<DOC>
[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:85840.wais]

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

85-840 PDF ______ 2003

COORDINATED INFORMATION SHARING AND HOMELAND SECURITY TECHNOLOGY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY AND PROCUREMENT POLICY
of the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
JUNE 7, 2002
__________
Serial No. 107-182
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

BENJAMIN A. GILMAN, New York            HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland          TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut          MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida            EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York                PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California                PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                   CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia               ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio              ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                       DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                     ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                    DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                     JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia                  JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania       THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                    JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                      WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida                 DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho             STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia             ------
JOHN J. DUNCAN, Jr., Tennessee          BERNARD SANDERS, Vermont
JOHN SULLIVAN, Oklahoma                 (Independent)

Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director

Subcommittee on Technology and Procurement Policy

THOMAS M. DAVIS, Virginia, Chairman

JO ANN DAVIS, Virginia                  JIM TURNER, Texas
STEPHEN HORN, California                PAUL E. KANJORSKI, Pennsylvania
DOUG OSE, California                    PATSY T. MINK, Hawaii
EDWARD L. SCHROCK, Virginia

Ex Officio

DAN BURTON, Indiana                     HENRY A. WAXMAN, California

Melissa Wojciak, Staff Director
Victoria Proctor, Professional Staff Member
Teddy Kidd, Clerk
Mark Stephenson, Minority Professional Staff Member

C O N T E N T S
----------
Hearing held on June 7, 2002
Statement of:
    Harman, Hon. Jane, a Representative in Congress from the State of California
    Sugar, Ronald D., Ph.D., president and chief operating officer, Northrop Grumman Corp.; Leonard Pomata, president, Federal Group, webMethods, Inc.; S. Daniel Johnson, executive vice president, public services, KPMG Consulting, Inc.; and Kevin J. Fitzgerald, senior vice president, government, education & healthcare, Oracle Corp.
    Yim, Randall, Managing Director, National Preparedness Team, General Accounting Office; Mark Forman, Associate Director, Information Technology and E-Government, Office of Management and Budget; Robert J. Jordan, Director, Information Sharing Task Force, Federal Bureau of Investigation; George H. Bohlinger III, Executive Associate Commissioner for Management, Immigration and Naturalization Service; and William F. Raub, Ph.D., Deputy Director, Office of Public Health Preparedness, Department of Health and Human Services
Letters, statements, etc., submitted for the record by:
    Bohlinger, George H., III, Executive Associate Commissioner for Management, Immigration and Naturalization Service, prepared statement of
    Davis, Hon. Thomas M., a Representative in Congress from the State of Virginia:
        Briefing memo
        Prepared statement of
    Fitzgerald, Kevin J., senior vice president, government, education & healthcare, Oracle Corp., prepared statement of
    Forman, Mark, Associate Director, Information Technology and E-Government, Office of Management and Budget, prepared statement of
    Harman, Hon. Jane, a Representative in Congress from the State of California, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
    Johnson, S. Daniel, executive vice president, public services, KPMG Consulting, Inc., prepared statement of
    Jordan, Robert J., Director, Information Sharing Task Force, Federal Bureau of Investigation, prepared statement of
    Pomata, Leonard, president, Federal Group, webMethods, Inc., prepared statement of
    Raub, William F., Ph.D., Deputy Director, Office of Public Health Preparedness, Department of Health and Human Services, prepared statement of
    Sugar, Ronald D., Ph.D., president and chief operating officer, Northrop Grumman Corp., prepared statement of
    Yim, Randall, Managing Director, National Preparedness Team, General Accounting Office, prepared statement of

COORDINATED INFORMATION SHARING AND HOMELAND SECURITY TECHNOLOGY
----------
FRIDAY, JUNE 7, 2002

House of Representatives, Subcommittee on Technology and Procurement Policy, Committee on Government Reform, Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Thomas M. Davis (chairman of the subcommittee) presiding.

Present: Representatives Tom Davis of Virginia, Jo Ann Davis of Virginia, Horn and Turner.

Also present: Representative Harman.

Staff present: Melissa Wojciak, staff director; George Rogers, Uyen Dinh, and John Brosnan, counsels; Victoria Proctor, professional staff member; Teddy Kidd, clerk; Todd Greenwood and Nick Vaughan, interns; Mark Stephenson, minority professional staff member; and Jean Gosa, minority assistant clerk.

Mr. Tom Davis of Virginia. We have Members moving to take their seats. We're going to start with Members' statements. Good morning. I want to welcome everybody to today's oversight hearing. After September 11th, there's been a sea change in the mission of government. The first priority of the Nation has become homeland security. To win this fight, the government must be able to detect and respond to terrorist activity. We also must be ready to manage the crisis and consequences of future attacks, to treat casualties, and to protect the functioning of critical infrastructures. Thus, defending America in the new war against terrorism will require every level of government to work together with citizens and the private sector. More than ever our success is dependent upon collecting, analyzing and appropriately sharing information that exists in data bases, transactions and other data points. Effective use of accurate information from divergent sources is critical to our success in this fight. Indeed as the President said last night in his speech to the Nation, ``Information must be fully shared so we can follow every lead to find the one that may prevent a tragedy.'' The President spoke with vision about our Nation's titanic struggle against terrorism and the triumph of freedom over fear. I applaud his leadership in asking the Congress to create a Department of Homeland Security.
I'll be working with our colleagues to enact legislation to meet his call. I believe the proposed Department of Homeland Security will greatly assist information sharing by reorganizing the government along the more rational strategic lines that will more efficiently pursue homeland security. The new Department will be a customer of the FBI and the CIA and will be able to analyze, diffuse and disseminate information to Federal, State and local agencies, the private sector and citizens. However, integration of the information systems and practices of the agencies to be consolidated into the new Department will be a prime concern, as will the new information-sharing relationships that will evolve between the Department of Homeland Security, the FBI, the CIA and other agencies. I'm also heartened to see that the plan for the new Department of Homeland Security includes flexible acquisition policies to encourage innovation and rapid development of critical technologies. This concept is at the core of H.R. 3832, the Services Acquisition Reform Act that I recently introduced. I look forward to discussions with the administration to further redefine the legislation and move forward the new Department. Today's hearing continues the subcommittee's oversight of the barriers to robust information sharing, both within and between agencies. In February of this year, we reviewed some of the management initiatives and technology acquisitions needed to ensure that stovepipes of knowledge and a lack of coordination between agencies would not compromise homeland security. While new funding for procurement of products and services is certainly needed if the government is going to effectively modernize, share information and win the war against terrorism, we should also continually measure the results of the government's efforts. When it comes to the war on terrorism, Americans are not asking for more spending; they are asking for more spending that works. 
Unfortunately, as witnesses in the February hearing revealed, there has not been an organized, cohesive and comprehensive process within the government to evaluate private sector solutions to the problems of information sharing and homeland security. Many technology firms with expertise to address homeland security matters have indicated that they are having a hard time getting a real audience for their products. Addressing the acquisition challenges to achieve homeland security must be a priority so that we can begin to leverage America's competitive advantage in IT innovation for the benefit of all Americans. After the February hearing we introduced legislation to facilitate private sector innovation by establishing an interagency team of subject matter experts to issue major announcements seeking unique and innovative anti-terror solutions. These experts would also screen and evaluate innovative proposals for industry and send them to the proper Federal agencies for action. This legislation would also launch a program offering monetary awards to companies with the best and most cutting-edge terror-fighting solutions. In addition, it would establish an acquisition pilot program to encourage agency professionals to creatively use streamlined authorities and waivers to buy commercial, off-the-shelf solutions with immediate impact on homeland security. In this hearing I look forward to hearing from the agencies and leading companies represented for their insights into how programmatic changes, management initiatives and technology acquisitions can contribute to the better sharing of information and the achievement of the homeland security mission.

[The prepared statement of Hon. Thomas M. Davis follows:]

[GRAPHIC] [TIFF OMITTED] T5840.001-T5840.002

Mr. Tom Davis of Virginia. I now yield to my ranking member, Mr. Turner from Texas, for his opening statement.

