[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:82355.wais]

LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 2000

=======================================================================

HEARING

before the

SUBCOMMITTEE ON GOVERNMENT EFFICIENCY, FINANCIAL MANAGEMENT AND INTERGOVERNMENTAL RELATIONS

of the

COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES

ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION

__________

MARCH 6, 2002

__________

Serial No. 107-124

__________

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
82-355                                   WASHINGTON : 2002
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov    Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250            Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

BENJAMIN A. GILMAN, New York              HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland            TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut            MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida              EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York                  PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California                  PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                     CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia                 ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio                ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                         DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                       ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                      DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                       JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia                    JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania         THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                      JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                        WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida                   DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho               STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, Jr., Tennessee            BERNARD SANDERS, Vermont (Independent)

Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director

Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

STEPHEN HORN, California, Chairman

RON LEWIS, Kentucky                       JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                       MAJOR R. OWENS, New York
DOUG OSE, California                      PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida                   CAROLYN B. MALONEY, New York

Ex Officio

DAN BURTON, Indiana                       HENRY A. WAXMAN, California

J. Russell George, Staff Director and Chief Counsel
Claire Buckles, Professional Staff Member
Justin Paulhamus, Clerk
David McMillen, Minority Professional Staff Member

C O N T E N T S
----------
                                                                        Page
Hearing held on March 6, 2002 ............................................ 1
Statement of:
    Dacey, Robert F., Director, Information Security, U.S. General
      Accounting Office; Mark A. Forman, Associate Director, Office of
      Information Technology and e-Government, Office of Management and
      Budget; Arden L. Bement, Jr., director, National Institute of
      Standards and Technology; Roberta L. Gross, former Inspector
      General, National Aeronautics and Space Administration; Robert G.
      Gorrie, Deputy Staff Director, Defense-wide Information Assurance
      Program Office, Office of the Assistant Secretary of Defense for
      Command, Control, Communications and Intelligence; and Karen S.
      Evans, Chief Information Officer, Department of Energy ............ 17
    Davis, Hon. Thomas M., a Representative in Congress from the
      Commonwealth of Virginia ........................................... 6
Letters, statements, etc., submitted for the record by:
    Bement, Arden L., Jr., director, National Institute of Standards and
      Technology:
        Followup questions and responses .............................. 120
        Prepared statement of ........................................... 73
    Dacey, Robert F., Director, Information Security, U.S. General
      Accounting Office, prepared statement of .......................... 20
    Davis, Hon. Thomas M., a Representative in Congress from the
      Commonwealth of Virginia, prepared statement of ................... 10
    Evans, Karen S., Chief Information Officer, Department of Energy,
      prepared statement of ............................................ 109
    Forman, Mark A., Associate Director, Office of Information
      Technology and e-Government, Office of Management and Budget,
      prepared statement of ............................................. 54
    Gorrie, Robert G., Deputy Staff Director, Defense-wide Information
      Assurance Program Office, Office of the Assistant Secretary of
      Defense for Command, Control, Communications and Intelligence,
      prepared statement of ............................................. 98
    Gross, Roberta L., former Inspector General, National Aeronautics
      and Space Administration, prepared statement of ................... 86
    Horn, Hon. Stephen, a Representative in Congress from the State of
      California, prepared statement of .................................. 3
    Schakowsky, Hon. Janice D., a Representative in Congress from the
      State of Illinois, prepared statement of .......................... 69

LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 2000

----------

WEDNESDAY, MARCH 6, 2002

House of Representatives,
Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn, Schakowsky, and Maloney.

Staff Present: J.
Russell George, staff director and chief counsel; Bonnie Heald, deputy staff director; Claire Buckles, professional staff member; Justin Paulhamus, clerk; Michael Sazonoff, intern; David McMillen, minority professional staff member; and Jean Gosa, minority assistant clerk.

Mr. Horn. A quorum being present, the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations will come to order.

The Federal Government relies on computer systems to provide essential services to the Nation and its people. These large, complex systems help regulate the economy, collect taxes, pay benefits, and defend the Nation. The speed and accessibility of the technology have greatly enhanced government operations and have provided citizens with nearly instant access to their government.

Yet, those operations are at risk. Computers at the White House, the Department of Defense, the Department of the Treasury, and the Department of the Interior have all been successfully attacked. The security vulnerabilities at the Department of the Interior are so severe that a U.S. District Court judge in Washington has ordered the Department to disconnect its Trust Asset and Accounting Management System from the Internet. This system handles about $500 million a year in royalty and lease payments to Native Americans.

These are not the only troubled agencies, however. In November 2001, the subcommittee issued its second annual report card grading computer security efforts at 24 major executive branch agencies. Overall, the executive branch earned an abysmal grade of ``F.'' That grade was the same during the Clinton administration and now the Bush administration. We have known for more than a decade that the government's information systems are vulnerable, yet little has changed.

In a report issued last month, the Office of Management and Budget concluded that a significant part of the problem falls to senior managers who have failed to focus sufficient attention on computer security. I agree. The various bureaucracies need to be pushed by the political appointees, so we can have a better record.

Since 1987, Congress has passed legislation to address Federal computer security weaknesses. The most recent law, the Government Information Security Reform Act, was enacted in the year 2000. This law requires Federal agencies to assess the nature and sensitivity of the information stored in their computers and then develop appropriate security plans to protect that information. In addition, it requires that, for the first time, agencies conduct annual computer security evaluations and report the results to the Office of Management and Budget. Agencies filed their first reports in September 2001.

Clearly, the full benefits of the law have not been realized. Agencies have not yet developed security plans that balance protection and risk. However, they are beginning to focus on the problem.

The act is scheduled to sunset next year. Today's hearing will explore how Federal agencies have implemented the act and what additional steps might be taken to ensure that effective safeguards are in place. We must identify the weaknesses in order to correct them. We must use the ``lessons learned'' from the Government Information Security Reform Act to take effective, urgently needed action to ensure that it is reauthorized and improved.

I welcome today's witnesses, and I look forward to working with each of you to ensure the security of the government's information technology resources.

I will enter into the record at this point as an exhibit after my opening remarks the Computer Security Report Card of November 9, 2001.

[The prepared statement of Hon. Stephen Horn follows:]

[The prepared statement is printed in the hearing record as graphic images 82355.001 through 82355.003 and is omitted from this text.]

Mr. Horn. The ranking member is coming, and I see that my colleague, Mr. Davis, has been here now as panel one, and we're delighted to have you here. You have been a major force in the work of e-government and the work of technology generally. So the gentleman from Virginia, Mr. Davis.

STATEMENT OF HON. THOMAS M. DAVIS, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

Mr. Davis. Let me first commend you and your staff for the tremendous work you have done on Federal information security during your tenure as chairman of this subcommittee and your previous chairmanship of the Government Management, Information, and Technology Subcommittee. It's a privilege working with you on this critical topic.

I want to thank you for giving me the opportunity to speak on this issue in the context of today's hearing, examining the lessons learned from the implementation of the Government Information Security Reform Act of 2000 [GISRA].

Unquestionably, the events of September 11th and the ensuing war on terrorism have produced a variety of responses throughout the world. Nowhere has the response been so fervent as here in our Nation's Capital. From the creation of the new Office of Homeland Security to security-related legislation, there is an unprecedented awareness of the vulnerabilities we face. This new awareness has naturally focused more attention on security matters, particularly with respect to information security.

Yet, this issue and the fact that Federal information systems continue to be woefully unprotected from both malevolent acts and benign interruptions have presented a grave concern to me for a number of years. I know that you and the members of this subcommittee share that concern as well.
From our work in the Government Reform Committee, it is clear that the state of Federal information security suffers from a lack of coordinated, uniform management. Resolving this problem becomes even more imperative when you consider the many objectives we hope to achieve through the efficient and cost-effective use of information technology and the advancement of electronic government. These objectives include electronic procurement, telecommuting, a comprehensive information-sharing network, and improved provision of services to citizens and businesses. The common element of these goals is the interconnectivity that they each require to facilitate communications between different public and private entities.

Poor information security management has persisted in both the public and private sectors long before IT became the ubiquitous engine driving governmental, business, and even home activities. After all, information security implicates both the physical and the cyber-environment. A decade ago, technology stood as one of many factors important to the mission and performance objectives of the Federal Government. But no longer is technology ``one of many.'' Instead, the Information Revolution and the ever-evolving technologies that support its collection, assimilation, and communications have become integral to the functioning of our government.

As our reliance on technology and our desire for interconnectivity have grown over the past decade, intensifying with the advent of the Internet, our vulnerability to attacks has grown exponentially. The high degree of interdependence between information systems, both internally and externally, exposes the Federal Government's computer networks to benign and destructive disruptions.

This fact is tremendously important in understanding how we devise a comprehensive and yet flexible strategy for coordinating, implementing, and maintaining Federal information security practices throughout the Federal Government as the threat of electronic terrorism increases.

Yet, Federal information security management continues to falter. Despite consistent evaluations since 1997 showing that Federal information security is a government-wide, high-risk issue, GAO continues to find ``pervasive and continuing weaknesses.'' And, of course, as this subcommittee found last November, 16 of the 24 Federal agencies evaluated in 2001 each received a disappointing grade of ``F,'' with only one agency receiving a grade higher than a ``C+.'' Of course, while these grades are disappointing, they reflect the difficulty of implementing effective security management without sufficient commitment and guidance from an accountable entity within each agency, and for the Federal Government as a whole.

