<DOC>
[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:82355.wais]


 
LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 
                                  2000
=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 6, 2002

                               __________

                           Serial No. 107-124

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform








                          U.S. GOVERNMENT PRINTING OFFICE
82-355                             WASHINGTON : 2002
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001






                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
------ ------                            (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                  MAJOR R. OWENS, New York
DOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
               Claire Buckles, Professional Staff Member
                        Justin Paulhamus, Clerk
           David McMillen, Minority Professional Staff Member




                            C O N T E N T S


                             ----------                              
Hearing held on March 6, 2002
Statement of:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office; Mark A. Forman, Associate 
      Director, Office of Information Technology and e-
      Government, Office of Management and Budget; Arden L. 
      Bement, Jr., director, National Institute of Standards and 
      Technology; Roberta L. Gross, former Inspector General, 
      National Aeronautics and Space Administration; Robert G. 
      Gorrie, Deputy Staff Director, Defense-wide Information 
      Assurance Program Office, Office of the Assistant Secretary 
      of Defense for Command, Control, Communications and 
      Intelligence; and Karen S. Evans, Chief Information 
      Officer, Department of Energy
    Davis, Hon. Thomas M., a Representative in Congress from the 
      Commonwealth of Virginia
Letters, statements, etc., submitted for the record by:
    Bement, Arden L., Jr., director, National Institute of 
      Standards and Technology:
        Followup questions and responses
        Prepared statement of
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office, prepared statement of
    Davis, Hon. Thomas M., a Representative in Congress from the 
      Commonwealth of Virginia, prepared statement of
    Evans, Karen S., Chief Information Officer, Department of 
      Energy, prepared statement of
    Forman, Mark A., Associate Director, Office of Information 
      Technology and e-Government, Office of Management and 
      Budget, prepared statement of
    Gorrie, Robert G., Deputy Staff Director, Defense-wide 
      Information Assurance Program Office, Office of the 
      Assistant Secretary of Defense for Command, Control, 
      Communications and Intelligence, prepared statement of
    Gross, Roberta L., former Inspector General, National 
      Aeronautics and Space Administration, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of
    Schakowsky, Hon. Janice D., a Representative in Congress from 
      the State of Illinois, prepared statement of


LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 
                                  2000

                              ----------                              


                        WEDNESDAY, MARCH 6, 2002

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Schakowsky, and Maloney.
    Staff Present: J. Russell George, staff director and chief 
counsel; Bonnie Heald, deputy staff director; Claire Buckles, 
professional staff member; Justin Paulhamus, clerk; Michael 
Sazonoff, intern; David McMillen, minority professional staff 
member; and Jean Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, the Subcommittee on 
Government Efficiency, Financial Management and 
Intergovernmental Relations will come to order.
    The Federal Government relies on computer systems to 
provide essential services to the Nation and its people. These 
large, complex systems help regulate the economy, collect 
taxes, pay benefits, and defend the Nation. The speed and 
accessibility of the technology have greatly enhanced 
government operations and have provided citizens with nearly 
instant access to their government.
    Yet, those operations are at risk. Computers at the White 
House, the Department of Defense, the Department of the 
Treasury, and the Department of the Interior have all been 
successfully attacked. The security vulnerabilities at the 
Department of the Interior are so severe that a U.S. District 
Court judge in Washington has ordered the Department to 
disconnect its Trust Asset and Accounting Management System 
from the Internet. This system handles about $500 million a 
year in royalty and lease payments to Native Americans.
    These are not the only troubled agencies, however. In 
November 2001, the subcommittee issued its second annual report 
card grading computer security efforts at 24 major executive 
branch agencies. Overall, the executive branch earned an 
abysmal grade of ``F.'' That grade was the same during the 
Clinton administration and now the Bush administration.
    We have known for more than a decade that the government's 
information systems are vulnerable, yet little has changed. In 
a report issued last month, the Office of Management and Budget 
concluded that a significant part of the problem falls to 
senior managers who have failed to focus sufficient attention 
on computer security. I agree. The various bureaucracies need 
to be pushed by the political appointees, so we can have a 
better record.
    Since 1987, Congress has passed legislation to address 
Federal computer security weaknesses. The most recent law, the 
Government Information Security Reform Act, was enacted in the 
year 2000. This law requires Federal agencies to assess the 
nature and sensitivity of the information stored in their 
computers and then develop appropriate security plans to 
protect that information. In addition, it requires that, for 
the first time, agencies conduct annual computer security 
evaluations and report the results to the Office of Management 
and Budget.
    Agencies filed their first reports in September 2001. 
Clearly, the full benefits of the law have not been realized. 
Agencies have not yet developed security plans that balance 
protection and risk. However, they are beginning to focus on 
the problem. The act is scheduled to sunset next year.
    Today's hearing will explore how Federal agencies have 
implemented the act and what additional steps might be taken to 
ensure that effective safeguards are in place. We must identify 
the weaknesses in order to correct them. We must use the 
``lessons learned'' from the Government Information Security 
Reform Act to take effective, urgently needed action to ensure 
that it is reauthorized and improved.
    I welcome today's witnesses, and I look forward to working 
with each of you to ensure the security of the government's 
information technology resources.
    I will enter into the record at this point as an exhibit 
after my opening remarks the Computer Security Report Card of 
November 9, 2001.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.001 through 82355.003
    
    Mr. Horn. The ranking member is coming, and I see that my 
colleague, Mr. Davis, has been here now as panel one, and we're 
delighted to have you here. You have been a major force in the 
work of e-government and the work of technology generally. So 
the gentleman from Virginia, Mr. Davis.

STATEMENT OF HON. THOMAS M. DAVIS, A REPRESENTATIVE IN CONGRESS 
               FROM THE COMMONWEALTH OF VIRGINIA

    Mr. Davis. Let me first commend you and your staff for the 
tremendous work you have done on Federal information security 
during your tenure as chairman of this subcommittee and your 
previous chairmanship of the Government Management, 
Information, and Technology Subcommittee. It's a privilege 
working with you on this critical topic.
    I want to thank you for giving me the opportunity to speak 
on this issue in the context of today's hearing, examining the 
lessons learned from the implementation of the Government 
Information Security Reform Act of 2000 [GISRA].
    Unquestionably, the events of September 11th and the 
ensuing war on terrorism have produced a variety of responses 
throughout the world. Nowhere has the response been so fervent 
as here in our Nation's Capital. From the creation of the new 
Office of Homeland Security to security-related legislation, 
there is an unprecedented awareness of the vulnerabilities we 
face.
    This new awareness has naturally focused more attention on 
security matters, particularly with respect to information 
security. Yet, this issue and the fact that Federal information 
systems continue to be woefully unprotected from both 
malevolent acts and benign interruptions have presented a grave 
concern to me for a number of years. I know that you and the 
members of this subcommittee share that concern as well.
    From our work in the Government Reform Committee, it is 
clear that the state of Federal information security suffers 
from a lack of coordinated, uniform management. Resolving this 
problem becomes even more imperative when you consider the many 
objectives we hope to achieve through the efficient and cost-
effective use of information technology and the advancement of 
electronic government. These objectives include electronic 
procurement, telecommuting, a comprehensive information-sharing 
network, and improved provision of services to citizens and 
businesses. The common element of these goals is the 
interconnectivity that they each require to facilitate 
communications between different public and private entities.
    Poor information security management has persisted in both 
the public and private sectors long before IT became the 
ubiquitous engine driving governmental, business, and even home 
activities. After all, information security implicates both 
the physical and the cyber-environment.
    A decade ago, technology stood as one of many factors 
important to the mission and performance objectives of the 
Federal Government. But no longer is technology ``one of 
many.'' Instead, the Information Revolution and the ever-
evolving technologies that support its collection, 
assimilation, and communications have become integral to the 
functioning of our government.
    As our reliance on technology and our desire for 
interconnectivity have grown over the past decade, intensifying 
with the advent of the Internet, our vulnerability to attacks 
has grown exponentially. The high degree of interdependence 
between information systems, both internally and externally, 
exposes the Federal Government's computer networks to benign 
and destructive disruptions. This fact is tremendously 
important in understanding how we devise a comprehensive and 
yet flexible strategy for coordinating, implementing, and 
maintaining Federal information security practices throughout 
the Federal Government as the threat of electronic terrorism 
increases.
    Yet, Federal information security management continues to 
falter. Despite consistent evaluations since 1997 showing that 
Federal information security is a government-wide, high-risk 
issue, GAO continues to find ``pervasive and continuing 
weaknesses.'' And, of course, as this subcommittee found last 
November, 16 of the 24 Federal agencies evaluated in 2001 each 
received a disappointing grade of ``F,'' with only one agency 
receiving a grade higher than a ``C+.''
    Of course, while these grades are disappointing, they 
reflect the difficulty of implementing effective security 
management without sufficient commitment and guidance from an 
accountable entity within each agency, and for the Federal 
Government as a whole.
    In July 2000, I introduced legislation that would have 
created, among other things, a new Federal Chief Information 
Officer in the Executive Office of the President. One of the 
primary components of that bill expanded upon the then yet-to-
be-enacted Government Information Security Reform Act [GISRA], 
introduced by Senators Fred Thompson and Joe Lieberman.
    My legislation, entitled, ``the Federal Information Policy 
Act'' [FIPA], reflected my firm belief that there needs to be 
an executive branch office that holds both the prestige and the 
accountability for strategically modernizing our stovepipe IT 
structure. At the same time, that office must have the 
authority to prioritize cross-jurisdictional e-government 
initiatives and networked information and telecommunications 
networks, in order to achieve efficiencies and secure Federal 
information systems.
    With the establishment of a new office of Associate 
Director of IT and Electronic Government within the OMB, I have 
opted to withhold the reintroduction of Federal CIO legislation 
until I have had an opportunity to evaluate the progress that 
OMB has been able to achieve in carrying out the 
administration's Enterprise Information Management and 
Integration initiative.
    That said, my concerns regarding the pervasive and 
persistent weaknesses in Federal information security 
management, infrastructure, and accountability remain strong. 
These are concerns I know you also share, Mr. Chairman, and I 
applaud your subcommittee's steady work in bringing to the 
forefront the critical need for immediate and focused attention 
on this issue.
    Yet, I would add that, to the extent that increased 
security concerns rely on the ability of the public and private 
sectors to share information securely, it is even more critical 
that the Federal Government put its own house in order with 
respect to the security of its own Federal information and 
telecommunications systems. It is for this reason that I have 
just introduced legislation similar to the information security 
provisions in FIPA, and I am very pleased that you have agreed 
to co-sponsor this measure with me, Mr. Chairman.
    The overall purpose of these efforts is to strengthen the 
information security management infrastructure of the Federal 
Government. The bill, entitled, ``the Federal Information 
Security Management Act'' [FISMA], undertakes this objective by 
building on the foundations laid out by GISRA. As you know, 
GISRA requires every Federal agency to develop and implement 
security policies that include risk assessment, risk-based 
policies, security awareness training, and periodic reviews.
    With GISRA set to expire on November 29th of this year, the 
Federal Information Security Management Act permanently 
reauthorizes this legislation and implements additional 
measures designed to enable the Federal Government to become a 
reliable public partner for protecting America's information 
highways. In general, FISMA streamlines GISRA's provisions and 
requires that agencies utilize information security best 
practices that will ensure the integrity, confidentiality, and 
availability of Federal information systems.
    Moreover, the bill seeks to strengthen the role played by 
the National Institute of Standards and Technology in 
developing and maintaining standards and guidelines for minimum 
information security controls. Agencies would be required to 
identify the risk levels associated with their systems and 
implement the appropriate level of protections accordingly. 
This latter objective is especially important in light of the 
interconnectivity of information systems. We need to implement 
a framework that ensures that when systems interconnect with 
each other, there is a uniform management infrastructure and 
universal benchmark for measuring the risks and vulnerabilities 
of Federal information systems.
    We cannot afford to delay enactment of this legislation. At 
a time when uncertainty threatens confidence in our Nation's 
preparedness, the Federal Government must make information 
security a priority. I am heartened by the President's bold 
commitment to tying the budget process to individual agency 
performance, and to using information security as one 
measurement of that performance. However, information 
security cannot go the way of any other ``issue du jour.'' It 
is a constant management requirement that requires eternal 
vigilance, and the ranking of its importance to Federal 
operations cannot fluctuate from one administration to the 
next.
    It is my hope that we take this opportunity, in the context 
of extending GISRA, to signal Congress' deep concerns that 
information security is not being taken seriously by every 
agency and department. We must demand that in our networked 
era, where technology is the driver, every Federal information 
system must be managed in a way that minimizes both the risk 
that a breach or disruption will occur and the harm that would 
result should such a disruption take place.
    We will learn a lot today as we determine the impact that 
GISRA has had on the information security practices throughout 
the Federal Government. I very much look forward to working 
with you, Mr. Chairman, the members of this subcommittee, and 
other concerned Members of the House and Senate as we move 
forward on strengthening GISRA and improving our government's 
overall information security management. Thank you.
    [The prepared statement of Hon. Thomas M. Davis follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.004 through 82355.009
    