Mr. Turner. Thank you, Mr. Chairman.
I appreciate the good timing of the hearing that you called this morning, and I join with you in commending the President on his initiative to create a new Cabinet-level position for homeland security. As you know, there has been legislation pending in the Congress which I have supported to accomplish that, and I think that the President's initiative will be well received, and I look forward to the work that our committee will have the opportunity to do in refining that proposal. We all know that the attacks of September 11th have created the greatest challenge our Nation has faced in its history, and the sophistication and fanaticism of al Qaeda and similar organizations no doubt represent a challenge that all of us must work together to address. I appreciate all of our government agency witnesses here today, as well as the private sector witnesses who have come. One of the common complaints that I've heard from the private sector business folks during the last few months is that they go to the Office of Homeland Security, and they present their ideas and offer up various proposals, and yet they never hear anything, and obviously part of that problem exists because of the lack of authority in the Office of Homeland Security. The President's reorganization effort will, I think, resolve that, and we will be on our way toward utilizing the best that the private sector has to offer in the war on terrorism. I think the American people have been quite tolerant and forgiving of the intelligence failures that led to the tragic events of September 11th, but I have no doubt that we will be all held accountable in the event of another similar event. And so it is up to us to put our shoulder to the wheel, both in the government sector, as well as to bring in the best assistance we can find from the business community to be vigilant, prepared and to address the threats that we face. 
Responding to the challenge requires, I think, new thinking, thinking out of the box, new methods, new technologies. All of this can be provided if we build a good, strong working relationship with the powerful forces of the private sector in this country, and I look forward to working with the chairman to accomplish that. And, again, I thank our witnesses for being here today. Thank you, Mr. Chairman.

Mr. Tom Davis of Virginia. Thank you, Mr. Turner. Mrs. Davis, any statement? Mr. Horn. The gentleman from California is recognized.

Mr. Horn. Thank you, Mr. Chairman. This is a very important hearing. My Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations has been holding a series of field hearings on how effectively the Federal Government is helping State and local agencies prepare for another terrorist attack. We started in Nashville, and we've done a few more: Phoenix, Albuquerque, Los Angeles, San Francisco. Witnesses from local agencies in each of these cities have said that intelligence sharing and their ability to communicate with other local and Federal agencies are among the very leading concerns. These are the men and women who will be on the front lines should another attack occur. We must do everything possible to ensure that they're equipped with the best information possible so that they can effectively and efficiently protect and serve the American people, and I would like to, Mr. Chairman, put in the record a letter that Mr. Shays and myself sent to Mr. Sensenbrenner, the chairman of the Committee on the Judiciary, with the bill we put in, H.R. 3483, the Intergovernmental Law Enforcement Information Sharing Act of 2001. Mr. Burton is very supportive of this, and Mr. Shays and myself, Ms. Schakowsky, Mrs. Maloney, so forth, and if I might put that in and----

Mr. Tom Davis of Virginia. Without objection, it will be put in the record.

[The prepared statement of Hon.
Stephen Horn follows:]

[GRAPHIC] [TIFF OMITTED] T5840.003-T5840.005

Mr. Horn. Because whatever you'd like to put on language, we don't have a big ego about this, we just want to get the job done.

Mr. Tom Davis of Virginia. Well, thank you very much, Mr. Horn. The subcommittee is now going to hear testimony from our first panel. We have Mr. Randall Yim, the Managing Director of the National Preparedness Team at GAO; Mr. Mark Forman, a frequent contributor to this subcommittee's work, the Associate Director of Information Technology and E-government at OMB; George Bohlinger, the Executive Associate Commissioner for Management at INS; Dr. William Raub, the Deputy Director, Office of Public Health Preparedness at HHS; and Mr. Robert Jordan, the Director of the Information Sharing Task Force at the FBI. I appreciate everyone being here. It's the policy of this subcommittee that all witnesses be sworn, so if you would stand with me and raise your right hands.

[Witnesses sworn.]

Mr. Tom Davis of Virginia. Thank you very much. Mr. Yim, why don't we start with you and move straight down the line. Your total testimony is going to be--is a part of the record, so it's in the record. What I'd like you to do is try to use 5 minutes to hit your key points. There's a light in front of you. When it turns orange, you have a minute to try to hit your 5 minutes and try to keep it moving along. Most of the Members have read the total testimony, so our questions are kind of ready, but we'd like you to hold it to 5 minutes. Mr. Yim, thank you for being with us.

STATEMENTS OF RANDALL YIM, MANAGING DIRECTOR, NATIONAL PREPAREDNESS TEAM, GENERAL ACCOUNTING OFFICE; MARK FORMAN, ASSOCIATE DIRECTOR, INFORMATION TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET; ROBERT J. JORDAN, DIRECTOR, INFORMATION SHARING TASK FORCE, FEDERAL BUREAU OF INVESTIGATION; GEORGE H.
BOHLINGER III, EXECUTIVE ASSOCIATE COMMISSIONER FOR MANAGEMENT, IMMIGRATION AND NATURALIZATION SERVICE; AND WILLIAM F. RAUB, Ph.D., DEPUTY DIRECTOR, OFFICE OF PUBLIC HEALTH PREPAREDNESS, DEPARTMENT OF HEALTH AND HUMAN SERVICES

Mr. Yim. Thank you very much, Mr. Chairman and members of this committee. Thank you for inviting me to share information with you about the critical need for information sharing, and integration of new and existing technologies, and to an effective strategy for homeland security. Although there are many players in this complex arena of homeland security, we all share the same goal, to make our great Nation more secure against terrorists and to prevent tragedies such as September 11th from ever occurring again. This will be a formidable task, since it will be very difficult to stop an enemy that is fluid, less structured and deliberately tries to blend into the background with our Federal, State and local governmental institutions that are more highly structured and less agile, making it all the more important that our governments adopt the innovative and creative tools of government that are flexible and have adaptable characteristics. We could never be 100 percent secure or 100 percent prepared, but we can be better prepared. Everyone cannot do everything, and everyone cannot and should not do the same things. Instead we must augment, foster, develop and maintain what particular governments do best, what the private sector and local communities do best and integrate these efforts through our national strategy. To fashion such a strategy, we'll need to identify those key enablers to the creation and implementation of the strategy. Clearly better information sharing and IT architectures are one of the most critical enablers, and expanding and adapting our sizable advantages in technology and research and development, using our positive asymmetries effectively against the asymmetric threats posed by terrorists will be a key enabler.
We must overcome roadblocks that have been identified, such as protection of proprietary and sensitive information, including information that may adversely affect business value and financing, legal barriers such as antitrust and liability concerns, jurisdictional and turf issues such as those being highlighted in the current exploration of stovepiping in intelligence and law enforcement communities, and format and architecture mismatches to prevent sharing and interconnectivity even when people want to share. And we will need to identify an investment strategy that maximizes the use of our finite human and fiscal capital resources so our strategy is both affordable and sustainable, and we need to begin now since our threats are now. This means we cannot, unfortunately, wait to and only design new architectures from scratch, but we must assess what we currently have; assess what others have done and what they are doing when facing problems that share characteristics with our fight against terrorism; determine how we can adapt and refine existing or analogous mechanisms; and also consider good old-fashioned low-tech and common-sense solutions and solutions that rely on the smarts of our citizens and government leaders. And finally, we have to acknowledge that any national strategy lacking measurable objectives, measurable performance indicators and accountability mechanisms will not be sustainable. There is no doubt that there is more than one way to accomplish these goals. The GAO has focused upon the factors relevant to the decisionmaking process and some of the emerging and best practices that may be adaptable to the homeland security mission. It is important not only to do things right, but also to do the right things. This means we have to get the right information to the right people at the right times, and we also have to do the right things with that information.
So we will need an integrating strategy that makes sense of the information that separates the relevant few from the general noise, that helps us to find the relevant needles in the haystack that spur us to take further action to prevent, interdict and respond to terrorists; and we have to do this in ways that are already familiar to State and local and private sector first responders so that we don't start from scratch, and consider adaptive use of programs that are already integrated into State and local and private sector response mechanisms, that complement rather than become additional burdens, because we all know that we are asking these people to undertake significant homeland security tasks in addition to their other duties and responsibilities, all with finite human and fiscal resources. Some good examples of effective use of information in new technologies exist, and more are beginning to emerge. We've illustrated some of these for you in the one-page handout that we've distributed for you today. For example, computer intrusion detection systems constantly try to monitor deviations from, ``normal background,'' to detect potential threats. The same know-how can be applied to airline data bases, energy supply and infrastructure monitoring systems, cargo container tracking or manifest systems, all to try to detect anomalies from a, ``background that may be an indicator to spur further action.'' Increasing use of digitized information, the power of digitization, integrating satellite-derived digital imagery with digitized maps of critical infrastructure and computer modeling to provide gaming simulations to guide preparedness or predict attacks or identify vulnerabilities. 
These models could even help us determine what types of data needs to be collected now, not only once, but consistently over time, to develop trends that would help us establish a background, and models could also be used to perhaps assign responsibilities to different jurisdictions or Federal agencies for detection and prevention. We will need not only, thus, to rely on new technologies, such as advancements in biometrics and devices to detect biological and radioactive agents in hidden locations, such as within cargo containers, but also adaptive use of existing technologies as well as common-sense and low-tech approaches. Above all, we will need to foster and augment and stimulate creative tools of government, combinations of high and low tech in ways we might not have imagined. Who would have thought that one of our most effective weapons in Afghanistan would have been 21st-century airplanes and smart weaponry guided to their targets by the cavalry on horseback? Mr. Chairman, this concludes my statement, and GAO is pleased to assist in whatever way we can.

