[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:91648.wais]




 CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF 
  THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL 
                                AGENCIES

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 24, 2003

                               __________

                           Serial No. 108-100

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

91-648              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Chip Walker, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 24, 2003....................................     1
Statement of:
    Charbo, Scott, Chief Information Officer, Department of 
      Agriculture................................................   115
    Cobb, Robert, Inspector General, NASA........................   101
    Dacey, Robert F., Director, Information Security Issues, 
      General Accounting Office..................................    23
    Forman, Mark A., Administrator for Electronic Government and 
      Information Technology, Office of Management and Budget....    12
    Frazier, Johnnie E., Inspector General, Department of 
      Commerce...................................................    71
    Ladner, Drew, Chief Information Officer, Department of 
      Treasury...................................................   126
    Morrison, Bruce, acting Chief Information Officer, Department 
      of State...................................................   146
Letters, statements, etc., submitted for the record by:
    Charbo, Scott, Chief Information Officer, Department of 
      Agriculture, prepared statement of.........................   118
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................    58
    Cobb, Robert, Inspector General, NASA, prepared statement of.   104
    Dacey, Robert F., Director, Information Security Issues, 
      General Accounting Office, prepared statement of...........    25
    Forman, Mark A., Administrator for Electronic Government and 
      Information Technology, Office of Management and Budget, 
      prepared statement of......................................    15
    Frazier, Johnnie E., Inspector General, Department of 
      Commerce, prepared statement of............................    73
    Ladner, Drew, Chief Information Officer, Department of 
      Treasury, prepared statement of............................   128
    Miller, Hon. Candice S., a Representative in Congress from 
      the State of Michigan, prepared statement of...............    10
    Morrison, Bruce, acting Chief Information Officer, Department 
      of State, prepared statement of............................   148
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     5

 
 CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF 
  THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL 
                                AGENCIES

                              ----------                              


                         TUESDAY, JUNE 24, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam, Miller, Clay and Watson.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker and Lori Martin, professional staff 
members; Ursula Wojciechowski, clerk; Suzanne Lightman, fellow; 
Bill Vigen and Richard McAdams, interns; Jamie Harper and Kim 
Bird, legislative assistants; David McMillen, minority 
professional staff member; and Cecelia Morton, minority office 
manager.
    Mr. Putnam. A quorum being present, this hearing on the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order. 
Good morning, and welcome to the second in a planned series of 
hearings addressing the important subject of cyber security.
    Today we continue our in-depth review of cyber security 
issues affecting our Nation. Specifically this hearing will 
focus sharply on the efforts within the Federal Government to 
secure our own computer networks. Our critical infrastructure 
of the cyber kind must have the same level of protection as our 
physical security if we are to be secure as a Nation from 
random hacker intrusions, malicious viruses or, worse, serious 
cyber terrorism.
    There are several things unique to cyber attacks that make 
the task of preventing them particularly difficult. Cyber 
attacks can occur from anywhere around the globe, from the 
caves of Afghanistan to the warfields of Iraq, from the most 
remote regions of the world, or simply right here in our own 
backyard. The technology used for cyber attacks is readily 
available and changes continually, and maybe most dangerous of 
all, is the failure of many people critical to securing these 
networks and information from attack to take the threats 
seriously, to receive adequate training and to take the steps 
necessary to secure their networks.
    A serious cyber attack would have serious repercussions 
throughout the Nation in a physical sense and in very real 
economic terms. A recent report under Government Information 
Security Reform Act once again demonstrates that we have a long 
way to go in the Federal Government to feel the least bit 
confident that we have secure computer networks. Before going 
into more detail about the report, I want to comment briefly 
about the timing. This latest GISRA report was released this 
May. It was based on information provided to OMB in September 
2002. This is kind of like being an astronomer and looking in 
the telescope at the stars, all the while realizing that what 
you are viewing actually occurred a long, long time ago. We 
need to find a way to get more real-time reporting, and I want 
to work with OMB on improving the timeliness of their 
information.
    The current GISRA report demonstrates that progress in 
computer security at Federal agencies is proceeding slowly, and 
that simply is no longer acceptable. The OMB report to Congress 
identified a number of serious weaknesses. Many agencies are 
facing the same security weaknesses year after year, such as 
the lack of system-level security plans and certifications and 
accreditations. Some IGs and CIOs from within the same agencies 
have vastly different views of the state of the agency security 
programs. Many agencies are not adequately prioritizing their 
IT investments and are seeking funding to develop new systems 
while significant weaknesses exist in their legacy systems. Not 
all agencies are reviewing all programs and systems every year 
as required by GISRA. More agency program officials must engage 
and be held accountable for ensuring that the systems that 
support their programs and operations are secure. The old 
thinking of IT security as the responsibility of a single 
agency official or the agency's IT security office is out of 
date, contrary to law and policy, and that significantly 
endangers the ability of these agencies to safeguard their IT 
investments.
    The Departments of Treasury, State and Agriculture all have 
serious problems with their information security. Both the CIOs 
and the IGs of these agencies have concerns. In addition, GAO 
has indicated a concern with computer security for all three 
agencies in its performance and accountability series.
    In the fiscal year 2002 GISRA report, the Department of 
Agriculture reported that less than 26 percent of its systems 
were in compliance with the eight metrics that the OMB 
reported. The agency had 70 material weaknesses in the area of 
information security reported by the IG. In addition, according 
to the IG, the agency is not conducting risk assessments of its 
systems in compliance with either OMB or GISRA's requirements. 
This year the agency reported an increase in systems operating 
without written authority and an increase in systems that do 
not have up-to-date IT security plans.
    The Department of State did not report information for the 
fiscal year 2001 GISRA report. It reported three material 
weaknesses for information security for fiscal year 2002. In 
June 2001, the Department's IG released a report that 
highlighted a number of areas that State needs to address. They 
included assessing vulnerability of systems, conducting 
security control evaluations at least once every 3 years, and 
testing security controls. State reported in their fiscal year 
2002 report that none of its systems have been certified and 
authorized, and only 15 percent have an up-to-date IT security 
plan. Finally, State reported that only 11 percent of its 
systems have contingency plans, and of those, none had ever 
been tested.
    Although the Department of Treasury reported that, in the 
2002 GISRA report, 41 percent of its systems were assessed for 
risk, its IG reported that Treasury did not use an adequate 
methodology to determine that risk; therefore, its assessments 
were not valid under the law. There are also significant 
discrepancies in many of the metrics reported in the GISRA 
report between the Department and its IG. For example, the 
Department reported 451 of its systems were reviewed; however, 
the IG reports that only 204 systems were reviewed. Treasury 
has also reported 11 material weaknesses related to information 
security.
    I understand that many of those testifying today are 
relatively new to their jobs. We are not here today to point 
fingers, although I have serious questions about accountability 
and responsibility for these egregious failures to perform 
minimum requirements. We are here to identify weaknesses or 
roadblocks, find solutions and make progress.
    In a recent edition of the Federal Times headlined 
``Computer Security Dilemma: Agencies Must Choose--Follow the 
Law or Fix the Problem,'' several government IT managers 
complained that the documentation process set up by Congress 
gives them a choice to document their security problems for 
Congress or to fix them. This attitude is disturbing, to say 
the least. For most IT managers, the documentation process set 
up by Congress is the only reason they discovered many of their 
security weaknesses. Before the documentation process, many IT 
managers couldn't identify their critical systems. Sadly, even 
with the documentation process required by Congress, many 
systems are still unidentified. That said, the committee will 
try and remain open-minded, and if any of the witnesses today 
would like to support this either/or contention as reflected by 
the article, we look forward to hearing it.
    As the subcommittee continues to examine the cyber security 
issue, we see the same recurring theme. Securing these networks 
is not about money or technology, but about management. The 
weaknesses identified are weaknesses that would be 
significantly reduced if approved procedures and protocols or 
best practices were actually followed. For example, GAO still 
conducts audits to this day where they find default passwords 
in place or where systems have not been tested in a production 
environment. Patches remain uninstalled on systems for months 
after known vulnerabilities are identified. These rudimentary 
lapses are not acceptable.
    There are a number of issues still up for consideration 
before the Congress. These include requiring that the common 
criteria be the standard government-wide; automated 
vulnerability scanning; new levels of accountability; and 
confronting the issue of CIO retention head on.
    While some progress is clearly being made at Federal 
agencies, going from an F to a D is not saying a lot. It is my 
hope that the Congress, OMB, the CIOs, the IGs and the GAO can 
work together to move our level of IT security government-wide 
into a range where we have some degree of comfort that our 
systems are secure. We are far from that point today.
    I would like to thank the witnesses for coming today and 
presenting the valuable testimony. As with all of our hearings, 
today's can be viewed live via Webcast by going to 
reform.house.gov and clicking on the link under multimedia.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.001
    
    [GRAPHIC] [TIFF OMITTED] T1648.002
    
    [GRAPHIC] [TIFF OMITTED] T1648.003
    
    [GRAPHIC] [TIFF OMITTED] T1648.004
    
    Mr. Putnam. At this point I would like to yield to the vice 
chairwoman of the subcommittee, the gentlelady from Michigan, 
Mrs. Miller.
    Mrs. Miller. Thank you, Mr. Chairman.
    In a post-September 11 environment, the Federal Government 
has been forced to reevaluate its security procedures. The 
logistics associated with such an attack are huge, and today we 
focus on the security of Federal information systems.
    There has been a long-held belief that there should be one 
oversight facilitator for the entire Federal Government, 
government chief technology officer in a sense. I think this 
idea has some merit in order to ensure that government-wide 
uniformity occurs. However, one thing is clear, as technology 
continues to evolve at quite an astonishing rate, quite 
frankly, the Federal Government must not be left behind 
utilizing technology and systems designed for a different time 
and different type of threat. For these reasons, I am pleased, 
Mr. Chairman, that you have called this hearing so that 
Congress has an opportunity to objectively evaluate security 
measures taken by Federal agencies.
    To be frank, with the active measures that international 
terrorists are taking against our freedoms, I am concerned that 
certain Federal agencies appear to be lax with their efforts to 
improve system safeguards. Oversight reports by the GAO and the 
OMB frequently identify areas of concern and countless examples 
of Federal agencies in noncompliance with various laws and 
regulations related to system securities. Incomplete and 
inaccurate reports that are required of Federal agencies, the 
apparent inability of agencies to reach their own stated 
performance goals, and in many cases the blatant and utter 
disregard of federally mandated requirements are just some of 
the issues that we face in this regard.
    Since September 11, Americans have stated in poll after 
poll that homeland security and the war against terror is the 
most important issue facing our great Nation. I am concerned 
that individuals within the Federal Government, individuals 
that Americans trust to protect them and their families, do not 
seem to understand the nature of the cyber threat. However, in 
spite of current problems, the government is faced with a 
historic opportunity. With the passage of GISRA and the E-
Government Act of 2002, which includes the FISMA, Federal 
agencies now have the tools and the necessary support to 
develop and implement substantial information security reform.
    There has been some success, as the government moves 
forward. The work being done at the Department of Commerce is 
really a great example. And those examples of success should be 
used as a model for other agencies. I certainly look forward to 
working with you, Mr. Chairman, and the other members of this 
committee to assist agencies with their reform objectives. 
Thank you.
    Mr. Putnam. I thank the gentlelady for her interest in 
these issues and her outstanding work on behalf of the 
subcommittee.
    [The prepared statement of Hon. Candice S. Miller follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.005
    
    [GRAPHIC] [TIFF OMITTED] T1648.006
    
    Mr. Putnam. At this time we will move to witness testimony. 
Witnesses will please rise and raise their right hands for the 
oath.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record both witnesses responded in 
the affirmative, and we will move forward with opening 
statements. I will begin with our first witness for his 5-
minute statement, Mark Forman. In June 2001, Mr. Forman was 
appointed by President Bush to oversee implementation of the 
21st century information technology throughout the Federal 
Government. Mr. Forman is the first person in the Federal 
Government to fulfill responsibilities normally associated with 
a corporate chief information officer. Under his leadership, 
the Federal Government has received broad recognition for its 
successful use of technology in the government. He manages over 
$58 billion in IT investments and leads the President's E-
Government Initiative to create a more productive 
citizen-centric government. He is a frequent guest of our 
hearings and always has a very fruitful and candid view of the 
government's progress in all matters related to technology and 
electronic government.
    Mr. Forman, you are recognized for 5 minutes. Welcome to 
the subcommittee.