    Mr. Horn. I thank you for all the work you have done. Could 
you translate those two things, like ``FISMA'', was it, or 
something?
    Mr. Davis. Right, it's the Federal Information Security 
Management Act. Of course, GISRA was the previous act.
    Mr. Horn. Now is it true that Mr. Richard Clark is really 
fulfilling the office that you and some of our friends in the 
Senate wanted to do?
    Mr. Davis. Part of it. I think that is as close as we can 
come to it, yes, sir.
    Mr. Horn. Yes. Well, my understanding is that he is a 
pretty tough-minded person.
    Mr. Davis. He is a tough-minded guy.
    Mr. Horn. So that is what we want.
    Mr. Davis. Exactly.
    Mr. Horn. OK. So, in a sense, part of that which everybody 
has wanted is now underway. So we just have to wait to see what 
OMB and he do to get the thing done.
    Mr. Davis. Mr. Chairman, the question always is you have a 
tough-minded person, but how much authority do they actually 
have, when push comes to shove? When they get on the phone, who 
are they calling from, how seriously are they taken at the 
other end of the line? That is what really remains to be seen.
    Mr. Horn. Yes, well, you are certainly right on that. If 
the President backs him up, the Cabinet Secretaries I am sure 
will listen, and if it becomes part of a Cabinet agenda, that 
will help on this.
    Mr. Davis. Mr. Chairman, as you know, we went through this 
with the Y2K issues----
    Mr. Horn. Right.
    Mr. Davis. [continuing]. Where they went through two or 
three czars.
    Mr. Horn. Right.
    Mr. Davis. Most of them having two or three other jobs and 
not having the clout until the administration finally brought 
in the appropriate person who had the clout and put it together 
at the end.
    Mr. Horn. And had the ear of the President.
    Mr. Davis. Yes, had the ear of the President.
    Mr. Horn. Knew him before he was here.
    Mr. Davis. Exactly, and, more importantly, when they 
called, the people on the other end of the phone knew that he 
was speaking for the President.
    Mr. Horn. Yes.
    Mr. Davis. And John Koskinen turned that around.
    Mr. Horn. Right. Well, thank you very much----
    Mr. Davis. Thank you.
    Mr. Horn [continuing]. For your presentation. If you would 
like to stay with us, we are delighted to have you, if you 
wish.
    Mr. Davis. I will stay for a few minutes. Thank you, Mr. 
Chairman.
    Mr. Horn. OK. We will now swear in panel two, and that is 
Robert F. Dacey, Director, Information Security, U.S. General 
Accounting Office; Mark A. Forman, Associate Director, Office 
of Information Technology and E-Government, Office of 
Management and Budget; the Honorable Arden L. Bement, Jr., 
Ph.D., Director, National Institute of Standards and 
Technology; the Honorable Roberta L. Gross, Former Inspector 
General, National Aeronautics and Space Administration; Robert 
G. Gorrie, Deputy Staff Director, Defense-wide Information 
Assurance Program Office, Assistant Secretary of Defense for 
Command, Control, Communications and Intelligence, and our last 
presenter on this panel will be Karen S. Evans, Chief 
Information Officer, Department of Energy.
    As you know, since this is an investigating subcommittee, 
you raise your right hands to accept the oath.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that all six witnesses 
affirmed.
    Please be seated. We will start with Mr. Dacey, the 
Director of Information Security, U.S. General Accounting 
Office, which is Congress' right arm in terms of getting things 
done. GAO is presided over by the Comptroller General of the 
United States. We have a first-rate person in that role right 
now in General Walker. So we are always glad to hear what the 
General Accounting Office has to say on these areas.

STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, 
   U.S. GENERAL ACCOUNTING OFFICE; MARK A. FORMAN, ASSOCIATE 
 DIRECTOR, OFFICE OF INFORMATION TECHNOLOGY AND E-GOVERNMENT, 
    OFFICE OF MANAGEMENT AND BUDGET; ARDEN L. BEMENT, JR., 
   DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY; 
     ROBERTA L. GROSS, FORMER INSPECTOR GENERAL, NATIONAL 
AERONAUTICS AND SPACE ADMINISTRATION; ROBERT G. GORRIE, DEPUTY 
  STAFF DIRECTOR, DEFENSE-WIDE INFORMATION ASSURANCE PROGRAM 
   OFFICE, OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE FOR 
COMMAND, CONTROL, COMMUNICATIONS AND INTELLIGENCE; AND KAREN S. 
     EVANS, CHIEF INFORMATION OFFICER, DEPARTMENT OF ENERGY

    Mr. Dacey. Mr. Chairman and members of the subcommittee, I 
am pleased to be here today to discuss the Federal Government's 
first-year implementation of government information security 
reform provisions. As you requested, I will briefly summarize 
our written statement.
    Federal agencies rely extensively on computerized systems 
and electronic data to support their missions and critical 
operations. Concerned with reports that continuing pervasive 
computer security weaknesses place Federal operations at 
significant risk of disruption, tampering, fraud, and 
inappropriate disclosures of sensitive information, the 
Congress enacted the reform provisions to reduce these risks 
and provide for more effective oversight of Federal information 
security.
    Mr. Chairman, as you know, we have been conducting a review 
of the implementation of the reform provisions for you and the 
Ranking Member. Today I will provide a preliminary result of 
our review.
    The initial implementation of reform provisions is a 
significant step in improving Federal agencies' information 
security programs and addressing their information security 
weaknesses. The legislation consolidates information security 
requirements into an overall management framework covering all 
agency systems. It adds new statutory evaluation and reporting 
requirements and OMB and congressional oversight.
    Agencies have noted a number of benefits of this first-year 
implementation, including increased management attention to, 
and accountability for, information security. In addition, the 
legislation has resulted in other important actions by the 
administration, such as plans to integrate information security 
into the President's management agenda scorecard. Also, 
agencies have taken steps to redesign and strengthen their 
information security.
    OMB oversight, which included formal guidance, review and 
analysis of agency-reported material, agency discussion and 
feedback, and monitoring of corrective actions, has helped 
agency implementation and reporting efforts. Although agencies 
generally considered OMB guidance beneficial, the initial 
implementation of reform provisions highlighted the need for 
further guidance in several areas.
    Last month OMB released its first required annual report to 
the Congress on the results of agency implementation efforts. 
As a result, in this report OMB commended agency improvement 
efforts, but noted that many agencies have significant 
deficiencies in every important area of security. OMB also 
identified a number of common agency security weaknesses, 
including lack of senior management attention, inadequate 
accountability for job and program performance, and a limited 
capability to detect vulnerabilities or intrusions.
    We agree that OMB's report to the Congress and the agency 
reports are a valuable baseline and believe that OMB's report 
provides a useful overview of OMB and agency efforts to comply 
with the reform provisions. I would like to personally commend 
the OMB staff for their efforts in this endeavor.
    Nonetheless, certain additional information, including the 
adequacy of agency corrective action plans and the results of 
audits of evaluations for national security systems, is needed 
by Congress to fully assess and oversee these efforts and 
deliberate over agency budgets.
    OMB has not authorized agencies to release some agency 
material, such as agency corrective action plans, to the 
Congress or GAO. We plan to continue working with OMB in an 
effort to find workable solutions to obtain this information.
    Agency reports to OMB show that agencies have not 
established information security programs consistent with the 
provisions of the legislation and that significant weaknesses 
exist. Although agency actions are now underway to strengthen 
information security and implement these requirements, 
significant improvements will require sustained management 
attention, as well as OMB and congressional oversight.
    The IG's independent evaluations of agency implementation 
efforts also played a key role in the implementation process. 
The IG's first-year efforts were largely based on existing or 
ongoing audit work that had been planned to evaluate agency 
information security, which in a number of instances consisted 
primarily of audits of financial systems.
    While their future efforts should expand to include more 
systems, the IG's first-year evaluations helped to identify 
significant weaknesses in all 24 agencies, weaknesses that were 
not always identified by agencies in their reports.
    Given the recent events and reports that critical 
operations and assets are highly vulnerable to cyber-attack, it 
is essential that Congress have adequate information to oversee 
and fund the Federal information security efforts, and that 
these efforts be guided by a comprehensive strategy for 
improvement. In addition, there are a number of important steps 
that the administration and the agencies should take, including 
delineating the roles and responsibilities of the numerous 
entities involved in Federal information security and the 
related aspects of critical infrastructure protection, 
providing more specific guidance to agencies on the security 
controls they need to implement, and allocating sufficient 
agency resources for information security.
    Mr. Chairman, this concludes my statement. I would be 
pleased to answer any questions that you or other members of 
the subcommittee may have.
    [The prepared statement of Mr. Dacey follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.010 through 82355.040
    