Mr. Tom Davis of Virginia. Thank you very much.

[The prepared statement of Mr.
Yim follows:]

[GRAPHIC] [TIFF OMITTED] T5840.006-T5840.030

Mr. Davis of Virginia. Mr. Forman, thanks for being here.

Mr. Forman. Good morning, Mr. Chairman, Congressman Turner and members of the subcommittee. I thank you for your leadership in holding hearings on information sharing and knowledge management issues for Federal agencies in the wake of the terrorism attacks. The President's announcement last night demonstrates that the administration considers homeland security to be a top priority. The enterprise architecture and e-government initiatives I'll discuss today will assist in accomplishing this mission. As you know, many Federal agencies are engaged in homeland security efforts that will require sharing information. Associated with that are many IT projects that are overlapping or redundant, when we need them to be integrated and unified. For example, there are eight law enforcement case management systems among our largest IT investments.
To ensure investments improve operational performance across agencies, the President proposed in the fiscal year 2003 budget request the creation of an information integration program office known in the budget as the Homeland Security Information Technology and Evaluation Program within the Department of Commerce's Critical Infrastructure Assurance Office. I'll discuss five key barriers that need to be addressed for finding, tracking and responding to terrorist threats. Creating the Information Integration Program Office is critical to overcoming these barriers. The first impediment concerns agency culture. Agency cultures reflect long-standing roles and responsibilities. Homeland security activities affect roles and responsibilities that cut across jurisdictions of Federal, State and local government organizations. Barriers associated with insular agency cultures will be overcome by providing a sustained level, high level of leadership and commitment, establishing an interagency government structure and giving priority to cross-agency work. Second, citizens must trust the security and privacy of the government. Achieving a secure homeland must be accomplished in a manner that builds trust, preserves liberty and strengthens our economy. Agencies are currently building strong controls into both e-government and homeland security systems. OMB will monitor agency security and privacy performance, as I've noted in previous statements before this subcommittee. Third, a major obstacle is a lack of funding for initiatives that cross agency boundaries. Funding is provided in a manner that matches long-standing departmental silos. We are seeing this issue as we've tried to obtain funding for cross-agency e-government initiatives and the Information Integration Program Office. We have recommended approaches such as greater Appropriations Committee attention to cross-agency issues. A fourth difficulty is stakeholder resistance.
The Federal Government is not structured for undertaking cross-agency initiatives. These initiatives threaten traditional concepts of accountability and responsibility. Stakeholder resistance will be minimized by timing performance evaluations to cross-agency success and having members of the President's Management Council work collectively on initiatives. The Information Integration Program Office will also assist in this regard. Fifth and finally, the lack of a Federal enterprise architecture hampers efforts to communicate across business lines. Agencies generally buy systems that address internal needs, and rarely are those systems able to interoperate or communicate with people in other agencies. A common integrated business and technology architecture will help to organize these systems and the information they contain in order to retrieve, analyze and act upon information. The Federal Government requires business processes that allow for a comprehensive approach to prepare for, mitigate and respond to terrorist activities. It's critical to have the Information Integration Program Office design interagency business and information architectures that will support this interagency access to information. OMB and the Office of Homeland Security are currently defining a baseline of homeland security-related activities that serve as components in the Federal business reference model. The baseline lists those problems, constraints and gaps within the government's information and data base and recommends actions to address those gaps; additionally will identify modular and reusable IT capabilities and ways to configure it to support key homeland functions and the lines of business. As noted in the President's budget, e-government projects have significant impact on homeland security efforts, and today I'd like to discuss three of those projects. 
Project SAFECOM will identify and implement solutions that enable interoperability for public safety communication across all levels of government. Additionally, the administration's Geospatial One-Stop will build a distributed infrastructure that enables use of seamless, standardized geographic and geospatial data. Third, the administration's disaster management e-government initiative will be the authoritative one-stop shop for end-to-end information and services related to Federal disaster management activities. Improving our interoperability with State and local partners is a key piece of the President's management agenda for e-government and for homeland security. In conclusion, the administration is focused on identifying, locating and establishing mechanisms to share across government the information required to protect the Nation's border and to prepare for, mitigate and respond to terrorist activities. The President's budget noted that we need to focus these efforts on two measures of success: First, accelerating response time, and second, improving decisionmaking quality. I appreciate the opportunity to brief you today on how we are integrating the work and results of homeland security enterprise architecture and e-government initiatives.

Mr. Tom Davis of Virginia. Thank you very much.

[The prepared statement of Mr. Forman follows:]

[GRAPHIC] [TIFF OMITTED] T5840.031-T5840.038

Mr. Tom Davis of Virginia. Mr. Bohlinger.