   STATEMENT OF MARK A. FORMAN, ADMINISTRATOR FOR ELECTRONIC 
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Mr. Forman. Thank you, Mr. Chairman and Congresswoman 
Miller. Thank you for inviting me to discuss the status of the 
Federal information security and the effects of FISMA at the 
departments and agencies. I do look forward to working with you 
to improve the timeliness of our report, and I agree with you 
that it should come up early as well.
    I think we have a number of actions at the staff level. We 
have been working with your staff to accelerate the reporting 
and make sure we are both getting good data on the status. As 
noted in our report to Congress, progress has been made in 
identifying and remediating longstanding IT security problems, 
but there is much work that remains before we can say IT 
systems are adequately secured in the Federal Government.
    FISMA requires that Federal agencies report as a material 
weakness any significant deficiency in a policy, procedure or 
practice, and over half of the large agencies have declared at 
least one material weakness relating to IT security. 
Deficiencies exist in a number of areas, including access 
controls, configuration management, security policy and 
training. From a government-wide perspective, the most common 
weaknesses include a lack of system-level security plans, 
legacy systems that are not appropriately secured, and plans of 
actions and milestones that do not include all of the agency 
systems.
    Nonetheless, in fiscal year 2002, departments and agencies 
have made measurable progress in IT security by conducting 
activities such as risk assessment, security planning, 
certification and accreditation, training and contingency 
planning. Of Federal systems in fiscal year 2002, 65 percent 
have been assessed for risk; 62 percent had an up-to-date 
security plan, 47 percent had been certified and accredited, 
and 55 percent had a contingency plan. We believe that is about 
double the status of IT security in 2001. I know the General 
Accounting Office has some difference and would be glad to 
discuss that.
    As noted in our report to Congress, agencies are testing an 
increasing percentage of their systems for management, 
operational and technical control weaknesses. These weaknesses, 
once identified, are included in agencies' plans of actions and 
milestones for prioritization, tracking and correction.
    The administration is committed to rapid progress, so by 
the end of this calendar year, all agencies will have a 
rigorous process for developing and implementing plans of 
actions and milestones. As you mentioned this is a management 
issue. And second, 80 percent of the systems will be certified 
and accredited.
    One reason we believe that IT security can be rapidly 
improved is that Federal agencies are incorporating security 
considerations into their capital planning process. Our 
analysis shows the percentage of Federal systems with security 
costs integrated into the life cycle of a system now stands at 
62 percent.
    Improving Federal information security requires that we 
focus on enterprise architecture rather than firewalls, 
intrusion detection, vulnerability patches or the latest IT 
security technology. FEA, the Federal Enterprise Architecture, 
reference models will enable better use of standards and 
configuration management that we need to secure the Federal 
information systems. In addition, improvements in agency 
enterprise architectures will enable CIOs to better ensure that 
security and privacy are properly incorporated into their IT 
operations.
    To assist agency EA efforts in accordance with the 
responsibilities under FISMA, the National Institute of 
Standards and Technology recently published draft standards for 
security categorization of Federal information and information 
systems. This proposed standard will be used by all agencies to 
categorize systems according to risk. NIST is also drafting 
companion guidelines recommending the types of information 
systems to be included in each category as well as minimum 
information security requirements.
    OMB and the CIO Council have developed a process to rapidly 
identify and respond to cyber threats and critical 
vulnerabilities. CIOs are advised via conference calls as well 
as e-mails of specific actions needed to protect systems. 
Agencies must then report to OMB on the implementation of 
countermeasures usually in 24 to 72 hours. As a result of these 
early alerts, agencies have been rapidly closing 
vulnerabilities that otherwise might have been exploited, and 
this includes use of patch management services to ensure rapid 
application of patches.
    The Federal Information Security Management Act will be 
instrumental in improving the state of Federal IT security. The 
framework and processes in law and OMB policy highlight the 
importance of management, implementation evaluation and 
remediation for achieving progress.
    In closing, the administration is committed to a Federal 
Government with secure information systems doing the 
significant work of this committee, Federal IGs and the 
agencies. I think we are able to point to real improvements in 
government IT security, but there is much more work to be done. 
Thank you.
    Mr. Putnam. Thank you, Mr. Forman.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.007
    
    [GRAPHIC] [TIFF OMITTED] T1648.008
    
    [GRAPHIC] [TIFF OMITTED] T1648.009
    
    [GRAPHIC] [TIFF OMITTED] T1648.010
    
    [GRAPHIC] [TIFF OMITTED] T1648.011
    
    [GRAPHIC] [TIFF OMITTED] T1648.012
    
    [GRAPHIC] [TIFF OMITTED] T1648.013
    
    [GRAPHIC] [TIFF OMITTED] T1648.014
    
    Mr. Putnam. I would like to introduce our second witness 
and welcome our ranking member on the panel to the subcommittee 
hearing. We will move forward with Mr. Dacey's opening 
statement and then recognize Mr. Clay for his.
    Mr. Dacey is currently Director of Information Security 
issues at the GAO. His responsibilities include evaluating 
information systems security in Federal agencies and 
corporations, including the development of related 
methodologies, assessing the Federal infrastructure for 
managing information security, evaluating the Federal 
Government's efforts to protect our Nation's private and public 
critical infrastructure from cyber threats, and identifying 
best security practices at leading organizations and promoting 
their adoption by Federal agencies.
    We welcome you and your insight to the subcommittee and 
appreciate the work that you and GAO have done for us. You are 
recognized for 5 minutes.

 STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY 
               ISSUES, GENERAL ACCOUNTING OFFICE

    Mr. Dacey. Thank you, Mr. Chairman and members of the 
subcommittee. I am pleased to be here today to discuss efforts 
by Federal agencies and the administration to implement GISRA 
and briefly discuss additional provisions of FISMA, which 
permanently authorized and strengthened GISRA's requirements. I 
will briefly summarize my written statement, which provides 
detail on the status and progress of these efforts.
    This chart illustrates the average fiscal year 2001 and 
2002 performance and related progress for 23 of the largest 
Federal agencies based on 6 selected performance measures 
detailed in OMB's fiscal year 2002 GISRA report. In summary, 
average improvements generally ranged from 3 to 10 percentage 
points for the selected measures. Our analysis excluded data 
for one agency that were not comparable for both years. 
Further, our analysis of individual agency reports showed mixed 
agency performance and progress, and that overall many agencies 
had not implemented security requirements for most of their 
systems. Nonetheless, the second-year implementation of GISRA 
yielded a number of benefits such as increased management 
attention to information security; important actions by the 
administration, such as integrating information security into 
the President's Management Agenda Scorecard; an increase in the 
types of information being reported and made available for 
oversight; and the establishment of a base line for measuring 
agency performance.
    Also, in its fiscal year 2002 GISRA report, OMB highlighted 
actions and progress to address previously identified 
government-wide weaknesses as well as planned actions to 
address newly reported challenges.
    Overall, GISRA reports continue to highlight that, as we 
have reported for the last several years, agencies have 
significant weaknesses in agency security management programs. 
For example, developing an effective corrective action plan is 
a key element of a security management program to ensure 
remedial action is taken to address significant deficiencies. 
However, of the 14 IGs who reported whether their agencies' 
corrective action plan addressed all significant weaknesses, 
five reported that their agency's plans did include them, but 
nine reported that they did not include all material 
weaknesses.
    It is important for agencies to ensure that they have the 
appropriate information security management structures and 
processes in place to strategically manage information security 
as well as to ensure the reliability of performance 
information. For example, processes to routinely provide an 
agency with reliable, useful and timely information for day-to-
day management of information security could help to 
significantly improve performance. Further, continued 
congressional and administration oversight will undoubtedly be 
needed to achieve significant and sustainable results, 
including the implementation of new FISMA requirements.
    FISMA established additional requirements that can assist 
agencies in implementing effective information security 
programs, help ensure that agencies incorporate appropriate 
controls and provide information for administration and 
congressional oversight. These requirements include the 
designation of and the establishment of specific 
responsibilities for an agency senior information security 
officer, implementation of minimum information security 
requirements for agency systems, required agency reporting to 
the Congress and inventories of major systems.
    Successful implementation of FISMA is essential to 
sustaining agency efforts to identify and correct weaknesses. 
As FISMA is implemented, it will be important to continue 
efforts to establish agencywide security management programs; 
to certify, accredit, and regularly test systems to identify 
and correct all vulnerabilities; to complete development of and 
test contingency plans to ensure that critical systems can 
resume operations after an emergency; to validate agency 
reported information through independent evaluations; and to 
achieve other FISMA requirements.
    Mr. Chairman and members of the subcommittee, this 
concludes my statement. I will be pleased to answer any 
questions that you or other members of the subcommittee may 
have at this time.
    Mr. Putnam. Thank you, Mr. Dacey.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.015 through T1648.046
    
    Mr. Putnam. I would also like to recognize and thank Ms. 
Watson for joining the subcommittee and recognize the ranking 
member for his opening statement.
    Mr. Clay, you are recognized for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman, for calling this 
hearing. I have asked my staff to put up a poster that is from 
the last computer security hearing held by the Subcommittee on 
Government Efficiency in the 107th Congress. The majority 
staff, working from the same agency reports that are the basis 
of the OMB report issued last month, created this report card. 
However, the story this report details is quite different from 
the more optimistic tone laid out by the administration.
    Of the 24 agencies examined, 12 showed no improvement in 
computer security, and 11 of those agencies had a grade of F in 
both 2001 and 2002. Those agencies include the General Services 
Administration, which had a grade of D both years; the 
Departments of Agriculture, Defense, Energy, Interior, Justice, 
Transportation, Treasury and Veterans Affairs; the Agency for 
International Development; the Office of Personnel Management; 
and Small Business Administration. Other agencies showed 
dramatic decline in grade. For example, the National Science 
Foundation went from a B plus in 2001 to a D minus in 2002. The 
National Aeronautics and Space Administration went from a C 
minus to a D plus. The Environmental Protection Agency went 
from a D plus to a D minus. The Department of State went from a 
D plus to an F. The Federal Emergency Management Agency went 
from a D to an F. And the Department of Housing and Urban 
Development went from a D to an F. However, if we look at the 
chart on page 11 of the administration's report, the government 
is improving on nearly every indicator.
    One conclusion might be that the agencies have done a lot 
of work between last November and now. Unfortunately, this 
report card and the OMB report are drawn from the exact same 
agency report. Last week I sent my staff over to the Department 
of Transportation, which, according to this report card, is one 
of the failing agencies, and they came back with a report of an 
agency that was making significant improvement in computer 
security. In fact, the Department of Transportation may well be 
a leader in implementing the requirements of the Federal 
Information Security Management Act. I hope today we can learn 
why we have such different summaries on the same agency report.
    And again, thank you, Mr. Chairman, and my thanks to the 
witnesses for taking their time to be here today.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]
    [GRAPHIC] [TIFF OMITTED] T1648.047
    