    Mr. Horn. Thank you very much for that succinct opening.
    Mark A. Forman is the Associate Director, Office of 
Information Technology and e-Government, Office of Management 
and Budget. Welcome.
    Mr. Forman. Thank you, Mr. Chairman, and thank you, 
Congressman Davis, both for your leadership and your vision as 
it relates to e-government and computer security. Having your 
focus and the oversight on this issue is critically important 
to the success of the initiatives that we are trying to 
accomplish for governmentwide security. We understand not only 
the need for this, but we appreciate your having the hearing 
and the focus on this.
    I would like to say good morning and thank you for inviting 
me here to discuss the lessons learned from the implementation 
of the Government Information Security Reform Act. I, too, have 
submitted the prepared testimony, and I will take a synopsis of 
that in my oral presentation.
    As you know, the President has given a high-priority to 
security of government assets, and this includes government 
information systems and protection of the Nation's critical 
information assets from cyber threats and physical attack. We 
believe that protecting the information and the information 
systems on which the Federal Government depends requires 
agencies, first, to identify and resolve the current weaknesses 
and risks, as well as to then protect against the future 
vulnerabilities and threats.
    Last October the President issued Executive Order 13231, 
the Critical Infrastructure Protection in the Information Age. 
That established the Critical Infrastructure Protection Board 
and created the chair as a special advisor to the President for 
Cyberspace Security.
    Now the President has made OMB a critical member of this 
board. Our presence reflects our statutory role regarding 
security of Federal information systems. In addition, there are 
several committees under the board, and we chair the Standing 
Committee on Executive Branch Information Systems Security.
    The administration has been proactive in implementation of 
the Government Information Security Reform Act, and I will 
refer to this from now on as the Security Act. This includes 
expanding the reporting requirements to include the Chief 
Information Officer and senior agencies' officials' input with 
the Inspectors General.
    We have moved beyond simply reporting security weaknesses 
and are focusing on agency work to remediate the security 
weaknesses. The basic push behind our continuing work is a 
strong focus on management implementation of security.
    We have recently taken the following two steps to help 
ensure a strong focus on maintaining senior management 
attention to security: First, in January, OMB Director Mitch 
Daniels sent letters to the heads of agencies and departments 
communicating our concerns regarding their fiscal year 2001 
security performance. In general, agency heads responded back 
in writing with a commitment to resolve their past flaws. OMB 
will soon meet with all of the 24 large agencies and 
departments to discuss the work in implementing their 
corrective action plans.
    Second, the President has charged Director Daniels with 
overseeing implementation of the management agenda through the 
use of an executive branch management scorecard. This scorecard 
tracks agency improvement in five governmentwide areas and 
assigns a red, yellow, or green score.
    One of these areas is expanding electronic government, and 
we are incorporating IT as a core criterion within that. This 
means that if an agency does not meet IT security criteria, it 
will not achieve a green score, regardless of the agency's 
performance under the other e-government criteria.
    I would now like to talk a little bit about our report to 
Congress, the findings, some of the next steps. As you know, 
one of OMB's responsibilities under the Security Act is to 
submit each year a report to Congress that summarizes the 
results of security evaluations conducted by agencies and 
reported to OMB. On February 13th of this year, Director 
Daniels transmitted this report to the Congress.
    At this time I would like to recognize the tremendous 
amount of work of agency program officials, CIOs, IGs, my 
staff, and all of their staffs in conducting the reviews and 
evaluations upon which the report is based. This was a large 
effort for all involved, and the report illustrates this work, 
as well as the ongoing efforts of agencies to remediate their 
weaknesses.
    Additionally, the National Institute of Standards and 
Technology continue to play their critical role in promoting IT 
security requirements among agencies. OMB policy requires that 
each agency's program implement policy standards and procedures 
consistent with NIST guidance. NIST has developed a security 
questionnaire, and most agencies use this document as the basis 
for conducting their annual reviews under the Security Act.
    The OMB report represents a first year of implementation. 
It is a valuable baseline that has recorded the security agency 
performance. Even though the Security Act only required us to 
summarize the results, we expanded the report. We included the 
results of CIO and program official reviews in the recent 
activities we have undertaken in preparing the fiscal year 2003 
budget decisions, OMB findings, and next steps, as well as 
additional efforts that we have undertaken and the agencies 
have taken to improve Federal information technology security.
    From our assessment of agency performance, we have both 
validated the earlier positions on what the problems were and 
identified at a high-level important lessons learned. I would 
like to briefly sum those up.
    First, security is primarily a management problem, not a 
technical or funding problem. Are you willing to support us if 
we push to get someone fired because they will not implement a 
security plan? Second, increased spending does not necessarily 
translate into increased security performance. Third, high-
quality IG audits are necessary. The IGs provide an important, 
independent validation function. Fourth, agency employees with 
specific security responsibilities must have the authority to 
fulfill their responsibilities and at the same time have to be 
held accountable for their performance.
    There are a number of additional actions I have described. 
A key part of the written testimony I would ask you to look at 
are the actions under the OMB Security Committee of the 
Critical Infrastructure Protection Board. Therein we have laid 
out a process to focus more rapidly on actions needing to be 
addressed, because this is an ever-changing issue both in terms 
of vulnerability and threats.
    I would also ask you to take a look at the decisions that 
we have made in the budget, and would ask your support in the 
appropriations decisions that ultimately will have to make 
these into reality.
    Finally, I would like to focus on the governmentwide 
initiatives that we have underway leveraging the project matrix 
work and the enterprise architecture work. The development of 
the governmentwide enterprise architecture assessment is 
critical and a central part of not only our e-government 
efforts, but our cyber-security efforts. Basically, to more 
clearly identify and prioritize the security needs for 
government assets, OMB is going to direct all large agencies to 
undertake a project matrix review, and that was a key element 
of the 2003 budget.
    Again, I would like to thank you for the opportunity to 
testify. We have a summary in the testimony of the six 
government problems that we identified in the report, and I 
would be willing to answer any questions in that regard at the 
appropriate time.
    [The prepared statement of Mr. Forman follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.041 through 82355.053
    
    Mr. Horn. Well, thank you very much. I want to emphasize 
what you just did now, the President's Executive order, which 
was Critical Infrastructure Protection in the Information Age, 
and he established a board, as you suggested. The chair, who 
serves as a special advisor to the President for Cyberspace 
Security, and that, of course, is Richard Clarke, who chairs 
the Board and is the Special Advisor to the President for 
Cyberspace Security. He reports both to Governor Ridge on 
issues that affect homeland security and to the National 
Security Advisor, Condoleezza Rice, on the issues that affect 
national security.
    The President has made OMB a member of the Critical 
Infrastructure Protection Board. Are you on that board as part 
of it?
    Mr. Forman. Yes, I am.
    Mr. Horn. I think it shows the President has taken some 
real action with people that did have his ear.
    I am going to have to recess now. When I come back, the 
ranking member, Ms. Schakowsky, will have her statement in, and 
we will then go down the line. We have a Journal vote before 
us.
    Ms. Schakowsky. Is there an opportunity for me to do that 
now?
    Mr. Horn. Sure, sure. She will put it in now, and once she 
finishes, we are in recess.
    Ms. Schakowsky. Thank you, Mr. Chairman. I appreciate that.
    I want to thank the chairman for holding this hearing and 
for his leadership on computer security issues in the House. I 
look forward to working with him to improve government 
information security reform language that was passed in the 
Congress.
    It was passed in the last Congress as a part of the Defense 
Authorization Act, and as such, really didn't get, in my view, 
adequate review in the House. No hearings were held, and we had 
very little opportunity to affect the content.
    Consequently, under Representative Waxman's leadership, we 
sought and received a 2-year sunset on this legislation. Our 
experience over the past year has substantiated the wisdom of 
that approach.
    There are a number of problems in this legislation that 
have already come to our attention. I am hopeful that today's 
hearing will help us put together a more complete picture of 
the actions to make this legislation more effective.
    One problem has already come to our attention. One of the 
problems is the reports prepared by the agencies. We asked the 
GAO to use agency information security reports to develop the 
scorecards for our hearing last fall. It came as a surprise 
when the administration refused to allow access to those 
reports, claiming that they were predecisional and part of the 
budget process. After much negotiation, we were finally given 
access to executive summaries, hardly a satisfactory outcome.
    A more serious shortcoming of this legislation is the 
absence of any system to assure that all agency systems are 
checked and protected. Today few, if any, agencies have a 
complete inventory of their computer systems, even though just 
such an inventory was required for Y2K compliance just 2 years 
ago. Without a complete inventory, it is impossible to know if 
all systems have had the risks assessed and the protections 
tested. We must make sure that every agency maintains a current 
inventory of systems and has in place a systematic process to 
assess risk for those systems and to test the protections in 
place.
    I am sorry that I was late. I do look forward to hearing 
today's witnesses, if not reading the testimony, and hope that 
each of you will understand that we share the common goal of 
assuring the public that our systems have adequate protection. 
So I thank you all for coming today.
    We will be back.
    [The prepared statement of Hon. Janice D. Schakowsky 
follows:]
[GRAPHIC] [TIFF OMITTED] 82355.054 through 82355.055