Mr. Bohlinger. Morning, Mr. Chairman and members of the committee. I appreciate the opportunity to participate in your continuing review of information sharing and knowledge management between and among Federal agencies in the war against terrorism.
Since September 11th, we at the Immigration and Naturalization Service have seen the unprecedented sharing of data and knowledge among Federal agencies. Under the direction and leadership of the Attorney General, all components of the Department of Justice have stepped up efforts to coordinate information and improve data sharing in the common effort to prevent terrorism and disrupt its sources. The INS is clearly one of the core agencies that requires enhanced information-sharing capabilities. Just as we need to tap into additional external sources of data to support our enforcement and intelligence functions, so can the data we collect be crucial to other law enforcement and intelligence communities. Consequently, we are deeply involved in efforts to overcome the barriers to the appropriate and secure exchange of data and, just as importantly, the conversion of data to useful information that supports clear operational objectives. The INS has worked on important data-sharing initiatives in both the pre- and post-September 11th periods. As early as 1985, INS was sharing vital information with the U.S. Customs Service. Other data-sharing programs have been under way for some time with the Department of State, the U.S. Marshals Service, the FBI and the Social Security Administration. INS also assists State and local law enforcement through its Law Enforcement Support Center. We also verify immigration status for State and local benefit-granting agencies, some employers and some State driver's license bureaus. However, in all of these data-sharing initiatives, we have to be sensitive to established regulatory, statutory and policy constraints in the routine and customary use of information by other agencies. While making information available to other entities, security, privacy considerations and appropriate user access are primary considerations. 
The management principle guiding INS's approach to development of information systems is to build a sound strategic foundation. INS has established important mechanisms to address this principle internally. Our initial contribution to a governmentwide effort is to assure that our own information environment is sound and interoperable. Our formal enterprise architecture and technical architectures are nearing completion. Additionally, our information technology investment management process ensures that IT investments are spent wisely and coordinated among INS components. In doing so, we are mindful of the relationships that we must support with our technical enhancements while integrating our business objectives and developing technical solutions. The development and prioritization of clear and integrated Federal law enforcement in intelligence mission requirements is an undertaking that must be completed quickly. Only when these are clearly articulated can industry assist us meaningfully in applying the best technical solutions. Some of the most compelling progress that I have seen in recent months has been the formalization of the planning and management processes that must occur if the wide array of Federal, State, local and private entities are to achieve the level of information sharing that we all desire. This will ensure that we first define what our operational objectives should be, identify the data and data sources needed to support those objectives, and then apply the appropriate technological solutions to deliver that information. This leads to the crucial task of examining the barriers that may inhibit or otherwise thwart full partnership between public and private sectors in coming together in the war against terrorism. Barriers come in two forms, human and technological, and they manifest themselves three ways, through cultural, organizational or resource approaches. 
Like many of my colleagues, I have met with representatives from the private sector who have proffered technologically based products and solutions to any number of counterterrorism-driven prevention, detection and mitigation scenarios. Their sincerity and commitment are of the highest order. Unfortunately, in many instances, they perceive the Federal Government as an unresponsive bureaucracy. Some have suggested that the Federal procurement process may be to blame. However, I believe it would be a mistake to look at the procurement process as the sole culprit. If clear requirements can be formulated, many procurement alternatives are available that can fulfill our needs while ensuring broad participation by industry. Without well-defined requirements, even the best solutions stand little chance of effective and timely application. Encouraging the private sector to participate in problem solution through the request for information as well as other processes prior to the initiation of a formal procurement makes good sense. This will preserve a fair and open procurement process enabling the government to make best use of America's technological superiority and the creative problem-solving resources in the private sector. In summary, we in the Federal Government must establish and employ standards for information sharing between and amongst ourselves and further fully define our mission requirements or needs. Then we can take advantage of the wealth of existing technology solutions that currently exist within Federal agencies and corporations. This will enable us to develop solutions that better balance our openness to new ideas with applications that directly address our needs. Thank you, Mr. Chairman, for this opportunity, and I appreciate the opportunity to appear with you--before you and the committee. Mr. Tom Davis of Virginia. Thank you very much. [The prepared statement of Mr. 
Bohlinger follows:] Mr. Tom Davis of Virginia. Dr. Raub. Mr. Raub. Morning, Mr. Chairman, Mr. Turner, members of the committee. I appreciate the opportunity to represent the Department---- Mr. Tom Davis of Virginia. Push your button there. Mr. Raub. I appreciate the opportunity to represent the Department of Health and Human Services and describe our activities related to the theme of the hearing this morning. With your permission, Mr. Chairman, I'll submit my prepared statement for the record and make only a few comments now. First has to do with the item on our perception of barriers to achieving homeland security. With respect to bioterrorism and other aspects of public health emergencies, we believe we face formidable problems, but that none of them are intrinsically insurmountable. We don't believe that we can anticipate every threat scenario, but we do believe that with a strong, sustained and closely coordinated effort among public health, medical, scientific and technological communities, we can develop the basic capabilities we need to respond effectively. On pages 3 and 4 of my prepared statement, I summarize five fundamental functions that a local community must be able to do if it is able to respond effectively to bioterrorism or some other public health emergency. All five of those functions currently are doable with current knowledge and current technology. Doing any one of them is hard. Doing all five is very hard. Doing all five in every community in the country is daunting. But that's, in fact, what we're attempting to do. We have a vigorous effort under way and our State and our local partners are responding enthusiastically to this.
The President and the Congress for this fiscal year have provided more than $1 billion for this purpose, and we have moved very quickly to mobilize it. Moreover, the President is requesting more than $1.5 billion for the similar purpose in fiscal year 2003. We have in place cooperative agreements with every State and other eligible entities. We are well along with them in their work plans for use of these funds. These plans focus on particular targets, things we call critical benchmarks and critical capacities, and the watchwords for all of this are speed, flexibility and accountability; speed in getting the money out, flexibility in giving the State and others considerable discretion in how they address the benchmarks we've set out, but also accountability, because at the end of the day, unless we have measurable milestones and objective evidence of enhanced preparedness, we will not have met the charge of the President and the Congress. My second area of comment has to do with information technology and its applications in that in every one of those five fundamental functions and many other aspects of public health, information technology is absolutely central to public health preparedness. I'm talking about electronic communications, computer-manipulable data bases and about statistical and analytical software. The information technology community has presented us with a wealth of tools and, in fact, is way ahead of our ability to apply them right now. In some States in this Nation, the public health capabilities are already linked by high-speed Internet connections with substantial computer systems supporting them. In other public health departments in our Nation, there are no computers. There are no Internet connections. There are rotary telephones, and case reports arrive by postcard. We have a substantial effort in front of us to reduce the variance in this. 
Our immediate challenge is to choose judicially amongst the information technology options available to us as a community with respect to the effectiveness for our immediate and longer-term purposes, the efficiency and the economy with which we can deploy them, and, most of all, achieving the interoperability. Unless these systems link at every level from the fundamental connections to the operating systems, to the applications programs, we will fail in achieving the kind of true public health system we must achieve. Our Centers for Disease Control and Prevention has promulgated a set of information technology standards. It's been adopted by our other agencies and is being used in our efforts with not only State and local health departments, but also hospitals throughout the United States. As this effort evolves with our State and local partners, we look forward to our and their collaborations with the information technology industry as we can catch up and make more effective use of what's available and as they proceed to offer us a still richer array of capabilities for us. Thank you, Mr. Chairman. Mr. Tom Davis of Virginia. Thank you very much. [The prepared statement of Mr. Raub follows:] Mr. Tom Davis of Virginia. Mr. Jordan. Mr. Jordan. Good morning, Mr. Chairman and members of the subcommittee. My name is Bob Jordan, and I serve as the head of the FBI's Information Sharing Task Force.
I welcome this opportunity to meet with you today about the status of the FBI's information-sharing initiatives within the Bureau and with other government agencies for homeland defense purposes. The FBI is an organization in change. Not only are we structurally different, but in very fundamental ways Director Mueller has revamped our approaches to counterterrorism and prevention. Since September 11th, we have seen massive shifts in our resource deployments. Our missions and priorities are being redefined to better reflect the post September 11th realities. As an agency we are committed to devoting whatever resources are necessary to meet our prevention mission and continue to sustain a dramatically enhanced worldwide counterterrorism effort. A substantial component of this approach is information sharing not only at the Federal level, but also within the entire law enforcement and intelligence communities. Over the last several years, much has improved, but this seemingly simple issue is actually a complex myriad of technology, legal policy and cultural issues. Since the tragic events of September 11th, this single issue critical to public safety is receiving the sustained high-level attention necessary to ensure that everything that can be done is being done. In that regard, I'm happy to say that the spirit of collaboration and willingness to exchange data has never been stronger or more pronounced than it is today. Many of the legal and policy impediments that kept us from more fully exchanging information in the past have been or are now being changed. The Patriot Act has greatly improved our ability to exchange data within the Intelligence Community and across law enforcement. 