    Mr. Putnam. I thank the gentleman from Missouri and would 
recognize the gentlelady from California for her opening 
statement, if she would like to make one.
    Ms. Watson. Mr. Chairman, thank you. I don't have an 
opening statement, but I am looking at the details of the 
report card, and the question comes--and this is from GAO. 
Apparently they have described the shortfall. My question to 
anyone on the panel is why don't we see more progress, more 
upward movement in the security, and what accounts for these 
low grades, the grades of F?
    Mr. Putnam. If it is OK, Ms. Watson, we will give them a 
heads up. We will lead off with Mrs. Miller and then come back.
    At this time I recognize the vice chairwoman of the 
subcommittee Mrs. Miller for the first round of questions. You 
are recognized for 5 minutes.
    Mrs. Miller. Thank you, Mr. Chairman, I will be a few 
moments here, but I am new to the Congress and obviously new to 
the subcommittee, but I have to say that looking at that report 
card is rather startling when we think about the piece of 
educational legislation, No Child Left Behind. Fortunately we 
are not being graded on that kind of accountability with where we 
are, but as a former elected official at the local level, State 
level, dealing with audits for the last 25 years, any time I 
would see the term ``material weakness,'' you know, your heart 
would begin to pound. Material weakness is a bad thing, 
obviously.
    And, Mr. Forman, I think you mentioned--I was taking some 
notes--over half of all the government agencies are reporting. 
Was that just in the last go-around, reporting material 
weaknesses in information security? And is that operational 
audits that are being conducted, performance evaluations?
    Mr. Forman. These were part of the financial management 
audits where it is required, and I think, as the chairman 
pointed to, a good example of that would have been the Treasury 
Department. That was one area where as part of the reviews of 
the reports from the IG and the CIOs, at that time Assistant 
Secretary for Management Ed Kingman noticed the significant 
gap, tracked it down, and indeed recognized that would be a 
reportable or should be considered as a reportable material 
weakness, and I think properly handled it at that point.
    Mrs. Miller. You know, when you do certification, I think 
that starts with accountability. It appears as though we have 
some difficulty in the Federal Government of retaining CIOs. 
You have a revolving door going with some of these CIOs. Is 
this something that Congress could assist you in addressing? 
Could you tell us a little bit to why we have that situation? 
You have to have a point person, and you have to have 
accountability if we are losing some of our brain trusts there 
and the institutional knowledge is going out the door with 
them. What can we do there?
    Mr. Forman. Officially we are looking at this as part of 
the skills gap assessment, Clinger-Cohen reports that never 
were really done, the E-Gov Act site, we would like to make sure 
the agencies do that, and as well the agencies should modernize 
those reports. The E-Gov Act did have rather strong human capital 
work force reporting. And we in the budget passed back to the 
agencies and said that those reports must come into OMB this 
September. So I think sometime in the fall would be appropriate 
after we have had time to look at those reports.
    Traditionally the issues that have come up are money-
related, and the administration did ask for the performance 
fund. I think that will help a tremendous amount.
    Now on a less than official side, the personal note, we are 
trying to drive an awful lot of transformation through the 
agencies, and these have become some of the most stressful 
jobs. The area is--and you will hear from some of the folks 
that are driving major changes. The areas that need the most 
change, like computer security, forces an awful lot of 
management reform. I think the chairman was exactly correct. 
This is very much a management issue, and I am not quite sure 
yet how you keep people from burning out, although that is 
something we are going to have to start looking at more and 
more, because we do need this magnitude of change, and we can't 
let that stop as the people change. We have to figure out how 
we deal a little better with the stress, because I would not 
like us to slow down on some of the transformation in this 
important area in particular.
    Mrs. Miller. Just a note on that, the burn-out in those 
kinds of jobs is not particularly inherent to the Federal 
Government. You find it throughout the inventory really now 
because there is so much stress.
    Looking at some of the States that are really on the 
leading edge of utilizing technology, they are all struggling 
with the same thing that the Federal Government is, is 
retaining those kinds of individuals so they don't lose them 
off into the private sector.
    But you talked about money in those kinds of things, and in 
the GISRA report you are saying approximately 500 systems are 
sort of at risk again with the security weaknesses and 
apparently subject to having some of their funding withheld. Is 
that an appropriate thing for us to be doing as a Congress? I 
mean, we want to encourage improvement in this report card 
certainly, and we don't want to be a rat holding the taxpayers' 
money. On the other hand, how does all of that work, with you 
doing your performance evaluations and withholding dollars from 
the agencies?
    Mr. Forman. The framework is investment justification. We 
call it the business case, and the way it works is that there 
are a number of criteria that we know if we don't adequately 
address before the project really starts to ramp up, chances 
are we will be picking up the pieces in the end. The way that 
plays out in cyber security is that it costs us a lot more to 
go back and fix the security problems of the systems that are 
deployed. Had this been correctly addressed early on in the 
program, it would have been done much more effectively and at a 
lower cost. So our policy position has been until that gets 
built in from the beginning, we don't want the system to go 
forward because we know it increases both the risk and the cost 
of the system.
    Mrs. Miller. When you are making those kinds of 
determinations about withholding funding, how do you interact 
with the Congress as far as talking to the appropriators and 
those kinds of things? And is there some sort of exemption they 
could get if they show you measurable performance increase?
    Mr. Forman. There are a set of criteria. It is based on 
NIST standards and OMB guidance, A-130, that we use, and 
generally that is part of the budget process discussed with the 
agencies via Circular A-11, the basic document used to put the 
budget together. That is associated with what is called an 
apportionment process, which is a financial term of art for how 
appropriations dollars are managed, and that is worked through 
with the appropriators.
    I will say the understanding of all that as it relates to 
IT varies from agency to agency because so much of the IT 
budget is not explicitly appropriated. It is funded out of 
working capital. There are salaries and expenses.
    Mrs. Miller. Just a quick question.
    Mr. Putnam. We are going to have to wrap up this first 
round if that is OK, Mrs. Miller.
    And Mr. Clay is glad to defer to Ms. Watson, so you get 
another crack at it, and you are recognized for 5 minutes.
    Ms. Watson. Thank you, Mr. Chair.
    I guess if I read the GAO report, I would have my questions 
answered, but listening very closely, I hear you really have a 
personal management resource factor that gets in the way of 
making more progress. Can you expound a bit?
    Mr. Forman. First of all, let me say about the grade, I 
think there are two aspects of this: Where are you in terms of 
status, and how much progress are you making. And I will tell 
you in terms of progress, there is clear progress. We have laid 
out an 80 percent target, to move from 60 percent to 80 percent 
this year, and very much I am accountable. I am the person to 
hold me accountable. It helps me hold the agency accountable 
for that. So I am the person that has signed up to the Congress 
to make sure we achieve that under FISMA and the E-Gov Act. And 
you will see some of the CIOs, there is a commitment throughout 
the administration making the progress, and the management 
commitment from the leadership level is key to making this a 
success. I am fairly comfortable we are making progress. We are 
tracking that quarterly, and you will be getting data to see 
that as well.
    On the status side, whether it is an F or D minus, I would 
ask that you not grade us on a bell curve, that you hold us to 
standard academic levels of success.
    Ms. Watson. Let me just ask, what is the source of this 
grading chart?
    Mr. Dacey. Let me jump in a minute. The grades were given 
by the committee essentially based upon, for fiscal 2002, the 
GISRA reports that were provided by the various agencies. The 
committee weighted those responses and came up with a composite 
grade, and that yielded the scores. The prior year was based 
upon some--the work on 2001 from the GISRA report. So it is 
pretty much coming from the GISRA reports and the various 
performance measures and information that are reported therein.
    Ms. Watson. What kind of progress have you made since this 
came out in November 2002 up to what you have today?
    Mr. Dacey. One of the challenges is measuring that 
progress, and that is something the chairman mentioned in his 
opening statement, and that is the need to be looking at more 
frequent reporting, and Mark might talk about some of the 
quarterly reporting they are moving to for FISMA in the first 
year. But I think that is a key element. As I said in my oral 
statement, it is going to be important for agencies to really 
build this into a systematic process so they are getting 
information to regularly manage information security along with 
other IT and other areas that they manage. And it is going to 
be important to build those systems, so that GISRA and FISMA 
reporting are an outgrowth of those systems, not the primary 
direction for gathering the data to include in the reports. And 
some of that is going to happen, but I think that an important 
element to make this succeed is to really have that management 
process in place and some of this information regularly coming 
to agencywide management CIOs and so forth, and they have the 
right responsibilities and authorities to move forward and make 
sure that security's improved.
    In terms of the overall issue you mentioned in your initial 
question, I think it's going to be important, as I said, to 
make sure we have security management programs in place. And 
that's the management structure at the top and commitment by 
leadership to these things, because it does come down to a 
management issue to make sure that technology is properly 
implemented.
    Ms. Watson. Have we appropriated the funds to be able to 
put management personnel in the right place?
    Mr. Dacey. There's a process, and Mr. Forman may want to 
speak, but it's part of the process of requesting budgets and 
so forth and so on. They do request what they need. And Mr. 
Forman might want to expand upon that a little more.
    Mr. Forman. Virtually all the agencies have chief 
information security officers. What really is, I think, the 
heart of getting the Federal Government more secure is what we 
are doing with the infrastructure, networks, 
telecommunications, the basic computing platforms that we're 
using. We have tried to, in this year's budget process, 
significantly empower the CIOs. It gets to an esoteric risk 
level the way we are managing IT in the Federal Government, but 
we use a business case. And last year we had hundreds of 
projects. The rule of thumb in security is the more systems you 
have, the harder it is to make sure they're secure. You want to 
integrate and consolidate infrastructure.
    Ms. Watson. Let me cut through this. You are talking 
insider language. Do you have the necessary resources to 
organize in a way that will guarantee greater security at a 
time when the technology has gone above the line, and people 
can hack in and expose information, reveal information that can 
be very harmful and damaging? And particularly when I look at 
NASA and other security systems, I get really worried. Have we 
done all we can for you, or is it that you are having 
challenges in organizing and placing--you know, how do we get 
to the problem and show progress? That's my interest.
    Mr. Forman. I think we're fine with resources. We've added 
a significant amount of resources.
    Ms. Watson. And the challenge is?
    Mr. Forman. It is a lot of work, and it takes time. The 
older the systems, less security was built in, the more you 
find when you do the audit of the system, and then there is 
work to fix that.
    Ms. Watson. So it's the timing of trying to improve these 
sluggish systems and bring them up to top operation capacity.
    Mr. Forman. And we continue to modernize. By the same token 
we continue to modernize. And I believe we've learned our 
lesson as a government that if you do not work in security 
before you start the system, it's going to take you longer and 
cost you more to fix it at the back end. So we're trying to fix 
the things that are out there, the so-called legacy systems. 
But we have made good progress in building in--before we move 
forward, making sure security is built in and hence 
Congresswoman Miller's questions.
    Ms. Watson. Thank you, Mr. Chairman.
    Mr. Putnam. Let me follow up on Ms. Watson's question. 
Federal Times ran an article, essentially highlighting some of 
the excuses that agencies have used for not being in 
compliance. And the FAA said this: ``We have told OMB that we 
can't be in compliance for a while. We don't have the money to 
both secure our systems and document we have done so.'' Do you 
buy that, Mr. Forman?
    Mr. Forman. No.
    Mr. Putnam. Later in the article, an anonymous information 
security specialist from a social service agency stated, 
``someone at our parent department told OMB we would have it 
done in July. We can't get it done right by then, so we will 
throw together some documentation and make it look like we 
did.'' They go on to say that same information security 
specialist at the social service agency points out that even if 
they had the money to do the assessments, they do not have the 
authority to make local offices cooperate. ``They have their 
own funding and don't report to us. When I call them and ask 
for this or that, they just ignore me,'' the specialist said.
    Have you received reports that were so off or so inaccurate 
or so hastily put together that you believe that they 
deliberately put something together to meet an artificial 
deadline but knowingly submitted something that was not 
accurate or complete?
    Mr. Forman. I think the Treasury situation that you alluded 
to in your opening statement is very clear documentation that 
happens. It is so important to have the independent review by 
the IGs come concurrent with the report from the CIOs. There 
are so many pressures. I know funding issues. We cannot allow 
ourselves to make this into a paperwork exercise. And so the 
audit is incredibly important to us.
    On the other hand, what I would say is the market is 
stepping up. There are an awful lot of automated tools out 
there that reduce the cost. And the other thing is NIST is in 
the second iteration of a tool kit that assists agencies in 
classifying. The lower the risk of the system or the fact that 
may be disconnected in the Internet means that there are 
cheaper and faster ways to get the certification and 
accreditation done. And that is laid out in the new set of NIST 
guidelines.
    Mr. Putnam. Everybody seems to agree this is a management 
issue. So what are the consequences for someone with that 
responsibility who would submit such a report?
    Mr. Forman. Well, I can't say in blanket how this works. I 
would ask you to keep in mind the reason that the CIO at the 
State Department did change out, and while I can't speak to all 
the specifics and the details here, there's no question that 
the State Department acted partly in response to the IG report 
that indicated lack of progress in IT security. We downgraded 
the score on the scorecard--progress, that is, and that had a 
substantial impact, ultimately resulting, I believe, is my 
personal belief, in restructuring greater emphasis in some very 
tough management decisions including allocation of funding that 
weren't being taken before.
    Mr. Putnam. Mr. Dacey, how widespread do you believe that 
this attitude is, that it's just another congressional report, 
just another paper that is supposed to be filed, it's fine 
whether it's done or not?
    Mr. Dacey. Mr. Chairman, I am not aware of any instances 
where we know that reports have been intentionally prepared 
with improper data or data that's not accurate. At the same 
time, in looking at FISMA and its implementation, I think it 
will be important in the long term, as Mr. Forman suggested, 
that we have an independent audit process that starts to begin 
to look at those performance measures and do auditing on the 
performance measures, which is not currently required, and 
think about that as part of that process. I think that would 
give more credibility to the numbers. It would also make it 
clear to people in the agencies that someone was going to be 
auditing the numbers and lessen the likelihood of people 
preparing statements that might not be accurate.
    Mr. Putnam. You said there is no indication of anyone 
having deliberately done it. But clearly, you just didn't fall 
off the turnip truck. Somebody has been quoted by a reporter 
saying this. It's probably indicative of something more 
widespread, don't you suspect?
    Mr. Dacey. I suspect without any cross-checks that there is 
great pressure to report such information. That could have 
happened, sure. But again, it gets back to the issue I think 
FISMA is a basic process that will work. We really need to put 
in place a process to make sure those numbers are accurate. 
They are self-reported so that the numbers you see in our chart 
and in OMB's testimony are self-reported numbers inherently not 
audited in any way, shape or form other than some information 
we have on inventories which was specifically asked for in the 
OMB requirements. I think that will always be a challenge 
unless we put in some kind of effort that is going to assure 
both the agency, the administration and Congress that these 
numbers that are being reported are accurate. Until that 
happens, there is a possibility that their reporting could be 
inaccurate.
    Mr. Putnam. I will abide by my own time element and 
recognize the ranking member, Mr. Clay, for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    I'd like each of the witnesses to explain for me the 
difference between the report card prepared by former Chairman 
Horn and the OMB report before us today. Which is correct, and 
has the government improved since 2001 in the OMB reports, or 
is the government still failing and going from bad to worse as 
the subcommittee reported last year?