    [Recess.]
    Mr. Horn. Recess has ended, and we will begin next with Mr. 
Bement, who is the Director of the National Institute of 
Standards and Technology [NIST]--not in the mist, but NIST. 
[Laughter.]
    Dr. Bement. Right. Thank you, Mr. Chairman.
    Mr. Horn. As a little kid, I remembered well the standards 
and your beautiful campus out there.
    Dr. Bement. You are more than welcome anytime, Mr. 
Chairman.
    Thank you very much for giving me the opportunity to speak 
to you about NIST's role in cyber-security. NIST's Computer 
Security Program supports the vision of strong cyber-security 
and its critical role both in homeland security and e-
government. Our agency has specific statutory responsibilities 
under both GISRA and the Computer Security Act of 1987 for 
developing standards and guidance that help Federal agencies 
to protect sensitive, unclassified information.
    Specifically, NIST has published guidance on firewalls, 
intrusion detection, cryptography, public Web servers, and risk 
management. We also conduct computer security research in close 
cooperation with industry and academia. We work to find ways to 
apply new technologies in a secure manner.
    The solutions that we develop are made available to both 
public and private users. This research helps us to find more 
cost-effective ways to implement and address security 
requirements.
    I would now like to highlight a few of our more important 
recent contributions to improve cyber-security in Federal 
agencies. In December the Secretary of Commerce approved the 
Advanced Encryption Standard [AES], as a Federal security 
standard. Within days, commercial firms were announcing 
products that incorporated the AES. It is clear that AES soon 
will be used extensively internationally and be available in a 
wide array of commercial products to protect sensitive Federal 
information. We expect AES will be used daily to secure 
trillions of dollars in electronic transactions and to protect 
sensitive personal, business, and government information.
    The Chief Information Officers' Council and NIST developed 
a security assessment framework to assist agencies with a very 
high-level review of their security status. The framework 
established the groundwork for standardizing on five levels of 
security and defined the criteria agencies could use to 
determine if the levels were adequately implemented. By using 
the framework levels, an agency can prioritize agency efforts 
as well as to evaluate progress.
    Building from the framework, NIST issued a more detailed 
security questionnaire that most agencies use to conduct their 
programmed system reviews. This document provided guidance on 
applying the framework. In addition, the guide provides control 
objectives and techniques that can be measured for each area. 
Many agencies use this to prepare their GISRA responses to OMB.
    NIST also recently formed a team that specializes in 
helping Federal agencies navigate through the dangers of 
cyberspace. The Computer Security Expert Assist Team [CSEAT], 
helps agencies understand how to protect their computer 
systems, how to identify and fix existing vulnerabilities, and 
how to anticipate and prepare for future security threats.
    The CSEAT reviews are also valuable to NIST. They give us a 
firsthand look at how NIST guidance is implemented, helping us 
to improve our products and processes.
    Our new information-sharing Web site for Federal agency 
security practices covers a host of topics ranging from 
contingency planning to network security. Computer security 
professionals from various Federal agencies have contributed 
much of the material on the site. The site also contains the 
best practices for critical infrastructure protection and 
computer security identified by the Federal Chief Information 
Officers' Council. The site is one of the latest additions to 
NIST's Computer Security Resource Center and is one of the 
busiest and most popular spots on the entire NIST Web site.
    Another aspect of our work involves security testing which 
complements security standards by giving users confidence that 
the security standards and specifications are implemented 
correctly in the products they buy. NIST and our Canadian 
counterpart have set up a joint program to help ensure correct 
and secure implementation of unclassified cryptographic 
algorithms and products. Statistics show that 48 percent of the 
modules tested voluntarily under this program have security 
flaws that were corrected during testing. So, without our 
program, the Federal Government would have only a 50/50 chance 
of buying products that correctly implemented cryptography.
    I would like to point out that in carrying out our 
responsibilities under GISRA and the Computer Security Act, we 
consult frequently with other agencies. In particular, we work 
very closely with the Office of Management and Budget. We 
consult with OMB representatives on the Federal Chief 
Information Officers' Council, the Federal Computer Security 
Program Managers' Forum, and the Committee on National Security 
Systems. We soon will serve on the newly formed Committee on 
Executive Branch Information Systems Security. I would like to 
take this opportunity to commend my OMB colleagues for their 
steadfast support in promoting our security standards and 
guidelines with Federal agencies.
    Let me close by emphasizing that our national commitment to 
improved cyber-security must be increased in Federal agencies 
and elsewhere. NIST has a proven track record of success and 
stands ready to play key roles in this and other facets of 
homeland security.
    Thank you very much, Mr. Chairman. I will be pleased to 
answer any of your questions.
    [The prepared statement of Dr. Bement follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.056 through 82355.063
    