In July 2000, I introduced legislation that would have created, among other things, a new Federal Chief Information Officer in the Executive Office of the President. One of the primary components of that bill expanded upon the then yet-to-be-enacted Government Information Security Reform Act [GISRA], introduced by Senators Fred Thompson and Joe Lieberman. My legislation, entitled, ``the Federal Information Policy Act'' [FIPA], reflected my firm belief that there needs to be an executive branch office that holds both the prestige and the accountability for strategically modernizing our stovepipe IT structure. At the same time, that office must have the authority to prioritize cross-jurisdictional e-government initiatives and networked information and telecommunications networks, in order to achieve efficiencies and secure Federal information systems.

With the establishment of a new office of Associate Director of IT and Electronic Government within the OMB, I have opted to withhold the reintroduction of Federal CIO legislation until I have had an opportunity to evaluate the progress that OMB has been able to achieve in carrying out the administration's Enterprise Information Management and Integration initiative. That said, my concerns regarding the pervasive and persistent weaknesses in Federal information security management, infrastructure, and accountability remain strong. These are concerns I know you also share, Mr. Chairman, and I applaud your subcommittee's steady work in bringing to the forefront the critical need for immediate and focused attention on this issue.

Yet, I would add that, to the extent that increased security concerns rely on the ability of the public and private sectors to share information securely, it is even more critical that the Federal Government put its own house in order with respect to the security of its own Federal information and telecommunications systems. It is for this reason that I have just introduced legislation similar to the information security provisions in FIPA, and I am very pleased that you have agreed to co-sponsor this measure with me, Mr. Chairman.

The overall purpose of these efforts is to strengthen the information security management infrastructure of the Federal Government. The bill, entitled, ``the Federal Information Security Management Act'' [FISMA], undertakes this objective by building on the foundations laid out by GISRA. As you know, GISRA requires every Federal agency to develop and implement security policies that include risk assessment, risk-based policies, security awareness training, and periodic reviews.

With GISRA set to expire on November 29th of this year, the Federal Information Security Management Act permanently reauthorizes this legislation and implements additional measures designed to enable the Federal Government to become a reliable public partner for protecting America's information highways. In general, FISMA streamlines GISRA's provisions and requires that agencies utilize information security best practices that will ensure the integrity, confidentiality, and availability of Federal information systems. Moreover, the bill seeks to strengthen the role played by the National Institute of Standards and Technology in developing and maintaining standards and guidelines for minimum information security controls. Agencies would be required to identify the risk levels associated with their systems and implement the appropriate level of protections accordingly.

This latter objective is especially important in light of the interconnectivity of information systems. We need to implement a framework that ensures that when systems interconnect with each other, there is a uniform management infrastructure and universal benchmark for measuring the risks and vulnerabilities of Federal information systems.

We cannot afford to delay enactment of this legislation. At a time when uncertainty threatens confidence in our Nation's preparedness, the Federal Government must make information security a priority. I am heartened by the President's bold commitment to tying the budget process to individual agency performance, and to using information security as one measurement of that performance. However, information security cannot go the way of any other ``issue du jour.'' It is a constant management requirement that requires eternal vigilance, and the ranking of its importance to Federal operations cannot fluctuate from one administration to the next.
It is my hope that we take this opportunity, in the context of extending GISRA, to signal Congress' deep concerns that information security is not being taken seriously by every agency and department. We must demand that in our networked era, where technology is the driver, every Federal information system must be managed in a way that minimizes both the risk that a breach or disruption will occur and the harm that would result should such a disruption take place.

We will learn a lot today as we determine the impact that GISRA has had on the information security practices throughout the Federal Government. I very much look forward to working with you, Mr. Chairman, the members of this subcommittee, and other concerned Members of the House and Senate as we move forward on strengthening GISRA and improving our government's overall information security management. Thank you.

[The prepared statement of Hon. Thomas M. Davis follows:]

[The prepared statement is printed in the hearing record as graphic images 82355.004 through 82355.009 and is omitted from this text.]

Mr. Horn. I thank you for all the work you have done. Could you translate those two things, like ``FISMA'', was it, or something?

Mr. Davis. Right, it's the Federal Information Security Management Act. Of course, GISRA was the previous act.

Mr. Horn. Now is it true that Mr. Richard Clarke is really fulfilling the office that you and some of our friends in the Senate wanted to do?

Mr. Davis. Part of it. I think that is as close as we can come to it, yes, sir.

Mr. Horn. Yes. Well, my understanding is that he is a pretty tough-minded person.

Mr. Davis. He is a tough-minded guy.

Mr. Horn. So that is what we want.

Mr. Davis. Exactly.

Mr. Horn. OK. So, in a sense, part of that which everybody has wanted is now underway. So we just have to wait to see what OMB and he do to get the thing done.

Mr. Davis. Mr. Chairman, the question always is you have a tough-minded person, but how much authority do they actually have, when push comes to shove? When they get on the phone, who are they calling from, how seriously are they taken at the other end of the line? That is what really remains to be seen.

Mr. Horn. Yes, well, you are certainly right on that. If the President backs him up, the Cabinet Secretaries I am sure will listen, and if it becomes part of a Cabinet agenda, that will help on this.

Mr. Davis. Mr. Chairman, as you know, we went through this with the Y2K issues----

Mr. Horn. Right.

Mr. Davis. [continuing]. Where they went through two or three czars.

Mr. Horn. Right.

Mr. Davis. Most of them having two or three other jobs and not having the clout until the administration finally brought in the appropriate person who had the clout and put it together at the end.

Mr. Horn. And had the ear of the President.

Mr. Davis. Yes, had the ear of the President.

Mr. Horn. Knew him before he was here.

Mr. Davis. Exactly, and, more importantly, when they called, the people on the other end of the phone knew that he was speaking for the President.

Mr. Horn. Yes.

Mr. Davis. And John Koskinen turned that around.

Mr. Horn. Right. Well, thank you very much----

Mr. Davis. Thank you.

Mr. Horn [continuing]. For your presentation. If you would like to stay with us, we are delighted to have you, if you wish.

Mr. Davis. I will stay for a few minutes. Thank you, Mr. Chairman.

Mr. Horn. OK. We will now swear in panel two, and that is Robert F. Dacey, Director, Information Security, U.S. General Accounting Office; Mark A. Forman, Associate Director, Office of Information Technology and E-Government, Office of Management and Budget; the Honorable Arden L. Bement, Jr., Ph.D., Director, National Institute of Standards and Technology; the Honorable Roberta L. Gross, Former Inspector General, National Aeronautics and Space Administration; Robert G. Gorrie, Deputy Staff Director, Defense-wide Information Assurance Program Office, Assistant Secretary of Defense for Command, Control, Communications and Intelligence, and our last presenter on this panel will be Karen S. Evans, Chief Information Officer, Department of Energy.

As you know, since this is an investigating subcommittee, you raise your right hands to accept the oath.

[Witnesses sworn.]

Mr. Horn. The clerk will note that all six witnesses affirmed. Please be seated.

We will start with Mr. Dacey, the Director of Information Security, U.S. General Accounting Office, which is Congress' right arm in terms of getting things done. GAO is presided over by the Comptroller General of the United States. We have a first-rate person in that role right now in General Walker. So we are always glad to hear what the General Accounting Office has to say on these areas.

STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, U.S. GENERAL ACCOUNTING OFFICE; MARK A. FORMAN, ASSOCIATE DIRECTOR, OFFICE OF INFORMATION TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET; ARDEN L. BEMENT, JR., DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY; ROBERTA L. GROSS, FORMER INSPECTOR GENERAL, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION; ROBERT G. GORRIE, DEPUTY STAFF DIRECTOR, DEFENSE-WIDE INFORMATION ASSURANCE PROGRAM OFFICE, OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE FOR COMMAND, CONTROL, COMMUNICATIONS AND INTELLIGENCE; AND KAREN S. EVANS, CHIEF INFORMATION OFFICER, DEPARTMENT OF ENERGY

Mr. Dacey. Mr. Chairman and members of the subcommittee, I am pleased to be here today to discuss the Federal Government's first-year implementation of government information security reform provisions. As you requested, I will briefly summarize our written statement.

Federal agencies rely extensively on computerized systems and electronic data to support their missions and critical operations.
Concerned with reports that continuing pervasive computer security weaknesses place Federal operations at significant risk of disruption, tampering, fraud, and inappropriate disclosures of sensitive information, the Congress enacted the reform provisions to reduce these risks and provide for more effective oversight of Federal information security.

Mr. Chairman, as you know, we have been conducting a review of the implementation of the reform provisions for you and the Ranking Member. Today I will provide a preliminary result of our review.

The initial implementation of reform provisions is a significant step in improving Federal agencies' information security programs and addressing their information security weaknesses. The legislation consolidates information security requirements into an overall management framework covering all agency systems. It adds new statutory evaluation and reporting requirements and OMB and congressional oversight.

Agencies have noted a number of benefits of this first-year implementation, including increased management attention to, and accountability for, information security. In addition, the legislation has resulted in other important actions by the administration, such as plans to integrate information security into the President's management agenda scorecard. Also, agencies have taken steps to redesign and strengthen their information security.

OMB oversight, which included formal guidance, review and analysis of agency-reported material, agency discussion and feedback, and monitoring of corrective actions, has helped agency implementation and reporting efforts. Although agencies generally considered OMB guidance beneficial, the initial implementation of reform provisions highlighted the need for further guidance in several areas.