    Mr. Forman. I think there are substantial improvements. I 
can go through from the data some differences that I would have 
in the grades. But let me just say, there are some agencies 
that are doing really well. And if you scored a 60 percent as 
a--if you were generous and you scored that as a D, at best, 
most of the agencies would get a D. It's not good enough. It's 
just not flat good enough. We need to be up in the 80 or 90 
percent range, or A and B range. And that has to be the 
standard. We can talk about how much progress that we made or 
not, but for me a progress from an F to a D is not enough. It's 
just not simply good enough.
    Mr. Dacey. I would like to point out again that this is the 
same basic information both for the GISRA report from OMB, our 
testimony and all the grades. So the most recent data we have 
Governmentwide is September 2002 data, and that gets back to 
the point where there is a consistency. The grades are the way 
in which the committee assessed and weighted the responses in 
the GISRA report. What we have presented and what has been 
included in OMB's report is some of the statistics and averages 
that are included in there for the same measures. It is a 
matter of looking at the same information in slightly different 
ways. It gets back to how do we know from September 2002 until 
today whether we have made improvements, and the point is we 
don't really have good reporting processes in place to get that 
information on a more timely basis. Right now the next set of 
information we will get is September 2003.
    Mr. Clay. In your testimony last fall, you indicated all 24 
agencies had significant weaknesses in program management in 
both 2001 and 2002, and only 2 agencies improved performance in 
access control. Would you agree that shows little or no 
progress?
    Mr. Dacey. It shows some progress, but we still have 
serious problems. Again, we have had general progress at least 
in reported information across all the categories. The 
challenge is, as Mr. Forman indicated, whether it is F or D, we 
still have a long way to go to get to where we need to be. Yes, 
that is in the report, and that is probably still the case, and 
that is one of the areas that I think is particularly important 
that you have these structures in place for the agencies to 
manage information security.
    FISMA started to provide some of that by creating 
information security officers and coming up with a set of 
requirements for them in the agencies. And I believe most of 
the agencies now have a designated information security--if not 
all--have a designated security information officer.
    We also--there's a need to have this process in place to 
report. Again, we don't have specific information, but I 
believe a lot of the information for GISRA reporting came from 
efforts to accumulate that information for the purpose of GISRA 
reporting and not as part of a routine process that management 
was getting the information to use to manage their security 
program. I think that has to change to be effective.
    Mr. Clay. Well, in the OMB report, they list six areas of 
government-wide security weaknesses and then report that the 
government shows improvement over 2001. Do you agree with that 
assessment?
    Mr. Dacey. I agree with the characterization in OMB's 
report with respect to the actions that have been taken. It's 
consistent with what we have seen in doing our work as well. So 
there has been action taken in each of those areas.
    And five new areas, or five areas that are newly reported, 
I think those are areas that we knew there were some challenges 
in the past; but identification of five new areas and action 
plans is important to try to address those in going forward.
    Mr. Clay. Mr. Forman, according to your report, there are 
only 8,000 reporting systems in the Federal Government. Now, I 
find that difficult to believe. Can you explain to the 
committee what that number represents and what systems are not 
included in that count?
    Mr. Forman. Generally these are combinations of 
applications that work together to perform a function. So, do 
we have more than 8,000 systems? Probably. The number of 
reporting went up in 2002 compared to fiscal year 2001. I 
suspect it will go up again this year.
    But, that said, we know there are many more applications 
than that number. It's just agencies under the definition in 
GISRA are allowed to bundle together applications and call that 
a system. This is the best reporting we've had.
    I think, for security purposes, that makes sense, because 
they are generally used by the same group of people, tied to 
the same network, and work together to support a business 
process. At the end of the day, you want to secure all the 
information around a business process, and you want to make 
sure that's secure, that business process can keep operating 
even if it's attacked. So I'm fairly comfortable with the 
definition that Congress came up with for GISRA. I think it 
exists fairly the same, except for national security systems, 
all training in FISMA. But the focus is appropriate.
    Mr. Clay. Thank you both for your answers.
    Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mr. Clay.
    Mrs. Miller, do you have another round of questions?
    Mrs. Miller. Just one.
    You know, I'm looking at this blue chart over there from 
the GAO about performance measures and those kinds of things. 
Mr. Dacey, can you give me a little more specific about what 
kind of performance evaluations you actually do? I can hardly 
see the bottom. Give me an example of what kind of performance 
measures. I mean, we keep talking about this is a management 
problem, apparently not a financial resource situation; it's a 
management problem. So just what kinds of things do you 
actually look at to measure this performance evaluation?
    Mr. Dacey. Let me talk about that a minute. And hopefully 
you have something that looks like this up on your desk area 
that you can see better.
    In any case, these are six of the areas that were included 
in OMB's report. And what we put together in the chart was to 
try to really reflect the change from year to year, from 2001 
to 2002, and on average for 23 of the largest agencies. Again, 
as I said before, the information that goes into these is a 
whole series of performance measures that were required by OMB 
in reporting on the second year GISRA implementation. And these 
have been important, because they really are establishing a 
baseline and a basis for comparison from year to year. And this 
is the first year we have comparative information government-
wide that we can look at.
    These are six of the many performance measures that were 
required to be reported. These particular ones I think are 
somewhat illustrative because it gets to some of the critical 
challenges that we have. If you look at the first column on 
risk assessment, that's whether the agencies have assessed risk 
in their systems to know what level risk they are accepting and 
operating them.
    The second is a security plan in place----
    Mrs. Miller. Let me just ask you about the risk.
    Mr. Dacey. Sure.
    Mrs. Miller. What kind of risk assessments, for instance? I 
don't want to go through the whole thing, but just in that 
particular column there. What kind of risk assessments do you 
actually do? I mean, risk of terrorists? I mean, some guy with 
a laptop in a cave in Afghanistan being able to get into one of 
the systems in DOD? And are the evaluations for risk 
assessments uniform throughout these last two report cards and 
as we are entering September now?
    Mr. Dacey. Well, I think--I guess my observations on risk 
assessments would be, they're supposed to include the threats 
to the system. And that's the normal process. We actually have 
a best practices report we issued on risk assessment; it's 
something that OMB requires to be done. The format and 
structure of them has a lot--some flexibility built into how 
detailed they are. So I couldn't say that every agency does it 
the same way. But what this number represents is the number of 
systems that those agencies reported that they had assessed 
risk for, and that's what those columns represent, both the 
gold for 2001 and the blue for 2002.
    Mrs. Miller. So risk of the type of information that you 
are gathering? Risk of the type of access that individuals 
would have to it? Risk of security of that information, those 
kind of things?
    Mr. Forman. And then the final aspect of that is risk that 
you wouldn't--the agency wouldn't be able to complete its 
mission if either the information was stolen, disrupted, or the 
system processing was shut off.
    Mr. Dacey. As part of that process, just to point out, one 
of the provisions of FISMA is to actually come up with risk 
levels. I think that can help a lot, because that will 
standardize the process by which agencies assess risks and can 
communicate more effectively between each other and within the 
agency as to when they are hooking systems together and what 
the risk levels are. So I think that would be an important 
improvement. Right now, the risk assessment is a little more 
subjective, not that it won't be somewhat subjective, but at 
least it will have a structure that is proposed by NIST as part 
of the FISMA law.
    Mrs. Miller. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mrs. Miller. Now I'd like to ask 
each of you: does every agency currently have an acceptable 
business continuity plan?
    Mr. Forman. Generally we look at that down to the system 
level. And the answer is, no. That there are big gaps in some 
agencies and really good success in other agencies. That's part 
of the data that is tracked and I think was in our report. I 
would ask you not only to take a look at the agencies that have 
a valid contingency plan, but also what I think we need to do 
one step further that has been tested and validated, very 
similar to the work that we had to do with the year 2000 
contingency plans.
    Mr. Putnam. OK. While we are talking about that, in Mr. 
Dacey's testimony, he said that less than 50 percent of the 
contingency plans at 19 out of 24 agencies have been tested. 
Less than half have been tested. So does that mean that those 
plans might not work?
    Mr. Dacey. Yeah. I think that really signifies that--until 
you test it, you don't know it will work, in fact. And there 
are two issues here. The other number that we have is also the 
fact that there are a significant number of systems for which 
they don't have contingency plans. I think it is reported now 
at about 50 percent, 55 percent, just have the plans to start 
with; and then the second step is testing those plans to be 
sure that they would be effective in case of an emergency.
    I think that is a critical area, because absent some of 
these other controls in other areas, particularly for critical 
systems, it would be very vital to make sure that those systems 
could be recoverable in case some of these other weakness areas 
were exploited and the system availability was lost.
    Mr. Putnam. Nobody ever wants to say that one agency or 
department is more important than another one. But in terms of 
the ramifications of having a contingency plan or a disaster 
management plan, are the agencies that are most at risk and 
most critical to national security or homeland security the 
ones who have tested? Has the Social Security Administration 
tested their contingency plans, and Defense not? Has Homeland 
Security, has FEMA?
    Mr. Forman. It's a mix. And you will find the data in the 
table. You will see, for example, you are absolutely right. 
Social Security has tested their contingency plans. They are in 
pretty good shape. By the same token, FEMA did not test their 
contingency plans.
    Mr. Putnam. So the Emergency Management Agency has no 
emergency management plan?
    Mr. Forman. They have the plans for--as of the end of last 
year they had some of the plans. They don't have enough plans. 
And, moreover, they haven't tested the ones they have. There is 
significant work that needs to be done here.
    Mr. Putnam. Let's talk about patches very briefly in my 
remaining time. Then we are going to move to the second panel. 
Patch management is critical to information security. It goes a 
long way toward protecting our systems from viruses and other 
attacks. The PAD-C, the patch authentication and dissemination 
capability, will provide a system to Federal agencies to manage 
the patching of their systems. How far along are we in that? 
How are the agencies participating? Are they responding to 
OMB's encouragement?
    Mr. Forman. I don't believe I have the exact numbers on how 
many agencies have signed up. They continue to get more 
agencies to sign up. This is, again, part of our concept of buy 
one, choose many. Patches are obviously to use a software code. 
And to the extent that people have common software--and we have 
an awful lot of common software in the government--it's better 
to buy that patch once and then have an automated way to 
distribute it. So that's why we invested in this patch 
management, buy-one, choose-many concept.
    I need to get back to you on exactly how many agencies, and 
I will do that.
    Mr. Putnam. Do you want to add something, Mr. Dacey?
    Mr. Dacey. I don't have the information right in front of 
me, but a fair number of agencies have signed up for PAD-C. I 
forget the number. It might be in our testimony. OK. I don't 
have that with us today. We can certainly get back to you on 
that. But it is an important area because it does provide a 
central source for patches that have been tested and 
authenticated and placed out there. I think one of the key 
issues in patch management is that even with that, agencies 
need to have a process to ensure that these patches are 
installed and installed properly and don't break other parts of 
the system. And so they need to take efforts to put that in 
place. And NIST has some draft guidance out in how to do patch 
management that is very informative.
    Mr. Putnam. Well, the committee has submitted a letter to 
the secretaries of the departments, their IGs and CIOs, 
requesting more frequent updates of information and giving them 
August 1 as a deadline for the update. And we will also be 
picking up where Mr. Horn left off with the score cards this 
fall. I think that our first panel will note that this is 
bipartisan frustration with this, with the inadequate progress 
on the part of the Federal agencies, and we will continue to 
monitor this very closely.
    My parting question would be this: are the differences in 
reports due to different interpretations of what the law 
requires or a genuine disagreement over the level of 
information security that exists at the agencies?
    Mr. Dacey. Just for clarification. Difference in which 
reports are you referring to, Mr. Chairman?
    Mr. Putnam. Different interpretations of the FISMA, GISRA 
requirements, or to a genuine disagreement over the status of 
information security between the IGs.
    Mr. Dacey. Between the IGs and the agencies?
    Mr. Putnam. Yes.
    Mr. Dacey. That's an interesting question. There were a 
number of IGs that did disagree, and I think OMB in fact in 
their report pointed out that was one of the new challenges 
that needs to be really looked at and addressed. And Mr. Forman 
might speak more to that. That's an area at least that's 
highlighting where there are differences that go back to the 
FISMA model and talk about the agency and the IG both working 
together and the agency providing some validation of that 
information.
    So I think it's good that we are pointing out where there 
are differences, and it's also a need then to followup on those 
differences and find out why they exist. I don't know that we 
have any information on why the differences exist. In some 
cases it may be just differences of thought or differences in 
the systems that were looked at. I do know that when we deal 
with some of these issues from our audit perspective at GAO, 
there's not always unanimity in how you interpret the results 
of your reviews. And a lot of our discussion goes around what 
does this really mean, how serious of an issue is it. So there 
also--there can be differences of opinion as well.
    Mr. Putnam. Do you want to add anything, Mr. Forman?
    Mr. Forman. First of all, let me say that we do have some 
data in followup to your past question on the patch management 
contract. There are 37 agencies that subscribe to that today. 
What I need to do in getting back to you is find out how many 
are Cabinet-level agencies versus small agencies. Obviously, 
the small agencies really like to use the shared approaches.
    I think that actually the debate is good on what is a 
covered system and the amount of risk. To have the IG have that 
independent view and say this system is actually more mission 
critical or it is more important to the agency's mission than a 
CIO may say, really reveals to us something about the 
positioning of the CIO. And generally, as in some of the 
examples you cited, I notice that the CIO may not have the 
appropriate status that, sure, maybe in the agency to come 
forward and say a system is badly performing. They may be kept 
out because of the differences between the IT organizations and 
the bureau program offices.
    So, I think, first of all, it's not necessarily bad to have 
the disagreement. And, second, it is very important that the IG 
stay aggressive in this area so that it can reveal to us where 
are the areas to look.
    Mr. Putnam. Thank you very much for your testimony.
    At this time we will dismiss panel one and seat panel two 
and move as quickly as possible. Thank you very much, Mr. 
Forman and Mr. Dacey. The committee will recess for 3 minutes.
    [Recess.]
    Mr. Putnam. We will go ahead and seat the second panel and 
reconvene the subcommittee hearing.
    I would like to welcome our second panel of witnesses. As 
is the custom of the subcommittee, we will swear in this panel. 
I would ask that if you have personnel joining you today who 
will be assisting you in answering, that they will also rise 
and be sworn at this time. Please stand and raise your right 
hands.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
and their supporting cast responded in the affirmative.
    We will move right to panelists' testimony. I begin with 
Johnnie Frazier. Mr. Frazier was appointed to the position of 
Inspector General at the Department of Commerce in 1999. The 
Presidential appointment capped more than three decades of 
distinguished service at the Department in a variety of 
leadership roles. During his tenure as IG, Mr. Frazier has 
significantly strengthened that office's strategic agenda to 
reflect the most pressing priorities for the Department and the 
Nation. For example, he has directed key audits and 
investigations of security weaknesses in Commerce's computer 
networks, information systems, and personnel policies. He has 
initiated assessments of emergency preparedness plans at 
Commerce facilities and prompted examinations of export 
safeguards on sensitive U.S. technology. He has precisely 
defined the IG's direction for the near future around a set of 
core priorities that strategically target emerging audit and 
inspection areas of need.
    We welcome you to the subcommittee, and recognize you for 5 
minutes for your testimony.