    Mr. Horn. Thank you, and we are delighted to have your 
paper in particular.
    We now turn to the Honorable Roberta L. Gross, former 
Inspector General, National Aeronautics and Space 
Administration. I lost track of you. You have been a witness 
here before. When did you leave the Inspector General's 
position?
    Ms. Gross. Saturday.
    Mr. Horn. Saturday? OK.
    Ms. Gross. But your staffer had asked me prior to the time, 
and I had told her that I would be leaving, but we talked about 
I would still come. So here I am.
    Mr. Horn. Great. Well, welcome. So if we could summarize 
your testimony?
    Ms. Gross. Absolutely. I thank you for inviting me to 
testify today on GISRA, and my testimony is obviously based on 
my recent experience as NASA's Inspector General. I served in 
that post from August 1995 through March 2, 2002. I am also 
basing it on my experience as being the former Chair of the 
IGs' IT Roundtable, where we discuss cross-cutting issues 
across the government.
    Last year I, along with a representative of the GAO, 
testified before the Senate Committee on Governmental Affairs 
on a precursor of GISRA, Senate bill 1993. The then-chair of 
the committee, the Honorable Senator Thompson, began his 
opening statement by recounting how time after time the GAO 
kept writing reports, Inspectors General kept writing reports, 
about serious lapses in IT security, deficiencies in IT 
capital, in human resources planning. He observed that over the 
years law after law was passed, regulation after regulation, 
and the issues seemed to reoccur and nothing seemed to get 
better, and it was no wonder, with so many laws and 
regulations, that this Senator rhetorically asked, ``Why are we 
enacting GISRA?'' The answer is that GISRA was needed, GISRA 
has had success, and it can be improved.
    My remarks are going to be divided into three sections: bad 
news--I couldn't be an Inspector General, or former Inspector 
General, without that, right? Good news, next steps, and 
lessons learned.
    During our GISRA reviews and audits at NASA, we found 
problems in each of the six areas highlighted by OMB. I am only 
going to address three of them, using NASA as an illustration, 
and I incorporate by reference my written testimony.
    The three that I would like to use as illustration are, 
one, lack of senior management attention; two, limited programs 
for security awareness and education, and, three, failure to 
exercise oversight of contractor security services.
    While some of the agency's IT practices are more mature 
than those at many agencies, and I notice that NASA got a ``C-,'' 
and they are above one of the yellow lines, NASA management 
has historically been unwilling to recognize and/or fully 
acknowledge the significance of the IT weaknesses and deal with 
them in a timely manner. There are various interrelated reasons 
for that.
    They were engaged, since I have been there, in downsizing, 
funding problems, but also, seriously, an unwillingness of 
middle management or IT security officials to tell senior 
management the extent of the problem, as well as lack of 
reception by senior management to hear about the extent of the 
problem. So that is a good segue into the first problem: 
senior management attention.
    The leaders of all the agencies occupy bully pulpits by 
virtue of their positions. They can regularly remind staff of 
their IT responsibilities and obligations. No cost; talk is 
cheap. What should they be doing?
    They should be addressing their employees in as many forums 
as possible and reinforce that IT security is everybody's 
responsibility. For example, we saw that the former 
Administrator used his office--this is at NASA again--used his 
office as a bully pulpit for safety. Safety was NASA's No. 1 
core value. At senior staff meetings, leadership reiterated 
this value, discussed lessons learned, and tracked programs 
related to safety.
    However, there was no similar attention to IT security, other 
than during the Y2K crisis. Y2K came and went, and senior management attention 
came and went. I hope the new Administrator will use his office 
as a bully pulpit on IT issues.
    Let's talk about the CIO. The CIO also did not utilize the 
bully pulpit to communicate IG findings, and we had the same 
findings over and over again, and NASA agreed to implement our 
recommendations over and over again. They didn't monitor these 
recommendations that they agreed to implement.
    Instead of using the bully pulpit and communicating to the 
staff and saying, ``Don't wait for the IG. Why don't you look 
to see if your systems have similar problems? And here are some 
suggestions that the agency IG recommended. Maybe these will be 
fixes for you.'' This really didn't happen.
    But I do want to point out the good news. Since the GISRA 
report, the CIO has shown improvement in communicating and 
sharing his communications with the OIG about IT 
vulnerabilities we identified in the IT reviews. I used lack of 
communication as one of the reasons why we found material 
weakness for purposes of the GISRA report; the CIO failed to 
use a very low-cost/no-cost forum.
    No. 2, another problem highlighted by OMB, as well as the 
IGs, is insufficient security awareness and training. Civil 
servants and contractors, they all need to have the training 
before being given access to systems. If personnel have more 
responsibilities and higher-level sensitivities to systems, 
they need to have a different kind of training.
    But NASA did not establish 100 percent training 
participation for the targeted groups for all its measures, 
despite the age-old adage: ``You're only as good as your 
weakest link.'' The point is not that you are going to make 100 
percent of your goal, but shouldn't that be your goal? How 
could you have less than 100 percent for people to be trained 
as your goal? Otherwise, you're going to allow and accept weak 
links.
    Our biggest complaint on this training issue was that NASA 
did not have all of its civil servant system administrators 
trained, but even more significant is that they excluded, as 
their performance measure, contractor personnel. Guess what? 
Seventy-nine percent of NASA's systems administrators are 
contractors. Their training is not even measured; they are not 
even tracked in terms of whether they have the appropriate 
training. This is an obvious risk for which NASA did not 
implement compensating controls.
    Oversight of contractor responsibility. Over and beyond 
incorporating IT clauses into contracts, which OMB addressed 
and we address, you still have to make sure that you know who 
these contractors are that you are working with. They have 
wide-range responsibilities. Think about it. They are your 
systems administrators. They purchase and provide desktops. 
They are the ones that safeguard sensitive information. They 
maintain your systems. They put the patches in your system.
    Who are these people? What are they doing? And are you 
overseeing them? Contractor oversight is an area where the 
government needs to be attentive, and certainly NASA does.
    OK, good news. OMB focuses greater cooperation between OIGs 
and CIOs. I do want to say and give credit to two individuals 
who are here. Never say IGs don't say good things about people. 
Glen Schlarman and Kamela White are both here. There's Glen, 
and Kamela, she's hiding over there.
    Mr. Horn. Why don't you speak that back into the mike? They 
didn't quite catch it.
    Ms. Gross. OK. Both Kamela and Glen are here. In forwarding 
their summary report to Congress, they did not try to paint a 
rosy picture, but tried to present an accurate picture, and 
this wasn't always easy because sometimes it looked like the 
IGs and the agencies were reporting on two different worlds.
    I also want to commend them for their steadfast insistence 
that management work with IGs in developing corrective action 
plans. This has been a welcomed increase in cooperation between 
IGs and CIOs. IG after IG reports this.
    Equally important, GISRA brought accountability to the 
heads of the agencies. They had to forward the report. They had 
to forward an IG report as well as the agency report and put 
their name on it. It was their report. No more plausible 
deniability. They couldn't claim they didn't know what the IT 
issues were at their agencies. That was real good.
    OK, next steps, and I'm going quickly--GISRA I think should 
be extended in some form for 2 to 5 years, so that agencies 
will implement agreed-upon changes. In subsequent legislation, 
Congress should consider to allow the IGs to have more 
flexibility in their reporting responsibilities. This year it 
will still be the same, but if you still have to do this kind 
of level of intensity without having additional funding from 
the agency and OMB, you are not going to be able to move into 
other high-risk areas. Unlike when Congress passed the CFO 
audit and most IGs got more resources, that didn't happen for 
GISRA.
    Another suggestion is that there should be a sunset 
provision, maybe in 3 to 5 years, so you can evaluate whether 
this is what you want to do. Are the means overtaking the end? So I 
think a sunset provision is good.
    Another way to ensure greater uniformity is to eliminate 
the act's bifurcation of responsibilities for national security 
programs. Under the act, the agency head asks an outside 
evaluator to come in, look at national security systems, which 
the IG later reviews. NASA's IG's office never got that 
security report in time to review it for the GISRA Act.
    The IGs use, at the least, a uniform evaluation methodology. 
They will either use government standards, PCIE-wide standards 
for reviews, or GAGAS, government auditing standards for their 
audits. This is not always the case. Agency heads bring in 
different people. Who knows what standards they are using? So 
this should be eliminated, and it should be having the IGs do 
100 percent of that.
    These next steps require a focus on agencies' 
infrastructure for reporting intrusions, and also the agencies' 
first-responders. Are they training first-responders? When you 
have a program manager they want to fix the problem. Often 
their fixes may increase the problem. Maybe the intruder is 
still in the network trojanizing the systems. Program managers 
don't always know what they are doing when they fix problems, 
partly because they are not coordinating with law enforcement. 
IGs must look at this, and I think this is an area that 
Congress could look at, to see if the agencies are actually 
implementing law enforcement coordination. The 
Congress passed the USA PATRIOT Act of 2001 to help law 
enforcement with the cyber war. One section allows victims of 
computer attacks to authorize persons acting under color of law to 
monitor trespassers on their computer systems. This provides 
law enforcement with the same authority in the cyber world that 
a police officer has in the normal world if there is a burglary 
in progress. This had to be amended so the monitoring wouldn't 
be considered wiretapping. This is important. I want to commend 
Howard Schmidt, vice chair, President's Critical Infrastructure 
Board. He is working with Richard Clarke. He has initiated 
contacts with NASA's Inspector General's office to help frame an 
OIG-wide response for the victim agencies. NASA, under my term, 
established the first Inspector General's Computer Crimes Unit, 
and Howard was turning to our unit in part because we were 
recognized both nationally and internationally for our 
expertise. It is crucial that OIGs help their victim agencies 
and those agencies look to this monitoring provision. Let's not 
wait for the cyber-attack, the law has already passed.
    Nobody has procedures. I know, because I put a request for 
monitoring into the agency, and it is under review. We need to 
have more sense of urgency for something like this. The law was 
passed because there was an urgent situation. That urgency 
cannot wait for the next attack, and if that is a cyber 
attack----
    Mr. Horn. Let me ask you a minute about this particular 
aspect on the follow up and getting that. Did they use the 
Carnegie-Mellon operation in part or did they use the FBI one?
    Ms. Gross. Carnegie-Mellon is not a law enforcement entity. 
They get information from both the private sector, and 
government agencies. Part of the way Carnegie-Mellon works is 
sharing of information. Although it is not a law enforcement 
entity, they do have a member of the FBI on the CERT. They do 
share information with law enforcement. It goes back and forth, 
but it is not a law enforcement entity.
    The FBI also wanted this Computer Security Act passed. 
They, like any other law enforcement entity needed that in 
order to do the monitoring; consensual monitoring by the owners 
of systems when you know there is a burglary, a cyber burglary 
in process, they can monitor. They needed that provision. 
There are no nationwide or agencywide practices on how to use 
that authority though.
    But, again, remember with the FBI, the FBI has to look at 
the private sector, universities and international entities. 
The group that really looks for their victim agencies is the 
OIGs. Many of them know the agency people; they know the 
systems; they know the programs. You might have a shot at 
figuring out the intent and motive of intruders if IGs are 
involved.
    They have fully qualified law enforcement special agents. 
This is a way of ensuring those much needed protections.
    Right now, you have a focus of the FBI looking at physical 
terrorism. The role of the IGs becomes even more paramount 
because of that. They need to step up to the plate. I would be 
glad to speak more on that. I can wax eloquent on that issue.
    Mr. Horn. We will get to that again, but we will move on to 
Mr. Gorrie.
    Ms. Gross. Yes.
    [The prepared statement of Ms. Gross follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.064 through 82355.072

    Mr. Horn. Robert G. Gorrie is the Deputy Staff Director, 
Defense-wide Information Assurance Program Office, and 
Assistant Secretary of Defense for Command, Control, 
Communications and Intelligence.
    When did you fill that Assistant Secretaryship?
    Mr. Gorrie. No, sir, I am Office of the Assistant 
Secretary. They have that a little backward there.
    Mr. Horn. I see, OK.
    Mr. Gorrie. I conspire to that, though, but----
    Mr. Horn. Well, remind me, who is the Assistant Secretary 
in that area?
    Mr. Gorrie. Mr. Stenbit is, sir.
    Mr. Horn. Mr. Who?
    Mr. Gorrie. John Stenbit.
    Mr. Horn. How do you spell the last name?
    Mr. Gorrie. S-T-E-N-B-I-T.
    Mr. Horn. OK, yes, because I haven't really followed it, 
but in the days of Y2K, until the General occupying the effort 
left, I know there's been sort of up and down under the 
previous administration. I assume Mr. Stenbit, then, is the 
Bush administration?
    Mr. Gorrie. Yes, sir, he followed Mr. Art Money, who was 
the previous ASDC3I.
    Mr. Horn. Well, go ahead.
    Mr. Gorrie. Yes, sir, thank you, Mr. Chairman and members 
of the subcommittee. I am honored to be here and pleased to 
have the opportunity to speak with your committee about lessons 
learned by DOD from assessments we conducted in response to the 
Government Information Security Reform legislation.
    Secretary Rumsfeld, in his testimony last month before the 
House Appropriations Defense Subcommittee, identified six key 
transformational goals for the Department. Leveraging 
information technology to create seamless, interoperable 
network-centric environments is one of those foundation 
transformational goals.
    However, as our dependence on information networks 
increases, it creates new vulnerabilities, as adversaries 
develop new ways of attacking and disrupting U.S. forces. In 
recognition of this dichotomy, the Secretary established the 
protection of U.S. information networks from attack as another 
foundation transformational goal.
    Emphasizing that transformation is not an event, Secretary 
Rumsfeld described it as an ongoing process or a journey that 
begins with a transformed leading-edge force. Mr. Stenbit, the 
DOD CIO, is committed to support our transformation by 
providing the power to that information leading edge. To do 
that, he established three goals for his supporting efforts of 
Mr. Rumsfeld, and one of those is making the exchange of 
information available on a network that people depend and 
trust.
    Now all of these goals in large measure are influenced by 
our ability to provide information assurance to the edge and 
throughout the entire information enterprise. Our senior 
leadership's stated commitment to these goals is testament to 
the importance placed on information assurance within DOD.
    The Department initiated work on its 2001 assessment in 
January 2001. The former DOD CIO, Mr. Art Money, established an 
IA Integrated Process Team to lead the assessments. In 
addition, the DOD IG ensured that independent audits were 
performed to assess and test DOD programs and policies for 
effectiveness and compliance with the law and other policies, 
procedures, standards, and guidelines.
    The analysis of the system-specific data and the responses 
to the OMB questions indicate that DOD has good IA policies, 
practices, and procedures in place, but needs verification of 
compliance. Without a capability to enforce and properly audit 
IA policy compliance, it is difficult to ensure that all 
systems operate based on up-to-date procedures and proper 
configurations.
    Based on the data analysis, however, it is evident that 
even for those systems lacking accreditation, most have robust 
IA measures in place and programs with high IA awareness. DOD 
has a strong foundation in IA that will be expanded and more 
fully developed as that program matures.
    Without question, though, the biggest single lesson learned 
during the conduct of GISRA 2001 was the problems associated 
with our Security Certification and Accreditation Program. 
Compliance is a major issue. However, stricter audit and 
enforcement of DITSCAP, which is our Defense Information 
Technology Security, Certification, and Accreditation Program, 
stricter audit and enforcement of that will not necessarily 
rectify the problem. Non-compliance is more a symptom of the 
complexity of that process and the clarity of its implementing 
policy. These problems were previously identified, but 
definitively confirmed in the GISRA 2001 assessment.
    That certification and accreditation policy is undergoing 
dramatic modification in policy as well as in implementation. 
The DOD policy governing DITSCAP will streamline the 
certification and accreditation process and provide better 
clarity on definitions and responsibilities. DOD is also 
pursuing the use of automated tools to ease the documentation 
burden on security and systems administrators. The combination 
of these two efforts should significantly improve our ability 
to conduct certification and accreditation and, as a result, 
improve compliance.
    DOD, through the Defense Information System Agency, has 
also aggressively implemented comprehensive connection approval 
programs for both our Non-Secure and Secret Internet Protocol 
Router Networks, the SIPRNET and the NIPRNET. These programs 
have initial and subsequent periodic validation of network 
certification and accreditation as a precondition for 
connection to the network, and this will serve as a valuable 
compliance control mechanism to make sure that those programs 
are fully carried out.
    The DOD IG identified oversight and review of IA policy 
implementation and programming of funds and resources to 
support IA as areas requiring attention in the last GISRA 
assessment. Conduct of worthwhile oversight and review of IA 
policy implementation requires not only an established process, 
but also relevant and current IA policy. As mentioned in the IG 
report, DOD Directive 5200.28 was, or still is, our current 
security policy, but that happened to be written in 1992 and 
was woefully out-of-date.
    In its place, DOD is issuing a series of new IA directives 
and instructions to accommodate a more complex IA environment. 
The capstone directive is in formal coordination now within the 
Department and will be released soon. Other supporting 
directives have recently been released or will be released 
later this year. The responsibilities established in these 
directives are clear and concise, as are the management 
controls associated with the policies.
    Oversight of budgets and programming to support IA is one 
of the functions of my office, the Defense-wide Information 
Assurance Program Office. We are now reviewing, with all the 
DOD components, the services, and the agencies, IA budgets and 
programs during their development to coordinate efforts across 
the Department and to check for policy implementation. 
Subsequent to that, we conduct reviews to match the resource 
allocations and expenditures with the original plans to make 
sure that they match.
    Now, those were the things we noticed during regular GISRA. 
However, there were some procedural lessons learned that we 
also developed. One, as was mentioned previously, was to work 
closely with the DOD IG in the conduct of GISRA. Unfortunately, 
during last year's GISRA, we weren't able to do that because of 
time constraints and previous scheduling problems with the DOD 
IG. They looked at one small population of DOD systems, and we 
looked at another population. Optimally, we would have looked, 
both we would have done an assessment of DOD systems and then 
the IG would have come behind us and audited the same systems 
to verify the veracity of the information that we were getting.
    Because of that, DOD's Fiscal Year 2002 GISRA assessment 
efforts will focus on three particular areas. One is review of 
selected systems from 2001, and then we will go in and take a 
look at the major DOD networks, and also the third part of that 
is the departmental response to OMB IA management process 
questions.
    Approximately 168 systems from the 2001 assessment will be 
reviewed. The second area of this year's effort will focus on a 
random sample of major local, wide, and metropolitan DOD area 
networks.
    Then the final area in 2001 will be the response to the OMB 
IA management questions. OMB has indicated that the questions 
will be similar to those in the 2001 assessment, and will 
encompass all aspects of IA throughout the Department, from 
training and awareness to response capability. As DOD 
components conduct their assessments, the DOD IG will audit the 
subset of the 168 systems from last year, again, as I said 
before, to verify compliance and the veracity of the 
information that we collected.
    We in DOD find the GISRA assessments as a valuable tool. 
Combined with other assessment tools we have--for instance, the 
Joint Chiefs of Staff Joint Monthly Readiness Reviews, the 
Commanders-in-Chief's Integrated Priority Lists, Mission Need 
Statements, and other requirements documents--we are better 
able to discern what actions and direction are needed to be 
taken to sustain our IA posture and to transition to a more 
robust posture. Having identified these necessary actions and 
directions, we were able to better coordinate more effectively 
our oversight and coordination of the Department's IA budgets 
and the entire enterprise-wide program.
    That's it, sir.
    [The prepared statement of Mr. Gorrie follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.073 through 82355.079

