were in compliance with the eight metrics that the OMB reported. The agency had 70 material weaknesses in the area of information security reported by the IG. In addition, according to the IG, the agency is not conducting risk assessments of its systems in compliance with either OMB or GISRA's requirements. This year the agency reported an increase in systems operating without written authority and an increase in systems that do not have up-to-date IT security plans. The Department of State did not report information for the fiscal year 2001 GISRA report. It reported three material weaknesses for information security for fiscal year 2002. In June 2001, the Department's IG released a report that highlighted a number of areas that State needs to address. They included assessing vulnerability of systems, conducting security control evaluations at least once every 3 years, and testing security controls. State reported in their fiscal year 2002 report that none of its systems have been certified and authorized, and only 15 percent have an up-to-date IT security plan. Finally, State reported that only 11 percent of its systems have contingency plans, and of those, none had ever been tested. Although the Department of Treasury reported that, in the 2002 GISRA report, 41 percent of its systems were assessed for risk, its IG reported that Treasury did not use an adequate methodology to determine that risk; therefore, its assessments were not valid under the law. 
There are also significant discrepancies in many of the metrics reported in the GISRA report between the Department and its IG. For example, the Department reported 451 of its systems were reviewed; however, the IG reports that only 204 systems were reviewed. Treasury has also reported 11 material weaknesses related to information security.

I understand that many of those testifying today are relatively new to their jobs. We are not here today to point fingers, although I have serious questions about accountability and responsibility for these egregious failures to perform minimum requirements. We are here to identify weaknesses or roadblocks, find solutions and make progress.

In a recent edition of the Federal Times headlined ``Computer Security Dilemma: Agencies Must Choose--Follow the Law or Fix the Problem,'' several government IT managers complained that the documentation process set up by Congress gives them a choice to document their security problems for Congress or to fix them. This attitude is disturbing, to say the least. For most IT managers, the documentation process set up by Congress is the only reason they discovered many of their security weaknesses. Before the documentation process, many IT managers couldn't identify their critical systems. Sadly, even with the documentation process required by Congress, many systems are still unidentified. That said, the committee will try to remain open-minded, and if any of the witnesses today would like to support this either/or contention as reflected by the article, we look forward to hearing it.

As the subcommittee continues to examine the cyber security issue, we see the same recurring theme. Securing these networks is not about money or technology, but about management. The weaknesses identified are weaknesses that would be significantly reduced if approved procedures and protocols or best practices were actually followed.
For example, GAO still conducts audits to this day where they find default passwords in place or where systems have not been tested in a production environment. Patches remain uninstalled on systems for months after known vulnerabilities are identified. These rudimentary lapses are not acceptable.

There are a number of issues still up for consideration before the Congress. These include requiring that the common criteria be the standard government-wide; automated vulnerability scanning; new levels of accountability; and confronting the issue of CIO retention head on. While some progress is clearly being made at Federal agencies, going from an F to a D is not saying a lot. It is my hope that the Congress, OMB, the CIOs, the IGs and the GAO can work together to move our level of IT security government-wide into a range where we have some degree of comfort that our systems are secure. We are far from that point today.

I would like to thank the witnesses for coming today and presenting the valuable testimony. As with all of our hearings, today's can be viewed live via Webcast by going to reform.house.gov and clicking on the link under multimedia.

[The prepared statement of Hon. Adam H. Putnam follows:]

Mr. Putnam. At this point I would like to yield to the vice chairwoman of the subcommittee, the gentlelady from Michigan, Mrs. Miller.

Mrs. Miller. Thank you, Mr. Chairman. In a post-September 11 environment, the Federal Government has been forced to reevaluate its security procedures. The logistics associated with such an attack are huge, and today we focus on the security of Federal information systems. There has been a long-held belief that there should be one oversight facilitator for the entire Federal Government, a government chief technology officer, in a sense.
I think this idea has some merit in order to ensure that government-wide uniformity occurs. However, one thing is clear: as technology continues to evolve at quite an astonishing rate, quite frankly, the Federal Government must not be left behind utilizing technology and systems designed for a different time and a different type of threat. For these reasons, I am pleased, Mr. Chairman, that you have called this hearing so that Congress has an opportunity to objectively evaluate security measures taken by Federal agencies.

To be frank, with the active measures that international terrorists are taking against our freedoms, I am concerned that certain Federal agencies appear to be lax with their efforts to improve system safeguards. Oversight reports by the GAO and the OMB frequently identify areas of concern and countless examples of Federal agencies in noncompliance with various laws and regulations related to system security. Incomplete and inaccurate reports that are required of Federal agencies, the apparent inability of agencies to reach their own stated performance goals, and in many cases the blatant and utter disregard of federally mandated requirements are just some of the issues that we face in this regard.

Since September 11, Americans have stated in poll after poll that homeland security and the war against terror is the most important issue facing our great Nation. I am concerned that individuals within the Federal Government, individuals that Americans trust to protect them and their families, do not seem to understand the nature of the cyber threat. However, in spite of current problems, the government is faced with a historic opportunity. With the passage of GISRA and the E-Government Act of 2002, which includes FISMA, Federal agencies now have the tools and the necessary support to develop and implement substantial information security reform. There has been some success, as the government moves forward.
The work being done at the Department of Commerce is really a great example. And those examples of success should be used as a model for other agencies. I certainly look forward to working with you, Mr. Chairman, and the other members of this committee to assist agencies with their reform objectives. Thank you.

Mr. Putnam. I thank the gentlelady for her interest in these issues and her outstanding work on behalf of the subcommittee.

[The prepared statement of Hon. Candice S. Miller follows:]

Mr. Putnam. At this time we will move to witness testimony. Witnesses will please rise and raise their right hands for the oath.

[Witnesses sworn.]

Mr. Putnam. Note for the record both witnesses responded in the affirmative, and we will move forward with opening statements. I will begin with our first witness for his 5-minute statement, Mark Forman. In June 2001, Mr. Forman was appointed by President Bush to oversee implementation of 21st century information technology throughout the Federal Government. Mr. Forman is the first person in the Federal Government to fulfill responsibilities normally associated with a corporate chief information officer. Under his leadership, the Federal Government has received broad recognition for its successful use of technology in the government. He manages over $58 billion in IT investments and leads the President's E-Government Initiative to create a more productive citizen-centric government. He is a frequent guest of our hearings and always has a very fruitful and candid view of the government's progress in all matters related to technology and electronic government. Mr. Forman, you are recognized for 5 minutes. Welcome to the subcommittee.

STATEMENT OF MARK A. FORMAN, ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

Mr. Forman. Thank you, Mr. Chairman and Congresswoman Miller.
Thank you for inviting me to discuss the status of the Federal information security and the effects of FISMA at the departments and agencies. I do look forward to working with you to improve the timeliness of our report, and I agree with you that it should come up early as well. I think we have a number of actions at the staff level. We have been working with your staff to accelerate the reporting and make sure we are both getting good data on the status. As noted in our report to Congress, progress has been made in identifying and remediating longstanding IT security problems, but there is much work that remains before we can say IT systems are adequately secured in the Federal Government. FISMA requires that Federal agencies report as a material weakness any significant deficiency in a policy, procedure or practice, and over half of the large agencies have declared at least one material weakness relating to IT security. Deficiencies exist in a number of areas, including access controls, configuration management, security policy and training. From a government-wide perspective, the most common weaknesses include a lack of system-level security plans, legacy systems that are not appropriately secured, and plans of actions and milestones that do not include all of the agency systems. Nonetheless, in fiscal year 2002, departments and agencies have made measurable progress in IT security by conducting activities such as risk assessment, security planning, certification and accreditation, training and contingency planning. Of Federal systems in fiscal year 2002, 65 percent have been assessed for risk; 62 percent had an up-to-date security plan, 47 percent had been certified and accredited, and 55 percent had a contingency plan. We believe that is about double the status of IT security in 2001. I know the General Accounting Office has some difference and would be glad to discuss that. 
As noted in our report to Congress, agencies are testing an increasing percentage of their systems for management, operational and technical control weaknesses. These weaknesses, once identified, are included in agencies' plans of actions and milestones for prioritization, tracking and correction. The administration is committed to rapid progress, so by the end of this calendar year, all agencies will have a rigorous process for developing and implementing plans of actions and milestones. As you mentioned, this is a management issue. And second, 80 percent of the systems will be certified and accredited.

One reason we believe that IT security can be rapidly improved is that Federal agencies are incorporating security considerations into their capital planning process. Our analysis shows the percentage of Federal systems with security costs integrated into the life cycle of a system now stands at 62 percent. Improving Federal information security requires that we focus on enterprise architecture rather than firewalls, intrusion detection, vulnerability patches or the latest IT security technology. FEA, the Federal Enterprise Architecture, reference models will enable better use of standards and configuration management that we need to secure the Federal information systems. In addition, improvements in agency enterprise architectures will enable CIOs to better ensure that security and privacy are properly incorporated into their IT operations.

To assist agency EA efforts in accordance with the responsibilities under FISMA, the National Institute of Standards and Technology recently published draft standards for security categorization of Federal information and information systems. This proposed standard will be used by all agencies to categorize systems according to risk. NIST is also drafting companion guidelines recommending the types of information systems to be included in each category as well as minimum information security requirements.
OMB and the CIO Council have developed a process to rapidly identify and respond to cyber threats and critical vulnerabilities. CIOs are advised via conference calls as well as e-mails of specific actions needed to protect systems. Agencies must then report to OMB on the implementation of countermeasures, usually in 24 to 72 hours. As a result of these early alerts, agencies have been rapidly closing vulnerabilities that otherwise might have been exploited, and this includes use of patch management services to ensure rapid application of patches.

The Federal Information Security Management Act will be instrumental in improving the state of Federal IT security. The framework and processes in law and OMB policy highlight the importance of management, implementation, evaluation and remediation for achieving progress. In closing, the administration is committed to a Federal Government with secure information systems doing the significant work of this committee, Federal IGs and the agencies. I think we are able to point to real improvements in government IT security, but there is much more work to be done. Thank you.

Mr. Putnam. Thank you, Mr. Forman.