STATEMENT OF JOHNNIE E. FRAZIER, INSPECTOR GENERAL, DEPARTMENT 
                          OF COMMERCE

    Mr. Frazier. Mr. Chairman and members of the subcommittee, 
I am pleased to appear before you today to provide the IG's 
perspective on IT security in the Department of Commerce. You 
know, although IT security and data have long been among the 
Department's most critical assets, ensuring their security, 
unfortunately, was not a high priority for the Department 
before GISRA.
    When I first testified on IT security 2 years ago, I had 
few favorable observations to share. The Department was 
striving to improve, but our work at that point revealed 
pervasive security weaknesses that placed sensitive IT security 
systems at serious risk. As a result, we identified IT security 
as one of the top 10 management challenges facing Commerce. And 
while much progress has been made, it still remains high on my 
top 10 list.
    OMB's fiscal year 2002 report to the Congress on Federal IT 
security noted that progress is evident and that the government 
is heading in the right direction. I am pleased to report that 
Commerce, too, has made progress and is heading in the right 
direction; but this department, like many others I'm sure, must 
overcome a history of much neglect. As Commerce's CIO put it, 
the Department has been coming from behind.
    Our IG GISRA evaluations over the past few years have often 
found the same basic weaknesses at Commerce that OMB has found 
throughout the government. First and probably foremost, we have 
seen the problems, the progress, and the potential that 
surround senior management's attention to IT security. Before 
GISRA, IT security was simply not on the radar screen of senior 
Commerce management. Through the Secretary and Deputy 
Secretary's efforts, and quite candidly their bully pulpit, 
senior managers are increasingly coming to understand that they 
are responsible for IT security.
    Our independent observations on security education and 
awareness previously highlighted this as an area of neglect. 
Again, the Department has responded. Today, all employees and 
contractors receive security awareness training. But 
specialized training for personnel with significant IT security 
responsibilities remains inadequate.
    A third major area centers on the importance of management 
religiously integrating funding and IT security into Commerce's 
capital planning and investment control process. While the 
Department has substantially increased its control over IT 
investments, it often still struggles to adequately plan IT 
security controls and costs for every system.
    Our ongoing independent evaluation is also showing that the 
Department has improved its capability to detect, report, and 
share information on vulnerabilities. Before GISRA, only 4 of 
Commerce's 14 operating units had a formal incident response 
capability. Now, all Commerce operating units have such 
capability.
    Another matter of particular note to us is the importance 
of ensuring that contractor services are adequately secure. Our 
review of 40 of the Department's IT service contracts found 
that contract provisions to safeguard sensitive systems and 
information were either insufficient or nonexistent. Why, you 
ask? Little Federal or departmental guidance or policy in this 
area.
    On the Federal level, a proposed Federal acquisition clause 
for IT security is currently under review by the FAR Council. I 
believe this clause will be beneficial government-wide. And I 
am personally pleased that our IG contracting expert, Karen 
DePerini, who first identified the contract problem at 
Commerce, is co-chair of the OMB issue group that recommended 
this clause and is identifying methods to improve security in 
contracts. And last, but by no means least, aggressive 
schedules for IT performance measures are having an impact on 
all parties involved in the IT security effort.
    It should be noted here, however, that although security 
plans have been required for Federal IT systems since the 
Computer Security Act of 1987, when I testified 2 years ago, 
nearly two-thirds of the Department's systems lacked risk 
assessments, almost half did not have a security plan, and more 
than 90 percent were not certified or accredited. The 
Department is vigorously addressing these serious deficiencies.
    The Department's focus can best be seen by looking at its 
performance measures for system certification and 
accreditation. According to the Department, between fiscal 
years 2000 and 2003, the percentage of systems certified and 
accredited increased from a mere 8 percent to 77 percent of its 
roughly 600 systems.
    At the same time, I must caution that performance measures 
do not tell the whole story. Overaggressive schedules can 
actually weaken the process. Our evaluation suggests that 
aggressive timeframes have often resulted in premature 
certification and accreditation, where risk assessments, 
security plans, testing, evaluation, and review have been 
inadequate or sacrificed altogether.
    In closing, I am proud that the independent evaluations 
required of the IGs play a uniquely valuable role in confirming 
the substance and quality of critical processes and control and 
in helping ensure that the job is done right. Unfortunately, 
our resource limitations have not allowed us to do such things 
as validate the specific details of the Department's annual IT 
security report. Likewise, we have not been able to perform 
vulnerability assessments and penetration testing of 
nonfinancial systems that would demonstrate whether 
vulnerabilities exist and intrusions may occur.
    I cannot overemphasize how critical it is that the rigor 
and integrity of IT security processes be maintained; 
otherwise, we will have paper security but lack true security. 
Thank you.
    Mr. Putnam. Thank you very much, Mr. Frazier.
    [The prepared statement of Mr. Frazier follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.048 through T1648.075 (prepared 
statement not reproduced in text)
    
    Mr. Putnam. At this time I would like to recognize Robert 
Cobb. Following nomination by President Bush and confirmation 
by the Senate, Robert Cobb took office as NASA's Inspector 
General in April 2002. Mr. Cobb, in his capacity as a member of 
the President's Council on Integrity and Efficiency, serves as 
the Chair of that organization's Information Technology 
Roundtable, which promotes a coordinated approach to 
information technology issues among inspectors general across 
the executive branch. He also serves as an observer to the 
Columbia Accident Investigation Board, which is examining the 
February 2003 loss of the space shuttle Columbia and her crew.
    Mr. Cobb was previously associate counsel to the President. 
In this role, he handled administration of the White House 
ethics program under the supervision of the counsel to the 
President, and was responsible for the administration of the 
conflict of interest and financial disclosure clearance process 
for candidates for nomination to Senate-confirmed positions. 
Prior to joining the Office of the Counsel to the President, 
Mr. Cobb worked for almost 9 years at the U.S. Office of 
Government Ethics.
    We welcome you. You are recognized for 5 minutes.

       STATEMENT OF ROBERT COBB, INSPECTOR GENERAL, NASA

    Mr. Cobb. Thank you, Chairman Putnam, Ranking Member Clay, 
Vice Chair Miller. Thank you for the opportunity to discuss 
information security at NASA and the impact of GISRA and FISMA 
on the agency's information security program. The Office of 
Inspector General is committed to helping the agency improve IT 
security through our ongoing program of IT audits and 
investigations. I will discuss three areas: the current state 
of NASA IT security, our audit of the information NASA 
submitted to OMB under GISRA in fiscal year 2002, and our plans 
to audit the information submitted by NASA under FISMA in 2003.
    First, I want to highlight some of the unique challenges 
associated with securing NASA's IT resources. The NASA vision 
and mission concern challenges for scientific exploration and 
discovery. NASA pursues these challenges with a broad array of 
programs, including research and development in aeronautics, 
space exploration, and space flight. Needless to say, these 
endeavors require a complex range of IT systems.
    As context and setting for NASA's IT security challenges, 
NASA carries out a civilian mission where the distribution of 
information about scientific exploration, discovery, and 
achievement is practiced by the agency and expected and desired 
by the public. NASA is a highly visible agency, with many 
readily available Web sites, and thus is a natural target for 
those seeking to illegally access government systems. NASA's IT 
security program is reliant on the participation and dedication 
of all employees, contractors, and other partners with access 
to NASA information. NASA, like every other agency, faces a 
challenge in convincing its work force that IT security is a 
primary rather than a secondary responsibility.
    The OIG has examined the state of NASA's IT security, and 
we identified it as a significant management challenge in our 
December 2002 report to the Administrator. IT security 
activities at NASA have historically been carried out on a 
decentralized basis. This has resulted in a lack of full 
interoperability among the systems. NASA is moving toward a 
one-NASA concept, with a greater centralization and 
integration. However, as long as NASA's governance structure is 
such that center CIOs and center security officials report to 
center directors--who are program officials--rather than to 
NASA's CIO and chief security officer, a fully integrated 
approach to IT security will be practically impossible at NASA.
    As part of our work, we conduct audits of information 
security and perform investigations of the criminal misuse of 
NASA IT systems. Our recent activities have addressed a broad 
spectrum of security problems. There are examples from our 
ongoing investigations where inadequate IT security, such as 
weak password controls, resulted in unauthorized access to 
significant amounts of NASA data that was sensitive, but 
unclassified. The agency is aware of these cases and 
acknowledges that serious compromises have occurred.
    In our audit work, we have reported on issues including 
inadequate security training for system administrators, an 
inconsistently applied program for ensuring security of 
sensitive systems, inadequate security plans for NASA's IT 
systems, and an inadequate incident response capability.
    It's important to note that NASA has been responsive to our 
work and that corrective actions are planned or are underway to 
address key IT security challenges. Our 2002 GISRA submission 
reflected the results of 26 final reports and several ongoing 
assignments related to IT security at NASA. Our submission also 
reflected IT security-related work performed by the agency's 
independent accountants as part of their annual review of 
NASA's financial statements.
    Additionally, we verified and validated the status of 
weaknesses identified in NASA's Fiscal Year 2002 Plans of 
Actions and Milestones. The agency generally incorporated our 
suggestions into their final version that they submitted to 
OMB.
    Our fiscal year 2002 GISRA efforts were limited to 
unclassified systems because NASA did not have the national 
security information systems reviewed in accordance with GISRA 
requirements.
    During fiscal year 2003, my office continues to conduct a 
series of IT security-related audits and assessments and will 
incorporate the results of this work into our FISMA submission. 
We will also followup on our 2002 GISRA report. Later this year 
we plan to start an audit of NASA policies to protect 
sensitive, but unclassified information.
    The requirements of GISRA and FISMA are having a positive 
effect on IT security at NASA. The legislation and related OMB 
guidance provided NASA with a framework for more effectively 
managing IT security. Because GISRA, and now FISMA, hold agency 
heads responsible for IT security, NASA senior management is 
more focused on it. The legislation also requires the agency to 
consider the view of the Office of Inspector General and to 
deal with the issues raised in our independent evaluations, 
and, in my view, this has also had a positive impact on the 
agency.
    Last, I would like to note that in the NASA OIG, we have an 
exceptional team of IT auditors, specialists and computer crimes 
professionals. Because of the investment the OIG has made in 
this area, we have been able to provide leadership in the IT 
area to the IG community through my chairing of the IT 
Roundtable of the President's Council on Integrity and 
Efficiency. Through this roundtable, the NASA OIG has sought to 
promote the sharing of best practices in IT audits and 
investigations. This concludes my statement.
    Mr. Putnam. Thank you very much, Mr. Cobb.
    [The prepared statement of Mr. Cobb follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.076 through T1648.086 (prepared 
statement not reproduced in text)
    
    Mr. Putnam. We have a large panel, and I would ask that 
everyone be respectful of our 5-minute time limit.
    I now introduce Scott Charbo. Agriculture Secretary Ann 
Veneman named Scott Charbo as Chief Information Officer at the 
U.S. Department of Agriculture in August 2002. As CIO, Mr. 
Charbo is responsible for the overall management of USDA's 
information resources and IT assets, overseeing more than 4,000 
IT professionals and $1.7 billion in physical assets. He comes 
to the CIO position from the USDA Farm Service Agency where he 
served as director of the Office of Business and Program 
Integration since July 2002. He was responsible for planning, 
developing, and administering the agency's programs and 
policies, and provided direction in the areas of economic and 
policy analysis, appeals and litigation, strategic management, 
and corporate operations, outreach programs, and strategic 
planning and leadership in the agency's citizen-centered 
E-government initiatives.
    Welcome to the subcommittee. You are recognized.