    Mr. Horn. Thank you very much. I want to ask you about the 
role of Mr. Stenbit. Now he is Assistant Secretary for the 
three C's--Command, Communications, and what else is it?
    Mr. Gorrie. Command, Communications, and Control and 
Intelligence.
    Mr. Horn. Control and Intelligence?
    Mr. Gorrie. Yes, sir, and he is also the DOD CIO.
    Mr. Horn. Yes. Now is that too much for one person to 
handle?
    Mr. Gorrie. No, sir. Actually, it is probably a pretty good 
combination because not only does he see or oversee the policy 
and the budgetary parts of IT within the Department, but then, 
again, as the CIO of DOD, that gives him a more pervasive view 
not only of the programming and budgeting aspect and bringing 
new systems on board, but getting into the daily operational 
things that go on within the Department.
    Is it too big of a job to handle? No. I mean, he obviously 
has staff to deal with his CIO functions and also with his 
Assistant Secretary functions, but to have that all brought 
together in one person is valuable, because you get to see not 
only the policy development and also the procurement side of 
it, but also the operational side of it.
    Now there are people who would disagree with that and say 
that we should split this function and have a separate DOD CIO 
and a separate Assistant Secretary for Command, Control, 
Communications and Intelligence. The jury is still out on that. 
I don't personally subscribe to splitting those 
responsibilities, but until I become the Secretary, I won't be 
able to make that decision, sir. [Laughter.]
    Mr. Horn. Well, I would like a little table with little 
boxes as to how many people we have for those various 
functions. I have gone through this with another agency 5 or 6 
years ago. They piled everything onto what Congress had said 
about Chief Financial Officers, Chief Information Officers, and 
the thrust of that was to get somebody of high-rank that we 
could get in the private sector or in the executive branch out 
of the Senior Service. We just looked at it, and not much was 
happening because the poor soul was overloaded.
    So I would like a chart at this point in the record. 
Without objection, it will be put there. So if you and 
everybody else can give us one, just so we can see the picture 
of who's helping and how many are helping and addressed to 
this?
    Mr. Gorrie. Yes, sir.
    And if I might add one other reason why I don't think you 
necessarily want to separate those functions is because the 
level--if you split those functions, I don't know that 
necessarily the level of importance of the person holding that 
job would carry enough sway within the Department to have 
influence. At the Assistant Secretary level--and, actually, I 
think it should be at the Under Secretary level, but, again, I 
am not in a position to make that call--there is enough 
leverage there, and they have enough influence and the ear of 
the Secretary of Defense to make things happen. If you split it 
and diluted it, that might not necessarily be the case.
    Mr. Horn. I have great admiration for the Secretary of 
Defense. I remember, going back about seven administrations, 
one person had about 12 of the functions we now have Assistant 
Secretaries hold. As you know, he did a very fine job. But when 
we have troubles in this area, where we haven't had it yet up 
where they can get a C, B, or A in looking at the computing 
operation, it just means we have got to focus on that and not 
be waylaid by all the other things that are very important.
    Mr. Gorrie. Yes, sir.
    Mr. Horn. OK, so we now have our last presenter, Chief 
Information Officer Karen S. Evans of the U.S. Department of 
Energy.
    Glad to have you here. When were you appointed? I see 
January 28th.
    Ms. Evans. Yes, sir, just 6 weeks ago.
    Good morning, and thank you for this opportunity to appear 
today to address the very important issue of improving the 
security of our Federal information systems. I was named the 
Department of Energy's Chief Information Officer 6 weeks ago, 
on January 28, 2002. As the CIO, I believe that effective cyber 
security is a balance of managed policies, procedures, 
technology, training, and people. It is also a major enabler of 
our Department's information technology initiatives, especially 
our e-government initiatives.
    My remarks today focus on the implementation of the 
Government Information Security Reform Act, improvements in the 
Department's cyber security infrastructure, and our plans for 
further strengthening our cyber security posture.
    GISRA provides a comprehensive framework for establishing 
and ensuring effectiveness of security controls over 
information resources that support Federal operations and 
assets. Secretary Abraham submitted the Department's first 
annual security review last September. This committee 
established grading criteria, and the Department received an 
``F.''
    The scoring acknowledged that we were either complete or in 
the process of implementing 9 of 10 areas. Our raw score was 
71. The score was weighed against weaknesses identified by our 
previous Department Inspector General and the Office of 
Independent Oversight and Performance Assurance audits and 
assessments. Our final scoring was lowered to 51.
    Since the passage of GISRA, the Department has taken an 
active leadership role to further strengthen its cyber security 
posture. First, we developed and incorporated an enterprise-
wide perimeter defense strategy to reduce the number and the 
severity of successful attacks. Analysis reveals that while the 
overall threat from virus and malicious code increased, the 
number of successful intrusions diminished. Virus and malicious 
code incidents dropped from 60 in fiscal year 2000 to 39 in 
fiscal year 2001, a 35 percent reduction. In addition, while 
probes and scans escalated over 2,000 percent from fiscal year 
1999 to 2001, unauthorized access and Web defacements 
diminished by over 50 percent.
    In addition, we have trained 6,200 managers and cyber 
security staff in the last year alone, and are continuing an 
aggressive training and awareness program, so that every 
Department member is aware that cyber security is an integral 
part of his or her job.
    Like many other government agencies, we still have a long 
way to go, but we have an excellent foundation on which to 
build. We recognize the importance of cyber security as a 
management issue. Our goal is to give line management the 
authority to determine how to implement policy, because it is 
in the best position to assess the appropriate levels of 
protection.
    Our Performance Improvement Plan and Performance Report 
Card provide a clean remediation road map for those program 
offices with GISRA-identified deficiencies, and our sites have 
made significant progress toward their elimination.
    Today I am pleased to announce additional cyber security 
initiatives. First, I will focus initially on developing and 
implementing a Department-wide certification and accreditation 
process to ensure that our unclassified information systems 
comply with departmental cyber security policies. Our 
Certification and Accreditation Program will establish a 
Department-wide process to certify that an information system 
or a site complies with documented security requirements, and 
that the program will continue to maintain an accredited 
security posture throughout the system life cycle.
    Processes such as certification and accreditation are 
insufficient without adequate risk-management and configuration 
management directives. The Department has identified some 
shortcomings in its approach in both areas, and I am committed 
to developing directives in these areas.
    The Department is also committed to protecting our national 
critical and mission-critical assets. As one of the first five 
agencies to complete the Critical Infrastructure Assurance 
Office Project Matrix Step One, we now have a comprehensive 
list of our most critical assets, which we used to focus our 
enhanced protection efforts.
    In addition, I am committed to implementing a robust, 
independent validation and verification process to provide an 
additional objective level of assurance regarding the 
continuity of operations for all of Department of Energy's 
mission-critical cyber assets.
    The Department has also initiated a renewed IT capital 
planning process to manage the cost of acquiring and 
maintaining IT assets. We are improving that process to ensure 
the seamless integration of security into each system's 
lifecycle costs. Although each of these efforts is only a part 
of our cyber security program, together they are effective 
tools to protect the Department's critical information assets. 
They will also serve as enablers for our electronic government 
efforts.
    I am intent on making the Department a national center of 
excellence for safeguarding classified and unclassified 
information on electronic systems. This will be accomplished 
through three objectives: strengthening the Department's cyber 
security community, ensuring a Department-wide risk-based 
approach to cyber security implementation, and enhancing 
protection of our internal cyber assets, especially our 
nationally critical and mission-critical assets.
    As CIO, I have been given programmatic authority to provide 
management oversight of the Department's cyber security program 
through the use of information technology capital planning and 
investment process. Our Performance Improvement Plan and 
Performance Report Card clearly communicate the status of 
identified issues of concern. This plan builds upon the 
foundation provided by GISRA and fosters solution-sharing 
within the enterprise.
    Our performance metric program provides us feedback on key 
elements for a healthy cyber security program. I am moving 
forward to strengthen our approach to risk and configuration 
management; implement a comprehensive certification and 
accreditation process, and an independent validation and 
verification process. With these initiatives, I am confident 
that the Department will continue to strengthen its cyber 
security posture.
    Success in this area takes continued and focused efforts 
due to the increasing complexity of threats and the rapid 
evolution of technology. We at the Department are committed to 
meeting this challenge.
    Mr. Chairman, this concludes my statement, and I would be 
happy to answer any questions.
    [The prepared statement of Ms. Evans follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.080 through 82355.087