[The prepared statement of Mr. Forman follows:]

Mr. Putnam. I would like to introduce our second witness and welcome our ranking member on the panel to the subcommittee hearing. We will move forward with Mr. Dacey's opening statement and then recognize Mr. Clay for his. Mr. Dacey is currently Director of Information Security issues at the GAO.
His responsibilities include evaluating information systems security in Federal agencies and corporations, including the development of related methodologies, assessing the Federal infrastructure for managing information security, evaluating the Federal Government's efforts to protect our Nation's private and public critical infrastructure from cyber threats, and identifying best security practices at leading organizations and promoting their adoption by Federal agencies. We welcome you and your insight to the subcommittee and appreciate the work that you and GAO have done for us. You are recognized for 5 minutes. STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, GENERAL ACCOUNTING OFFICE Mr. Dacey. Thank you, Mr. Chairman and members of the subcommittee. I am pleased to be here today to discuss efforts by Federal agencies and the administration to implement GISRA and briefly discuss additional provisions of FISMA, which permanently authorized and strengthened GISRA's requirements. I will briefly summarize my written statement, which provides detail on the status and progress of these efforts. This chart illustrates the average fiscal year 2001 and 2002 performance and related progress for 23 of the largest Federal agencies based on 6 selected performance measures detailed in OMB's fiscal year 2002 GISRA report. In summary, average improvements generally ranged from 3 to 10 percentage points for the selected measures. Our analysis excluded data for one agency that were not comparable for both years. Further, our analysis of individual agency reports showed mixed agency performance and progress, and that overall many agencies had not implemented security requirements for most of their systems. 
Nonetheless, the second-year implementation of GISRA yielded a number of benefits such as increased management attention to information security; important actions by the administration, such as integrating information security into the President's Management Agenda Scorecard; an increase in the types of information being reported and made available for oversight; and the establishment of a base line for measuring agency performance. Also, in its fiscal year 2002 GISRA report, OMB highlighted actions and progress to address previously identified government-wide weaknesses as well as planned actions to address newly reported challenges. Overall, GISRA reports continue to highlight that, as we have reported for the last several years, agencies have significant weaknesses in agency security management programs. For example, developing an effective corrective action plan is a key element of a security management program to ensure remedial action is taken to address significant deficiencies. However, of the 14 IGs who reported whether their agencies' corrective action plan addressed all significant weaknesses, five reported that their agency's plans did include them, but nine reported that they did not include all material weaknesses. It is important for agencies to ensure that they have the appropriate information security management structures and processes in place to strategically manage information security as well as to ensure the reliability of performance information. For example, processes to routinely provide an agency with reliable, useful and timely information for day-to- day management of information security could help to significantly improve performance. Further, continued congressional and administration oversight will undoubtedly be needed to achieve significant and sustainable results, including the implementation of new FISMA requirements. 
FISMA established additional requirements that can assist agencies in implementing effective information security programs, help ensure that agencies incorporate appropriate controls and provide information for administration and congressional oversight. These requirements include the designation of and the establishment of specific responsibilities for an agency senior information security officer, implementation of minimum information security requirements for agency systems, required agency reporting to the Congress and inventories of major systems. Successful implementation of FISMA is essential to sustaining agency efforts to identify and correct weaknesses. As FISMA is implemented, it will be important to continue efforts to establish agencywide security management programs; to certify, accredit, and regularly test systems to identify and correct all vulnerabilities; to complete development of and test contingency plans to ensure that critical systems can resume operations after an emergency; to validate agency reported information through independent evaluations; and to achieve other FISMA requirements. Mr. Chairman and members of the subcommittee, this concludes my statement. I will be pleased to answer any questions that you or other members of the subcommittee may have at this time. Mr. Putnam. Thank you, Mr. Dacey. [The prepared statement of Mr. 
Dacey follows:]

Mr. Putnam. I would also like to recognize and thank Ms. Watson for joining the subcommittee and recognize the ranking member for his opening statement. Mr. Clay, you are recognized for 5 minutes.

Mr. Clay. Thank you, Mr. Chairman, for calling this hearing. I have asked my staff to put up a poster that is from the last computer security hearing held by the Subcommittee on Government Efficiency in the 107th Congress. The majority staff, working from the same agency reports that are the basis of the OMB report issued last month, created this report card. However, the story this report details is quite different from the more optimistic tone laid out by the administration. Of the 24 agencies examined, 12 showed no improvement in computer security, and 11 of those agencies had a grade of F in both 2001 and 2002.
Those agencies include the General Services Administration, which had a grade of D both years; the Departments of Agriculture, Defense, Energy, Interior, Justice, Transportation, Treasury and Veterans Affairs; the Agency for International Development; the Office of Personnel Management; and the Small Business Administration. Other agencies showed dramatic decline in grade. For example, the National Science Foundation went from a B plus in 2001 to a D minus in 2002. The National Aeronautics and Space Administration went from a C minus to a D plus. The Environmental Protection Agency went from a D plus to a D minus. The Department of State went from a D plus to an F. The Federal Emergency Management Agency went from a D to an F. And the Department of Housing and Urban Development went from a D to an F.

However, if we look at the chart on page 11 of the administration's report, the government is improving on nearly every indicator. One conclusion might be that the agencies have done a lot of work between last November and now. Unfortunately, this report card and the OMB report are drawn from the exact same agency reports. Last week I sent my staff over to the Department of Transportation, which, according to this report card, is one of the failing agencies, and they came back with a report of an agency that was making significant improvement in computer security. In fact, the Department of Transportation may well be a leader in implementing the requirements of the Federal Information Security Management Act. I hope today we can learn why we have such different summaries on the same agency report. And again, thank you, Mr. Chairman, and my thanks to the witnesses for taking their time to be here today.

[The prepared statement of Hon. Wm. Lacy Clay follows:]

Mr. Putnam. I thank the gentleman from Missouri and would recognize the gentlelady from California for her opening statement, if she would like to make one.

Ms. Watson. Mr.
Chairman, thank you. I don't have an opening statement, but I am looking at the details of the report card, and the question comes--and this is from GAO. Apparently they have described the shortfall. My question to anyone on the panel is why don't we see more progress, more upward movement in the security, and what accounts for these low grades, the grades of F?

Mr. Putnam. If it is OK, Ms. Watson, we will give them a heads up. We will lead off with Mrs. Miller and then come back. At this time I recognize the vice chairwoman of the subcommittee, Mrs. Miller, for the first round of questions. You are recognized for 5 minutes.

Mrs. Miller. Thank you, Mr. Chairman. I will be a few moments here, but I am new to the Congress and obviously new to the subcommittee, but I have to say that looking at that report card is rather startling when we think about the piece of educational legislation, No Child Left Behind. Fortunately we are not being graded on that kind of accountability with where we are, but as a former elected official at the local level, State level, dealing with audits for the last 25 years, any time I would see the term ``material weakness,'' you know, your heart would begin to pound. Material weakness is a bad thing, obviously. And, Mr. Forman, I think you mentioned--I was taking some notes--over half of all the government agencies are reporting. Was that just in the last go-around, reporting material weaknesses in information security? And is that operational audits that are being conducted, performance evaluations?

Mr. Forman. These were part of the financial management audits where it is required, and I think, as the chairman pointed to, a good example of that would have been the Treasury Department.
That was one area where, as part of the reviews of the reports from the IG and the CIOs, at that time Assistant Secretary for Management Ed Kingman noticed the significant gap, tracked it down, and indeed recognized that would be a reportable or should be considered as a reportable material weakness, and I think properly handled it at that point.

Mrs. Miller. You know, when you do certification, I think that starts with accountability. It appears as though we have some difficulty in the Federal Government of retaining CIOs. You have a revolving door going with some of these CIOs. Is this something that Congress could assist you in addressing? Could you tell us a little bit as to why we have that situation? You have to have a point person, and you have to have accountability if we are losing some of our brain trusts there and the institutional knowledge is going out the door with them. What can we do there?

Mr. Forman. Officially we are looking at this as part of the skills gap assessment, Clinger-Cohen reports that never were really done, the E-Gov Act site, we would like to make sure the agencies do that, and as well the agencies should modernize those reports. The E-Gov Act did have rather strong human capital work force reporting. And we in the budget passed back to the agencies and said that those reports must come into OMB this September. So I think sometime in the fall would be appropriate after we have had time to look at those reports. Traditionally the issues that have come up are money-related, and the administration did ask for the performance fund. I think that will help a tremendous amount. Now on a less than official side, the personal note, we are trying to drive an awful lot of transformation through the agencies, and these have become some of the most stressful jobs. The area is--and you will hear from some of the folks that are driving major changes. The areas that need the most change, like computer security, force an awful lot of management reform.
I think the chairman was exactly correct. This is very much a management issue, and I am not quite sure yet how you keep people from burning out, although that is something we are going to have to start looking at more and more, because we do need this magnitude of change, and we can't let that stop as the people change. We have to figure out how we deal a little better with the stress, because I would not like us to slow down on some of the transformation in this important area in particular.

Mrs. Miller. Just a note on that, the burn-out in those kinds of jobs is not particularly inherent to the Federal Government. You find it throughout the inventory really now because there is so much stress. Looking at some of the States that are really on the leading edge of utilizing technology, they are all struggling with the same thing that the Federal Government is, is retaining those kinds of individuals so they don't lose them off into the private sector. But you talked about money in those kinds of things, and in the GISRA report you are saying approximately 500 systems are sort of at risk again with the security weaknesses and apparently subject to having some of their funding withheld. Is that an appropriate thing for us to be doing as a Congress? I mean, we want to encourage improvement in this report card certainly, and we don't want to be a rat holding the taxpayers' money. On the other hand, how does all of that work, with you doing your performance evaluations and withholding dollars from the agencies?

Mr. Forman. The framework is investment justification. We call it the business case, and the way it works is that there are a number of criteria that we know if we don't adequately address before the project really starts to ramp up, chances are we will be picking up the pieces in the end. The way that plays out in cyber security is that it costs us a lot more to go back and fix the security problems of the systems that are deployed.
Had this been correctly addressed early on in the program, it would have been done much more effectively and at a lower cost. So our policy position has been until that gets built in from the beginning, we don't want the system to go forward because we know it increases both the risk and the cost of the system.

Mrs. Miller. When you are making those kinds of determinations about withholding funding, how do you interact with the Congress as far as talking to the appropriators and those kinds of things? And is there some sort of exemption they could get if they show you measurable performance increase?

Mr. Forman. There are a set of criteria. It is based on NIST standards and OMB guidance, A-130, that we use, and generally that is part of the budget process discussed with the agencies via Circular A-11, the basic document used to put the budget together. That is associated with what is called an apportionment process, which is a financial term of art for how appropriations dollars are managed, and that is worked through with the appropriators. I will say the understanding of all that as it relates to IT varies from agency to agency because so much of the IT budget is not explicitly appropriated. It is funded out of working capital. There are salaries and expenses.

Mrs. Miller. Just a quick question.

Mr. Putnam. We are going to have to wrap up this first round if that is OK, Mrs. Miller. And Mr. Clay is glad to defer to Ms. Watson, so you get another crack at it, and you are recognized for 5 minutes.

Ms. Watson. Thank you, Mr. Chair. I guess if I read the GAO report, I would have my questions answered, but listening very closely, I hear you really have a personal management resource factor that gets in the way of making more progress. Can you expound a bit?

Mr. Forman. First of all, let me say about the grade, I think there are two aspects of this: Where are you in terms of status, and how much progress are you making.
And I will tell you in terms of progress, there is clear progress. We have laid out an 80 percent target, to move from 60 percent to 80 percent this year, and very much I am accountable. I am the person to hold me accountable. It helps me hold the agency accountable for that. So I am the person that has signed up to the Congress to make sure we achieve that under FISMA and the E-Gov Act. And you will see some of the CIOs, there is a commitment throughout the administration making the progress, and the management commitment from the leadership level is key to making this a success. I am fairly comfortable we are making progress. We are tracking that quarterly, and you will be getting data to see that as well. On the status side, whether it is an F or D minus, I would ask that you not grade us on a bell curve, that you hold us to standard academic levels of success.