Last month OMB released its first required annual report to the Congress on the results of agency implementation efforts. As a result, in this report OMB commended agency improvement efforts, but noted that many agencies have significant deficiencies in every important area of security. OMB also identified a number of common agency security weaknesses, including lack of senior management attention, inadequate accountability for job and program performance, and a limited capability to detect vulnerabilities or intrusions.

We agree that OMB's report to the Congress and the agency reports are a valuable baseline and believe that OMB's report provides a useful overview of OMB and agency efforts to comply with the reform provisions. I would like to personally commend the OMB staff for their efforts in this endeavor. Nonetheless, certain additional information, including the adequacy of agency corrective action plans and the results of audits of evaluations for national security systems, is needed by Congress to fully assess and oversee these efforts and deliberate over agency budgets. OMB has not authorized agencies to release some agency material, such as agency corrective action plans, to the Congress or GAO. We plan to continue working with OMB in an effort to find workable solutions to obtain this information.

Agency reports to OMB show that agencies have not established information security programs consistent with the provisions of the legislation and that significant weaknesses exist. Although agency actions are now underway to strengthen information security and implement these requirements, significant improvements will require sustained management attention, as well as OMB and congressional oversight.

The IG's independent evaluations of agency implementation efforts also played a key role in the implementation process. The IG's first-year efforts were largely based on existing or ongoing audit work that had been planned to evaluate agency information security, which in a number of instances consisted primarily of audits of financial systems. While their future efforts should expand to include more systems, the IG's first-year evaluations helped to identify significant weaknesses in all 24 agencies, weaknesses that were not always identified by agencies in their reports.

Given the recent events and reports that critical operations and assets are highly vulnerable to cyber-attack, it is essential that Congress have adequate information to oversee and fund the Federal information security efforts, and that these efforts be guided by a comprehensive strategy for improvement. In addition, there are a number of important steps that the administration and the agencies should take, including delineating the roles and responsibilities of the numerous entities involved in Federal information security and the related aspects of critical infrastructure protection, providing more specific guidance to agencies on the security controls they need to implement, and allocating sufficient agency resources for information security.

Mr. Chairman, this concludes my statement. I would be pleased to answer any questions that you or other members of the subcommittee may have.

[The prepared statement of Mr. Dacey follows:]

[The prepared statement is printed in the hearing record as graphic images 82355.010 through 82355.040 and is omitted from this text.]

Mr. Horn. Thank you very much for that succinct opening.

Mark A. Forman is the Associate Director, Office of Information Technology and e-Government, Office of Management and Budget. Welcome.

Mr. Forman. Thank you, Mr. Chairman, and thank you, Congressman Davis, both for your leadership and your vision as it relates to e-government and computer security. Having your focus and the oversight on this issue is critically important to the success of the initiatives that we are trying to accomplish for governmentwide security. We understand not only the need for this, but we appreciate your having the hearing and the focus on this.