    Mr. Horn. Thank you very much. We appreciate your 
presentation.
    We are now going to go down the line for a few questions. I 
would like all of you to give us some information on them.
    The question basically is, are there adequate standards and 
known best practices to implement an effective information 
technology security program, especially for the CIOs, as to 
where that source is. Is it OMB? Is it GAO, so forth?
    Mr. Dacey.
    Mr. Dacey. Let me answer that question at two levels. I 
think we have some guidance at GAO with respect to overall 
security management programs. I have included that as best 
practices from leading organizations for security management 
programs and for risk-assessment.
    With respect to more detailed controls, I think there isn't 
consistent information out there. There is a lot of good 
information in industry, and there is a lot more being 
developed. I would say that NIST, a combination of NIST and the 
NSA, through the NIAP, another organization, and some others, 
are starting to develop more detailed policies. These have been 
received fairly well for those who are trying to implement 
security in their systems. So it is, again, at two levels: one 
at the management level and one at the detailed standards 
level.
    Mr. Horn. Mr. Forman.
    Mr. Forman. I think the focus is wrong there. I think there 
are a plethora of standards, best practices tools. I think you 
have got to go beyond the United States and look at what the 
U.K. has done and other countries.
    The reality that we are working in, the environment that I 
am trying to bring about here, has to operate as fast as the 
Internet. Traditional bureaucratic processes simply will not 
give us the security we are looking for. We have--and I will 
lay out some of the elements of the puzzle--threat data 
aggregation, NIPC at the FBI, FedCIRC for the Federal 
Government, CERT at Carnegie-Mellon, the SANS Institute, the 
National Security Agency, organizations within the Defense 
Department.
    So if there is a threat on the Internet and it moves at 
Internet speed, by the time any one of these organizations 
finds out about it and puts out an alert, you or I may hear 
about it on WTOP coming into the office in the morning. That is 
a day.
    We are talking about, on the other hand, an annual process 
with GISRA. We are moving to a quarterly process to oversee the 
management by the President's Management Council for Security 
Management. At once I feel, yea, finally, after for me 12 years 
of trying to get management attention, we've got the management 
attention; we've got a terrific set at both the policy levels 
and the technology levels of standards from NIST, from NSA, 
from DOD, and others. Those standards are adequate to do what 
we need to do for the management policy, but they are 
inadequate to address some of the major issues within the 
Internet in regards to vulnerabilities.
    We need to look at how we put in place a process, not 
standards. If, in the end, we want fast identification of 
threats, fast remediation of vulnerabilities, we need to make 
sure that we are providing for that infrastructure. I fear the 
path we are going on right now is identifying people who are 
accountable, identifying visible sets of metrics and are they 
following them? If so, the potential exists to ignore the fact 
this stuff is moving in hours or days, not months, quarters or 
years.
    In essence, this is what we are trying to bring about with 
the Critical Infrastructure Protection Board. The process needs 
threat data aggregation. It needs vulnerability assessment. We 
have to make some decisions as a country about the remediation 
and deployment of remediation. In other words, is that going to 
be industry-driven or government-driven? I fear that the type 
of structures we put in place for Y2K, from a bureaucratic 
standpoint, won't work now.
    So, clearly, all of that is evolving, and we are working 
through that. But, by the same time, there is this issue of 
enterprise security issue, and that has been the focus of 
GISRA. That has been the focus of many people at this table as 
well as many of our staff in the back for well over a decade. 
There we have made the progress.
    I would rather see the focus being on, ``What do we need to 
be successful at Internet time'' than, ``How do we continue 
down this path of enterprise security management in a 
bureaucratic process?''
    Mr. Horn. You mentioned that there were certain nations 
that would seem to be ahead of us in some of these areas. Could 
you give us a feeling for that?
    Mr. Forman. I wouldn't say necessarily ahead of us in the 
sense that they have done a better job, but had some perhaps 
more complete or some accepted standards. I think the U.K. was 
one of those. I know when I was at IBM, we used the U.K. 
standard for our security audits that we did in a number of 
industries. Since then, of course, NIST has, I believe, widely 
recognized, has put together a much broader set of standards 
from the technology level to the management level, which now 
many of the CIOs adopted. We didn't have that 2 years ago.
    Mr. Horn. Dr. Bement, how do you feel about what's 
happening abroad that we might use in our own administration?
    Dr. Bement. Well, in this area I think our current 
standards and accepted best practices are current and will put 
us in good standing, but it's very dynamic. The technology is 
changing rapidly. So we have to continually review these 
standards. Also, our risk models need to be changed as we get 
new threat information. So we have to keep on top of that.
    But we have cross-cutting alliances with Canada, with the 
U.K., and many other countries in the work that we do.
    Mr. Horn. How about Australia?
    Dr. Bement. Pardon me?
    Mr. Horn. How about Australia? Or New Zealand? I mean, 
they've got a particularly different government.
    Dr. Bement. I think all the members of the Coordinating 
Committee are very closely coupled with the work that we do, 
and Australia, New Zealand, Canada, the U.K. would be included 
in that.
    I feel that, apart from the standards and the best 
practices, and again we're going to come right back again to 
training, awareness, high-level oversight and compliance, there 
has to be enforcement of compliance. There has to be critical 
monitoring, and, of course, people really have to continually 
keep on top of the changes, as Mr. Forman mentioned. I think 
those are the critical issues.
    Mr. Horn. Moving to another country before we finish that 
part of the question, India produces a tremendous number of 
very talented people that relate to computing.
    Dr. Bement. Yes, that is correct.
    Mr. Horn. What do we know about India's Government? Many or 
most of the people probably come to the United States. I don't 
know if they are within the Government of India, but do you 
have any thoughts on that?
    Dr. Bement. I don't know that NIST has strong interactions 
with India and I don't know that we have a number of citizens 
from India working at NIST. We may have some. But I am 
certainly aware of the fact that industry looks to the talent 
and the capabilities in India and draws on that very actively. 
Of course, we also interact very much with industry. So 
indirectly we probably do have some connections.
    Mr. Horn. Ms. Gross----
    Dr. Bement. Oh, Mr. Chairman, may I ask a privilege?
    Mr. Horn. Sure.
    Dr. Bement. I have another hearing in 15 minutes, and if I 
may, I would like to be excused.
    Mr. Horn. Fine, and if we have a couple of questions, we 
will send them to you, and we will put them in the record at 
this point.
    Dr. Bement. I would be pleased to respond to those. Thank 
you.
    Mr. Horn. Fine. Thank you.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.088 through 82355.089