Ms. Watson. Let me just ask, what is the source of this grading chart?

Mr. Dacey. Let me jump in a minute. The grades were given by the committee essentially based upon, for fiscal 2002, the GISRA reports that were provided by the various agencies. The committee weighted those responses and came up with a composite grade, and that yielded the scores. The prior year was based upon some--the work on 2001 from the GISRA report. So it is pretty much coming from the GISRA reports and the various performance measures and information that are reported therein.

Ms. Watson. What kind of progress have you made since this came out in November 2002 up to what you have today?

Mr. Dacey. One of the challenges is measuring that progress, and that is something the chairman mentioned in his opening statement, and that is the need to be looking at more frequent reporting, and Mark might talk about some of the quarterly reporting they are moving to for FISMA in the first year. But I think that is a key element.
As I said in my oral statement, it is going to be important for agencies to really build this into a systematic process so they are getting information to regularly manage information security along with other IT and other areas that they manage. And it is going to be important to build those systems, so that GISRA and FISMA reporting are an outgrowth of those systems, not the primary direction for gathering the data to include in the reports. And some of that is going to happen, but I think that an important element to make this succeed is to really have that management process in place and some of this information regularly coming to agencywide management, CIOs and so forth, and they have the right responsibilities and authorities to move forward and make sure that security's improved. In terms of the overall issue you mentioned in your initial question, I think it's going to be important, as I said, to make sure we have security management programs in place. And that's the management structure at the top and commitment by leadership to these things, because it does come down to a management issue to make sure that technology is properly implemented.

Ms. Watson. Have we appropriated the funds to be able to put management personnel in the right place?

Mr. Dacey. There's a process, and Mr. Forman may want to speak, but it's part of the process of requesting budgets and so forth and so on. They do request what they need. And Mr. Forman might want to expand upon that a little more.

Mr. Forman. Virtually all the agencies have chief information security officers. What really is, I think, the heart of getting the Federal Government more secure is what we are doing with the infrastructure, networks, telecommunications, the basic computing platforms that we're using. We have tried to, in this year's budget process, significantly empower the CIOs. It gets to an esoteric risk level the way we are managing IT in the Federal Government, but we use a business case.
And last year we had hundreds of projects. The rule of thumb in security is the more systems you have, the harder it is to make sure they're secure. You want to integrate and consolidate infrastructure.

Ms. Watson. Let me cut through this. You are talking insider language. Do you have the necessary resources to organize in a way that will guarantee greater security at a time when the technology has gone above the line, and people can hack in and expose information, reveal information that can be very harmful and damaging? And particularly when I look at NASA and other security systems, I get really worried. Have we done all we can for you, or is it that you are having challenges in organizing and placing--you know, how do we get to the problem and show progress? That's my interest.

Mr. Forman. I think we're fine with resources. We've added a significant amount of resources.

Ms. Watson. And the challenge is?

Mr. Forman. It is a lot of work, and it takes time. The older the systems, the less security was built in, the more you find when you do the audit of the system, and then there is work to fix that.

Ms. Watson. So it's the timing of trying to improve these sluggish systems and bring them up to top operation capacity.

Mr. Forman. And we continue to modernize. By the same token we continue to modernize. And I believe we've learned our lesson as a government that if you do not work in security before you start the system, it's going to take you longer and cost you more to fix it at the back end. So we're trying to fix the things that are out there, the so-called legacy systems. But we have made good progress in building in--before we move forward, making sure security is built in and hence Congresswoman Miller's questions.

Ms. Watson. Thank you, Mr. Chairman.

Mr. Putnam. Let me follow up on Ms. Watson's question. Federal Times ran an article, essentially highlighting some of the excuses that agencies have used for not being in compliance.
And the FAA said this: ``We have told OMB that we can't be in compliance for a while. We don't have the money to both secure our systems and document we have done so.'' Do you buy that, Mr. Forman?

Mr. Forman. No.

Mr. Putnam. Later in the article, an anonymous information security specialist from a social service agency stated, ``someone at our parent department told OMB we would have it done in July. We can't get it done right by then, so we will throw together some documentation and make it look like we did.'' They go on to say that same information security specialist at the social service agency points out that even if they had the money to do the assessments, they do not have the authority to make local offices cooperate. ``They have their own funding and don't report to us. When I call them and ask for this or that, they just ignore me,'' the specialist said. Have you received reports that were so off or so inaccurate or so hastily put together that you believe that they deliberately put something together to meet an artificial deadline but knowingly submitted something that was not accurate or complete?

Mr. Forman. I think the Treasury situation that you alluded to in your opening statement is very clear documentation that happens. It is so important to have the independent review by the IGs come concurrent with the report from the CIOs. There are so many pressures. I know funding issues. We cannot allow ourselves to make this into a paperwork exercise. And so the audit is incredibly important to us. On the other hand, what I would say is the market is stepping up. There are an awful lot of automated tools out there that reduce the cost. And the other thing is NIST is in the second iteration of a tool kit that assists agencies in classifying. The lower the risk of the system, or the fact that it may be disconnected from the Internet, means that there are cheaper and faster ways to get the certification and accreditation done.
And that is laid out in the new set of NIST guidelines.

Mr. Putnam. Everybody seems to agree this is a management issue. So what are the consequences for someone with that responsibility who would submit such a report?

Mr. Forman. Well, I can't say in blanket how this works. I would ask you to keep in mind the reason that the CIO at the State Department did change out, and while I can't speak to all the specifics and the details here, there's no question that the State Department acted partly in response to the IG report that indicated lack of progress in IT security. We downgraded the score on the scorecard--progress, that is, and that had a substantial impact, ultimately resulting, I believe, is my personal belief, in restructuring greater emphasis in some very tough management decisions including allocation of funding that weren't being taken before.

Mr. Putnam. Mr. Dacey, how widespread do you believe that this attitude is, that it's just another congressional report, just another paper that is supposed to be filed, it's fine whether it's done or not?

Mr. Dacey. Mr. Chairman, I am not aware of any instances where we know that reports have been intentionally prepared with improper data or data that's not accurate. At the same time, in looking at FISMA and its implementation, I think it will be important in the long term, as Mr. Forman suggested, that we have an independent audit process that starts to begin to look at those performance measures and do auditing on the performance measures, which is not currently required, and think about that as part of that process. I think that would give more credibility to the numbers. It would also make it clear to people in the agencies that someone was going to be auditing the numbers and lessen the likelihood of people preparing statements that might not be accurate.

Mr. Putnam. You said there is no indication of anyone having deliberately done it. But clearly, you just didn't fall off the turnip truck.
Somebody has been quoted by a reporter saying this. It's probably indicative of something more widespread, don't you suspect?

Mr. Dacey. I suspect without any cross-checks that there is great pressure to report such information. That could have happened, sure. But again, it gets back to the issue. I think FISMA is a basic process that will work. We really need to put in place a process to make sure those numbers are accurate. They are self-reported, so that the numbers you see in our chart and in OMB's testimony are self-reported numbers, inherently not audited in any way, shape or form other than some information we have on inventories which was specifically asked for in the OMB requirements. I think that will always be a challenge unless we put in some kind of effort that is going to assure both the agency, the administration and Congress that these numbers that are being reported are accurate. Until that happens, there is a possibility that their reporting could be inaccurate.

Mr. Putnam. I will abide by my own time element and recognize the ranking member, Mr. Clay, for 5 minutes.

Mr. Clay. Thank you, Mr. Chairman. I'd like each of the witnesses to explain for me the difference between the report card prepared by former Chairman Horn and the OMB report before us today. Which is correct, and has the government improved since 2001 in the OMB reports, or is the government still failing and going from bad to worse as the subcommittee reported last year?

Mr. Forman. I think there are substantial improvements. I can go through from the data some differences that I would have in the grades. But let me just say, there are some agencies that are doing really well. And if you scored a 60 percent as a--if you were generous and you scored that as a D, at best, most of the agencies would get a D. It's not good enough. It's just not flat good enough. We need to be up in the 80 or 90 percent range, or A and B range. And that has to be the standard.
We can talk about how much progress that we made or not, but for me a progress from an F to a D is not enough. It's just not simply good enough.

Mr. Dacey. I would like to point out again that this is the same basic information both for the GISRA report from OMB, our testimony and all the grades. So the most recent data we have Governmentwide is September 2002 data, and that gets back to the point where there is a consistency. The grades are the way in which the committee assessed and weighted the responses in the GISRA report. What we have presented and what has been included in OMB's report is some of the statistics and averages that are included in there for the same measures. It is a matter of looking at the same information in slightly different ways. It gets back to how do we know from September 2002 until today whether we have made improvements, and the point is we don't really have good reporting processes in place to get that information on a more timely basis. Right now the next set of information we will get is September 2003.

Mr. Clay. In your testimony last fall, you indicated all 24 agencies had significant weaknesses in program management in both 2001 and 2002, and only 2 agencies improved performance in access control. Would you agree that shows little or no progress?

Mr. Dacey. It shows some progress, but we still have serious problems. Again, we have had general progress at least in reported information across all the categories. The challenge is, as Mr. Forman indicated, whether it is F or D, we still have a long way to go to get to where we need to be. Yes, that is in the report, and that is probably still the case, and that is one of the areas that I think is particularly important that you have these structures in place for the agencies to manage information security. FISMA started to provide some of that by creating information security officers and coming up with a set of requirements for them in the agencies.
And I believe most of the agencies now have a designated information security--if not all--have a designated security information officer. We also--there's a need to have this process in place to report. Again, we don't have specific information, but I believe a lot of the information for GISRA reporting came from efforts to accumulate that information for the purpose of GISRA reporting and not as part of a routine process that management was getting the information to use to manage their security program. I think that has to change to be effective.

Mr. Clay. Well, in the OMB report, they list six areas of government-wide security weaknesses and then report that the government shows improvement over 2001. Do you agree with that assessment?

Mr. Dacey. I agree with the characterization in OMB's report with respect to the actions that have been taken. It's consistent with what we have seen in doing our work as well. So there has been action taken in each of those areas. And five new areas, or five areas that are newly reported, I think those are areas that we knew there were some challenges in the past; but identification of five new areas and action plans, is important to try to address those in going forward.

Mr. Clay. Mr. Forman, according to your report, there are only 8,000 reporting systems in the Federal Government. Now, I find that difficult to believe. Can you explain to the committee what that number represents and what systems are not included in that count?

Mr. Forman. Generally these are combinations of applications that work together to perform a function. So, do we have more than 8,000 systems? Probably. The number of reporting went up in 2002 compared to fiscal year 2001. I suspect it will go up again this year. But, that said, we know there are many more applications than that number. It's just agencies under the definition in GISRA are allowed to bundle together applications and call that a system. This is the best reporting we've had.
I think, for security purposes, that makes sense, because they are generally used by the same group of people, tied to the same network, and work together to support a business process. At the end of the day, you want to secure all the information around a business process, and you want to make sure that's secure, that business process can keep operating even if it's attacked. So I'm fairly comfortable with the definition that Congress came up with for GISRA. I think it exists fairly the same, except for national security systems, all training in FISMA. But the focus is appropriate.