I would like to say good morning and thank you for inviting me here to discuss the lessons learned from the implementation of the Government Information Security Reform Act.
I, too, have submitted the prepared testimony, and I will take a synopsis of that in my oral presentation. As you know, the President has given a high-priority to security of government assets, and this includes government information systems and protection of the Nation's critical information assets from cyber threats and physical attack. We believe that protecting the information and the information systems on which the Federal Government depends requires agencies, first, to identify and resolve the current weaknesses and risks, as well as to then protect against the future vulnerabilities and threats. Last October the President issued Executive Order 13231, the Critical Infrastructure Protection in the Information Age. That established the Critical Infrastructure Protection Board and created the chair as a special advisor to the President for Cyberspace Security. Now the President has made OMB a critical member of this board. Our presence reflects our statutory role regarding security of Federal information systems. In addition, there are several committees under the board, and we chair the Standing Committee on Executive Branch Information Systems Security. The administration has been proactive in implementation of the Government Information Security Reform Act, and I will refer to this from now on as the Security Act. This includes expanding the reporting requirements to include the Chief Information Officer and senior agencies' officials' input with the Inspectors General. We have moved beyond simply reporting security weaknesses and are focusing on agency work to remediate the security weaknesses. The basic push behind our continuing work is a strong focus on management implementation of security. 
We have recently taken the following two steps to help ensure a strong focus on maintaining senior management attention to security: First, in January, OMB Director Mitch Daniels sent letters to the heads of agencies and departments communicating our concerns regarding their fiscal year 2001 security performance. In general, agency heads responded back in writing with a commitment to resolve their past flaws. OMB will soon meet with all of the 24 large agencies and departments to discuss the work in implementing their corrective action plans. Second, the President has charged Director Daniels with overseeing implementation of the management agenda through the use of an executive branch management scorecard. This scorecard tracks agency improvement in five governmentwide areas and assigns a red, yellow, or green score. One of these areas is expanding electronic government, and we are incorporating IT as a core criterion within that. This means that if an agency does not meet IT security criteria, it will not achieve a green score, regardless of the agency's performance under the other e-government criteria. I would now like to talk a little bit about our report to Congress, the findings, some of the next steps. As you know, one of OMB's responsibilities under the Security Act is to submit each year a report to Congress that summarizes the results of security evaluations conducted by agencies and reported to OMB. On February 13th of this year, Director Daniels transmitted this report to the Congress. At this time I would like to recognize the tremendous amount of work of agency program officials, CIOs, IGs, my staff, and all of their staffs in conducting the reviews and evaluations upon which the report is based. This was a large effort for all involved, and the report illustrates this work, as well as the ongoing efforts of agencies to remediate their weaknesses. 
Additionally, the National Institute of Standards and Technology continues to play its critical role in promoting IT security requirements among agencies. OMB policy requires that each agency's program implement policy standards and procedures consistent with NIST guidance. NIST has developed a security questionnaire, and most agencies use this document as the basis for conducting their annual reviews under the Security Act. The OMB report represents a first year of implementation. It is a valuable baseline that has recorded the security agency performance. Even though the Security Act only required us to summarize the results, we expanded the report. We included the results of CIO and program official reviews in the recent activities we have undertaken in preparing the fiscal year 2003 budget decisions, OMB findings, and next steps, as well as additional efforts that we have undertaken and the agencies have taken to improve Federal information technology security. From our assessment of agency performance, we have both validated the earlier positions on what the problems were and identified at a high level important lessons learned. I would like to briefly sum those up. First, security is primarily a management problem, not a technical or funding problem. Are you willing to support us if we push to get someone fired because they will not implement a security plan? Second, increased spending does not necessarily translate into increased security performance. Third, high-quality IG audits are necessary. The IGs provide an important, independent validation function. Fourth, agency employees with specific security responsibilities must have the authority to fulfill their responsibilities and at the same time have to be held accountable for their performance. There are a number of additional actions I have described.
A key part of the written testimony I would ask you to look at are the actions under the OMB Security Committee of the Critical Infrastructure Protection Board. Therein we have laid out a process to focus more rapidly on actions needing to be addressed, because this is an ever-changing issue both in terms of vulnerability and threats. I would also ask you to take a look at the decisions that we have made in the budget, and would ask your support in the appropriations decisions that ultimately will have to make these into reality. Finally, I would like to focus on the governmentwide initiatives that we have underway leveraging the project matrix work and the enterprise architecture work. The development of the governmentwide enterprise architecture assessment is critical and a central part of not only our e-government efforts, but our cyber-security efforts. Basically, to more clearly identify and prioritize the security needs for government assets, OMB is going to direct all large agencies to undertake a project matrix review, and that was a key element of the 2003 budget. Again, I would like to thank you for the opportunity to testify. We have a summary in the testimony of the six government problems that we identified in the report, and I would be willing to answer any questions in that regard at the appropriate time. [The prepared statement of Mr. Forman follows:] [Prepared statement submitted as graphics; TIFF images omitted from the electronic record.] Mr. Horn. Well, thank you very much.
I want to emphasize what you just did now, the President's Executive order, which was Critical Infrastructure Protection in the Information Age, and he established a board, as you suggested. The chair, who serves as a special advisor to the President for Cyberspace Security, and that, of course, is Richard Clarke, who serves as the Board and he is the Special Advisor to the President for Cyberspace Security. He reports both to Governor Ridge on issues that affect homeland security and to the National Security Advisor, Condoleezza Rice, on the issues that affect national security. The President has made OMB a member of the Critical Infrastructure Protection Board. Are you on that board as part of it? Mr. Forman. Yes, I am. Mr. Horn. I think it shows the President has taken some real action with people that did have his ear. I am going to have to recess now. When I come back, the ranking member, Ms. Schakowsky, will have her statement in, and we will then go down the line. We have a Journal vote before us. Ms. Schakowsky. Is there an opportunity for me to do that now? Mr. Horn. Sure, sure. She will put it in now, and once she finishes, we are in recess. Ms. Schakowsky. Thank you, Mr. Chairman. I appreciate that. I want to thank the chairman for holding this hearing and for his leadership on computer security issues in the House. I look forward to working with him to improve government information security reform language that was passed in the Congress. It was passed in the last Congress as a part of the Defense Authorization Act, and as such, really didn't get, in my view, adequate review in the House. No hearings were held, and we had very little opportunity to affect the content. Consequently, under Representative Waxman's leadership, we sought and received a 2-year sunset on this legislation. Our experience over the past year has substantiated the wisdom of that approach. There are a number of problems in this legislation that have already come to our attention.
I am hopeful that today's hearing will help us put together a more complete picture of the actions to make this legislation more effective. One problem has already come to our attention. One of the problems is the reports prepared by the agencies. We asked the GAO to use agency information security reports to develop the scorecards for our hearing last fall. It came as a surprise when the administration refused to allow access to those reports, claiming that they were predecisional and part of the budget process. After much negotiation, we were finally given access to executive summaries, hardly a satisfactory outcome. A more serious shortcoming of this legislation is the absence of any system to assure that all agency systems are checked and protected. Today few, if any, agencies have a complete inventory of their computer systems, even though just such an inventory was required for Y2K compliance just 2 years ago. Without a complete inventory, it is impossible to know if all systems have had the risks assessed and the protections tested. We must make sure that every agency maintains a current inventory of systems and has in place a systematic process to assess risk for those systems and to test the protections in place. I am sorry that I was late. I do look forward to hearing today's witnesses, if not reading the testimony, and hope that each of you will understand that we share the common goal of assuring the public that our systems have adequate protection. So I thank you all for coming today. We will be back. [The prepared statement of Hon. Janice D. Schakowsky follows:] [Prepared statement submitted as graphics; TIFF images omitted from the electronic record.] [Recess.] Mr. Horn. Recess has ended, and we will begin next with Mr. Bement, who is the Director of the National Institute of Standards and Technology [NIST]--not in the mist, but NIST. [Laughter.] Dr. Bement. Right. Thank you, Mr. Chairman. Mr. Horn.
As a little kid, I remembered well the standards and your beautiful campus out there. Dr. Bement. You are more than welcome anytime, Mr. Chairman. Thank you very much for giving me the opportunity to speak to you about NIST's role in cyber-security. NIST's Computer Security Program supports the vision of strong cyber-security and its critical role both in homeland security and e-government. Our agency has specific statutory responsibilities under both GISRA and the Computer Security Act of 1987 for developing standards and guidance that help Federal agencies to protect sensitive, unclassified information. Specifically, NIST has published guidance for firewalls, intrusion detection, cryptography, public Web servers, and risk management. We also conduct computer security research in close cooperation with industry and academia. We work to find ways to apply new technologies in a secure manner. The solutions that we develop are made available to both public and private users. This research helps us to find more cost-effective ways to implement and address security requirements. I would now like to highlight a few of our more important recent contributions to improve cyber-security in Federal agencies. In December the Secretary of Commerce approved the Advanced Encryption Standard [AES], as a Federal security standard. Within days, commercial firms were announcing products that incorporated the AES. It is clear that AES soon will be used extensively internationally and be available in a wide array of commercial products to protect sensitive Federal information. We expect AES will be used daily to secure trillions of dollars in electronic transactions and to protect sensitive personal, business, and government information. The Chief Information Officers' Council and NIST developed a security assessment framework to assist agencies with a very high-level review of their security status.
The framework established the groundwork for standardizing on five levels of security and defined the criteria agencies could use to determine if the levels were adequately implemented. By using the framework levels, an agency can prioritize agency efforts as well as to evaluate progress. Building from the framework, NIST issued a more detailed security questionnaire that most agencies use to conduct their programmed system reviews. This document provided guidance on applying the framework. In addition, the guide provides control objectives and techniques that can be measured for each area. Many agencies use this to prepare their GISRA responses to OMB. NIST also recently formed a team that specializes in helping Federal agencies navigate through the dangers of cyberspace. The Computer Security Expert Assist Team [CSEAT] helps agencies understand how to protect their computer systems, how to identify and fix existing vulnerabilities, and how to anticipate and prepare for future security threats. The CSEAT reviews are also valuable to NIST. They give us a firsthand look at how NIST guidance is implemented, helping us to improve our products and processes. Our new information-sharing Web site for Federal agency security practices covers a host of topics ranging from contingency planning to network security. Computer security professionals from various Federal agencies have contributed much of the material on the site. The site also contains the best practices for critical infrastructure protection and computer security identified by the Federal Chief Information Officers' Council. The site is one of the latest additions to NIST's Computer Security Resource Center and is one of the busiest and most popular spots on the entire NIST Web site. Another aspect of our work involves security testing, which complements security standards by giving users confidence that the security standards and specifications are implemented correctly in the products they buy.
NIST and our Canadian counterpart have set up a joint program to help ensure correct and secure implementation of unclassified cryptographic algorithms and products. Statistics show that 48 percent of the modules tested voluntarily under this program have security flaws that were corrected during testing. So, without our program, the Federal Government would have only a 50/50 chance of buying products that correctly implemented cryptography. I would like to point out that in carrying out our responsibilities under GISRA and the Computer Security Act, we consult frequently with other agencies. In particular, we work very closely with the Office of Management and Budget. We consult with OMB representatives on the Federal Chief Information Officers' Council, the Federal Computer Security Program Managers' Forum, and the Committee on National Security Systems. We soon will serve on the newly formed Committee on Executive Branch Information Systems Security. I would like to take this opportunity to commend my OMB colleagues for their steadfast support in promoting our security standards and guidelines with Federal agencies. Let me close by emphasizing that our national commitment to improved cyber-security must be increased in Federal agencies and elsewhere. NIST has a proven track record of success and stands ready to play key roles in this and other facets of homeland security. Thank you very much, Mr. Chairman. I will be pleased to answer any of your questions. [The prepared statement of Dr. Bement follows:] [Prepared statement submitted as graphics; TIFF images omitted from the electronic record.] Mr. Horn. Thank you, and we are delighted to have your paper in particular. We now turn to the Honorable Roberta L.
Gross, former Inspector General, National Aeronautics and Space Administration. I lost track of you. You have been a witness here before. When did you leave the Inspector General's position? Ms. Gross. Saturday. Mr. Horn. Saturday? OK. Ms. Gross. But your staffer had asked me prior to the time, and I had told her that I would be leaving, but we talked about I would still come. So here I am. Mr. Horn. Great. Well, welcome. So if we could summarize your testimony? Ms. Gross. Absolutely. I thank you for inviting me to testify today on GISRA, and my testimony is obviously based on my recent experience as NASA's Inspector General. I served in that post from August 1995 through March 2, 2002. I am also basing it on my experience as being the former Chair of the IGs' IT Roundtable, where we discuss cross-cutting issues across the government. Last year I, along with a representative of the GAO, testified before the Senate Committee on Governmental Affairs on a precursor of GISRA, Senate bill 1993. The then-chair of the committee, the Honorable Senator Thompson, began his opening statement by recounting how time after time the GAO kept writing reports, Inspectors General kept writing reports, about serious lapses in IT security, deficiencies in IT capital, in human resources planning. He observed that over the years law after law was passed, regulation after regulation, and the issues seemed to reoccur and nothing seemed to get better, and it was no wonder, with so many laws and regulations, that this Senator rhetorically asked, ``Why are we enacting GISRA?'' The answer is that GISRA was needed, GISRA has had success, and it can be improved. My remarks are going to be divided into three sections: bad news--I couldn't be an Inspector General, or former Inspector General, without that, right? Good news, next steps, and lessons learned. During our GISRA reviews and audits at NASA, we found problems in each of the six areas highlighted by OMB. 