In addition, the Attorney General's recent directive to increase coordination and sharing of information between DOJ, FBI, INS, Marshals Service and the Foreign Terrorist Tracking Task Force on terrorist matters and to establish secure means of working with State and local officials are major milestones in improving our information-sharing and collaboration efforts. Equally important, the difficult technology challenges we all face are on top of everyone's list. This is especially so at the FBI. Under Director Mueller's leadership, the FBI on every front is hard at work carrying out the Attorney General's information-sharing directive. Within the FBI, Director Mueller has taken on the challenge of improving information sharing and has directed FBI executive management to develop every means necessary to share as much information as possible with other agencies, as well as State and local law enforcement. Years of experience have demonstrated that joint terrorism task forces, JTTFs, have proven to be one of the most effective methods of unifying Federal, State and local law enforcement efforts to prevent and investigate terrorist activity. There are currently 47 JTTFs. We are working expeditiously to establish JTTFs in each of our 56 field offices. As recently as 1996, there were only 11 of these task forces. The creation of JTTFs this year is resulting in an expanded level of interaction and cooperation between the FBI and our Federal, State and local counterparts. Among the full-time participants in JTTFs are INS, Marshals Service, Secret Service, the FAA, Customs, ATF, State Department, Postal Inspection, IRS, Department of Defense and U.S. Park Police. State and local agencies are heavily represented. Information is also being shared with the Transportation Security Administration and the U.S. Coast Guard.
The FBI has a long tradition of exchanging unclassified information with Federal, State and local law enforcement agencies on warrants, fingerprints, forensic information and watch lists. The last few years have seen dramatic increases in the exchange of specific case-related information, due in large part to the proliferation of JTTFs. Now we are improving our sharing of classified information again through such mechanisms as the JTTFs. Director Mueller has undertaken several initiatives that directly enhance the FBI's information-sharing capacities. All of these efforts are designed around the recognition that post-September 11th, the FBI has adopted both a new focus and priorities that recognize that a substantial investment is being made in prevention. A few examples include Director Mueller has named Lewis Kay, who is currently chief of the High Point, North Carolina, Police, to be the FBI's Assistant Director for Law Enforcement Coordination. Our Office of Intelligence is now part of the FBI's organizational structure. The FBI has undertaken major recruiting and hiring initiatives to bring into the FBI private sector IT experts who can greatly assist our sizable IT projects. We have a new Records Management Division that has been established, and the FBI is detailing personnel to other agencies and vice versa to ensure that information is shared and understood within our agencies. These efforts are particularly critical to programs like our National Infrastructure Protection Center, the Counterterrorism Center at CIA and others. Information security is a significant issue in these initiatives. We must balance our desire to share information as freely as possible with the need for the security of information. I'm going to go to the last part of my comments here. The FBI's future ability to deter and prevent crimes requires the use of current and relevant IT.
We have several critical initiatives under way to upgrade the FBI's IT infrastructure and investigative applications. Funding for these programs is essential to provide our investigators and analysts with IT resources and tools. That concludes my prepared remarks, Mr. Chairman. I'll be happy to answer any questions. Mr. Tom Davis of Virginia. Thank you very much. [The prepared statement of Mr. Jordan follows:] Mr. Tom Davis of Virginia. The subcommittee is pleased to have Representative Jane Harman from California sit in with us today, and I would ask unanimous consent to allow her to give a statement and participate in a hearing. Hearing no objection, the gentlelady from California is recognized. STATEMENT OF HON. JANE HARMAN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA Ms. Harman. Thank you, Mr. Chairman, and Mr. Turner and members of the subcommittee. I'm delighted to be here, and I want to commend you on your perfect timing. So far as I can tell, this is the first hearing on a critical piece of the homeland security subject to be held following the President's dramatic, bold and courageous announcement of last night. Good work. Mr. Tom Davis of Virginia. Thank you. We saw it coming. Ms. Harman. I also want to say about you, Mr. Chairman, that we go way back. You know, the Smith-Amherst Axis is pretty powerful, but also we represent communities that have some of the fastest growing tech communities on the planet. In my case, my district in southern California has a very large aerospace base. I know yours does, too, but I think mine is bigger. No competition here.
It's diversified, and a lot of the aerospace companies--in fact, we're going to hear from one later--have large IT businesses. I would like to, if you don't mind, welcome one of my constituents who will testify on your second panel, Ron Sugar, who is the president and chief executive officer of a tiny little firm called Northrop Grumman, and that is an example of the diversification that I'm talking about. I just wanted to make a few points. First, I am late and I apologize, because I was one of 10 Members of the House and Senate who was at the White House meeting with the President and Governor Ridge today to talk about next steps in the turf and other battles related to unfolding this new Department of Homeland Security. I thought it was a very constructive meeting, and I think that this topic that you are exploring today is absolutely central to an effective homeland security effort, and the effort to put more functions into one department is related, does have a relationship to the need to improve information sharing. It's not that it's a magic answer. It's not that all the information sharing we need will happen inside the borders of the Department of Homeland Security. Obviously other departments are represented here, and they need to share, too. But it is that this is a critical piece of the reason why we need to do this Department of Homeland Security. Let me just touch on three issues, and I'll just summarize my testimony. First is procurement. As I mentioned, I represent a huge IT base in the South Bay of Los Angeles. Lots of the firms there, both aerospace and nonaerospace, have developed critical technologies that we need for a successful homeland security effort, and they don't really know how to access the Federal Government, how to learn about what's needed, and how to conform whatever products they make and services they render to what's needed. 
And we have tried hard to find places in the Federal Government that should be the right places to access, like the Technical Support Working Group, TSWG, at DOD, and that effort, for example, has a very capable leader, John Reingrubber, who came to Los Angeles to meet with members of these firms. But his group has been overwhelmed by requests, and there's no possible way that one place in the Defense Department can handle all of the needs. I want to commend you for H.R. 4629, of which I am a cosponsor, and I know that legislation would create a body responsible for receiving and routing technology proposals to the right government agencies. I think that's a good start. I think we need that regardless of the need to create the Department of Homeland Security. But as you know, none of this is easy. The new organization would have many bureaucratic challenges, need to recruit staff and so forth. Nonetheless, I think it is an important thing that we consider your legislation, and I strongly support it. The second issue is data integration. I think, again, both the government and private witnesses understand this. Example: The Intelligence Community needs to be able to access information in any agency and to search multiple data bases for common themes. Looking backward in hindsight is always better. Wouldn't it have been great if we could punch in ``flight training'' and ``Moussaoui,'' just two random ideas, and have multiple hits in FBI reports, the CIA watch list, FAA rosters? When you talk about connecting the dots, you talk about data integration, and we need work on our data integration processes, and in that regard I think this new analytical capability that the President is proposing for the Office of Homeland Security is a terrific idea. Even this morning the press was asking about, well, what about the CIA and the FBI and all of the other agencies? Isn't this duplication? Or shouldn't they be pulled into all of this? And my answer is, yes and no. 
Yes, it's duplication. Another set of eyes, an analytical capability focused on homeland security to make sure that we do connect the dots and that our threat condition warnings are as accurate and informational as possible is a great idea. The no is that, no, we don't need to move the FBI and the CIA someplace else. They have important functions which they should still continue to perform. But at any rate, data integration is a big deal. Final comment is on public-private partnerships, and, again, Mr. Chairman, I want to commend you and Mr. Turner and the others for all of the work that you do. It was true sometime back that we had and could afford separate industrial bases, a defense industrial base and a commercial industrial base. We invested huge amounts of money in government R&D. A lot of the most critical technologies that we employ across the board now, like GPS, were invented by the government, and with all affection for Al Gore, the Internet was invented by the government. But nonetheless, it is now true that we can no longer afford separate industrial bases. We need one industrial base with both commercial and government application, and most of that base does presently reside and should reside in the private sector, and that is why it is so critically important that we leverage private sector technologies for government uses. In many cases the government can serve as an information clearinghouse, sharing best practices and reports. The Cyber Security Information Act, H.R. 2435, is a good example of this. But it is also true that the government has to find better mechanisms to leverage technologies. The future of homeland security will depend on whether we do this well, and I have no doubt that our second panel will talk about how best to do that. 
I just want to commend you one more time, and it's the last time I'm planning to flatter you this week, no matter what, for your enormous leadership and your partnership on a bipartisan basis with those of us in this House who have focused on this issue for a long time. I think that this is the future, and I'm very happy that you let me participate in your hearing. Thank you. Mr. Tom Davis of Virginia. Well, thank you, and you keep talking that way, you can come to any of our hearings. [The prepared statement of Hon. Jane Harman follows:] Mr. Tom Davis of Virginia. Thank you very much, Ms. Harman. Let me just say your leadership on a number of these issues has been very, very important to our coalition in the House, and I'll continue to value your advice, expertise and leadership as we move through this. So thank you very much for being here. I'm going to start the questioning with Mrs. Davis. We'll do 5 minutes around the first time. Then we'll move to Mr. Turner and back and forth. Mrs. Jo Ann Davis of Virginia. Thank you, Mr. Chairman, and thank you, gentlemen, for being here to testify this morning. Sort of in conjunction with what my colleague from California said, I believe she stated that she has a lot of private IT companies that don't know how to access what the Federal Government needs, and in that regard are your agencies or your departments, are they inundated with private sector security technology proposals, No. 1? And two, do you believe you have the staff qualified to sort out what would be useful and what would not be useful? And do you have the procedures in place to accomplish your goals? Any of you? Do you want to start, Mr. Yim? Mr. Yim. Yes. I think one of the concerns that the GAO has is how will the variety of technical solutions be evaluated.