Mr. Clay. Thank you both for your answers. Thank you, Mr. Chairman.

Mr. Putnam. Thank you, Mr. Clay. Mrs. Miller, do you have another round of questions?

Mrs. Miller. Just one. You know, I'm looking at this blue chart over there from the GAO about performance measures and those kinds of things. Mr. Dacey, can you give me a little more specific about what kind of performance evaluations you actually do? I can hardly see the bottom. Give me an example of what kind of performance measures. I mean, we keep talking about this is a management problem, apparently not a financial resource situation; it's a management problem. So just what kinds of things do you actually look at to measure this performance evaluation?

Mr. Dacey. Let me talk about that a minute. And hopefully you have something that looks like this up on your desk area that you can see better. In any case, these are six of the areas that were included in OMB's report. And what we put together in the chart was to try to really reflect the change from year to year, from 2001 to 2002, and on average for 23 of the largest agencies. Again, as I said before, the information that goes into these is a whole series of performance measures that were required by OMB in reporting on the second year GISRA implementation.
And these have been important, because they really are establishing a baseline and a basis for comparison from year to year. And this is the first year we have comparative information government-wide that we can look at. These are six of the many performance measures that were required to be reported. These particular ones I think are somewhat illustrative because it gets to some of the critical challenges that we have. If you look at the first column on risk assessment, that's whether the agencies have assessed risk in their systems to know what level risk they are accepting and operating them. The second is a security plan in place----

Mrs. Miller. Let me just ask you about the risk.

Mr. Dacey. Sure.

Mrs. Miller. What kind of risk assessments, for instance? I don't want to go through the whole thing, but just in that particular column there. What kind of risk assessments do you actually do? I mean, risk of terrorists? I mean, some guy with a laptop in a cave in Afghanistan being able to get into one of the systems in DOD? And are the evaluations for risk assessments uniform throughout these last two report cards and as we are entering September now?

Mr. Dacey. Well, I think--I guess my observations on risk assessments would be, they're supposed to include the threats to the system. And that's the normal process. We actually have a best practices report we issued on risk assessment; it's something that OMB requires to be done. The format and structure of them has a lot--some flexibility built into how detailed they are. So I couldn't say that every agency does it the same way. But what this number represents is the number of systems that those agencies reported that they had assessed risk for, and that's what those columns represent, both the gold for 2001 and the blue for 2002.

Mrs. Miller. So risk of the type of information that you are gathering? Risk of the type of access that individuals would have to it?
Risk of security of that information, those kind of things?

Mr. Forman. And then the final aspect of that is risk that you wouldn't--the agency wouldn't be able to complete its mission if either the information was stolen, disrupted, or the system processing was shut off.

Mr. Dacey. As part of that process, just to point out, one of the provisions of FISMA is to actually come up with risk levels. I think that can help a lot, because that will standardize the process by which agencies assess risks and can communicate more effectively between each other and within the agency as to when they are hooking systems together and what the risk levels are. So I think that would be an important improvement. Right now, the risk assessment is a little more subjective, not that it won't be somewhat subjective, but at least it will have a structure that is proposed by NIST as part of the FISMA law.

Mrs. Miller. Thank you, Mr. Chairman.

Mr. Putnam. Thank you, Mrs. Miller. Now I'd like to ask each of you: does every agency currently have an acceptable business continuity plan?

Mr. Forman. Generally we look at that down to the system level. And the answer is, no. That there are big gaps in some agencies and really good success in other agencies. That's part of the data that is tracked and I think was in our report. I would ask you not only to take a look at the agencies that have a valid contingency plan, but also what I think we need to do one step further that has been tested and validated, very similar to the work that we had to do with the year 2000 contingency plans.

Mr. Putnam. OK. While we are talking about that, in Mr. Dacey's testimony, he said that less than 50 percent of the contingency plans at 19 out of 24 agencies have been tested. Less than half have been tested. So does that mean that those plans might not work?

Mr. Dacey. Yeah. I think that really signifies that--until you test it, you don't know it will work, in fact. And there are two issues here.
The other number that we have is also the fact that there are a significant number of systems for which they don't have contingency plans. I think it is reported now at about 50 percent, 55 percent, just have the plans to start with; and then the second step is testing those plans to be sure that they would be effective in case of an emergency. I think that is a critical area, because absent some of these other controls in other areas, particularly for critical systems, it would be very vital to make sure that those systems could be recoverable in case some of these other weakness areas were exploited and the system availability was lost.

Mr. Putnam. Nobody ever wants to say that one agency or department is more important than another one. But in terms of the ramifications of having a contingency plan or a disaster management plan, are the agencies that are most at risk and most critical to national security or homeland security the ones who have tested? Has the Social Security Administration tested their contingency plans, and Defense not? Has Homeland Security, has FEMA?

Mr. Forman. It's a mix. And you will find the data in the table. You will see, for example, you are absolutely right. Social Security has tested their contingency plans. They are in pretty good shape. By the same token, FEMA did not test their contingency plans.

Mr. Putnam. So the Emergency Management Agency has no emergency management plan?

Mr. Forman. They have the plans for--as of the end of last year they had some of the plans. They don't have enough plans. And, moreover, they haven't tested the ones they have. There is significant work that needs to be done here.

Mr. Putnam. Let's talk about patches very briefly in my remaining time. Then we are going to move to the second panel. Patch management is critical to information security. It goes a long way toward protecting our systems from viruses and other attacks.
The PAD-C, the patch authentication and dissemination capability, will provide a system to Federal agencies to manage the patching of their systems. How far along are we in that? How are the agencies participating? Are they responding to OMB's encouragement?

Mr. Forman. I don't believe I have the exact numbers on how many agencies have signed up. They continue to get more agencies to sign up. This is, again, part of our concept of buy one, choose many. Patches are obviously to use a software code. And to the extent that people have common software--and we have an awful lot of common software in the government--it's better to buy that patch once and then have an automated way to distribute it. So that's why we invested in this patch management, buy-one, choose-many concept. I need to get back to you on exactly how many agencies, and I will do that.

Mr. Putnam. Do you want to add something, Mr. Dacey?

Mr. Dacey. I don't have the information right in front of me, but a fair number of agencies have signed up for PAD-C. I forget the number. It might be in our testimony. OK. I don't have that with us today. We can certainly get back to you on that. But it is an important area because it does provide a central source for patches that have been tested and authenticated and placed out there. I think one of the key issues in patch management is that even with that, agencies need to have a process to ensure that these patches are installed and installed properly and don't break other parts of the system. And so they need to take efforts to put that in place. And NIST has some draft guidance out on how to do patch management that is very informative.

Mr. Putnam. Well, the committee has submitted a letter to the secretaries of the departments, their IGs and CIOs, requesting more frequent updates of information and given them August 1 as a deadline for the update. And we will also be picking up where Mr. Horn left off with the score cards this fall.
I think that our first panel will note that this is bipartisan frustration with this, with the inadequate progress on the part of the Federal agencies, and we will continue to monitor this very closely. My parting question would be this: are the differences in reports due to different interpretations of what the law requires or a genuine disagreement over the level of information security that exists at the agencies?

Mr. Dacey. Just for clarification. Difference in which reports are you referring to, Mr. Chairman?

Mr. Putnam. Different interpretations of the FISMA, GISRA requirements, or to a genuine disagreement over the status of information security between the IGs.

Mr. Dacey. Between the IGs and the agencies?

Mr. Putnam. Yes.

Mr. Dacey. That's an interesting question. There were a number of IGs that did disagree, and I think OMB in fact in their report pointed out that was one of the new challenges that needs to be really looked at and addressed. And Mr. Forman might speak more to that. That's an area at least that's highlighting where there are differences that go back to the FISMA model and talk about the agency and the IG both working together and the agency providing some validation of that information. So I think it's good that we are pointing out where there are differences, and it's also a need then to follow up on those differences and find out why they exist. I don't know that we have any information on why the differences exist. In some cases it may be just differences of thought or differences in the systems that were looked at. I do know that when we deal with some of these issues from our audit perspective at GAO, there's not always unanimity in how you interpret the results of your reviews. And a lot of our discussion goes around what does this really mean, how serious of an issue is it. So there also--there can be differences of opinion as well.

Mr. Putnam. Do you want to add anything, Mr. Forman?

Mr. Forman. First of all, let me say that we do have some data in follow-up to your past question on the patch management contract. There are 37 agencies that subscribe to that today. What I need to do in getting back to you is find out how many are Cabinet-level agencies versus small agencies. Obviously, the small agencies really like to use the shared approaches. I think that actually the debate is good on what is a covered system and the amount of risk. To have the IG have that independent view and say this system is actually more mission critical or it is more important to the agency's mission than a CIO may say, really reveals to us something about the positioning of the CIO. And generally, as in some of the examples you cited, I notice that the CIO may not have the appropriate status that, sure, maybe in the agency to come forward and say a system is badly performing. They may be kept out because of the differences between the IT organizations and the bureau program offices. So, I think, first of all, it's not necessarily bad to have the disagreement. And, second, it is very important that the IG stay aggressive in this area so that it can reveal to us where are the areas to look.

Mr. Putnam. Thank you very much for your testimony. At this time we will dismiss panel one and seat panel two and move as quickly as possible. Thank you very much, Mr. Forman and Mr. Dacey. The committee will recess for 3 minutes.

[Recess.]

Mr. Putnam. We will go ahead and seat the second panel and reconvene the subcommittee hearing. I would like to welcome our second panel of witnesses. As is the custom of the subcommittee, we will swear in this panel. I would ask that if you have personnel joining you today who will be assisting you in answering, that they will also rise and be sworn at this time. Please stand and raise your right hands.

[Witnesses sworn.]

Mr. Putnam. Note for the record that all of the witnesses and their supporting cast responded in the affirmative.
We will move right to panelists' testimony. I begin with Johnnie Frazier. Mr. Frazier was appointed to the position of Inspector General at the Department of Commerce in 1999. The Presidential appointment capped more than three decades of distinguished service at the Department in a variety of leadership roles. During his tenure as IG, Mr. Frazier has significantly strengthened that office's strategic agenda to reflect the most pressing priorities for the Department and the Nation. For example, he has directed key audits and investigations of security weaknesses in Commerce's computer networks, information systems, and personnel policies. He has initiated assessments of emergency preparedness plans at Commerce facilities and prompted examinations of export safeguards on sensitive U.S. technology. He has precisely defined the IG's direction for the near future around a set of core priorities that strategically target emerging audit and inspection areas of need. We welcome you to the subcommittee, and recognize you for 5 minutes for your testimony.