     STATEMENT OF SCOTT CHARBO, CHIEF INFORMATION OFFICER, 
                   DEPARTMENT OF AGRICULTURE

    Mr. Charbo. Thank you, Mr. Chairman. With your permission, 
I will submit my testimony.
    At the Department of Agriculture, I am responsible for 
computer systems that support billions of dollars in annual 
program benefits. Information stored on these systems include 
Federal payroll data and market-sensitive crop, commodity, and 
farm data, information on food stamps and food safety and 
proprietary research data. This information is one of USDA's 
greatest assets.
    Mr. Chairman, we at USDA are doing a better job initiating 
change and managing information in IT security at USDA; 
however, our size, decentralized organization, and the wide 
array of hardware and software in use, combined with the 
magnitude of today's cyber threats, mean that we have a 
tremendous amount of work remaining to reduce the risk to our 
information assets to an acceptable level.
    Historically, each USDA agency and office funded and 
managed its own IT investments independent of other 
organizations in the department. Likewise, security controls 
employed to protect these investments have been selected 
independently. This decentralized management structure has 
created an environment where some USDA agencies have addressed 
the issues of security and risk while others have not.
    Today, assuring a high level of information security in 
every USDA agency is a critical issue of USDA's management. 
Representative of this commitment, we have begun holding our 
senior executives accountable by including a performance 
measure in their annual performance plan directly tied to 
implementing their FISMA plan of action milestones report. With 
funds from Congress, we are continuing to build a central cyber 
security program that is providing our agencies with uniform 
policies, guidance tools, and program management. We are 
setting clear cyber security goals and then assisting agencies 
in meeting them. Through our IT capital planning investment 
control process, we are also doing a better job integrating 
security in all phases of our IT project life cycle, from 
initial planning to system retirement. This story of good 
progress and change with much more work to do is representative 
of our numbers.
    In 2004, USDA plans to spend about 68 million to protect 
our information assets. This represents an increase of 6 
percent over the 64 million in security spending estimates in 
fiscal year 2003. In the past year, six agencies completed risk 
assessments of their cyber security programs from qualified 
security contractors, with an additional four now underway. 
Similarly, nine USDA organizations created independent security 
risk assessments on 26 separate systems. Many others are 
currently in the process of completing assessments. Over the 
past 2 years, we have deployed intrusion detection and 
antivirus software across the Department. Just this month we 
held a training session for agency IT staff on how to deploy 
the Department's latest patch management software solution. By 
deploying patch management software, we will ensure the most 
recent releases of software patches.
    Finally, our USDA FISMA and plan of action and milestones 
report currently shows that we are taking 1,405 distinct 
actions to address 243 program and system-level weaknesses. 
While the numbers we report go up and down as threats to our 
systems change, I am confident we will see progress in our 
POA&M report.
    At USDA, we are fortunate to have a strong senior 
information security officer and staff who drive our 
information and IT security efforts. They are the ones who 
deserve the credit.
    Mr. Chairman, in your invitation to this hearing, you asked 
to discuss the actions that we are taking to remedy the 
deficiencies in both our GISRA and financial reporting. I will 
focus my comments on the highest-priority initiatives.
    Information assurance starts with employee education and 
awareness. We are spending--spreading the word across USDA 
through online courses like the government standard 
GoLearn.gov, classroom training, and numerous technical and 
management forums.
    Recognizing the importance of this issue, the Secretary and 
I are personally addressing these concerns at our subcabinet 
meetings and during regular briefings for our agency heads. We 
are making good progress establishing executable business 
resumption and recovery plans for critical information systems. 
At USDA, we are finalizing a standard certification and 
accreditation methodology and process for our agencies to 
verify and attest that information security functions as 
required.
    As I mentioned earlier, we revised our IT capital planning 
investment control guidance to ensure system owners address 
security at all stages of an IT project's life cycle.
    I would also like to mention one modernization project that 
is critical to strengthening cyber security at USDA. We are 
redesigning our long distance telecommunication network to 
support the growing demand for E-government services. Once 
implemented, our system will greatly improve our ability to 
verify the integrity and confidentiality of data transmitted 
over the network.
    Thank you for the opportunity to be here, Mr. Chairman. 
Thank you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Charbo follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.087 through T1648.094
    
    Mr. Putnam. I now recognize Mr. Ladner. Drew Ladner was 
appointed Chief Information Officer of the U.S. Treasury 
Department in March 2003. He is responsible for managing the 
Treasury's $2.5 billion information technology strategy and 
budget, serving as Treasury's official lead on E-government 
initiatives, and providing policy direction and oversight of 
the Department's security programs. Welcome to the 
subcommittee. You are recognized.

STATEMENT OF DREW LADNER, CHIEF INFORMATION OFFICER, DEPARTMENT 
                          OF TREASURY

    Mr. Ladner. Thank you, Mr. Chairman.
    Mr. Chairman, Ranking Member Clay, thank you for the 
opportunity to appear today to discuss the state of Treasury's 
IT security as well as the actions underway for remediating the 
Department's material weaknesses. The continued leadership of 
the chairman and the members of the subcommittee is essential 
if we are to improve IT security and accountability not only at 
Treasury but across the Federal Government.
    The present state of Treasury's IT security requires 
improvement to achieve our objective: closing all IT-related 
material weaknesses as identified by GISRA's fiscal year 2002 
review process. As of March 31, 2003, the Department had 14 
material weaknesses. These included nine at the Internal 
Revenue Service, three at the Financial Management Service, one 
at the Mint, and one at the Departmental Offices.
    To bolster IT security, Treasury has taken a number of 
actions to date to resolve outstanding issues addressed by the 
Treasury Inspector General and the Treasury Inspector General 
for Tax Administration.
    First, Treasury has implemented an aggressive oversight and 
compliance program for IT security. During fiscal year 2003, 
reviews will have been completed for all of the bureaus' IT 
security programs to establish a baseline for future annual 
reviews. This is the first time that the Department has 
conducted a complete review of the IT security programs.
    Second, to maximize implementation success and 
accountability, Treasury has set specific goals to improve 
security with the use of performance measures, including the 80 
percent to which Mark Forman alluded previously.
    Third, a combined Federal Information Security Management 
Act 2003 data call has just been instituted by the Treasury 
CIO, IG, and TIGTA. This joint data call is expected to remedy 
the inconsistency to which the chairman referred earlier in 
reporting numbers in the last two surveys performed under 
GISRA.
    Fourth, Treasury has taken further action to ensure the 
protection of our critical infrastructure cyber assets.
    Fifth, to augment the FISMA requirement for periodic 
security training, Treasury has scheduled an IT security 
conference for the bureaus' IT security managers and staffs. 
This conference will include high-level training sessions and 
targeted technical sessions focused on Treasury's IT security 
issues, along with promoting new CD-ROM and Internet-accessible 
training opportunities.
    Treasury is committed to identifying the root causes of 
unacceptable IT security and putting in place the structures, 
processes, and systems that will ensure the Department has a 
strong security regime. Let me describe several initiatives 
briefly that are key.
    First of all, as soon as I began as Treasury CIO, I decided 
that my first priority as Treasury CIO would be IT governance. 
Pursuant to the Clinger-Cohen Act, the CIO's mission is to 
ensure that the Department wisely steward the funds of our 
taxpayer citizens on technology systems so that we can deliver 
ultimately valuable E-government services and other services. 
Establishing the right structures, processes, and systems of 
sound IT governance not only provides for sound planning and 
budget allocation, but also necessitates incorporating security 
considerations into our capital planning and investment 
controls. It's a cardinal rule in business operations that the 
quality of a design has a disproportionate impact on the life 
cycle cost of the system. If Treasury's systems are not secure 
when we develop and deploy, the Department leaves itself 
vulnerable until deficiencies are remediated and taxpayer 
dollars are not stewarded to boot.
    An additional benefit is that Treasury increasingly aligns 
its IT operations with Department goals and objectives, 
achieving a more integrated, cohesive, and institutionalized 
security regime across Treasury.
    In short, achieving a strategic, robust, and integrated 
security regime will be limited if our capital planning 
investment control process does not share those same 
characteristics.
    In addition to the new IT governance regime, we are working 
very hard on the enterprise architecture that also achieves the 
goals that Mark Forman described previously. This will provide 
us a baseline for planning our security regime as well.
    Third, proactive interagency collaboration on IT security 
provides additional evidence of the institutionalization of 
Treasury's IT security. The measures thereof are included in my 
submitted statement.
    In the Office of the CIO, our mission is to steward 
Treasury's information resources with integrity and 
professionalism. I remain committed to doing that and working 
on everything we can do to ensure that your goals and this 
committee's on IT security are stewarded as well. Thank you 
very much.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Ladner follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.095 through T1648.112
    
    Mr. Putnam. I would like to recognize Bruce Morrison. Mr. 
Morrison assumed his duties as Acting Chief Information Officer 
in the Bureau of Information Resource Management in December 
2002. Previously Mr. Morrison was Deputy Chief Information 
Officer for Operations in the Bureau of Information Resource 
Management. Mr. Morrison is a career senior Foreign Service 
officer. During his 26-year career, he has held a succession of 
information management positions, including serving as dean of 
the School for Applied Information Technology in the Foreign 
Service Institute. We look forward to your testimony. You are 
recognized for 5 minutes. Welcome to the subcommittee.

STATEMENT OF BRUCE MORRISON, ACTING CHIEF INFORMATION OFFICER, 
                      DEPARTMENT OF STATE

    Mr. Morrison. Thank you, Mr. Chairman, and Ranking Member 
Clay. I am honored to be here and appreciate the opportunity to 
discuss information security at the Department of State. While 
we are not where we would like to be in cyber security, I can 
report on the initial stages of improving our program.
    We at the State Department have the highest level of 
support and attention from Secretary Powell and Under Secretary 
for Management Green. Secretary Powell considers information 
technology to be a strategic component in implementing U.S. 
foreign policy.
    Let me summarize IT security at State. We have long had a 
strong perimeter defense, with technical, physical, and 
personnel controls, including an antivirus program, firewalls, 
intrusion detection, and incident reporting. However, we 
realize that a sound cyber security program is built upon a 
defense-in-depth strategy that includes management controls as 
well as technical and operational measures. What we have lacked 
in the past is a comprehensive management structure and a 
serious systems authorization program.
    It is a new day at State, with the convergence of several 
events bringing a fresh approach and commitment to cyber 
security.
    First, GISRA, and then, FISMA focused top management 
attention on cyber security. Second, we have new cyber security 
leadership at State. I stepped into the position of acting CIO 
6 months ago. Additionally, there is a new Assistant Secretary 
for Diplomatic Security with whom we collaborate closely.
    Finally, OMB very helpfully mandated that we authorize all 
systems by the fourth quarter of 2004.
    Our new organization is giving birth to a new cyber 
security culture and is producing results. We have a new Office 
of Information Assurance headed by a senior officer reporting 
directly to me. This office handles IT security policy, program 
management, performance measures, risk management, and 
reporting. There is increased departmentwide cyber security 
focus, as all offices are now involved to some degree in cyber 
security through the plans of action and milestones process and 
awareness programs. As I mentioned, there is an excellent 
rapport and collaboration between the Chief Information Officer 
and the Bureau of Diplomatic Security on all aspects of cyber 
security. Similarly, a cooperative partnership exists with the 
Chief Financial Officer on Critical Infrastructure Protection 
and the information technology budget.
    We have a senior-level multidisciplinary cyber security 
advisory group. There is a close working relationship with the 
Office of the Inspector General. In biweekly meetings with the 
Inspector General, we discuss a variety of cyber security 
issues, with FISMA requirements and systems authorization 
taking center stage.
    State has recently established an E-government program 
board chaired by Under Secretary for Management Green to manage 
all IT funds. Information assurance experts now review every IT 
system budget request to assure that appropriate security 
considerations are budgeted and executed. Very significantly, 
we have developed a certification and authorization plan. It 
was submitted to OMB in March and fully funded in mid-April. We 
are on track with the plan, with 10 percent of our systems 
done, and a goal of 33 percent by August 2003, and 100 percent 
by August 2004.
    We are taking specific steps to institutionalize cyber 
security management and practices, enhancing policies, 
developing a cyber security program management plan, 
integrating security into planning, and providing training. New 
systems are addressing security from the outset. Our future 
budget request will include security costs. Regular awareness 
sessions for all users, and mandatory training for security 
practitioners will assist in institutionalizing cyber security.
    In summary, we are still at the early stages of creating a 
comprehensive cyber security program, but we have made great 
strides over the past few months. This progress contributed to 
our PMA scores going from red to yellow to green.
    I appreciate the opportunity to talk before the committee.
    Mr. Putnam. Thank you, Mr. Morrison. You timed it 
perfectly, too.
    [The prepared statement of Mr. Morrison follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.113 through T1648.129
    