I am only going to address three of them, using NASA as an illustration, and I incorporate by reference my written testimony. The three that I would like to use as illustration are, one, lack of senior management attention; two, limited programs for security awareness and education, and, three, failure to exercise oversight of contractor security services. While some of the agency's IT practices are more mature than those at many agencies, and I notice that NASA got a ``C-,'' and they are above one of the yellow lines, NASA management has historically been unwilling to recognize and/or fully acknowledge the significance of the IT weaknesses and deal with them in a timely manner. There are various interrelated reasons for that. They were engaged, since I have been there, in downsizing, funding problems, but also, seriously, an unwillingness of middle management or IT security officials to tell senior management the extent of the problem, as well as lack of reception by senior management to hear about the extent of the problem. So that is a good segue into the first problem: senior management attention. Leaderships of all the agencies occupy bully pulpits by virtue of their positions. They can regularly remind staff of their IT responsibilities and obligations. No cost; talk is cheap. What should they be doing? They should be addressing their employees in as many forums as possible and reinforce that IT security is everybody's responsibility. For example, we saw that the former Administrator used his office--this is at NASA again--used his office as a bully pulpit for safety. Safety was NASA's No. 1 core value. At senior staff meetings, leadership reiterated this value, discussed lessons learned, and tracked programs related to safety. However, no similar attention to ITS, other than during the Y2K crisis. Y2K came and went, and senior management attention came and went. I hope the new Administrator will use his office as a bully pulpit on IT issues.
Let's talk about the CIO. The CIO also did not utilize the bully pulpit to communicate IG findings, and we had the same findings over and over again, and NASA agreed to implement our recommendations over and over again. They didn't monitor these recommendations that they agreed to implement. Instead of using the bully pulpit and communicating to the staff and saying, ``Don't wait for the IG. Why don't you look to see if your systems have similar problems? And here are some suggestions that the agency IG recommended. Maybe these will be fixes for you.'' This really didn't happen. But I do want to point out the good news. Since the GISRA report, the CIO has shown improvement in communicating and sharing his communications with the OIG about IT vulnerabilities we identified in the IT reviews. I used lack of communication as one of the reasons why we found material weakness for purposes of the GISRA report; the CIO failed to use a very low-cost/no-cost forum. No. 2, another problem highlighted by OMB, as well as the IGs, is insufficient security awareness and training. Civil servants and contractors, they all need to have the training before being given access to systems. If personnel have more responsibilities and higher-level sensitivities to systems, they need to have a different kind of training. But NASA did not establish 100 percent training participation for the targeted groups for all its measures, despite the age-old adage: ``You're only as good as your weakest link.'' The point is not that you are going to make 100 percent of your goal, but shouldn't that be your goal? How could you have less than 100 percent for people to be trained as your goal? Otherwise, you're going to allow and accept weak links. Our biggest complaint on this training issue was that NASA did not have all of its civil servant system administrators trained, but even more significant is that they excluded, as their performance measure, contractor personnel. Guess what?
Seventy-nine percent of NASA's systems administrators are contractors. Their training is not even measured; they are not even tracked in terms of whether they have the appropriate training. This is an obvious risk for which NASA did not implement compensating controls. Oversight of contractor responsibility. Over and beyond incorporating IT clauses into contracts, which OMB addressed and we address, you still have to make sure that you know who these contractors are with whom you are working. They have wide-ranging responsibilities. Think about it. They are your systems administrators. They purchase and provide desktops. They are the ones that safeguard sensitive information. They maintain your systems. They put the patches in your system. Who are these people? What are they doing? And are you oversighting them? Contractor oversight is an area where the government needs to be attentive, and certainly NASA does. OK, good news. OMB focuses greater cooperation between OIGs and CIOs. I do want to say and give credit to two individuals who are here. Never say IGs don't say good things about people. Glen Schlarman and Kamela White are both here. There's Glen, and Kamela, she's hiding over there. Mr. Horn. Why don't you speak that back into the mike? They didn't quite catch it. Ms. Gross. OK. Both Kamela and Glen are here. In forwarding their summary report to Congress, they did not try to paint a rosy picture, but tried to present an accurate picture, and this wasn't always easy because sometimes it looked like the IGs and the agencies were reporting on two different worlds. I also want to commend them for their steadfast insistence that management work with IGs in developing corrective action plans. This has been a welcome increase in cooperation between IGs and CIOs. IG after IG reports this. Equally important, GISRA brought accountability to the heads of the agencies. They had to forward the report.
They had to forward an IG report as well as the agency report and put their name on it. It was their report. No more plausible deniability. They couldn't claim they didn't know what the IT issues were at their agencies. That was real good. OK, next steps, and I'm going quickly--GISRA I think should be extended in some form for 2 to 5 years, so that agencies will implement agreed-upon changes. In subsequent legislation, Congress should consider allowing the IGs to have more flexibility in their reporting responsibilities. This year it will still be the same, but if you still have to do this kind of level of intensity without having additional funding from the agency and OMB, you are not going to be able to move into other high-risk areas. Unlike when Congress passed the CFO audit and most IGs got more resources, that didn't happen for GISRA. Another suggestion is that there should be a sunset provision maybe in the 3 to 5 years, so you can evaluate if it is what you want to do. Are the means overtaking the end? So I think a sunset provision is good. Another way to ensure greater uniformity is to eliminate the act's bifurcation of responsibilities for national security programs. Under the act, the agency head asks an outside evaluator to come in, look at national security systems, which the IG later reviews. NASA's IG's office never got that security report in time to review it for the GISRA Act. The IGs use, at the least, a uniform evaluation methodology. They will either use government standards, PCIE-wide standards for reviews, or GAGAS, government auditing standards for their audits. This is not always the case. Agency heads bring in different people. Who knows what standards they are using? So this should be eliminated, and it should be having the IGs do 100 percent of that. These next steps require a focus on agencies' infrastructure for reporting intrusions, and also the agencies' first-responders. Are they training first-responders?
When you have a program manager they want to fix the problem. Often their fixes may increase the problem. Maybe the intruder is still in the network trojanizing the systems. Program managers don't always know what they are doing when they fix problems, partly because they are not coordinating with law enforcement. IGs must look at this, and I think this should be an area Congress could look at, to see if the agencies are actually implementing law enforcement coordination. The Congress passed the USA PATRIOT Act of 2001 to help law enforcement with the cyber war. One section allows victims of computer attacks to authorize persons acting under color of law to monitor trespassers on their computer systems. This provides law enforcement with the same authority in the cyber world that a police officer has in the normal world if there is a burglary in progress. This had to be amended so the monitoring wouldn't be considered wiretapping. This is important. I want to commend Howard Schmidt, vice chair, President's Critical Infrastructure Board. He is working with Richard Clarke. He has initiated contacts with NASA's Inspector General's office to help frame an OIG-wide response for the victim agencies. NASA, under my term, established the first Inspector General's Computer Crimes Unit, and Howard was turning to our unit in part because we were recognized both nationally and internationally for our expertise. It is crucial that OIGs help their victim agencies and those agencies look to this monitoring provision. Let's not wait for the cyber-attack, the law has already passed. Nobody has procedures. I know, because I put a request for monitoring into the agency, and it is under review. We need to have more sense of urgency for something like this. The law was passed because there was an urgent situation. That urgency cannot wait for the next attack, and if that is a cyber attack---- Mr. Horn.
Let me ask you a minute about this particular aspect on the follow up and getting that. Did they use the Carnegie-Mellon operation in part or did they use the FBI one? Ms. Gross. Carnegie-Mellon is not a law enforcement entity. They get information from both the private sector and government agencies. Part of the way Carnegie-Mellon works is sharing of information. Although it is not a law enforcement entity, they do have a member of the FBI on the CERT. They do share information with law enforcement. It goes back and forth, but it is not a law enforcement entity. The FBI also wanted this Computer Security Act passed. They, like any other law enforcement entity, needed that in order to do the monitoring; consensual monitoring by the owners of systems when you know there is a burglary, a cyber burglary in process, they can monitor. They needed that provision. There's no nationwide or agencywide practices on how to use that authority though. But, again, remember with the FBI, the FBI has to look at the private sector, universities and international entities. The group that really looks for their victim agencies is the OIGs. Many of them know the agency people; they know the systems; they know the programs. You might have a shot at figuring out the intent and motive of intruders if IGs are involved. They have fully qualified law enforcement special agents. This is a way of ensuring those much needed protections. Right now, you have a focus of the FBI looking at physical terrorism. The role of the IGs becomes even more paramount because of that. They need to step up to the plate. I would be glad to speak more on that. I can wax eloquent on that issue. Mr. Horn. We will get to that again, but we will move on to Mr. Gorrie. Ms. Gross. Yes. [The prepared statement of Ms.
Gross follows:] [Prepared statement submitted as graphics; TIFF images omitted from the electronic record.] Mr. Horn. Robert G. Gorrie is the Deputy Staff Director, Defense-wide Information Assurance Program Office, and Assistant Secretary of Defense for Command, Control, Communications and Intelligence. When did you fill that Assistant Secretaryship? Mr. Gorrie. No, sir, I am Office of the Assistant Secretary. They have that a little backward there. Mr. Horn. I see, OK. Mr. Gorrie. I conspire to that, though, but---- Mr. Horn. Well, remind me, who is the Assistant Secretary in that area? Mr. Gorrie. Mr. Stenbit is, sir. Mr. Horn. Mr. Who? Mr. Gorrie. John Stenbit. Mr. Horn. How do you spell the last name? Mr. Gorrie. S-T-E-N-B-I-T. Mr. Horn. OK, yes, because I haven't really followed it, but in the days of Y2K, until the General occupying the effort left, I know there's been sort of up and down under the previous administration. I assume Mr. Stenbit, then, is the Bush administration? Mr. Gorrie. Yes, sir, he followed Mr. Art Money, who was the previous ASDC3I. Mr. Horn. Well, go ahead. Mr. Gorrie. Yes, sir, thank you, Mr. Chairman and members of the subcommittee. I am honored to be here and pleased to have the opportunity to speak with your committee about lessons learned by DOD from assessments we conducted in response to the Government Information Security Reform legislation. Secretary Rumsfeld, in his testimony last month before the House Appropriations Defense Subcommittee, identified six key transformational goals for the Department. Leveraging information technology to create seamless, interoperable network-centric environments is one of those foundation transformational goals.
However, as our dependence on information networks increases, it creates new vulnerabilities, as adversaries develop new ways of attacking and disrupting U.S. forces. In recognition of this dichotomy, the Secretary established the protection of U.S. information networks from attack as another foundation transformational goal. Emphasizing that transformation is not an event, Secretary Rumsfeld described it as an ongoing process or a journey that begins with a transformed leading-edge force. Mr. Stenbit, the DOD CIO, is committed to support our transformation by providing the power to that information leading edge. To do that, he established three goals for his supporting efforts of Mr. Rumsfeld, and one of those is making the exchange of information available on a network that people depend on and trust. Now all of these goals in large measure are influenced by our ability to provide information assurance to the edge and throughout the entire information enterprise. Our senior leadership's stated commitment to these goals is testament to the importance placed on information assurance within DOD. The Department initiated work on its 2001 assessment in January 2001. The former DOD CIO, Mr. Art Money, established an IA Integrated Process Team to lead the assessments. In addition, the DOD IG ensured that independent audits were performed to assess and test DOD programs and policies for effectiveness and compliance with the law and other policies, procedures, standards, and guidelines. The analysis of the system-specific data and the responses to the OMB questions indicate that DOD has good IA policies, practices, and procedures in place, but needs verification of compliance. Without a capability to enforce and properly audit IA policy compliance, it is difficult to ensure that all systems operate based on up-to-date procedures and proper configurations.
Based on the data analysis, however, it is evident that even for those systems lacking accreditation, most have robust IA measures in place and programs with high IA awareness. DOD has a strong foundation in IA that will be expanded and more fully developed as that program matures. Without question, though, the biggest single lesson learned during the conduct of GISRA 2001 was the problems associated with our Security Certification and Accreditation Program. Compliance is a major issue. However, stricter audit and enforcement of DITSCAP, which is our Defense Information Technology Security, Certification, and Accreditation Program, stricter audit and enforcement of that will not necessarily rectify the problem. Non-compliance is more a symptom of the complexity of that process and the clarity of its implementing policy. These problems were previously identified, but definitively confirmed in the GISRA 2001 assessment. That certification and accreditation policy is undergoing dramatic modification in policy as well as in implementation. The DOD policy governing DITSCAP will streamline the certification and accreditation process and provide better clarity on definitions and responsibilities. DOD is also pursuing the use of automated tools to ease the documentation burden on security and systems administrators. The combination of these two efforts should significantly improve our ability to conduct certification and accreditation and, as a result, improve compliance. DOD, through the Defense Information System Agency, has also aggressively implemented comprehensive connection approval programs for both our Non-Secure and Secret Internet Protocol Router Networks, the SIPRNET and the NIPRNET. These programs have initial and subsequent periodic validation of network certification and accreditation as a precondition for connection to the network, and this will serve as a valuable compliance control mechanism to make sure that those programs are fully carried out. 
The DOD IG identified oversight and review of IA policy implementation and programming of funds and resources to support IA as areas requiring attention in the last GISRA assessment. Conduct of worthwhile oversight and review of IA policy implementation requires not only an established process, but also relevant and current IA policy. As mentioned in the IG report, DOD Directive 5200.28 was, or still is, our current security policy, but that happened to be written in 1992 and was woefully out-of-date. In its place, DOD is issuing a series of new IA directives and instructions to accommodate a more complex IA environment. The capstone directive is in formal coordination now within the Department and will be released soon. Other supporting directives have recently been released or will be released later this year. The responsibilities established in these directives are clear and concise, as are the management controls associated with the policies. Oversight of budgets and programming to support IA is one of the functions of my office, the Defense-wide Information Assurance Program Office. We are now reviewing, with all the DOD components, the services, and the agencies, IA budgets and programs during their development to coordinate efforts across the Department and to check for policy implementation. Subsequent to that, we conduct reviews to match the resource allocations and expenditures with the original plans to make sure that they match. Now, those were the things we noticed during regular GISRA. However, there were some procedural lessons learned that we also developed. One, as was mentioned previously, was to work closely with the DOD IG in the conduct of GISRA. Unfortunately, during last year's GISRA, we weren't able to do that because of time constraints and previous scheduling problems with the DOD IG. They looked at one small population of DOD systems, and we looked at another population. 
Optimally, we would have looked, both we would have done an assessment of DOD systems and then the IG would have come behind us and audited the same systems to verify the veracity of the information that we were getting. Because of that, DOD's Fiscal Year 2002 GISRA assessment efforts will focus on three particular areas. One is review of selected systems from 2001, and then we will go in and take a look at the major DOD networks, and also the third part of that is the departmental response to OMB IA management process questions. Approximately 168 systems from the 2001 assessment will be reviewed. The second area of this year's effort will focus on a random sample of major local, wide, and metropolitan DOD area networks. Then the final area in 2001 will be the response to the OMB IA management questions. OMB has indicated that the questions will be similar to those in the 2001 assessment, and will encompass all aspects of IA throughout the Department, from training and awareness to response capability. As DOD components conduct their assessments, the DOD IG will audit the subset of the 168 systems from last year, again, as I said before, to verify compliance and the veracity of the information that we collected.