I think a lot of agencies would be deluged with proposals, and do we have effective mechanisms to assess the viability efficacies of that? The GAO has undertaken a pilot project working with the National Academy of Sciences to evaluate, for example, emerging biometric techniques. So even though we may not have the expertise in-house, although we have substantial expertise in-house, we wish to augment that with the significant scientific base provided by the National Academy, and that is one model I think that we could pursue. Mr. Tom Davis of Virginia. Anyone else? Mr. Forman. I'd like to speak a little bit about the framework that was laid out in the Clinger-Cohen Act. I really don't think the problem at this point is with the procurement work force in terms of staffing requirements. I think the problem, as was indicated, is in the requirements definition. You know, the issue of how we bring technology in the government has been going on for several decades and is--just as the Congresswoman stated, a shift from the government being at the leading edge of technology to being significantly behind commercial industry technology led to several rounds of legislation. Most of that legislation said we're trying to choose technology through the procurement process, but we don't have the requirements well enough defined to make any use of the technology. So we tend to buy it as commercial best practices, and we hear terms like ``governmentizing the technology.'' If we risked that with some of this leading-edge technology, we're not going to get the benefit out of it. We're going to expend too much out of it. So the issue is if we've got 50 proposals for different aspects of security technology, can the government today become the systems integrator? Do we want it to become a systems integrator? Right now we don't have the talent, and we don't have the technical skills. 
I know this has been a subject of another hearing in another very fine piece of legislation from this subcommittee. We have to focus on clearly understanding our requirements, and we also, I think, have to focus on getting good teamwork in industry. You know, when a company goes out to buy security technology, it's not quite the same as they announce that they've been hit by some cybervandals, and then people start showing up. They generally look for a security architecture, a comprehensive solution approach. That's what we are trying to do in the Federal Government as well, and I think that may be tough to understand for a lot of industry, that the government works not by being our own integrator oftentimes. So when they come to--many companies that have just pieces of the technology puzzle come to talk to us, they expect us to know how to integrate it together and to buy the pieces. That's very difficult right now for the Federal Government. Mr. Bohlinger. I'd like to assure you that the three of us did not get together before we were making these comments, but--and not to sound like just reiterating---- Mrs. Jo Ann Davis of Virginia. It's OK. Mr. Bohlinger. The issue is requirements. There's no question about it. We are significantly engaged in meeting with people from the private sector and have been going to their forums, talking with them individually, meeting with the senior people from these corporations, and there are many wonderful ideas out there, but can you imagine ideas just being thrown over the transom, all of which are good? How do you sort them out? And what I said in my testimony I think I'd like to emphasize again is that we need to be able to tell the people in the private sector exactly what our needs are and allow them to---- Mrs. Jo Ann Davis of Virginia. Let me interrupt you there, because my time is about running out. Where do you get what your needs are? Who gives them to you? All three of you have said requirements. 
Where do you get them from? Mr. Forman. I--especially in this area of security, there are two areas. One is in the Government Information Security Reform Act requirements that were laid out. The baseline set of best practices identified by the National Institute for Standards and Technology gave us the ability to do a gap analysis. It's a very comprehensive gap analysis. That's led to a listing, a plan of actions and milestones, that in some agencies are 2 or 3 inches thick, and those are the requirements. So we're first year into the process, several months into the process. We now--the requirements are there, and we can make sense and go buy the technology. Mr. Bohlinger. If I might just continue for a second on the requirements issue, I think it's both on a macro and a micro scale. On the macro scale, it's something that has also been discussed here in talking about enterprise architectures. Federal agencies must have robust and thoroughly vetted enterprise architectures, and this is exactly how we are doing our business. On the micro area of requirements, it's as you go out with specific requests, and that might be a particular system having to do with something that just is local, it may be a nationwide system, but being able to clearly lay out in the request for information--and I'm a great proponent of that, of allowing corporations that come in and suggesting solutions to well-defined requirements, then allow you to go out with RFPs that people can apply their best technology to. Mrs. Jo Ann Davis of Virginia. Mr. Chairman, can they all have the time to answer? Mr. Tom Davis of Virginia. Go ahead. Mr. Raub. I can just comment briefly. With respect to Health and Human Services, we won't claim perfection in our interface with the private sector, but we believe we're doing well and are getting better. Secretary Thompson is taking two major structural steps that have helped us along. 
One is the creation of the office I represent, the Office of Public Health Preparedness, last November. He's given us a focal point within the Secretary's office for all $3 billion worth of it related to bioterrorism across our 11 agencies in the Department. And representatives of the technology community have not been bashful in seeking us out, nor have we in our interactions with them, either for activities of our own office or steering them to the Centers for Disease Control and Prevention, the National Institutes of Health, the drug administration or other elements of our Department. Even before that, last summer the Secretary created his Council on Private Sector Initiatives. The idea was to bring together a team of representatives from every agency in the Department that would meet on a regular basis and be a one-stop shop for members of the community to bring ideas that might have some pertinence to programs of Health and Human Services. This is not limited to terrorism. It's much more broadly including the hospital sector. At a most recent meeting of that team, no fewer than nine company representatives were present describing their activities, how they might relate to Health and Human Services, and seeking some requirements and general guidance of how best to relate to the Department. Mrs. Jo Ann Davis of Virginia. Thank you. Mr. Jordan. Mr. Jordan. As I mentioned in my direct testimony, the FBI has begun to hire outside IT experts who are helping us sift through the various suggestions made to us, and we are well along in that process. And we have an established process for interfacing with the private sector. Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. Mr. Tom Davis of Virginia. Thank you very much. Mr. Turner. Mr. Turner. Thank you, Mr. Chairman. Mr. 
Forman, talk to us a little bit about how far along we are in developing the enterprise architecture that is necessary for homeland security and how the new Homeland Security Department or office will function with regard to the work that, apparently, currently you are responsible for. Mr. Forman. I can't at this point discuss any of the issues related to the President's announcement last night. It is just too early in the process. But as you point out, there are many issues that need to be addressed. So let me go through what issues you raise. We are taking a two-tiered approach with respect to homeland security that there very clearly has to be progress made in homeland security lines of business, is the way we refer to them. A line of business could be disaster management preparedness. Within that, people have to make architecture decisions. They have got to look at which agencies, which organizations within those agencies have what roles and responsibilities, and what performance results or outcomes those organizations are supposed to achieve. Within that, there is an awful lot of overlap, so we have to have some clear way to identify those. We call those business functions. And so you could have, for example, within disaster management, emergency planning, and you would find out that there are many bureaus involved in that planning. You would also find out that there is a core business process, a way of doing disaster planning that cuts across those department--departments, and is probably replicated multiple times. They probably have redundant information systems. And the unfortunate thing about this is, when you pull in the focus of this, the citizen voice, the customer, if you will, which tends to be State and local emergency management officials, they have told us consistently, it is too confusing to deal with all these different activities, these different processes run by these different entities of the Federal Government. 
So identifying that, consolidate it, that's what I call simplified business process. To interoperate with State and local government requires pulling people together and identifying, depicting, laying out the way we are going to work together, and we call that process design or process integration. So, indeed, you have these in the multiple: homeland security functions. Steve Cooper, who is doing terrific work as essentially the CIO for the Office of Homeland Security, has laid out a concept as referred to as Foundation Projects; and, within those types of projects are essentially these kind of more detailed architecture projects. At a high level, we are making sure that all the different departments and agencies that play in that line of business are working together with him. The actual work that needs to be done has to be done under some cross-agency organization. We have laid that out as the Information Integration Program Office, and we have requested accelerating that fund--that funding into the supplemental, and then that would be managed under the CIAO, the Critical Infrastructure Assurance Office. So, at the high level, my office is making sure we are moving forward on the architecture, those business components that we have measures of effectiveness. At the next tier down this Information Integration Program Office, working with the Office of Homeland Security, making sure that people are coming together to actually lay that out and go through the thought work, which can then define requirements. That work is due to be completed at the end of this fiscal year, so the end of September. Mr. Turner. It has been suggested by the GAO that we can't wait for this architecture to be developed, we have got to move faster. How do you respond to that? Mr. Forman. We are moving faster, and the tradeoff I have is between roughly 2,900 major and significant IT projects in the budget. At the same time, we do not have 2,900 solutions architects. 
We don't have 2,900 world-class program managers. So the trick is to allow enough good things to move forward without tying up resources that we need to focus. We are focusing our efforts on the strategic priorities that were in the budget: the war on terrorism, homeland security, revitalizing the economy. So we are not trying to boil the ocean, per se, but focus our resources. Mr. Turner. Do you have any comments on that from the GAO's perspective? Mr. Yim. Well, I think that is actually the right strategy, but we also need to look and see what we currently have, what capabilities are currently already integrated into State and locals and the private sector which would be feeding the information up into the integrating strategy that would be included in the Office of Homeland Security and the national strategy. There is existing architecture that already is there that could be adapted, and one of the reasons why we may want to look at that is not only because it is familiar to State and local governments, and this would not be viewed as an additional burden upon them, but much of the information being collected there is being collected for other purposes, which, frankly, would help assure the reliability and validity of some of that data, rather than specialized data calls related to the Office of Homeland Security or any Federal agency asking for specific information. For example, if highway information was being collected for highway improvement or Federal funding of highway projects, for example, but that was also relevant to evacuation proposals or the ability to bring law enforcement or first responders into an area of concern quickly, we would hate to see a specialized data call that, frankly, could be skewed or perhaps being done on too quick of a basis. We would like to have the ability to draw from existing data sets that were generated for other purposes. 