STATEMENT OF JOHNNIE E. FRAZIER, INSPECTOR GENERAL, DEPARTMENT OF COMMERCE

Mr. Frazier. Mr. Chairman and members of the subcommittee, I am pleased to appear before you today to provide the IG's perspective on IT security in the Department of Commerce. You know, although IT security and data have long been among the Department's most critical assets, ensuring their security, unfortunately, was not a high priority for the Department before GISRA. When I first testified on IT security 2 years ago, I had few favorable observations to share. The Department was striving to improve, but our work at that point revealed pervasive security weaknesses that placed sensitive IT security systems at serious risk. As a result, we identified IT security as one of the top 10 management challenges facing Commerce. And while much progress has been made, it still remains high on my top 10 list.
OMB's fiscal year 2002 report to the Congress on Federal IT security noted that progress is evident and that the government is heading in the right direction. I am pleased to report that Commerce, too, has made progress and is heading in the right direction; but this department, like many others I'm sure, must overcome a history of much neglect. As Commerce's CIO put it, the Department has been coming from behind. Our IG GISRA evaluations over the past few years have often found the same basic weaknesses at Commerce that OMB has found throughout the government.

First and probably foremost, we have seen the problems, the progress, and the potential that surround senior management's attention to IT security. Before GISRA, IT security was simply not on the radar screen of senior Commerce management. Through the Secretary and Deputy Secretary's efforts, and quite candidly their bully pulpit, senior managers are increasingly coming to understand that they are responsible for IT security.

Our independent observations on security education and awareness previously highlighted this as an area of neglect. Again, the Department has responded. Today, all employees and contractors receive security awareness training. But specialized training for personnel with significant IT security responsibilities remains inadequate.

A third major area centers on the importance of management religiously integrating funding and IT security into Commerce's capital planning and investment control process. While the Department has substantially increased its control over IT investments, it often still struggles to adequately plan IT security controls and costs for every system.

Our ongoing independent evaluation is also showing that the Department has improved its capability to detect, report, and share information on vulnerabilities. Before GISRA, only 4 of Commerce's 14 operating units had a formal incident response capability. Now, all Commerce operating units have such capability.
Another matter of particular note to us is the importance of ensuring that contractor services are adequately secure. Our review of 40 of the Department's IT service contracts found that contract provisions to safeguard sensitive systems and information were either insufficient or nonexistent. Why, you ask? Little Federal or departmental guidance or policy in this area. On the Federal level, a proposed Federal acquisition clause for IT security is currently under review by the FAR Council. I believe this clause will be beneficial government-wide. And I am personally pleased that our IG contracting expert, Karen DePerini, who first identified the contract problem at Commerce, is co-chair of the OMB issue group that recommended this clause and is identifying methods to improve security in contracts.

And last, but by no means least, aggressive schedules for IT performance measures are having an impact on all parties involved in the IT security effort. It should be noted here, however, that although security plans have been required for Federal IT systems since the Computer Security Act of 1987, when I testified 2 years ago, nearly two-thirds of the Department's systems lacked risk assessments, almost half did not have a security plan, and more than 90 percent were not certified or accredited. The Department is vigorously addressing these serious deficiencies. The Department's focus can best be seen by looking at its performance measures for system certification and accreditation. According to the Department, between fiscal years 2000 and 2003, the percentage of systems certified and accredited increased from a mere 8 percent to 77 percent of its roughly 600 systems. At the same time, I must caution that performance measures do not tell the whole story. Overaggressive schedules can actually weaken the process.
Our evaluation suggests that aggressive timeframes have often resulted in premature certification and accreditation, where risk assessments, security plans, testing, evaluation, and review have been inadequate or sacrificed altogether.

In closing, I am proud that the independent evaluations required of the IGs play a uniquely valuable role in confirming the substance and quality of critical processes and control and in helping ensure that the job is done right. Unfortunately, our resource limitations have not allowed us to do such things as validate the specific details of the Department's annual IT security report. Likewise, we have not been able to perform vulnerability assessments and penetration testing of nonfinancial systems that would demonstrate whether vulnerabilities exist and intrusions may occur. I cannot overemphasize how critical it is that the rigor and integrity of IT security processes be maintained; otherwise, we will have paper security but lack true security. Thank you.

Mr. Putnam. Thank you very much, Mr. Frazier.

[The prepared statement of Mr. Frazier follows:]

[GRAPHIC] [TIFF OMITTED] T1648.048 through T1648.075

Mr. Putnam. At this time I would like to recognize Robert Cobb. Following nomination by President Bush and confirmation by the Senate, Robert Cobb took office as NASA's Inspector General in April 2002. Mr. Cobb, in his capacity as a member of the President's Council on Integrity and Efficiency, serves as the Chair of that organization's Information Technology Roundtable, which promotes a coordinated approach to information technology issues among inspectors general across the executive branch. He also serves as an observer to the Columbia Accident Investigation Board, which is examining the February 2003 loss of the space shuttle Columbia and her crew. Mr. Cobb was previously associate counsel to the President.
In this role, he handled administration of the White House ethics program under the supervision of the counsel to the President, and was responsible for the administration of the conflict of interest and financial disclosure clearance process for candidates for nomination to Senate-confirmed positions. Prior to joining the Office of the Counsel to the President, Mr. Cobb worked for almost 9 years at the U.S. Office of Government Ethics. We welcome you. You are recognized for 5 minutes.

STATEMENT OF ROBERT COBB, INSPECTOR GENERAL, NASA

Mr. Cobb. Thank you, Chairman Putnam, Ranking Member Clay, Vice Chair Miller. Thank you for the opportunity to discuss information security at NASA and the impact of GISRA and FISMA on the agency's information security program. The Office of Inspector General is committed to helping the agency improve IT security through our ongoing program of IT audits and investigations. I will discuss three areas: the current state of NASA IT security, our audit of the information NASA submitted to OMB under GISRA in fiscal year 2002, and our plans to audit the information submitted by NASA under FISMA in 2003.

First, I want to highlight some of the unique challenges associated with securing NASA's IT resources. The NASA vision and mission concern challenges for scientific exploration and discovery. NASA pursues these challenges with a broad array of programs, including research and development in aeronautics, space exploration, and space flight. Needless to say, these endeavors require a complex range of IT systems. As context and setting for NASA's IT security challenges, NASA carries out a civilian mission where the distribution of information about scientific exploration, discovery, and achievement is practiced by the agency and expected and desired by the public. NASA is a highly visible agency, with many readily available Web sites, and thus is a natural target for those seeking to illegally access government systems.
NASA's IT security program is reliant on the participation and dedication of all employees, contractors, and other partners with access to NASA information. NASA, like every other agency, faces a challenge in convincing its work force that IT security is a primary rather than a secondary responsibility. The OIG has examined the state of NASA's IT security, and we identified it as a significant management challenge in our December 2002 report to the Administrator. IT security activities at NASA have historically been carried out on a decentralized basis. This has resulted in a lack of full interoperability among the systems. NASA is moving toward a one-NASA concept, with a greater centralization and integration. However, as long as NASA's governance structure is such that center CIOs and center security officials report to center directors--who are program officials--rather than to NASA's CIO and chief security officer, a fully integrated approach to IT security will be practically impossible at NASA.

As part of our work, we conduct audits of information security and perform investigations of the criminal misuse of NASA IT systems. Our recent activities have addressed a broad spectrum of security problems. There are examples from our ongoing investigations where inadequate IT security, such as weak password controls, resulted in unauthorized access to significant amounts of NASA data that was sensitive, but unclassified. The agency is aware of these cases and acknowledges that serious compromises have occurred. In our audit work, we have reported on issues including inadequate security training for system administrators, an inconsistently applied program for ensuring security of sensitive systems, inadequate security plans for NASA's IT systems, and an inadequate incident response capability. It's important to note that NASA has been responsive to our work and that corrective actions are planned or are underway to address key IT security challenges.
Our 2002 GISRA submission reflected the results of 26 final reports and several ongoing assignments related to IT security at NASA. Our submission also reflected IT security-related work performed by the agency's independent accountants as part of their annual review of NASA's financial statements. Additionally, we verified and validated the status of weaknesses identified in NASA's Fiscal Year 2002 Plans of Actions and Milestones. The agency generally incorporated our suggestions into their final version that they submitted to OMB. Our fiscal year 2002 GISRA efforts were limited to unclassified systems because NASA did not have the national security information systems reviewed in accordance with GISRA requirements.

During fiscal year 2003, my office continues to conduct a series of IT security-related audits and assessments and will incorporate the results of this work into our FISMA submission. We will also follow up on our 2002 GISRA report. Later this year we plan to start an audit of NASA policies to protect sensitive, but unclassified information.

The requirements of GISRA and FISMA are having a positive effect on IT security at NASA. The legislation and related OMB guidance provided NASA with a framework for more effectively managing IT security. Because GISRA, and now FISMA, hold agency heads responsible for IT security, NASA senior management is more focused on it. The legislation also requires the agency to consider the view of the Office of Inspector General and to deal with the issues raised in our independent evaluations, and, in my view, this has also had a positive impact on the agency.

Last, I would like to note that in the NASA OIG, we have an exceptional team of IT auditors, specialists and computer crimes professionals. Because of the investment the OIG has made in this area, we have been able to provide leadership in the IT area to the IG community through my chairing of the IT Roundtable of the President's Council on Integrity and Efficiency.
Through this roundtable, the NASA OIG has sought to promote the sharing of best practices in IT audits and investigations. This concludes my statement.

Mr. Putnam. Thank you very much, Mr. Cobb.

[The prepared statement of Mr. Cobb follows:]

[GRAPHIC] [TIFF OMITTED] T1648.076 through T1648.086

Mr. Putnam. We have a large panel, and I would ask that everyone be respectful of our 5-minute time limit. I now introduce Scott Charbo. Agriculture Secretary Ann Veneman named Scott Charbo as Chief Information Officer at the U.S. Department of Agriculture in August 2002. As CIO, Mr. Charbo is responsible for the overall management of USDA's information resources and IT assets, overseeing more than 4,000 IT professionals and $1.7 billion in physical assets. He comes to the CIO position from the USDA Farm Service Agency where he served as director of the Office of Business and Program Integration since July 2002. He was responsible for planning, developing, and administering the agency's programs and policies, and provided direction in the areas of economic and policy analysis, appeals and litigation, strategic management, and corporate operations, outreach programs, and strategic planning and leadership in the agency's citizen-centered E-government initiatives. Welcome to the subcommittee. You are recognized.

STATEMENT OF SCOTT CHARBO, CHIEF INFORMATION OFFICER, DEPARTMENT OF AGRICULTURE

Mr. Charbo. Thank you, Mr. Chairman. With your permission, I will submit my testimony. At the Department of Agriculture, I am responsible for computer systems that support billions of dollars in annual program benefits.
Information stored on these systems includes Federal payroll data and market-sensitive crop, commodity, and farm data, information on food stamps and food safety, and proprietary research data. This information is one of USDA's greatest assets. Mr. Chairman, we at USDA are doing a better job initiating change and managing information in IT security at USDA; however, our size, decentralized organization, and the wide array of hardware and software in use, combined with the magnitude of today's cyber threats, mean that we have a tremendous amount of work remaining to reduce the risk to our information assets to an acceptable level.