We in DOD find the GISRA assessments a valuable tool. Combined with other assessment tools we have--for instance, the Joint Chiefs of Staff Joint Monthly Readiness Reviews, the Commanders-in-Chief's Integrated Priority Lists, Mission Need Statements, and other requirements documents--we are better able to discern what actions and direction are needed to be taken to sustain our IA posture and to transition to a more robust posture. Having identified these necessary actions and directions, we were able to better coordinate more effectively our oversight and coordination of the Department's IA budgets and the entire enterprise-wide program. That's it, sir.

[The prepared statement of Mr. Gorrie follows:]

Mr. Horn. Thank you very much. I want to ask you about the role of Mr. Stenbit. Now he is Assistant Secretary for the three C's--Command, Communications, and what else is it?

Mr. Gorrie. Command, Communications, and Control and Intelligence.

Mr. Horn. Control and Intelligence?

Mr. Gorrie. Yes, sir, and he is also the DOD CIO.

Mr. Horn. Yes. Now is that too much for one person to handle?

Mr. Gorrie. No, sir. Actually, it is probably a pretty good combination because not only does he see or oversee the policy and the budgetary parts of IT within the Department, but then, again, as the CIO of DOD, that gives him a more pervasive view not only of the programming and budgeting aspect and bringing new systems on board, but getting into the daily operational things that go on within the Department. Is it too big of a job to handle? No. I mean, he obviously has staff to deal with his CIO functions and also with his Assistant Secretary functions, but to have that all brought together in one person is valuable, because you get to see not only the policy development and also the procurement side of it, but also the operational side of it. Now there are people who would disagree with that and say that we should split this function and have a separate DOD CIO and a separate Assistant Secretary for Command, Control, Communications and Intelligence. The jury is still out on that. I don't personally subscribe to splitting those responsibilities, but until I become the Secretary, I won't be able to make that decision, sir. [Laughter.]

Mr. Horn. Well, I would like a little table with little boxes as to how many people we have for those various functions. I have gone through this with another agency 5 or 6 years ago.
They piled everything onto what Congress had said about Chief Financial Officers, Chief Information Officers, and the thrust of that was to get somebody of high-rank that we could get in the private sector or in the executive branch out of the Senior Service. We just looked at it, and not much was happening because the poor soul was overloaded. So I would like a chart at this point in the record. Without objection, it will be put there. So if you and everybody else can give us one, just so we can see the picture of who's helping and how many are helping and addressed to this?

Mr. Gorrie. Yes, sir. And if I might add one other reason why I don't think you necessarily want to separate those functions is because the level--if you split those functions, I don't know that necessarily the level of importance of the person holding that job would carry enough sway within the Department to have influence. At the Assistant Secretary level--and, actually, I think it should be at the Under Secretary level, but, again, I am not in a position to make that call--there is enough leverage there, and they have enough influence and the ear of the Secretary of Defense to make things happen. If you split it and diluted it, that might not necessarily be the case.

Mr. Horn. I have great admiration for the Secretary of Defense. I remember, going back about seven administrations, one person had about 12 of the functions we now have Assistant Secretaries hold. As you know, he did a very fine job. But when we have troubles in this area, where we haven't had it yet up where they can get a C, B, or A in looking at the computing operation, it just means we have got to focus on that and not be waylaid by all the other things that are very important.

Mr. Gorrie. Yes, sir.

Mr. Horn. OK, so we now have our last presenter, Chief Information Officer Karen S. Evans of the U.S. Department of Energy. Glad to have you here. When were you appointed? I see January 28th.

Ms. Evans.
Yes, sir, just 6 weeks ago. Good morning, and thank you for this opportunity to appear today to address the very important issue of improving the security of our Federal information systems. I was named the Department of Energy's Chief Information Officer 6 weeks ago, on January 28, 2002. As the CIO, I believe that effective cyber security is a balance of managed policies, procedures, technology, training, and people. It is also a major enabler of our Department's information technology initiatives, especially our e-government initiatives. My remarks today focus on the implementation of the Government Information Security Reform Act, improvements in the Department's cyber security infrastructure, and our plans for further strengthening our cyber security posture.

GISRA provides a comprehensive framework for establishing and ensuring effectiveness of security controls over information resources that support Federal operations and assets. Secretary Abraham submitted the Department's first annual security review last September. This committee established grading criteria, and the Department received an ``F.'' The scoring acknowledged that we were either complete or in the process of implementing 9 of 10 areas. Our raw score was 71. The score was weighed against weaknesses identified by our previous Department Inspector General and the Office of Independent Oversight and Performance Assurance audits and assessments. Our final scoring was lowered to 51.