So the key would be integrating those data sets, being able to define some set of format or to focus on middleware that could integrate diverging formats so that there could be some central model in which these disparate data pieces could be sent and something made of the information in a timely manner. Mr. Forman. I concur 100 percent with that. Mr. Turner. Do we have the staffing and expertise to accomplish this? Mr. Forman. We do. We have to supplement it with the wonders of the IT industry. There is no question about it. Part of the emerging technologies, especially in the middleware arena in what's referred to as objectory architectures, where things--you hear terms like plug and play--now give you the ability to quickly leverage that data base or that work flow that was built for a different purpose, but fits this new mission. That's new technology. That's come out over the last 9 months to 12 months. And so we have to operate with the contractors helping us in this arena, consultants helping us who have already thought through this. We are not the first industry to grapple with this issue. Mr. Turner. Thank you, Mr. Chairman. Mr. Tom Davis of Virginia. Thank you very much. Let me ask a general question. First I will start with Mr. Bohlinger. I understand that the development of requirements is a key challenge, but are those requirements not the result of agency and government interaction? Would that process not be enhanced by a single portal type of process that we envision in our legislation? What I'm trying to say is, I am not sure you even know all your requirements sometimes until you have gone out to the private sector and seen what they have available and some of the issues they are tackling. There is an awareness gap sometimes between what government is doing and working on and what the private sector is out there doing. Mr. Bohlinger. 
I certainly concur with that, and as I said the request for information process and also more informal process working with the various private sector associations. Heaven knows, we don't know what the universe is out there, and it's a continuing education process, an education process for us in the Federal Government, and an education process for those in the private sector, on not only how you access the Federal Government, but how you assist. There are ways to assist that make a great deal of sense in helping refine requirements, in helping us understand, on the Federal side, the best way to apply technologies. So I certainly do agree with you that these avenues have to be explored just because of the volume and complexity of the data. Mr. Tom Davis of Virginia. OK. Dr. Raub, let me ask you; you refer to Secretary Thompson's Council on Private Sector Initiatives to improve the security, safety, and quality of health care. The Council was established in part to provide the private sector with a single point of contact for innovative ideas that cut across HHS's agencies and departments. Now, H.R. 4629, which I've introduced, would, among other things, establish a similar mechanism in the Office of Federal Procurement Policy, would apply to all agencies for innovative homeland security solutions. What do you think about extending the concept you use at HHS government-wide? Mr. Raub. Well, the concept has proved quite efficacious for HHS, and, in principle, I see no reason why it couldn't work on a broader basis across other agencies. Were that to be established, we would certainly work cooperatively and hard to ensure its success. Mr. Tom Davis of Virginia. OK. Some allege that there was a communications breakdown between the CDC and the FBI and others when the anthrax letters came to Capitol Hill, New York and Philadelphia. Do you have any thoughts on that? Mr. Raub. Yes, sir, I do. 
I think both agencies have worked hard at that communication issue, and we believe will continue to improve. Some of the issues are the fundamental differences in our missions and our cultures that I think both agencies are doing better to recognize and understand one another. For example, when a matter involves a potential crime scene or a subject under surveillance from the FBI's perspective, which we appreciate significantly, a close hold of that kind of information and a very deliberate process is critical to be able to bring an ultimate successful prosecution. At the same time, the public health community needs to ensure that it has the information early enough to be able to mount various kinds of protective initiatives in the community. So I think in general our view is the more time we spend interacting with one another, understanding the missions, the restraints, the better those communication systems can be. Mr. Tom Davis of Virginia. Thank you. Mr. Jordan, let me ask you a couple questions. FBI Agent Rowley testified yesterday at the Senate hearing that field agents have less access to information than the press because there are too many layers within the organization that clog information sharing. Do you have any comments on the reorganization efforts that have been announced by the FBI and how they might contribute to better information sharing? Mr. Jordan. Well, the reorganization efforts plan that the Director has submitted focus on having the FBI recognize that terrorism is our No. 1 mission, and that we are going to put more resources on terrorism, not just the investigation, but the prevention of it. And as we respond to that challenge, we are going to have new information needs and challenges to share our information outside the FBI with other intelligence and law enforcement agencies as well as make sure that information gets out to our field, which Special Agent Rowley is a representative. 
So we recognize the need to--we need to share our information outside, but internally first, and we are making efforts in that regard. Mr. Tom Davis of Virginia. Well, one of the reasons we called the hearing today was to determine the progress that Federal agencies involved in the homeland security were making in assessing the respective knowledge needs and information-sharing requirements. There has been a lot of Monday-morning quarterbacking on this. Where are we in the process, in your opinion, over at the FBI? Mr. Jordan. We have made great strides. Our--outside of the Intelligence Community, our single largest group of partners in the prevention of terrorism are 650,000 State and local police officers who are the largest single available force to help us in a war against terrorism. We have met with them through their major city chiefs, through the IACP, International Association of Chiefs of Police, their representatives. We have attended their recent information-sharing summit. Director Mueller was the keynote speaker. As I mentioned in my direct testimony, the directors brought in a high-profile chief to basically ensure that we recognize that State and local law enforcement are our partners in this effort, and that we get them the information they need, and that they share with us the--exactly what it is that they need. There are some obstacles, and, for example, some of the information that would be valuable to them is classified. It's probably not feasible to get Secret or Top Secret security clearances for 650,000 police officers. Maybe there is something in the middle that we can do, maybe some middle--or maybe there is a way to create a classification level below Secret where we can take information and change some of its attributes so that it could be disseminated at a below Secret level. I mean, these are all the things we are working on. 
We are working on them with State and local law enforcement, and our Joint Terrorism Task Forces are probably one of the best and most successful and, historically, best efforts in this regard. Mr. Tom Davis of Virginia. Some of the Secret stuff always gets in the hands of the press. So, you know, you want to get it in the hands of the agents as well. Mr. Jordan. Yeah. Mr. Tom Davis of Virginia. All right. Thanks. Let me ask Mr. Forman. Your statement stresses the important role that standards play in ensuring that the different systems can work together in furthering the homeland security mission. Where does the responsibility rest for developing and enforcing these standards? Mr. Forman. There are two types of standards. One is at the technology level, and that resides with the Secretary of Commerce, and largely standards being defined at the National Institute for Standards and Technology. The other is a common component or standard of functionality, if you will. That's what we have undertaken via the CIO Council, and with the Federal Enterprise Architecture Program Office work that my office is overseeing. So I have kind of taken on that responsibility in my role at OMB on those functional standards. But we are doing it and the enforcement of it via the CIO Council's architecture committee. And, in that manner, as you know, probably the fastest way to get a standard is to get everybody who has to buy the technology to agree that this is what they are going to buy, this type of functional capability, and therefore ensuring not just the agreement on the standard, but the enforcement of that standard. Mr. Tom Davis of Virginia. Thank you. I'm just going to make a final comment, and then I think Ms. Davis has a couple more questions. Do you have a couple more questions for this panel? I think Jo Ann wants to get a question cleared up. 
You know, we have gone through some of these security briefings on the House floor, and I get more out of CNN and Fox News than I do from our security briefings. And, of course, they are so nervous that somebody is going to leak something I assume they have the same kind of problems in the FBI and other agencies with getting word down to members on the street, to employees on the street who could use information, but are just so afraid that the classification, whether it's Secret or Top Secret or classified doesn't fit. And we have got to find a way to cut through this and get the information to the people on the street appropriately. That has been one of the problems; as we look back and try to Monday-morning-quarterback this we get so hung up on all these classification systems that the word is not getting out in an appropriate fashion to the people who could benefit from it. The press has no problem getting ahold of a lot of this stuff and so we are basically victims of our own overregulation and inability to classify. And it's something we have got to continue to wrestle with. And also in our conversations with the private sector, some of this stuff I think we are overly protective of. That's just an observation, stepping back. But I see a lot of progress being made, and I appreciate everybody taking the time to share with us and answer our questions today. Ms. Davis. Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. And I don't mean to beat a dead horse, but I'm sort of just a straight-talking person, and I've got to say, I didn't understand your answers. The best I could understand is that the resources aren't the problem; the problem is the requirements and defining the requirements. But aren't you all supposed to define the requirements? Mr. Forman. Well, we have new major IT investments in this year's budget, roughly $30 billion, and so the requirements have to come, we know best practices, from the people who are actually doing the work. 