    Mr. Putnam. I want to read for you what I read to the first 
panel out of an article from the Federal Times, from an 
information security specialist in an anonymous social service 
agency. They state, ``Someone at our parent department told OMB 
we would have it done in July. We can't get it done right by 
then, so we will throw together some documentation and make it 
look like we did.''
    That never happens in any of your departments. Does it?
    Mr. Frazier. Of course it happens. Of course it happens. 
Notwithstanding the anonymity of the person who stated that, we 
know that people try to meet these artificial deadlines, and in 
the process, they--haste makes waste. And it happens.
    Mr. Putnam. Anyone else wish to jump out there?
    Mr. Cobb. I think that it's not that they are necessarily 
preparing a fraudulent set of paperwork or that's necessarily 
occurring. Instead it's a question of thoroughness. 
Specifically, how thorough are the examinations, planning, 
testing, and the different elements of the security plans.
    Mr. Putnam. Mr. Ladner.
    Mr. Ladner. My view is that the process will continue to be 
compromised until there is a plan that not only addresses the 
objectives that are set out by the statutes which we have to 
comply with, but that we go the extra mile. And so what we are 
doing at Treasury is to certainly hit our numbers on C&A, 
certainly hit the other objectives, but ensure that we actually 
have a security governance process and plan in place.
    Second, I think that the process will continue to be 
compromised if we view it in static terms instead of dynamic. 
What I mean by that, is that we need to be able to have real-
time visibility into what's happening at, in our case, the 
bureau level so that we can see on an ongoing basis what the 
numbers are. And I think over time the data quality will 
improve, so that we reduce the probability of individuals being 
able to toss over the wall data and reports that are less than 
accurate.
    Mr. Putnam. I'm told that it's been 3 years since agencies 
were told to complete their inventory of systems, and that has 
not yet been fully completed. Is that correct?
    Mr. Morrison. One of the first things that I did after 
taking over as CIO was to complete an inventory of systems 
using OMB and National Institute of Standards and Technology 
guidelines. So it is true that was only done at the State 
Department this year.
    Mr. Putnam. So we've had 3 years of artificial deadlines. 
That's fairly dynamic, and it took 3 years to get there.
    What about Treasury?
    Mr. Ladner. Whether it's ensuring that we have a good 
security program or ensuring that, for example, Treasury is 
delivering services at low cost--at high service levels--to our 
bureaus from our large network, we need to make sure that we 
understand what infrastructure we have. And so we have directed 
the bureaus to participate in a Treasury-wide total cost of 
ownership review, which will enable us to know what we have and 
therefore be able to drive enterprise architecture and the 
ability to drive the security programs much more effectively. 
So we will have that probably within several months, by fall.
    Mr. Putnam. We look forward to seeing it in the fall. But 
that will still be substantially beyond when it was to be 
completed. Correct?
    Mr. Ladner. That's my understanding based on what I've 
learned in the last 3 months. That's correct.
    Mr. Putnam. OK. What about Ag?
    Mr. Charbo. We are in the process as well of looking at 
what systems we have and where they are. We have 576 IT 
projects. Our focus right now is to consolidate those down to a 
more manageable level. Let's retire those that are legacy, 
let's retire them, move on, identify those under redevelopment, 
bring those into the planning and investment process so that 
security, as Mark discussed earlier, can be placed up front 
where it is more cost effective and easier to manage.
    Mr. Putnam. Mr. Charbo, you came from FSA, so I am going to 
pick on you first. In the article the same unnamed person said, 
in expressing their frustration not having appropriate 
authority, ``they have their own funding and don't report to 
us. When I call them and ask for this or that report, they just 
ignore me.''
    Is that something that you found in your role at FSA, that 
you had difficulty getting the different branches around the 
country to take your requests seriously?
    Mr. Charbo. From a security perspective, that is somewhat 
better managed at FSA within the Department. Most of that 
funding is being placed under the common computing environment 
budget which is a centralized budget for the service center 
agencies. So we have a better handle on how the security is 
being done in those agencies within the service center, FSA 
included.
    Mr. Putnam. So that's not a problem at FSA. Is it a problem 
in other parts of the department?
    Mr. Charbo. I won't deny that at times it is difficult to 
get information out of agencies, yes. And when we experience 
that, my position is to go to the Deputy Secretary, the 
administrators, or directly to the Secretary if we need 
movement. And I've been getting that support when we do that.
    Mr. Putnam. Anyone else wish to add to that or comment on 
that?
    Mr. Morrison. I think the State Department made a big step 
forward this year by organizing an E-government program board 
that now governs the entire IT budget. That was a very 
necessary step to carry out the act.
    Mr. Frazier. Mr. Chair, at Commerce, one of the biggest 
battles that we've fought, but I think one of the battles that 
was absolutely essential, was to make certain that all of the 
individual agency CIOs reported to, at least for part of their 
management responsibility, to the Department's CIO. And so 
those individual bureau CIOs now have more authority to 
override some of the concerns, override even their program head 
if they disagree with him. So that is something that has, I 
think been absolutely critical to improving the process at 
Commerce where you have the individual CIOs reporting to a head 
CIO at the departmental level.
    Mr. Ladner. In my first month at Treasury, we created with 
the Treasury Budget Office, a Technology Investment Review 
Board that reviews all IT investments across Treasury. And so I 
think that, as bureaus understand both from a statutory 
standpoint as well as an end-user standpoint that we have to 
have security considerations integrated into the budget 
process, that increasingly that close collaborative 
relationship is being created.
    Mr. Putnam. Mr. Cobb, you have heard Mr. Frazier's 
testimony expressing some concern about artificial deadlines or 
overly aggressive schedules that would cause people to 
potentially cut corners in their quest to get certified or 
accredited. NASA has worked rather hard to improve its 
performance and has made some progress. How did you ensure that 
the agency's desire to make that progress didn't lead to 
skimping on the work of correcting vulnerabilities?
    Mr. Cobb. Well, our audit strategy has been primarily aimed 
at looking at specific systems, and as I mentioned we've done 
26 audits last year of specific systems. Some were agency-wide. 
And I took note of the biweekly meetings at State.
    We don't have those biweekly meetings and we should have 
them; because, for example, we didn't see NASA's executive 
summary until a week before they submitted the GISRA report. So 
we were not on top of the reports of improvement of the NASA 
programs and NASA's assessments of its systems, by the time we 
filed our GISRA report. The way in which we are going to get 
after that is by assessing exactly how thorough NASA was in 
their systems analyses. In addition, we're going to continue to 
do our aggressive auditing of NASA systems to determine the 
thoroughness of their systems' analyses and we will try to 
verify their results through sampling.
    Mr. Putnam. You have heard the recurring theme that this is 
a management issue or a technology issue, it's not a money 
issue. Mr. Ladner, your IG stated that there is a general 
feeling that some bureaus, ``appeared to view the GISRA annual 
reporting process as a pro forma exercise.'' In your GISRA 
report to OMB, 8 of the 10 current material weaknesses in IT 
security were repeats from 2001.
    Mr. Morrison, your IG stated that the lack of security 
planning and missions is the result of, ``insufficient guidance 
from the Department, and a general belief that IT information 
security is less important than other elements of security.''
    Mr. Charbo, your IG at USDA said, ``The Department did not 
have security plans in place for all its major applications and 
general support systems, had not planned for contingency, had 
not certified security controls in place and authorized 
processing for all of its systems. Nor had the Department 
identified all of its mission-essential infrastructure, 
conducted risk assessments, or prepared mitigation plans on the 
identified risks.''
    What are you all going to do to change the culture at your 
departments?
    Mr. Charbo. We have been doing this in a process where the 
first thing is discovery. We feel that we've identified the 
projects on the IT basis by doing a few things. One is we've 
lowered our waiver process of how departments and agencies 
within USDA can spend their dollars for IT so that we can 
identify where is the money going and what things are being 
done with this. We've also incorporated that into the 
investment process with OMB, the 300 business case analysis 
which now requires two key things for this. One is project 
management skills. Even though we have a project identified, 
that does not mean it's going to get delivered on time, on 
budget, and meeting the requirements that the system was 
intended to do.
    We now have a process in place that we believe will do 
that, and that is requiring a name, an accountable person with 
the skills to deliver that project on time on budget and with 
the requirements. Security is a major component. Given all the 
requirements in that document, if security is lacking, it will 
not go forward. We will not approve that investment moving 
forward. We have also made our senior executives accountable 
under a security grading process that we have within the chief 
information officers. We've started monthly meetings with 
administrators.
    Typically what we do is we have to identify what have you 
spent on security rather than it being a definite budgeted line 
item for security. So we are talking more of a proactive than 
reactive, which, in a lot of the cases, the reports represent. 
It's just trying to find out what has been done rather than 
where we are going. We have identified where do we want to be 
in the next year. Within our office through July, we have 
identified, on a quarterly basis, where we want to be with 
security. We have done that with our e-government areas, our 
network management and several key areas within the IT area of 
the Department of Agriculture.
    Mr. Putnam. Mr. Ladner and Mr. Morrison.
    Mr. Ladner. At Treasury, I mentioned our focus on the 
capital planning process. We believe that is absolutely 
critical if we are going to get change across the Department. 
One of the actions we've taken in the last 3 months is to 
create, for the first time, an office of policy and planning 
that pulls together IT governance, enterprise architecture, 
and our tracking of E-Government services so we can integrate 
security--not in a silo-like fashion--but truly across all of 
our functions and across the Department. Second, we have 
deployed a PKI, a public key infrastructure, and we are looking 
forward to having a framework with specific examples where we 
can move the ball forward in improving our security. And I 
think that where the bureaus see the CIO and the CIO leadership 
actively engaged in spending time on improving our security, I 
think that sends a very strong signal.
    For example, last week the Bureau of Engraving and Printing 
affixed, for the first time in our Department, a digital 
signature to a form. We are actively trying to not only improve 
security but also essential PKI vehicles. I am very involved in 
that and I think that sends a very strong signal to the rest of 
the bureaus.
    I would also add, in addition to what Scott said about 
accountability, that at the IRS where security has been an 
issue with regard to reports, they are working very hard with 
my office to address and to fix our exhibit 300's issue. And I 
think at the end of the day, we can't wave the flag on progress 
unless we have really made progress and that's the test of 
fixing the 300's. In addition, the IRS is holding their 
managers accountable for fixing their security issues on those 
300's and I think that's a real sign. Getting to your question 
on the cultural dimension, we're in fact making progress on the 
cultural dimension--but there's a long way to go.
    Mr. Morrison. Mr. Chairman, Under Secretary Green is 
leading aggressively on the IT security issue. I'm engaged 
directly with the other assistant secretaries. I'm happy to say 
that in the last two quarters, we now have over 90 percent of 
the State Department bureaus engaged in the plans of action and 
milestone process. As my colleagues have mentioned, it's 
vitally important that security become an integral element of 
the budget process, which we achieved this spring. So in 
summary, it's a slow painful process, but we are making 
progress at changing the culture.
    Mr. Putnam. Mr. Clay, you're recognized.
    Mr. Clay. Thank you, Mr. Chairman. Mr. Frazier, the 
Department of Commerce accounts for much of the improvement in 
the OMB table. The subcommittee's report card shows only modest 
improvement at the Department between 2001 and 2002. Can you 
explain the difference, and which do you believe is the more 
accurate reflection of the situation at the Department?
    Mr. Frazier. I guess I could start with a quote from 
something my grandmother used to say to me: ``You know, we are 
not where we should be and where we want to be, but thank God 
we're not where we used to be.'' So I think there is a mind-set 
in the Department that recognizes that we have made tremendous 
progress. But I have to tell you, we still have a long way to 
go. I don't want to speak for what GAO says or even what the 
Department CIO says, I'll just speak for what my systems 
evaluators have found. Every time they have gone into an area 
that has supposedly been certified and has been accredited, 
they have found problems that continue.
    Here I will quote Ronald Reagan: ``trust but verify.'' 
There is usually this mind-set that because somebody tells you 
something, it must be true, and that is not always the case. 
And I don't think there is any intent to deceive as much as it 
is as let's get this done and let's get that done. And as we go 
back and start to verify and see that there are still gaps, we 
have also been tremendously impressed with how responsive the 
Department has been to deal with our issues.
    And so now you begin to see that they are saying before we 
send this forward, maybe we ought to go out and do some testing 
and do some validating. So I think that the explanation is that 