Since the passage of GISRA, the Department has taken an active leadership role to further strengthen its cyber security posture. First, we developed and incorporated an enterprise-wide perimeter defense strategy to reduce the number and the severity of successful attacks. Analysis reveals that while the overall threat from virus and malicious code increased, the number of successful intrusions diminished.
Virus and malicious code incidents dropped from 60 in fiscal year 2000 to 39 in fiscal year 2001, a 35 percent reduction. In addition, while probes and scans escalated over 2,000 percent from fiscal year 1999 to 2001, unauthorized access and Web defacements diminished by over 50 percent. In addition, we have trained 6,200 managers and cyber security staff in the last year alone, and are continuing an aggressive training and awareness program, so that every Department member is aware that cyber security is an integral part of his or her job. Like many other government agencies, we still have a long way to go, but we have an excellent foundation on which to build. We recognize the importance of cyber security as a management issue. Our goal is to give line management the authority to determine how to implement policy, because it is in the best position to assess the appropriate levels of protection. Our Performance Improvement Plan and Performance Report Card provide a clean remediation road map for those program offices with GISRA-identified deficiencies, and our sites have made significant progress toward their elimination. Today I am pleased to announce additional cyber security initiatives. First, I will focus initially on developing and implementing a Department-wide certification and accreditation process to ensure that our unclassified information systems comply with departmental cyber security policies. Our Certification and Accreditation Program will establish a Department-wide process to certify that an information system or a site complies with documented security requirements, and that the program will continue to maintain an accredited security posture throughout the system life cycle. Processes such as certification and accreditation are insufficient without adequate risk-management and configuration management directives. 
The Department has identified some shortcomings in its approach in both areas, and I am committed to developing directives in these areas. The Department is also committed to protecting our national critical and mission-critical assets. As one of the first five agencies to complete the Critical Infrastructure Assurance Office Project Matrix Step One, we now have a comprehensive list of our most critical assets, which we used to focus our enhanced protection efforts. In addition, I am committed to implementing a robust, independent validation and verification process to provide an additional objective level of assurance regarding the continuity of operations for all of Department of Energy's mission-critical cyber assets. The Department has also initiated a renewed IT capital planning process to manage the cost of acquiring and maintaining IT assets. We are improving that process to ensure the seamless integration of security into each system's lifecycle costs. Although each of these efforts is only a part of our cyber security program, together they are effective tools to protect the Department's critical information assets. They will also serve as enablers for our electronic government efforts. I am intent on making the Department a national center of excellence for safeguarding classified and unclassified information on electronic systems. This will be accomplished through three objectives: strengthening the Department's cyber security community, ensuring a Department-wide risk-based approach to cyber security implementation, and enhancing protection of our internal cyber assets, especially our nationally critical and mission-critical assets. As CIO, I have been given programmatic authority to provide management oversight of the Department's cyber security program through the use of information technology capital planning and investment process. 
Our Performance Improvement Plan and Performance Report Card clearly communicate the status of identified issues of concern. This plan builds upon the foundation provided by GISRA and fosters solution-sharing within the enterprise. Our performance metric program provides us feedback on key elements for a healthy cyber security program. I am moving forward to strengthen our approach to risk and configuration management; implement a comprehensive certification and accreditation process, and an independent validation and verification process. With these initiatives, I am confident that the Department will continue to strengthen its cyber security posture. Success in this area takes continued and focused efforts due to the increasing complexity of threats and the rapid evolution of technology. We at the Department are committed to meeting this challenge. Mr. Chairman, this concludes my statement, and I would be happy to answer any questions.

[The prepared statement of Ms. Evans follows:]

Mr. Horn. Thank you very much. We appreciate your presentation. We are now going to go down the line for a few questions. I would like all of you to give us some information on them. The question basically is, are there adequate standards and known best practices to implement an effective information technology security program, especially for the CIOs, as to where that source is. Is it OMB? Is it GAO, so forth? Mr. Dacey.

Mr. Dacey. Let me answer that question at two levels. I think we have some guidance at GAO with respect to overall security management programs. I have included that as best practices from leading organizations for security management programs and for risk-assessment.
With respect to more detailed controls, I think there isn't consistent information out there. There is a lot of good information in industry, and there is a lot more being developed. I would say that NIST, a combination of NIST and the NSA, through the NIIAP, another organization, and some others, are starting to develop more detailed policies. These have been received fairly well for those who are trying to implement security in their systems. So it is, again, at two levels: one at the management level and one at the detailed standards level.

Mr. Horn. Mr. Forman.

Mr. Forman. I think the focus is wrong there. I think there are a plethora of standards, best practices tools. I think you have got to go beyond the United States and look at what the U.K. has done and other countries. The reality that we are working in, the environment that I am trying to bring about here, has to operate as fast as the Internet. Traditional bureaucratic processes simply will not give us the security we are looking for. We have--and I will lay out some of the elements of the puzzle--threat data aggregation, NIPC at the FBI, FedCIRC for the Federal Government, CERT at Carnegie Mellon, the SANS Institute, the National Security Agency, organizations within the Defense Department. So if there is a threat on the Internet and it moves at Internet speed, by the time any one of these organizations finds out about it and puts out an alert, you or I may hear about it on WTOP coming into the office in the morning. That is a day. We are talking about, on the other hand, an annual process with GISRA. We are moving to a quarterly process to oversee the management by the President's Management Council for Security Management. At once I feel, yea, finally, after for me 12 years of trying to get management attention, we've got the management attention; we've got a terrific set at both the policy levels and the technology levels of standards from NIST, from NSA, from DOD, and others.
Those standards are adequate to do what we need to do for the management policy, but they are inadequate to address some of the major issues within the Internet in regards to vulnerabilities. We need to look at how we put in place a process, not standards. If, in the end, we want fast identification of threats, fast remediation of vulnerabilities, we need to make sure that we are providing for that infrastructure. I fear the path we are going on right now is identifying people who are accountable, identifying visible sets of metrics and are they following them? If so, the potential exists to ignore the fact this stuff is moving in hours or days, not months, quarters or years. In essence, this is what we are trying to bring about with the Critical Infrastructure Protection Board. The process needs threat data aggregation. It needs vulnerability assessment. We have to make some decisions as a country about the remediation and deployment of remediation. In other words, is that going to be industry-driven or government-driven? I fear that the type of structures we put in place for Y2K, from a bureaucratic standpoint, won't work now. So, clearly, all of that is evolving, and we are working through that. But, by the same time, there is this issue of enterprise security issue, and that has been the focus of GISRA. That has been the focus of many people at this table as well as many of our staff in the back for well over a decade. There we have made the progress. I would rather see the focus being on, ``What do we need to be successful at Internet time'' than, ``How do we continue down this path of enterprise security management in a bureaucratic process?''

Mr. Horn. You mentioned that there were certain nations that would seem to be ahead of us in some of these areas. Could you give us a feeling for that?

Mr. Forman. I wouldn't say necessarily ahead of us in the sense that they have done a better job, but had some perhaps more complete or some accepted standards.
I think the U.K. was one of those. I know when I was at IBM, we used the U.K. standard for our security audits that we did in a number of industries. Since then, of course, NIST has, I believe, widely recognized, has put together a much broader set of standards from the technology level to the management level, which now many of the CIOs adopted. We didn't have that 2 years ago.

Mr. Horn. Dr. Bement, how do you feel about what's happening abroad that we might use in our own administration?

Dr. Bement. Well, in this area I think our current standards and accepted best practices are current and will put us in good standing, but it's very dynamic. The technology is changing rapidly. So we have to continually review these standards. Also, our risk models need to be changed as we get new threat information. So we have to keep on top of that. But we have cross-cutting alliances with Canada, with the U.K., and many other countries in the work that we do.

Mr. Horn. How about Australia?

Dr. Bement. Pardon me?

Mr. Horn. How about Australia? Or New Zealand? I mean, they've got a particularly different government.

Dr. Bement. I think all the members of the Coordinating Committee are very closely coupled with the work that we do, and Australia, New Zealand, Canada, the U.K. would be included in that. I feel that, apart from the standards and the best practices, and again we're going to come right back again to training, awareness, high-level oversight and compliance, there has to be enforcement of compliance. There has to be critical monitoring, and, of course, people really have to continually keep on top of the changes, as Mr. Forman mentioned. I think those are the critical issues.

Mr. Horn. Moving to another country before we finish that part of the question, India produces a tremendous number of very talented people that relate to computing.

Dr. Bement. Yes, that is correct.

Mr. Horn. What do we know about India's Government?
Many or most of the people probably come to the United States. I don't know if they are within the Government of India, but do you have any thoughts on that?

Dr. Bement. I don't know that NIST has strong interactions with India and I don't know that we have a number of citizens from India working at NIST. We may have some. But I am certainly aware of the fact that industry looks to the talent and the capabilities in India and draws on that very actively. Of course, we also interact very much with industry. So indirectly we probably do have some connections.

Mr. Horn. Ms. Gross----

Dr. Bement. Oh, Mr. Chairman, may I ask a privilege?

Mr. Horn. Sure.

Dr. Bement. I have another hearing in 15 minutes, and if I may, I would like to be excused.

Mr. Horn. Fine, and if we have a couple of questions, we will send them to you, and we will put them in the record at this point.

Dr. Bement. I would be pleased to respond to those. Thank you.

Mr. Horn. Fine. Thank you.

[The information referred to follows:]

Mr. Horn. Ms. Gross, how do you feel about, are there adequate standards and known best practices to implement an effective information technology security program?

Ms. Gross. I think there are a number of standards that are developing and, if implemented, would make our systems safer. I think you have to talk about human capital. You can have all the policies and all the procedures, but, ultimately, security is a matter of layers. It is policies; it is procedures; it is having the right people. If you don't have the right person as the CIO, you don't have the right people in law enforcement. It doesn't matter that you have an NIPC if the people there are not technical agents or they don't have technicians that know what they are doing. You can't have this vision of reacting to Internet speed unless you make sure that, in fact, you have the human capital in place.
We need to start reacting with Internet speed; about making sure we have the right people in the right places. I think you can get your layers of policies and procedures, but I am not sure we have been good about sharing best practices. You have organizations like SANS to give out some and so does OMB. I think this focus needs to be done. What are those best practices? You can't have that many ``F's'' and say that we have people that know what best practices are or know what the right procedures are, or don't have the right people in place.

Mr. Horn. How about your thoughts, Mr. Gorrie?

Mr. Gorrie. Standards and best practices, yes, sir, there are standards and best practices out there, and we use them, but they have to be tailored to specific environments. You just can't run out willy-nilly and pull them out of the blue. The NIST guidance for evaluating systems, NASA, NIST, security configuration, guidance for operating systems, they're all good, but you have to bring them in and build them into your own system and then evolve your own system along the way.