Historically, each USDA agency and office funded and managed its own IT investments independent of other organizations in the department. Likewise, security controls employed to protect these investments have been selected independently. This decentralized management structure has created an environment where some USDA agencies have addressed the issues of security and risk while others have not. Today, assuring a high level of information security in every USDA agency is a critical issue of USDA's management. Representative of this commitment, we have begun holding our senior executives accountable by including a performance measure in their annual performance plan directly tied to implementing their FISMA plan of action and milestones report. With funds from Congress, we are continuing to build a central cyber security program that is providing our agencies with uniform policies, guidance tools, and program management. We are setting clear cyber security goals and then assisting agencies in meeting them. Through our IT capital planning investment control process, we are also doing a better job integrating security in all phases of our IT project life cycle, from initial planning to system retirement. This story of good progress and change with much more work to do is representative of our numbers.
In 2004, USDA plans to spend about 68 million to protect our information assets. This represents an increase of 6 percent over the 64 million in security spending estimates in fiscal year 2003. In the past year, six agencies completed risk assessments of their cyber security programs from qualified security contractors, with an additional four now underway. Similarly, nine USDA organizations created independent security risk assessments on 26 separate systems. Many others are currently in the process of completing assessments. Over the past 2 years, we have deployed intrusion detection and antivirus software across the Department. Just this month we held a training session for agency IT staff on how to deploy the Department's latest patch management software solution. By deploying patch management software, we will ensure the most recent releases of software patches. Finally, our USDA FISMA and plan of action and milestones report currently shows that we are taking 1,405 distinct actions to address 243 program and system-level weaknesses. While the numbers we report go up and down as threats to our systems change, I am confident we will see progress in our POA&M report. At USDA, we are fortunate to have a strong senior information security officer and staff who drive our information and IT security efforts. They are the ones who deserve the credit.

Mr. Chairman, in your invitation to this hearing, you asked to discuss the actions that we are taking to remedy the deficiencies in both our GISRA and financial reporting. I will focus my comments on the highest-priority initiatives. Information assurance starts with employee education and awareness. We are spending--spreading the word across USDA through online courses like the government standard GoLearn.gov classroom training, and numerous technical and management forums.
Recognizing the importance of this issue, the Secretary and I are personally addressing these concerns at our subcabinet meetings and during regular briefings for our agency heads. We are making good progress establishing executable business resumption and recovery plans for critical information systems. At USDA, we are finalizing a standard certification and accreditation methodology and process for our agencies to verify and attest that information security functions as required. As I mentioned earlier, we revised our IT capital planning investment control guidance to ensure system owners address security at all stages of an IT project's life cycle. I would also like to mention one modernization project that is critical to strengthening cyber security at USDA. We are redesigning our long distance telecommunication network to support the growing demand for E-government services. Once implemented, our system will greatly improve our ability to verify the integrity and confidentiality of data transmitted over the network. Thank you for the opportunity to be here, Mr. Chairman. Thank you.

Mr. Putnam. Thank you very much.

[The prepared statement of Mr. Charbo follows:]

[GRAPHIC] [TIFF OMITTED] T1648.087 through T1648.094

Mr. Putnam. I now recognize Mr. Ladner. Drew Ladner was appointed Chief Information Officer of the U.S. Treasury Department in March 2003. He is responsible for managing the Treasury's $2.5 billion information technology strategy and budget, serving as Treasury's official lead on E-government initiatives, and providing policy direction and oversight of the Department's security programs. Welcome to the subcommittee. You are recognized.

STATEMENT OF DREW LADNER, CHIEF INFORMATION OFFICER, DEPARTMENT OF TREASURY

Mr. Ladner. Thank you, Mr. Chairman. Mr. Chairman, Ranking Member Clay, thank you for the opportunity to appear today to discuss the state of Treasury's IT security as well as the actions underway for remediating the Department's material weaknesses. The continued leadership of the chairman and the members of the subcommittee is essential if we are to improve IT security and accountability not only at Treasury but across the Federal Government.

The present state of Treasury's IT security requires improvement to achieve our objective: closing all IT-related material weaknesses as identified by GISRA's fiscal year 2002 review process. As of March 31, 2003, the Department had 14 material weaknesses. These included nine at the Internal Revenue Service, three at the Financial Management Service, one at the Mint, and one at the Departmental Offices.

To bolster IT security, Treasury has taken a number of actions to date to resolve outstanding issues addressed by the Treasury Inspector General and the Treasury Inspector General for Tax Administration. First, Treasury has implemented an aggressive oversight and compliance program for IT security. During fiscal year 2003, reviews will have been completed for all of the bureaus' IT security programs to establish a baseline for future annual reviews. This is the first time that the Department has conducted a complete review of the IT security programs. Second, to maximize implementation success and accountability, Treasury has set specific goals to improve security with the use of performance measures, including the 80 percent to which Mark Forman alluded previously. Third, a combined Federal Information Security Management Act 2003 data call has just been instituted by the Treasury CIO, IG, and TIGTA. This joint data call is expected to remedy the inconsistency to which the chairman referred earlier in reporting numbers in the last two surveys performed under GISRA.
Fourth, Treasury has taken further action to ensure the protection of our critical infrastructure cyber assets. Fifth, to augment the FISMA requirement for periodic security training, Treasury has scheduled an IT security conference for the bureaus' IT security managers and staffs. This conference will include high-level training sessions and targeted technical sessions focused on Treasury's IT security issues, along with promoting new CD-ROM and Internet-accessible training opportunities.

Treasury is committed to identifying the root causes of unacceptable IT security and putting in place the structures, processes, and systems that will ensure the Department has a strong security regime. Let me describe several initiatives briefly that are key. First of all, as soon as I began as Treasury CIO, I decided that my first priority as Treasury CIO would be IT governance. Pursuant to the Clinger-Cohen Act, the CIO's mission is to ensure that the Department wisely steward the funds of our taxpayer citizens on technology systems so that we can deliver ultimately valuable E-government services and other services. Establishing the right structures, processes, and systems of sound IT governance not only provides for sound planning and budget allocation, but also necessitates incorporating security considerations into our capital planning and investment controls. It's a cardinal rule in business operations that the quality of a design has a disproportionate impact on the life cycle cost of the system. If Treasury's systems are not secure when we develop and deploy, the Department leaves itself vulnerable until deficiencies are remediated and taxpayer dollars are not stewarded to boot. An additional benefit is that Treasury increasingly aligns its IT operations with Department goals and objectives, achieving a more integrated, cohesive, and institutionalized security regime across Treasury.
In short, achieving a strategic, robust, and integrated security regime will be limited if our capital planning investment control process does not share those same characteristics. In addition to the new IT governance regime, we are working very hard on the enterprise architecture that also achieves the goals that Mark Forman described previously. This will provide us a baseline for planning our security regime as well. Third, proactive interagency collaboration on IT security provides additional evidence of the institutionalization of Treasury's IT security. The measures thereof are included in my submitted statement. In the Office of the CIO, our mission is to steward Treasury's information resources with integrity and professionalism. I remain committed to doing that and working on everything we can do to ensure that your goals and this committee's on IT security are stewarded as well. Thank you very much.

Mr. Putnam. Thank you very much.

[The prepared statement of Mr. Ladner follows:]

[GRAPHIC] [TIFF OMITTED] T1648.095 through T1648.112

Mr. Putnam. I would like to recognize Bruce Morrison. Mr. Morrison assumed his duties as Acting Chief Information Officer in the Bureau of Information Resource Management in December 2002. Previously Mr. Morrison was Deputy Chief Information Officer for Operations in the Bureau of Information Resource Management. Mr. Morrison is a career senior Foreign Service officer. During his 26-year career, he has held a succession of information management positions, including serving as dean of the School for Applied Information Technology in the Foreign Service Institute. We look forward to your testimony. You are recognized for 5 minutes. Welcome to the subcommittee.

STATEMENT OF BRUCE MORRISON, ACTING CHIEF INFORMATION OFFICER, DEPARTMENT OF STATE

Mr. Morrison. Thank you, Mr. Chairman, and Ranking Member Clay. I am honored to be here and appreciate the opportunity to discuss information security at the Department of State. While we are not where we would like to be in cyber security, I can report on the initial stages of improving our program. We at the State Department have the highest level of support and attention from Secretary Powell and Under Secretary for Management Green. Secretary Powell considers information technology to be a strategic component in implementing U.S. foreign policy.

Let me summarize IT security at State. We have long had a strong perimeter defense, with technical, physical, and personnel controls, including an antivirus program, firewalls, intrusion detection, and incident reporting. However, we realize that a sound cyber security program is built upon a defense-in-depth strategy that includes management controls as well as technical and operational measures. What we have lacked in the past is a comprehensive management structure and a serious systems authorization program.

It is a new day at State, with the convergence of several events bringing a fresh approach and commitment to cyber security. First, GISRA, and then, FISMA focused top management attention on cyber security. Second, we have new cyber security leadership at State. I stepped into the position of acting CIO 6 months ago. Additionally, there is a new Assistant Secretary for Diplomatic Security with whom we collaborate closely.
Finally, OMB very helpfully mandated that we authorize all systems by the fourth quarter of 2004.

Our new organization is giving birth to a new cyber security culture and is producing results. We have a new Office of Information Assurance headed by a senior officer reporting directly to me. This office handles IT security policy, program management, performance measures, risk management, and reporting. There is increased departmentwide cyber security focus, as all offices are now involved to some degree in cyber security through the plans of action and milestones process and awareness programs.

As I mentioned, there is an excellent rapport and collaboration between the Chief Information Officer and the Bureau of Diplomatic Security on all aspects of cyber security. Similarly, a cooperative partnership exists with the Chief Financial Officer on Critical Infrastructure Protection and the information technology budget. We have a senior-level multidisciplinary cyber security advisory group. There is a close working relationship with the Office of the Inspector General. In biweekly meetings with the Inspector General, we discuss a variety of cyber security issues, with FISMA requirements and systems authorization taking center stage.

State has recently established an E-government program board chaired by Under Secretary for Management Green to manage all IT funds. Information assurance experts now review every IT system budget request to assure that appropriate security considerations are budgeted and executed.

Very significantly, we have developed a certification and authorization plan. It was submitted to OMB in March, fully funded in mid-April. We are on track with the plan, with 10 percent of our systems done, and a goal of 33 percent by August 2003, and 100 percent by August 2004.
We are taking specific steps to institutionalize cyber security management and practices, enhancing policies, developing a cyber security program management plan, integrating security into planning, and providing training. New systems are addressing security from the outset. Our future budget request will include security costs. Regular awareness sessions for all users, and mandatory training for security practitioners will assist in institutionalizing cyber security.

In summary, we are still at the early stages of creating a comprehensive cyber security program, but we have made great strides over the past few months. This progress contributed to our PMA scores going from red to yellow to green. I appreciate the opportunity to talk before the committee.

Mr. Putnam. Thank you, Mr. Morrison. You timed it perfectly, too.

[The prepared statement of Mr. Morrison follows:]

Mr. Putnam. I want to read for you what I read to the first panel out of an article from the Federal Times, from an information security specialist in an anonymous social service agency. They state, ``Someone at our parent department told OMB we would have it done in July. We can't get it done right by then, so we will throw together some documentation and make it look like we did.'' That never happens in any of your departments. Does it?