    Mr. Horn. Ms. Gross, how do you feel about, are there 
adequate standards and known best practices to implement an 
effective information technology security program?
    Ms. Gross. I think there are a number of standards that are 
developing and, if implemented, would make our systems safer. I 
think you have to talk about human capital. You can have all 
the policies and all the procedures, but, ultimately, security 
is a matter of layers. It is policies; it is procedures; it is 
having the right people. If you don't have the right person as 
the CIO, you don't have the right people in law enforcement. It 
doesn't matter that you have an NIPC if the people there are 
not technical agents or they don't have technicians that know 
what they are doing.
    You can't have this vision of reacting to Internet speed 
unless you make sure that, in fact, you have the human capital 
in place. We need to start reacting with Internet speed; about 
making sure we have the right people in the right places. I 
think you can get your layers of policies and procedures, but I 
am not sure we have been good about sharing best practices. You 
have organizations like SANS to give out some and so does OMB.
    I think this focus needs to be done. What are those best 
practices? You can't have that many ``F's'' and say that we 
have people that know what best practices are or know what the 
right procedures are, or don't have the right people in place.
    Mr. Horn. How about your thoughts, Mr. Gorrie?
    Mr. Gorrie. Standards and best practices, yes, sir, there 
are standards and best practices out there, and we use them, 
but they have to be tailored to specific environments. You just 
can't run out willy-nilly and pull them out of the blue. The 
NIST guidance for evaluating systems, NASA, NIST, security 
configuration, guidance for operating systems, they're all 
good, but you have to bring them in and build them into your 
own system and then evolve your own system along the way.
    To just elaborate a little bit on what we heard about human 
capital, the training of people and the problems we have 
associated with that, people turning over and leaving the 
service and things like that, that is really more symptomatic 
of a deeper problem. That is again what was alluded to before, 
which is the velocity of the technology.
    In order for us to be able to track that velocity or track 
that technology as it moves forward, you are constantly having 
to retrain people, constantly having to modify operational 
techniques and procedures to keep up with that. However, as we 
look at that technology as it progresses along, we find that, 
in the terms of my boss, it isn't born secure, that security 
isn't built in from the beginning. That is what needs to be 
done, not only the technological security, the crypto-
algorithms, the built-in entries and detection and things of 
that nature, but also a systemic view where you have to have 
security management built into it, too. It can be a very, very 
secure box, but if you can't put it in the system and be able 
to manage all these disparate security devices, then you're 
sort of barking up the wrong tree.
    I think Mike Vatis, when he testified before your committee 
last September, sort of alluded to that problem, that it is not 
necessarily the training of the people; it is not necessarily 
the operational techniques that you employ; it is looking ahead 
to where technology is going and to try to track it. Now that 
is only part of the problem. You can track technology and try 
to build in security later, but the better part would be to 
engineer in security at the front, and not only the security 
technology, but to enable it to be managed effectively.
    Because today we have applications that are point-click, 
and before you used to have to sit down forever and a day to 
program these things out. What we need is security and security 
management that is also point and click, which would remediate 
some of our training problems, would remediate some of our 
operational problems, and go a long way to making this big bear 
of information security a little bit easier to tame.
    Mr. Horn. Two weeks ago I was talking about various things 
with members of the NATO Assembly. Of course, you have a lot of 
problems in terms of the various countries in the Eastern part 
of Europe. I wonder, is the CIO role of Mr. Stenbit, do they 
relate to NATO and different things, where we do a lot of 
computing?
    Mr. Gorrie. Yes, sir. As a matter of fact, one of the 
reasons I am here today, and not my boss, is that he is in 
first--not China, somewhere in the Far East, and then going 
down to Australia and New Zealand. But there is a very large 
international play in the ASDC3I and in the CIO, too.
    One, interface with the five I's, which are the five 
English-speaking nations, the United States, the U.K., Canada, 
New Zealand, and Australia. But then even further than that, in 
through all the NATO subcommittees that we sit on, and then the 
Partnership for Peace People, and all the other people that it 
is expanding to, and then actually to even third-party 
countries to make sure that, when we need to go somewhere, that 
we have not only infrastructure support, but infrastructure 
support that has high availability, security, and some 
confidence that there isn't anybody prowling around in that 
infrastructure.
    Mr. Horn. On Y2K, and now on this, where computing is a 
major factor, it comes up under Department of Defense, and they 
didn't do too well overall. When they have a lot of other 
things there besides the services. My instinct was that the Air 
Force was way ahead of the father, namely, the DOD, and we 
would have been giving them an ``A'' and still giving a ``D'' 
to the other groups, like Logistics and Procurement.
    I just wonder, is there a way to get the pressure so that 
the services that are doing well with CIOs--and maybe my 
instinct is wrong; you're on top of it, but I just think 
sometimes we ought to put the ``A's'' there if they are doing 
``A'' work.
    Mr. Gorrie. I don't know if I can address that, sir. I 
mean, I work with not necessarily the CIOs, but their IA 
underlings. I don't know if I am qualified to answer that 
question.
    Mr. Horn. Well, if you could get me an answer, I would like 
to know that----
    Mr. Gorrie. Yes, sir, I will.
    Mr. Horn [continuing]. Because we ought to see the 
breakdown by the services and make sure that they are moving 
along on a path, and they aren't just off in a corner.
    Mr. Gorrie. From that particular perspective, sir, at least 
as far as IA goes, and that is my area of responsibility, so 
the only thing that I can talk to, you have each of the 
services--at least about 3 years ago, when I was on the Joint 
Staff, there were certain services that excelled in particular 
areas. For instance, the Air Force was far ahead of the Navy 
and the Army in terms of its ability to do intrusion detection, 
consolidated intrusion detection, across the enterprise. Such 
is not the case now. They have pretty much become even-keeled, 
because of the sharing of best practices and being able to go 
in and audit the capabilities for the individual services to do 
those things and then to apply resources for those services and 
actually prod them along to come about a little bit better.
    Things like information assurance vulnerability alerts, 
where we find out that there is a particular vulnerability in a 
piece of equipment or piece of software, those things are 
starting to become enterprise-wide endeavors, and not strictly 
limited to the services. The services have realized that in 
order to be successful in this world, that they have to 
exercise enterprise-wide solutions and not just limit them 
strictly to services, because they are all vulnerable. They all 
ride the basic backbone network. They all, both security and 
non-secure, know that if they are going to succeed, that they 
have to cooperate, and by and large they are cooperating.
    So from that perspective, the IA perspective, I do not see 
a great disparity in the capability of either the Air Force, 
the Army, or the Navy, or, as a matter of fact, across any of 
the agencies. We have endeavored, like I said before, to try to 
enforce enterprise-wide solutions rather than stovepipe 
solutions within the services.
    Mr. Horn. If you would, just for the record, on IA, could 
you spell it out?
    Mr. Gorrie. Information Assurance. I'm sorry, sir.
    Mr. Horn. OK, and that's your office basically?
    Mr. Gorrie. The Defense-wide Information Assurance Program 
Office, yes, sir.
    Mr. Horn. Yes. Is that the way most of the agencies have----
    Mr. Gorrie. Federal agencies or?
    Mr. Horn. Yes, Federal.
    Mr. Gorrie. I don't know that. The DIAP, or Defense-wide 
Information Assurance Program Office, was mandated in 
legislation, and I can't think off-the-top-of-my-head what that 
was, but it was in 1998, where the Secretary was told, ``You 
will have a defense-wide information assurance program,'' and a 
year after that's when the office that I belong to was formed. 
Now whether or not that is as pervasive across all of the other 
Federal agencies, I can't speak to that, sir.
    Mr. Horn. OK, thank you. That was Secretary Cohen that put 
that mandate in.
    Mr. Gorrie. Yes, sir.
    Mr. Horn. Yes, well, he was very knowledgeable in that 
area, as a Member of the Senate.
    Ms. Evans, any thoughts on best practices? Because you have 
put a lot of emphasis on it.
    Ms. Evans. Yes, I did. It is my opinion that we do have 
adequate standards and that there are best practices available 
today for a good security program. In many cases a lot of the 
best practices are obtained currently from our National 
Laboratories, and they are being used by other Federal 
departments and agencies.
    The Department itself does use the NIST standards best 
practices for our own classified systems, and we use the 
Committee on the National Security Systems for best practices 
for our classified systems. But I believe to have an effective 
security program, it is a discipline that needs to be practiced 
every day, and it has to be incorporated into the daily 
operations.
    So a lot of the comments that have been made by my esteemed 
colleagues here I support all the way down the line, in that as 
a CIO I need to incorporate that for the Department as a whole, 
so that it is practiced on a daily basis, so that we can effect 
remediation in Internet time, when a vulnerability is 
identified.
    Mr. Horn. Well, thank you. That is very helpful.
    Let me ask just a few more questions, and then we will call 
it a day.
    Ms. Gross----
    Ms. Gross. Yes?
    Mr. Horn [continuing]. You've got a very active record, 
through the President's Council on Integrity and Efficiency, in 
helping both the agencies and Inspectors General implement 
the--excuse us. [Bells are ringing.] How many minutes? Ten? It 
is 9 minutes to go.
    You can see you are about to be released by the votes. This 
would be a great place if it wasn't for all the votes, you 
know. [Laughter.]
    You have given us some very good testimony. So, Ms. Gross, 
helping both the agencies and the Inspectors General implement 
the government information security reform provisions, I was 
just interested; you have been active in this. You have helped 
in that. What challenges do you see for Inspectors General 
expanding their annual evaluations to encompass all agency 
systems?
    Ms. Gross. I think the challenges for the Inspectors 
General are to make sure that there is implementation with 
agreed-upon recommendations, but I think a wider perspective 
than just the narrow, let's do the next GISRA report, which is 
very time-consuming and very resource-intensive, is to make 
sure that they are focusing on issues governmentwide. I think 
that it is very important that the individual Inspectors 
General go back into the PCIE, which is the IGs' group, and 
look to see both best practices and also look to see about how 
can they help. Since the President is going to have an 
initiative with e-government, IGs need to make sure that 
information will be available, that it will be secure, and that 
it will have integrity. Unless the IGs move out governmentwide 
and look past their own agencies, I think we are going to have 
a problem. So that would have been my thrust.
    Mr. Horn. Well, thank you.
    Mr. Forman, has your office considered imposing mandatory 
security standards and requirements on Federal agencies?
    Mr. Forman. Requirements we have; we will continue to do 
that, and we will tighten that up. Standards we rely on NIST, 
under the Computer Security Act for Federal information 
processing standards.
    There is another area where some people would call them 
standards, but they are architecture elements that are agreed 
upon. They are not technology standards at the NIST or FIPS 
level. For that, we have orchestrated--and I have actually done 
some changes in my role as directing the CIO Council. We have 
the Architecture Committee, which focuses on this. Lee Holcomb, 
the CIO at NASA, chairs it. John Gilligan, who had been 
chairing or co-chair of the Security Committee is now co-chair 
of the Architecture Committee. It is through that I believe we 
can be most successful.
    There is a final element, which is, how do we get patches 
out rapidly when major threats are identified? That is an area 
where we need to rapidly get in touch with at least 40,000 
people. So I am making increasing use of FedCirc for that.
    Mr. Horn. Well, I want to thank the following people that 
prepared this hearing: J. Russell George, staff director and 
chief counsel, standing-up back there; and Bonnie Heald, deputy 
staff director; Claire Buckles, on my left, a very fine 
professional staff member on loan to us. And thank you.
    Earl Pierce, professional staff, isn't here today, and then 
Justin Paulhamus, majority clerk, is with us doing a great job. 
He just came in with us. And Michael Sazonov, subcommittee 
intern, and our court reporter, Joan Trumps. Thank you very 
much, and thanks to all of you.
    If we might, I think we will send you a few questions, and 
put them at this point in the record.
    So, unfortunately, I have got to get over there and vote. 
We are adjourned.
    [Whereupon, at 12:01 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]
    [Additional information submitted for the hearing record 
follows:]