To just elaborate a little bit on what we heard about human capital, the training of people and the problems we have associated with that, people turning over and leaving the service and things like that, that is really more symptomatic of a deeper problem. That is again what was alluded to before, which is the velocity of the technology. In order for us to be able to track that velocity or track that technology as it moves forward, you are constantly having to retrain people, constantly having to modify operational techniques and procedures to keep up with that. However, as we look at that technology as it progresses along, we find that, in the terms of my boss, it isn't born secure, that security isn't built in from the beginning.
That is what needs to be done, not only the technological security, the crypto-algorithms, the built-in entries and detection and things of that nature, but also a systemic view where you have to have security management built into it, too. It can be a very, very secure box, but if you can't put it in the system and be able to manage all these disparate security devices, then you're sort of barking up the wrong tree. I think Mike Vatis, when he testified before your committee last September, sort of alluded to that problem, that it is not necessarily the training of the people; it is not necessarily the operational techniques that you employ; it is looking ahead to where technology is going and to try to track it. Now that is only part of the problem. You can track technology and try to build in security later, but the better part would be to engineer in security at the front, and not only the security technology, but to enable it to be managed effectively. Because today we have applications that are point-click, and before you used to have to sit down forever and a day to program these things out. What we need is security and security management that is also point and click, which would remediate some of our training problems, would remediate some of our operational problems, and go a long way to making this big bear of information security a little bit easier to tame.

Mr. Horn. Two weeks ago I was talking about various things with members of the NATO Assembly. Of course, you have a lot of problems in terms of the various countries in the Eastern part of Europe. I wonder, is the CIO role of Mr. Stenbit, do they relate to NATO and different things, where we do a lot of computing?

Mr. Gorrie. Yes, sir. As a matter of fact, one of the reasons I am here today, and not my boss, is that he is in first--not China, somewhere in the Far East, and then going down to Australia and New Zealand. But there is a very large international play in the ASDC3I and in the CIO, too.
One, interface with the five I's, which are the five English-speaking nations, the United States, the U.K., Canada, New Zealand, and Australia. But then even further than that, in through all the NATO subcommittees that we sit on, and then the Partnership for Peace People, and all the other people that it is expanding to, and then actually to even third-party countries to make sure that, when we need to go somewhere, that we have not only infrastructure support, but infrastructure support that has high availability, security, and some confidence that there isn't anybody prowling around in that infrastructure.

Mr. Horn. On Y2K, and now on this, where computing is a major factor, it comes up under Department of Defense, and they didn't do too well overall. When they have a lot of other things there besides the services. My instinct was that the Air Force was way ahead of the father, namely, the DOD, and we would have been giving them an ``A'' and still giving a ``D'' to the other groups, like Logistics and Procurement. I just wonder, is there a way to get the pressure so that the services that are doing well with CIOs--and maybe my instinct is wrong; you're on top of it, but I just think sometimes we ought to put the ``A's'' there if they are doing ``A'' work.

Mr. Gorrie. I don't know if I can address that, sir. I mean, I work with not necessarily the CIOs, but their IA underlings. I don't know if I am qualified to answer that question.

Mr. Horn. Well, if you could get me an answer, I would like to know that----

Mr. Gorrie. Yes, sir, I will.

Mr. Horn [continuing]. Because we ought to see the breakdown by the services and make sure that they are moving along on a path, and they aren't just off in a corner.

Mr. Gorrie.
From that particular perspective, sir, at least as far as IA goes, and that is my area of responsibility, so the only thing that I can talk to, you have each of the services--at least about 3 years ago, when I was on the Joint Staff, there were certain services that excelled in particular areas. For instance, the Air Force was far ahead of the Navy and the Army in terms of its ability to do intrusion detection, consolidated intrusion detection, across the enterprise. Such is not the case now. They have pretty much become even-keeled, because of the sharing of best practices and being able to go in and audit the capabilities for the individual services to do those things and then to apply resources for those services and actually prod them along to come about a little bit better. Things like information assurance vulnerability alerts, where we find out that there is a particular vulnerability in a piece of equipment or piece of software, those things are starting to become enterprise-wide endeavors, and not strictly limited to the services. The services have realized that in order to be successful in this world, that they have to exercise enterprise-wide solutions and not just limit them strictly to services, because they are all vulnerable. They all ride the basic backbone network. They all, both security and non-secure, know that if they are going to succeed, that they have to cooperate, and by and large they are cooperating. So from that perspective, the IA perspective, I do not see a great disparity in the capability of either the Air Force, the Army, or the Navy, or, as a matter of fact, across any of the agencies. We have endeavored, like I said before, to try to enforce enterprise-wide solutions rather than stovepipe solutions within the services.

Mr. Horn. If you would, just for the record, on IA, could you spell it out?

Mr. Gorrie. Information Assurance. I'm sorry, sir.

Mr. Horn. OK, and that's your office basically?

Mr. Gorrie.
The Defense-wide Information Assurance Program Office, yes, sir. Mr. Horn. Yes. Is that the way most of the agencies have-- -- Mr. Gorrie. Federal agencies or? Mr. Horn. Yes, Federal. Mr. Gorrie. I don't know that. The DIAP, or Defense-wide Information Assurance Program Office, was mandated in legislation, and I can't think off-the-top-of-my-head what that was, but it was in 1998, where the Secretary was told, ``You will have a defense-wide information assurance program,'' and a year after that's when the office that I belong to was formed. Now whether or not that is as pervasive across all of the other Federal agencies, I can't speak to that, sir. Mr. Horn. OK, thank you. That was Secretary Cohen that put that mandate in. Mr. Gorrie. Yes, sir. Mr. Horn. Yes, well, he was very knowledgeable in that area, as a Member of the Senate. Ms. Evans, any thoughts on best practices? Because you have put a lot of emphasis on it. Ms. Evans. Yes, I did. It is my opinion that we do have adequate standards and that there are best practices available today for a good security program. In many cases a lot of the best practices are obtained currently from our National Laboratories, and they are being used by other Federal departments and agencies. The Department itself does use the NIST standards best practices for our own classified systems, and we use the Committee on the National Security Systems for best practices for our classified systems. But I believe to have an effective security program, it is a discipline that needs to be practiced every day, and it has to be incorporated into the daily operations. So a lot of the comments that have been made by my esteemed colleagues here I support all the way down the line, in that as a CIO I need to incorporate that for the Department as a whole, so that it is practiced on a daily basis, so that we can effect remediation in Internet time, when a vulnerability is identified. Mr. Horn. Well, thank you. That is very helpful. 
Let me ask just a few more questions, and then we will call it a day. Ms. Gross---- Ms. Gross. Yes? Mr. Horn [continuing]. You've got a very active record, through the President's Council on Integrity and Efficiency, in helping both the agencies and Inspectors General implement the--excuse us. [Bells are ringing.] How many minutes? Ten? It is 9 minutes to go. You can see you are about to be released by the votes. This would be a great place if it wasn't for all the votes, you know. [Laughter.] You have given us some very good testimony. So, Ms. Gross, helping both the agencies and the Inspectors General implement the government information security reform provisions, I was just interested; you have been active in this. You have helped in that. What challenges do you see for Inspectors General expanding their annual evaluations to encompass all agency systems? Ms. Gross. I think the challenges for the Inspectors General are to make sure that there is implementation with agreed-upon recommendations, but I think a wider perspective than just the narrow, let's do the next GISRA report, which is very time-consuming and very resource-intensive, is to make sure that they are focusing on issues governmentwide. I think that it is very important that the individual Inspectors General go back into the PCIE, which is the IGs' group, and look to see both best practices and also look to see about how can they help. Since the President is going to have an initiative with e-government, IG's need to make sure that information will be available, that it will be secure, and that it will have integrity. Unless the IGs move out governmentwide and look past their own agencies, I think we are going to have a problem. So that would have been my thrust. Mr. Horn. Well, thank you. Mr. Forman, has your office considered imposing mandatory security standards and requirements on Federal agencies? Mr. Forman. Requirements we have; we will continue to do that, and we will tighten that up. 
Standards we rely on NIST, under the Computer Security Act for Federal information processing standards. There is another area where some people would call them standards, but they are architecture elements that are agreed upon. They are not technology standards at the NIST or FIPS level. For that, we have orchestrated--and I have actually done some changes in my role as directing the CIO Council. We have the Architecture Committee, which focuses on this. Lee Holcomb, the CIO at NASA, chairs it. John Gilligan, who had been chairing or co-chair of the Security Committee is now co-chair of the Architecture Committee. It is through that I believe we can be most successful. There is a final element, which is, how do we get patches out rapidly when major threats are identified? That is an area where we need to rapidly get in touch with at least 40,000 people. So I am making increasing use of FedCirc for that. Mr. Horn. Well, I want to thank the following people that prepared this hearing: J. Russell George, staff director and chief counsel, standing-up back there; and Bonnie Heald, deputy staff director; Claire Buckles, on my left, a very fine professional staff member on loan to us. And thank you. Earl Pierce, professional staff, isn't here today, and then Justin Paulhamus, majority clerk, is with us doing a great job. He just came in with us. And Michael Sazonov, subcommittee intern, and our court reporter, Joan Trumps. Thank you very much, and thanks to all of you. If we might, I think we will send you a few questions, and put them at this point in the record. So, unfortunately, I have got to get over there and vote. We are adjourned. [Whereupon, at 12:01 p.m., the subcommittee was adjourned, to reconvene at the call of the Chair.] 
    [Additional information submitted for the hearing record follows:]