Mr. Frazier. Of course it happens. Of course it happens.
Notwithstanding the anonymity of the person who stated that, we know that people try to meet these artificial deadlines, and in the process, they--haste makes waste. And it happens.

Mr. Putnam. Anyone else wish to jump out there?

Mr. Cobb. I think that it's not that they are necessarily preparing a fraudulent set of paperwork or that's necessarily occurring. Instead it's a question of thoroughness. Specifically, how thorough are the examinations, planning, testing, and the different elements of the security plans.

Mr. Putnam. Mr. Ladner.

Mr. Ladner. My view is that the process will continue to be compromised until there is a plan that not only addresses the objectives that are set out by the statutes which we have to comply with, but that we go the extra mile. And so what we are doing at Treasury is to certainly hit our numbers on CIA, certainly hit the other objectives, but ensure that we actually have a security governance process and plan in place.

Second, I think that the process will continue to be compromised if we view it in static terms instead of dynamic. What I mean by that, is that we need to be able to have real-time visibility into what's happening at, in our case, the bureau level so that we can see on an ongoing basis what the numbers are. And I think over time the data quality will improve, so that we reduce the probability of individuals being able to toss over the wall data and reports that are less than accurate.

Mr. Putnam. I'm told that it's been 3 years since agencies were told to complete their inventory of systems, and that has not yet been fully completed. Is that correct?

Mr. Morrison. One of the first things that I did after taking over as CIO was to complete an inventory of systems using OMB and National Institute of Standards and Technology guidelines. So it is true that was only done at the State Department this year.

Mr. Putnam. So we've had 3 years of artificial deadlines. That's fairly dynamic, and it took 3 years to get there.
What about Treasury?

Mr. Ladner. Whether it's ensuring that we have a good security program or ensuring that, for example, Treasury is delivering services at low cost--at high service levels--to our bureaus from our large network, we need to make sure that we understand what infrastructure we have. And so we have directed the bureaus to participate in a Treasury-wide total cost of ownership review, which will enable us to know what we have and therefore be able to drive enterprise architecture and the ability to drive the security programs much more effectively. So we will have that probably within several months, by fall.

Mr. Putnam. We look forward to seeing it in the fall. But that will still be substantially beyond when it was to be completed. Correct?

Mr. Ladner. That's my understanding based on what I've learned in the last 3 months. That's correct.

Mr. Putnam. OK. What about Ag?

Mr. Charbo. We are in the process as well of looking at what systems we have and where they are. We have 576 IT projects. Our focus right now is to consolidate those down to a more manageable level. Let's retire those that are legacy, let's retire them, move on, identify those under redevelopment, bring those into the planning and investment process so that security, as Mark discussed earlier, can be placed up front where it is more cost effective and easier to manage.

Mr. Putnam. Mr. Charbo, you came from FSA, so I am going to pick on you first. In the article the same unnamed person said, in expressing their frustration not having appropriate authority, ``they have their own funding and don't report to us. When I call them and ask for this or that report, they just ignore me.'' Is that something that you found in your role at FSA, that you had difficulty getting the different branches around the country to take your requests seriously?

Mr. Charbo. From a security perspective, that is somewhat better managed at FSA within the Department.
Most of that funding is being placed under the common computing environment budget which is a centralized budget for the service center agencies. So we have a better handle on how the security is being done in those agencies within the service center, FSA included.

Mr. Putnam. So that's not a problem at FSA. Is it a problem in other parts of the department?

Mr. Charbo. I won't deny that at times it is difficult to get information out of agencies, yes. And when we experience that, my position is to go to the Deputy Secretary, the administrators, or directly to the Secretary if we need movement. And I've been getting that support when we do that.

Mr. Putnam. Anyone else wish to add to that or comment on that?

Mr. Morrison. I think the State Department made a big step forward this year by organizing an E-government program board that now governs the entire IT budget. That was a very necessary step to carry out the act.

Mr. Frazier. Mr. Chair, at Commerce, one of the biggest battles that we've fought, but I think one of the battles that was absolutely essential, was to make certain that all of the individual agency CIOs reported to, at least for part of their management responsibility, to the Department's CIO. And so those individual bureau CIOs now have more authority to override some of the concerns, override even their program head if they disagree with him. So that is something that has, I think been absolutely critical to improving the process at Commerce where you have the individual CIOs reporting to a head CIO at the departmental level.

Mr. Ladner. In my first month at Treasury, we created with the Treasury Budget Office, a Technology Investment Review Board that reviews all IT investments across Treasury.
And so I think that, as bureaus understand both from a statutory standpoint as well as an end-user standpoint that we have to have security considerations integrated into the budget process, that increasingly that close collaborative relationship is being created.

Mr. Putnam. Mr. Cobb, you have heard Mr. Frazier's testimony expressing some concern about artificial deadlines or overly aggressive schedules that would cause people to potentially cut corners in their quest to get certified or accredited. NASA has worked rather hard to improve its performance and has made some progress. How did you ensure that the agency's desire to make that progress didn't lead to skimping on the work of correcting vulnerabilities?

Mr. Cobb. Well, our audit strategy has been primarily aimed at looking at specific systems, and as I mentioned we've done 26 audits last year of specific systems. Some were agency-wide. And I took note of the biweekly meetings at State. We don't have those biweekly meetings and we should have them; because, for example, we didn't see NASA's executive summary until a week before they submitted the GISRA report. So we were not on top of the reports of improvement of the NASA programs and NASA's assessments of its systems, by the time we filed our GISRA report. The way in which we are going to get after that is by assessing exactly how thorough NASA was in their systems analyses. In addition, we're going to continue to do our aggressive auditing of NASA systems to determine the thoroughness of their systems' analyses and we will try to verify their results through sampling.

Mr. Putnam. You have heard the recurring theme that this is a management issue or a technology issue, it's not a money issue. Mr. Ladner, your IG stated that there is a general feeling that some bureaus, ``appeared to view the GISRA annual reporting process as a pro forma exercise.'' In your GISRA report to OMB, 8 of the 10 current material weaknesses in IT security were repeats from 2001.
Mr. Morrison, your IG stated that the lack of security planning and missions is the result of, ``insufficient guidance from the Department, and a general belief that IT information security is less important than other elements of security.''

Mr. Charbo, your IG at USDA said, ``The Department did not have security plans in place for all its major applications and general support systems, had not planned for contingency, had not certified security controls in place and authorized processing for all of its systems. Nor had the Department identified all of its mission-essential infrastructure, conducted risk assessments, or prepared mitigation plans on the identified risks.''

What are you all going to do to change the culture at your departments?

Mr. Charbo. We have been doing this in a process where the first thing is discovery. We feel that we've identified the projects on the IT basis by doing a few things. One is we've lowered our waiver process of how departments and agencies within USDA can spend their dollars for IT so that we can identify where is the money going and what things are being done with this. We've also incorporated that into the investment process with OMB, the 300 business case analysis which now requires two key things for this. One is project management skills. Even though we have a project identified, that does not mean it's going to get delivered on time, on budget, and meeting the requirements that the system was intended to do. We now have a process in place that we believe will do that, and that is requiring a name, an accountable person with the skills to deliver that project on time on budget and with the requirements. Security is a major component. Given all the requirements in that document, if security is lacking, it will not go forward. We will not approve that investment moving forward.

We have also made our senior executives accountable under a security grading process that we have within the chief information officers.
We've started monthly meetings with administrators. Typically what we do is we have to identify what have you spent on security rather than it being a definite budgeted line item for security. So we are talking more of a proactive than reactive, which, in a lot of the cases, the reports represent. It's just trying to find out what has been done rather than where we are going. We have identified where do we want to be in the next year. Within our office through July, we have identified, on a quarterly basis, where we want to be with security. We have done that with our e-government areas, our network management and several key areas within the IT area of the Department of Agriculture.

Mr. Putnam. Mr. Ladner and Mr. Morrison.

Mr. Ladner. At Treasury, I mentioned our focus on the capital planning process. We believe that is absolutely critical if we are going to get change across the Department. One of the actions we've taken in the last 3 months is to create, for the first time, an office of policy and planning that pulls together the IT government's enterprise architecture and our tracking of E-Government services so we can integrate security--not in a silo-like fashion--but truly across all of our functions and across the Department.

Second, we have deployed a PKI, a public key infrastructure, and we are looking forward to having a framework with specific examples where we can move the ball forward in improving our security. And I think that where the bureaus see the CIO and the CIO leadership actively engaged in spending time on improving our security, I think that sends a very strong signal. For example, last week the Bureau of Engraving and Printing affixed, for the first time in our Department, a digital signature to a form. We are actively trying to not only improve security but also essential PKI vehicles. I am very involved in that and I think that sends a very strong signal to the rest of the bureaus.
I would also add, in addition to what Scott said about accountability, that at the IRS where security has been an issue with regard to reports, they are working very hard with my office to address and to fix our exhibit 300's issue. And I think at the end of the day, we can't wave the flag on progress unless we have really made progress and that's the test of fixing the 300's. In addition, the IRS is holding their managers accountable for fixing their security issues on those 300's and I think that's a real sign. Getting to your question on the cultural dimension, we're in fact making progress on the cultural dimension--but there's a long way to go.

Mr. Morrison. Mr. Chairman, Under Secretary Green is leading aggressively on the IT security issue. I'm engaged directly with the other assistant secretaries. I'm happy to say that in the last two quarters, we now have over 90 percent of the State Department bureaus engaged in the plans of action and milestone process. As my colleagues have mentioned, it's vitally important that security become an integral element of the budget process, which we achieved this spring. So in summary, it's a slow painful process, but we are making progress at changing the culture.

Mr. Putnam. Mr. Clay, you're recognized.

Mr. Clay. Thank you, Mr. Chairman. Mr. Frazier, the Department of Commerce accounts for much of the improvement in the OMB table. The subcommittee's report card shows only modest improvement at the Department between 2001 and 2002. Can you explain the difference, and which do you believe is the more accurate reflection of the situation at the Department?

Mr. Frazier. I guess I could start with a quote from something my grandmother used to say to me: ``You know, we are not where we should be and where we want to be, but thank God we're not where we used to be.'' So I think there is a mind-set in the Department that recognizes that we have made tremendous progress. But I have to tell you, we still have a long way to go.
I don't want to speak for what GAO says or even what the Department CIO says, I'll just speak for what my systems evaluators have found. Every time they have gone into an area that has supposedly been certified and has been accredited, they have found problems that continue. Here I will quote Ronald Reagan: ``trust but verify.'' There is usually this mind-set that because somebody tells you something, it must be true, and that is not always the case. And I don't think there is any intent to deceive as much as it is as let's get this done and let's get that done. And as we go back and start to verify and see that there are still gaps, we have also been tremendously impressed with how responsive the Department has been to deal with our issues. And so now you begin to see that they are saying before we send this forward, maybe we ought to go out and do some testing and do some validating.