we still have a ways to go. We have made progress. But part of 
it is in the mind-set. I think the Chair has hit it a number of 
times on the head by saying that the management philosophy has 
changed. Take this seriously.
    The Secretary is making sure that people are held 
accountable for this. One area that I remain concerned with is 
that I see that the managers, the CIOs have gotten the message. 
I still have concerns as to whether the folks on the front 
lines have gotten the message. I can't tell you how many times 
we have gone back to tell a CIO of a particular bureau who 
thinks this is one of their model systems. And I say let me 
show what we have found. And of course they become very 
disappointed. So there is still a great deal of work to be done 
but I have to tell you that significant progress has been made. 
Being one of the folks that has been around a little while and 
again when I was here 2 years ago, it was such a dismal report. 
So I can take pride in saying that a lot has happened, but we 
still have a long way to go.
    Mr. Clay. Thank you for that response. Mr. Cobb, NASA 
accounts for most of the rest of the improvement in the table. 
The subcommittee's report card shows a decline in performance 
in that Department between 2001 and 2002. Can you explain that 
difference and which do you believe is the more accurate 
reflection of the situation at NASA?
    Mr. Cobb. Well, I think the variance in the views between 
the IGs and CIOs may be due to differences in interpreting 
the data. I think that's the same reason that you have a 
different story between how the subcommittee views the meaning 
of the data and how OMB views the data.
    My impression from what I have seen in the 1 year that I 
have been the NASA IG is that NASA is doing much better than 
when I came in. The reason is because the senior levels of 
management and the CIO's office, have acknowledged the fact 
that they have serious problems. They have had a number of 
management changes in the CIO's office. They have a lot of 
plans and programs that are underway. The verdict is out on 
whether or not they're going to effectively meet the challenges 
of IT security.
    But certainly, in terms of the cultural change, what they 
have not done is make the center CIOs report to the CIO. NASA 
has 10 or so centers that report to the center directors. The 
CIO doesn't write their evaluation. I think NASA 
is doing much better. They're focusing on the problems and we 
keep beating the drum right behind them.
    Mr. Clay. How are the front line workers implementing these 
applications and systems?
    Mr. Cobb. NASA has a very large number of systems and 
related systems that NASA reports. But there may be systems and 
applications of systems that information managers don't even 
know about. The scientific community, in terms of the front 
lines, are very mission-oriented, and I don't think that they 
view their mission is IT security. I think their mission is 
doing incredible scientific endeavors. And I would absolutely 
agree that the biggest challenge that any CIO has is how to get 
the entire organization inculcated with a concept that IT 
security is a primary responsibility rather than a secondary 
responsibility.
    Mr. Clay. Thank you.
    Mr. Morrison, the State Department was one of the agencies 
whose grade went down from 2001 to 2002. Can you explain that 
decline?
    Mr. Morrison. I wasn't the Chief Information Officer at 
that time, but I was there. I think that OMB summed it up very 
well that the Department lost its focus on IT security and 
allowed itself to concentrate more on other matters. We 
certainly don't dispute the findings of the OIG or the 
judgments of GAO or OMB.
    Mr. Clay. Mr. Charbo and Ladner, both of your agencies 
received failing grades in both 2001 and 2002. Can you explain 
why your agencies have not adequately addressed computer 
security over this period? Start with you, Mr. Ladner.
    Mr. Ladner. Like Mr. Morrison, I am fairly new, about 3 
months, so my understanding from what my briefings have been is 
that the structures and processes and systems simply weren't in 
place to facilitate an enterprise-wide view of security, which 
is absolutely critical. And so, for example, at the IRS, where 
a number of the security issues have been, what the IRS has 
done is to transition more from a facilities based approach to 
an enterprise wide based approach.
    So this is something that now we are pushing both on a 
Treasury-wide basis as well as at the bureau level.
    Mr. Clay. Mr. Charbo.
    Mr. Charbo. I guess just this one time we won't say much 
about consistency in the grades. From my perspective, I am not 
looking back at those. We are very focused on where we want to 
go. Using the FISMA report, we have identified over 1,400 tasks 
that we need to do to correct the 243 weaknesses that we have, 
rather than just, on a quarterly basis or an annual basis, 
coming back and trying to say OK, where are we now? We are 
taking ownership of those to reduce those. We have identified 
folks in every agency within the Department of who owns 
responsibility within those systems to correct it. And our 
vision is to reduce those numbers in half on the next mark if 
we can, identify the funds that we need in order to do that and 
move forward with those.
    Mr. Clay. And that process is occurring now.
    Mr. Charbo. That process is occurring right now.
    Mr. Clay. Thank you very much for all of your answers. I 
appreciate it.
    Mr. Putnam. Thank you, Mr. Clay. This panel has made 
several references to personal drive affecting their 
departments, the leadership, the priority, the sense of urgency 
that you have brought as fresh leadership in this area. My 
concern is that we have not institutionalized this as a 
priority in the departments, and that a year from now, when we 
have someone else sitting here, they say I have only been on 
the job 3 months or 6 months. I wasn't here for the last FISMA 
or GISRA report. And I know different ones of you have alluded 
to this, but what are the last institutional changes that you 
are deploying that will guarantee that regardless of who 
occupies your position, these information security measures 
will become a part of the culture all the way down to the front 
line level?
    Mr. Frazier, do you want to jump out there?
    Mr. Frazier. It is an interesting observation. You remember 
when you started earlier this morning, you read the quote from 
The Federal Times, and you were talking about documentation and 
someone had said that we don't think documentation is that 
important, we can either document something or we can get the 
work done. Well, here's where I disagree with that: That 
statement is absolutely wrong. Because when you document 
something, you leave a record so that it doesn't matter whether 
I am sitting as the CIO today and John Doe is sitting there 
next week. You have a base line. When something hasn't been 
documented, we haven't put it down.
    Every time a new CIO comes in, they are starting from 
scratch, so we don't make the kinds of progress that we should 
be building upon. Every time a new CIO comes in, there is a new 
plan that says let's really get this under control. And this is 
difficult work. One of my staff gave me a cartoon that said IT 
security is like a stubborn mule. You know, making progress 
with it is something that's very difficult but you shouldn't 
have to reinvent the wheel every time. So it's the documenting 
it so that you begin to institutionalize the process, so 
there's a frame of reference that we know where we were and all 
of us can talk on the same page, if you will.
    I think that's one of the important steps that should be 
taken. So I go back to that and I think that is indicative of 
the kinds of things that have to happen.
    Mr. Putnam. What about the attitudes of people you have to 
work with who think it is an either/or tradeoff?
    Mr. Frazier. We were lucky. I'll tell you that about 2 
years ago when I came up to testify, we were highly critical of 
the Department. The new Deputy Secretary had just been on the 
job for less than 3 days and he was dragged before the 
committee to respond to Bob Dacey's report and my report, and I 
mean, they just ripped him apart. In the process, he left that 
meeting, called me into his office, and said, ``What do we need 
to do to get this turned around?'' So we have had the kind of 
cooperation that has made a tremendous difference, and it's 
because I think that he saw how serious the Congress was about 
this issue in that it wasn't something that was going to go 
away.
    And in the process he has instilled in his managers--we do 
some incredible work at Commerce, but people have to understand 
if you don't have systems and things that are secure, you put 
all of those programs at risk in the process. That message is 
out there, and it's out there and making a difference.
    Mr. Putnam. We are going to make sure that message gets to 
the FAA who made the comment. Anyone else?
    Mr. Morrison. I think that the FISMA Act itself, as well as 
OMB's Presidential management agenda process, has gone a long 
way toward institutionalizing IT security. It certainly has 
focused top management attention on this matter. We've made 
fundamental changes in our budget process and frankly, there's 
nothing like having to report every quarter, or in my case, I 
have to report to the Under Secretary for management, both in 
writing and orally every month. And there's nothing like having 
to report frequently and regularly to focus your attention on 
correcting problems. And I think that this framework that's 
provided by the act and by OMB is not going to go away, if I go 
away.
    Mr. Ladner. The reason that change is enduring is that 
there are structures, processes and systems in place that are 
hard to change, and that's why our first step was IT 
governance. So I think that if we want people on the front 
lines to believe that their actions, or lack thereof, have an 
impact, we have to tie resource allocation to performance. And 
that's what IT governance and security governance ensures.
    Clearly there's a long way to go on this front, but our 
goal at the Treasury Department is to articulate a framework 
which we have, and then pick out instances where we are showing 
that the lack of performance results in resource reallocation. 
And that's the kind of change that we believe will be more 
enduring.
    Mr. Charbo. If I could point out a few of the firsts that 
we have done that will carry on, regardless of who sits in the 
Chair that I sit in right now. We have released some governance 
policy around security. It's quite a load to the agencies. 
However, we are putting people in place and contracts in place 
to help support them in correcting their security needs. We've 
also started a configuration management and policy board to 
manage the configurations across the Department. We are testing 
our business systems, the ability to recover. We're doing that 
at FSA, at NRCS, Rural Development, the National Finance 
Center.
    First time now we are consistently testing these on a timed 
basis, so it's not just once when somebody asks whether or not 
we're doing it, but it's on a regular cycle now that we're 
testing those, and that's more and more systems that we're 
doing it as well. We have also initiated a department-wide 
process to identify what the plans are. Where one system is 
dependent on another, if that system goes down, others may go 
down. We're interested in those threats.
    So we have initiated some process to connect those dots, 
identify the trees that we need to initiate in the event of a 
crisis. We have also changed our investment board around so now 
that security is a key component in all of the investments 
within USDA. The CIO owns those projects, positioning those 
projects within that investment board. On April 1, we released 
our first enterprise architecture vision of where we would like 
to see the investments move in the Department of Agriculture as 
well.
    And last, we're training folks in project management. We've 
initiated a number of classes. Those classes are done in 
various locations throughout the country to provide us the 
quality folks that we need to deliver on some of these things. 
I believe those will continue, whether or not I'm in the chair 
that I currently sit in.
    Mr. Putnam. Mr. Cobb, do you have anything to add?
    Mr. Cobb. I would agree with that. I think that FISMA is 
providing our IG office with the tools to get after the agency 
in terms of making sure that their programs are compliant with 
what you would expect from a robust IT security system. One 
concern I have about the structure of GISRA and FISMA is the 
extent to which the act requires independent evaluations of the 
system as a whole. Also, whether the system, from an umbrella 
standpoint, is actually accomplishing the objective of 
protecting information.
    I would like to have my office work toward conducting a 
review of the policies to see whether or not they are 
substantively working. And the other big point that gets back 
to that front line is that it is critical to inculcate all 
Federal employees on the importance of IT security. There may 
be an avenue for legislating training requirements to make sure 
that this message is communicated. However, I'll leave that to 
speculation at this point.
    Mr. Putnam. We look forward to hearing your conclusion when 
you reach it, and we'll let that be the final word for the 
second panel. You know, it seems that the Federal Government 
never really learned its lesson on physical security or 
perimeter security and enforced protection until after Beirut, 
and Oklahoma City and Khobar Towers and the U.S.S. Cole, and we 
never really learned our lessons on aviation security until 
after September 11. And it seems terribly frustrating that what 
it would appear is that it will take a digital September 11 or 
digital Pearl Harbor or some catastrophic cyber attack for 
people to get the message that this is important, that this is 
a priority, not just in some egghead CIO's office, but all the 
way down to the front line as part of their daily 
responsibilities.
    And I think that is the part that is incredibly 
frustrating. We hear an awful lot of connecting the dots and 
learning from the mistakes of the past. As it relates to cyber 
threats, there is very little indication that anyone takes the 
threat seriously. I want to thank our witnesses for their 
contribution to our efforts in understanding this issue better, 
and I look forward to your continuing cooperation as we move 
toward greater coordination and more progress in improving our 
Federal Government's information security. I also want to thank 
Mrs. Miller, Ms. Watson and Mr. Clay for their participation 
and leadership on the subcommittee.
    In the event that there may be additional questions that we 
did not get to today, the record will remain open for 2 weeks 
for submitted questions and answers. Thank you all very much 
and the subcommittee stands adjourned.
    [Whereupon, at 12:25 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T1648.130

[GRAPHIC] [TIFF OMITTED] T1648.131

[GRAPHIC] [TIFF OMITTED] T1648.132

[GRAPHIC] [TIFF OMITTED] T1648.133