So I think that the explanation is that we still have a ways to go. We have made progress. But part of it is in the mind-set. I think the Chair has hit it a number of times on the head by saying that the management philosophy has changed. Take this seriously. The Secretary is making sure that people are held accountable for this.

One area that I remain concerned with is that I see that the managers, the CIOs have gotten the message. I still have concerns as to whether the folks on the front lines have gotten the message. I can't tell you how many times we have gone back to tell a CIO of a particular bureau who thinks this is one of their model systems. And I say let me show what we have found. And of course they become very disappointed. So there is still a great deal of work to be done but I have to tell you that significant progress has been made. Being one of the folks that has been around a little while and again when I was here 2 years ago, it was such a dismal report. So I can take pride in saying that a lot has happened, but we still have a long way to go.

Mr. Clay. Thank you for that response. Mr. Cobb, NASA accounts for most of the rest of the improvement in the table. The subcommittee's report card shows a decline in performance in that Department between 2001 and 2002. Can you explain that difference and which do you believe is the more accurate reflection of the situation at NASA?

Mr. Cobb. Well, I think the variance in the views between the IGs and CIOs may be due to the differences in interpreting the data. I think that's the same reason that you have a different story between how the subcommittee views the meaning of data and how OMB views the data. My impression from what I have seen in the 1 year that I have been the NASA IG is that NASA is doing much better than when I came in. The reason is because the senior levels of management and the CIO's office, have acknowledged the fact that they have serious problems. They have had a number of management changes in the CIO's office. They have a lot of plans and programs that are underway. The verdict is out on whether or not they're going to effectively meet the challenges of IT security. But certainly, in terms of the cultural change and what they have not done, is make the center CIOs report to the CIO. NASA has 10 or so centers that report to the center directors. The CIO doesn't write their evaluation. I think NASA is doing much better. They're focusing on the problems and we keep beating the drum right behind them.

Mr. Clay. How are the front line workers implementing these applications and systems?

Mr. Cobb. NASA has a very large number of systems and related systems NASA reports. But there may be systems and applications of systems that information managers don't even know about. The scientific community, in terms of the front lines, are very mission-oriented, and I don't think that they view their mission is IT security. I think their mission is doing incredible scientific endeavors.
And I would absolutely agree that the biggest challenge that any CIO has is how to get the entire organization inculcated with a concept that IT security is a primary responsibility rather than a secondary responsibility.

Mr. Clay. Thank you. Mr. Morrison, the State Department was one of the agencies whose grade went down from 2001 to 2002. Can you explain that decline?

Mr. Morrison. I wasn't the Chief Information Officer at that time, but I was there. I think that OMB summed it up very well that the Department lost its focus on IT security and allowed itself to concentrate more on other matters. We certainly don't dispute the findings of the OIG or the judgments of GAO or OMB.

Mr. Clay. Mr. Charbo and Ladner, both of your agencies received failing grades in both 2001 and 2002. Can you explain why your agencies have not adequately addressed computer security over this period? Start with you, Mr. Ladner.

Mr. Ladner. Like Mr. Morrison, I am fairly new, about 3 months, so my understanding from what my briefings have been is that the structures and processes and systems simply weren't in place to facilitate an enterprise-wide view of security, which is absolutely critical. And so, for example, at the IRS, where a number of the security issues have been, what the IRS has done is to transition more from a facilities-based approach to an enterprise-wide approach. So this is something that now we are pushing both now on a Treasury-wide basis as well as at the bureau level.

Mr. Clay. Mr. Charbo.

Mr. Charbo. I guess just this one time we won't say much about consistency in the grades. From my perspective, I am not looking back at those. We are very focused on where we want to go. Using the FISMA report, we have identified over 1,400 tasks that we need to do to correct the 243 weaknesses that we have, rather than just, on a quarterly basis or an annual basis, coming back and trying to say OK, where are we now? We are taking ownership of those to reduce those.
We have identified folks in every agency within the Department of who owns responsibility within those systems to correct it. And our vision is to reduce those numbers in half on the next mark if we can, identify the funds that we need in order to do that and move forward with those.

Mr. Clay. And that process is occurring now.

Mr. Charbo. That process is occurring right now.

Mr. Clay. Thank you very much for all of your answers. I appreciate it.

Mr. Putnam. Thank you, Mr. Clay. This panel has made several references to personal drive affecting their departments, the leadership, the priority, the sense of urgency that you have brought as fresh leadership in this area. My concern is that we have not institutionalized this as a priority in the departments, and that a year from now, when we have someone else sitting here, they say I have only been on the job 3 months or 6 months. I wasn't here for the last FISMA or GISRA report. And I know different ones of you have alluded to this, but what are the last institutional changes that you are deploying that will guarantee that regardless of who occupies your position, these information security measures will become a part of the culture all the way down to the front line level? Mr. Frazier, do you want to jump out there?

Mr. Frazier. It is an interesting observation. You remember when you started earlier this morning, you read the quote from The Federal Times, and you were talking about documentation and someone had said that we don't think documentation is that important, we can either document something or we can get the work done. Well, here's where I disagree with that: That statement is absolutely wrong. Because when you document something, you leave a record so that it doesn't matter whether I am sitting as the CIO today and John Doe is sitting there next week. You have a baseline. When something hasn't been documented, we haven't put it down.
Every time a new CIO comes in, they are starting from scratch, so we don't make the kinds of progress that we should be building upon. Every time a new CIO comes in, there is a new plan that says let's really get this under control. And this is difficult work. One of my staff gave me a cartoon that said IT security is like a stubborn mule. You know, making progress with it is something that's very difficult but you shouldn't have to reinvent the wheel every time. So it's the documenting it so that you begin to institutionalize the process, so there's a frame of reference that we know where we were and all of us can talk on the same page, if you will. I think that's one of the important steps that should be taken. So I go back to that and I think that is indicative of the kinds of things that have to happen.

Mr. Putnam. What about the attitudes of people you have to work with who think it is an either/or tradeoff?

Mr. Frazier. We were lucky. I'll tell you that about 2 years ago when I came up to testify, we were highly critical of the Department. The new Deputy Secretary had just been on the job for less than 3 days and he was dragged before the committee to respond to Bob Dacey's report and my report, and I mean, they just ripped him apart. In the process, he left that meeting, called me into his office, and said, ``What do we need to do to get this turned around?'' So we have had the kind of cooperation that has made a tremendous difference, and it's because I think that he saw how serious the Congress was about this issue in that it wasn't something that was going to go away. And in the process he has instilled in his managers--we do some incredible work at Commerce, but people have to understand if you don't have systems and things that are secure, you put all of those programs at risk in the process. That message is out there, and it's out there and making a difference.

Mr. Putnam. We are going to make sure that message gets to the FAA who made the comment.
Anyone else?

Mr. Morrison. I think that the FISMA Act itself, as well as OMB's Presidential management agenda process has gone a long ways toward institutionalizing IT security. It certainly has focused top management attention on this matter. We've made fundamental changes in our budget process and frankly, there's nothing like having to report every quarter, or in my case, I have to report to the Under Secretary for management, both in writing and orally every month. And there's nothing like having to report frequently and regularly to focus your attention on correcting problems. And I think that this framework that's provided by the act and by OMB is not going to go away, if I go away.

Mr. Ladner. The reason that change is enduring is that there are structures, processes and systems in place that are hard to change, and that's why our first step was IT governance. So I think that if we want people on the front lines to believe that their actions, or lack thereof, have an impact, we have to tie resource allocation to performance. And that's what IT governance and security governance ensures. Clearly there's a long way to go on this front, but our goal at the Treasury Department is to articulate a framework which we have, and then pick out instances where we are showing that the lack of performance results in resource reallocation. And that's the kind of change that we believe will be more enduring.

Mr. Charbo. If I could point out a few of the firsts that we have done that will carry on, regardless of who sits in the Chair that I sit in right now. We have released some governance policy around security. It's quite a load to the agencies. However, we are putting people in place and contracts in place to help support them in correcting their security needs. We've also started a configuration management and policy board to manage the configurations across the Department. We are testing our business systems, the ability to recover.
We're doing that at FSA, at NRCS, Rural Development, the National Finance Center. First time now we are consistently testing these on a timed basis, so it's not just once when somebody asks whether or not we're doing it, but it's on a regular cycle now that we're testing those, and that's more and more systems that we're doing it as well.

We have also initiated a department-wide process to identify what the plans are. Where one system is dependent on another, if that system goes down, others may go down. We're interested in those threats. So we have initiated some process to connect those dots, identify the trees that we need to initiate in the event of a crisis.

We have also changed our investment board around so now that security is a key component in all of the investments within USDA. The CIO owns those projects, positioning those projects within that investment board. On April 1, we released our first enterprise architecture vision of where we would like to see the investments move in the Department of Agriculture as well.

And last, we're training folks in project management. We've initiated a number of classes. Those classes are done in various locations throughout the country to provide us the quality folks that we need to deliver on some of these things. I believe those will continue, whether or not I'm in the chair that I currently sit in.

Mr. Putnam. Mr. Cobb, do you have anything to add?

Mr. Cobb. I would agree with that. I think that FISMA is providing our IG office with the tools to get after the agency in terms of making sure that their programs are compliant with what you would expect from a robust IT security system. One concern I have about the structure of GISRA and FISMA is the extent to which the act requires independent evaluations of the system as a whole. Also, whether the system, from an umbrella standpoint, is actually accomplishing the objective of protecting information.
I would like to have my office work toward conducting a review of the policies to see whether or not they are substantively working. And the other big point, which gets back to that front line, is that it is critical to inculcate in all Federal employees the importance of IT security. There may be an avenue for legislating training requirements to make sure that this message is communicated. However, I'll leave that to speculation at this point.

Mr. Putnam. We look forward to hearing your conclusion when you reach it, and we'll let that be the final word for the second panel. You know, it seems that the Federal Government never really learned its lesson on physical security or perimeter security and enforced protection until after Beirut, Oklahoma City, Khobar Towers and the U.S.S. Cole, and we never really learned our lessons on aviation security until after September 11. And it seems terribly frustrating that, it would appear, it will take a digital September 11 or digital Pearl Harbor or some catastrophic cyber attack for people to get the message that this is important, that this is a priority, not just in some egghead CIO's office, but all the way down to the front line as part of their daily responsibilities. And I think that is the part that is incredibly frustrating. We hear an awful lot about connecting the dots and learning from the mistakes of the past. As it relates to cyber threats, there is very little indication that anyone takes the threat seriously. I want to thank our witnesses for their contribution to our efforts in understanding this issue better, and I look forward to your continuing cooperation as we move toward greater coordination and more progress in improving our Federal Government's information security. I also want to thank Mrs. Miller, Ms. Watson and Mr. Clay for their participation and leadership on the subcommittee.
In the event that there may be additional questions that we did not get to today, the record will remain open for 2 weeks for submitted questions and answers. Thank you all very much, and the subcommittee stands adjourned.

[Whereupon, at 12:25 p.m., the subcommittee was adjourned.]

[Additional information submitted for the hearing record follows:]

[GRAPHIC] [TIFF OMITTED] T1648.130 through T1648.133