When we bring in modern tools and techniques for essentially e-business in the private sector, that has tremendous applicability in virtually all the homeland security areas. Ms. Jo Ann Davis of Virginia. So are you supposed to, sir, define the requirements? Mr. Forman. No. It's got to be at the level of the people actually who will use it in doing the work, married together with the CIOs or people within the CIO organization who are responsible for identifying. Ms. Jo Ann Davis of Virginia. How long does it take to do that and then to get the--I mean, by the time you do all that and get the technology in place, isn't it outdated? Mr. Forman. No. Unfortunately, we tend to hide behind that in resisting change in many of the Federal agencies. It shouldn't take more than a couple weeks or a month to do this. Ms. Jo Ann Davis of Virginia. So, then, the problem more is in the culture and not requirements? Mr. Forman. And resistance to change. Ms. Jo Ann Davis of Virginia. Which is the culture. Mr. Forman. I tend to focus on, both dealing with the industry and with the agencies, these two simple measures of outcome that I mentioned before. How do we increase their response time, cycle time, the decisionmaking time? How do we improve the quality of the decisions that you are responsible for? And I give the same test to the industry folks that come in, and I found from industry, some of the folks will come back to us with a very low-cost, very modern solution just because of the technologies that are out there. And when I look at low cost, I mean 40-, 50-, $60,000 for a program that had been budgeted for $30 million. To me, that's the payoff of bringing these modern technologies in; but what it means is people in the line of business do their work differently. If they don't sign up to doing their work that way, then we won't get that acceleration in decisionmaking, we won't get the results. 
What we will get is a 50-, $60,000 effort that turns into a $30 million effort and doesn't give us the results. This is a chronic problem. It's been around for about 10 years now in government. It's part of change management, and, at the end of the day, a big part of the puzzle that we are using here is the management scorecard. We are literally tracking whether the agencies are adopting these modern business approaches and scoring them on that on a quarterly basis. Ms. Jo Ann Davis of Virginia. Well, maybe I just did things a little different in the private sector, but when I had people that worked for me, if they didn't do the changes the way I wanted them, they weren't there anymore. Thank you, Mr. Chairman. Mr. Tom Davis of Virginia. Thank you very much. Anything anyone on the panel want to add additionally? Well, thank you all very much for your testimony today and in your answering our questions. If you want to supplement anything over the next couple of weeks, feel free to. I'll put it in the record. I'm going to declare about a 2-minute recess as we switch panels. We have an outstanding panel coming up: Dr. Sugar of Northrop Grumman, who has already been introduced by Ms. Harman; Mr. Johnson, KPMG; Mr. Fitzgerald from Oracle, I see in the audience; and Mr. Pomata from webMethods. We will just take a couple minutes to exchange, and we will be back in 2 minutes. Thank you. [Recess.] Mr. Tom Davis of Virginia. I think we can resume the hearing. If everyone could just remain standing here, I want to swear our next distinguished panel in. [Witnesses sworn.] Mr. Tom Davis of Virginia. Let me just explain. This isn't the major investigative committee in Congress; so, by our rules, we swear every witness in. We are not trying to catch you on everything, but those are just the rules we operate under. And so let me start with Dr. Sugar and work our way down. Try to keep it to 5 minutes. 
Again, we have the lights on there, and we will give some time for questions and then submit. And thank you for being with us today, Dr. Sugar. STATEMENTS OF RONALD D. SUGAR, Ph.D., PRESIDENT AND CHIEF OPERATING OFFICER, NORTHROP GRUMMAN CORP.; LEONARD POMATA, PRESIDENT, FEDERAL GROUP, WEBMETHODS, INC.; S. DANIEL JOHNSON, EXECUTIVE VICE PRESIDENT, PUBLIC SERVICES, KPMG CONSULTING, INC.; AND KEVIN J. FITZGERALD, SENIOR VICE PRESIDENT, GOVERNMENT, EDUCATION & HEALTHCARE, ORACLE CORP. Mr. Sugar. Can you hear me? Thank you, Mr. Chairman, Ms. Davis, Mr. Turner. It's always a pleasure to meet with you. My name is Ron Sugar, president and chief operating officer of Northrop Grumman, Incorporated, one of our Nation's major defense industrial firms. Northrop Grumman has a dedicated work force of over 100,000 engineers, scientists, and other professionals applying advanced technology in support of our military services and other governmental agencies. It's a great privilege to appear before you today and to talk about some of my observations on the important issue of providing technology solutions to the serious homeland security challenges facing our Nation today. As a senior executive of a major defense firm, I cannot advise you on national policy or how to organize the government to approach this daunting task of homeland security. I can, however, provide a perspective on how those of us in the world of technology can help address this major challenge, and I can suggest certain steps the government can take to create a favorable environment where the innovative thinking, the manufacturing skills, and the procedural discipline of the defense industry could be applied to this pressing national need. One should not underestimate the power of American industry, working with government, to provide good solutions to major challenges. We do rise to the occasion. The record of the past speaks for itself. 
The Manhattan Project of World War II, the development of strategic weapons and ICBMs during the cold war, and the placing of a man on the moon in the 1960's demonstrate what can be accomplished in a relatively short period of time when efforts are focused, resources are provided, and there is a national will to do it. As with these past examples, of course, urgency must now prevail. I would like to identify for you three concerns that I believe may be inhibiting our ability to bring the power of American technological capability into this effort, and I will call them the three Rs, for lack of a better term: requirements, resources, and release from unreasonable liabilities. Requirements, resources, and release from unreasonable liabilities. Addressing these three Rs will greatly improve the requirement for industry to innovate and create effective technology solutions for this problem. Now, let me briefly address what I mean by these three items. First, requirements. Despite the passage of 9 months, there are still very few specific requirements that have been identified by the many numerous agencies at all levels of government on what they need to meet the challenges that they face. We typically in industry provide technological solutions in response to governmental requests for proposals or requests for information, and their companion statements of requirements or specifications. Because there is great uncertainty among many agencies about their exact roles and missions in homeland security, there have been to date very few RFPs as a result of September 11th, and I would strongly second the testimony of Mr. Bohlinger from the INS on this matter. Requirements are very, very important here. Second, resources. Now, certainly much money has been appropriated to date for this effort. 
With the original emergency funding, the current supplemental under consideration, and the fiscal 2003 proposal, there has been over $100 billion identified for homeland security, but the large percentage of these funds is for response and recovery. Very little to date has translated into requests for specific technology solutions. Neither Northrop Grumman Corp., nor any other major corporation that I know of at the moment, is yet able to determine from a business standpoint the additional business or revenue potential of this important emerging homeland security market. We know something is there, but we are not quite sure what it is and how we are going to address it. And, finally, there is the third R: release from unreasonable liability, or indemnification. Many companies, including our own, now have technologies available to assist all levels of government in detecting and preventing future terrorist attacks. Paradoxically, our tort system has the capability of shifting the economic loss due to a terrorist criminal act onto those providing the tools to detect and prevent such acts. Despite our best efforts, no technical system is infallible. The unintended consequence of even a single failure in a well-intended system or device that we might provide could result in a significant legal exposure that could financially ruin a company. Prudent companies may find themselves unwilling to provide their critical technologies to the government and its agencies that need them because of the great financial risk involved. At Northrop Grumman, for example, we find ourselves face to face with this very issue now in our efforts to provide the Postal Service with a biological detection system to counter the anthrax threat. Clearly, containing liability exposure for those in industry who are trying to do good is a major policy issue that must be addressed by both Congress and the executive branch. 
Now, if we can successfully deal with these three Rs, we can do a lot of good things. We have, for example, at Northrop Grumman sophisticated airborne surveillance platforms, such as the Global Hawk, that can be adapted for use in improving border and coastline security. We have Fire Scout, a smaller unmanned helicopter that can provide point surveillance around ports or other vulnerable national assets such as nuclear power stations. We have modern command, control, communications systems that can be adapted for domestic use by State and local organizations. We have increasingly effective systems for detecting and tracking chemical and biological agents. We have sophisticated information technology systems capable of managing and integrating large amounts of data, making it rapidly available. This can assist security officials, immigration officers, Customs agents, and the Border Patrol in greatly complicating any terrorist efforts to launch coordinated and deadly attacks against American facilities and citizens. We can do a lot right now. Now, from a classical business perspective, however, homeland security would be viewed as an emerging market. But to be vibrant and viable, any market needs customers with clearly defined needs who have funds they are willing to spend to secure goods and services. Presently, with a handful of exceptions, the homeland security market is still somewhat clouded. Mr. Chairman, your legislation, H.R. 4629, aimed at promoting innovative solutions for homeland security is a very appropriate first step. Its recommendation establishing an office to rapidly review technology proposals while providing procurement point of entry will be most helpful. I would urge you to move this legislation forward as quickly as possible. Combined with the President's announcement last evening about establishing a Department of Homeland Security, this should provide increased momentum to allow us to bring the full power of our industry to bear. 
Finally, let me be frank. I am concerned about the rate of progress we are making in protecting the Nation. This is a serious issue. Many good ideas are flowing from both the government and from industry. What we need now are the firm, specific requirements, immediately available funding resources, and protection from the risks of unreasonable liability. Give us these and we in industry will provide our Nation the tools to do this job. Mr. Chairman, I applaud the efforts of the committee. I wish you well in your important endeavors, and thank you very much for having me here today. Mr. Tom Davis of Virginia. Thank you very much. [The prepared statement of Mr. Sugar follows:] Mr. Tom Davis of Virginia. Mr. Fitzgerald. Mr. Fitzgerald. Mr. Chairman, Ranking Member Turner, Congressman Davis, my name is Kevin Fitzgerald. I am the senior vice president of Oracle Corp., and on behalf of Oracle, I would like to thank you for inviting me to share experiences and perspective on information sharing and homeland security technology. Mr. Chairman, since September 11th, we have been engaged in a battle on two fronts. First, we have been fighting to protect the lives of Americans from the threat of terrorism, and at the same time we have been struggling to protect the single most important asset needed to promote and preserve liberty and prosperity: the U.S. economy. If the investments made today to improve our homeland security prove ineffective, we will have missed a seminal opportunity to shape our future for the better, an opportunity that we are unlikely to see again. If we step back and look at the goal of strengthening homeland security, the overwhelming obstacle will be the effective partnering of the organizations, public and private, involved in the process. 
There are national, State, and local organizations geared toward law enforcement and intelligence, first responders, health care, Border Patrol, transportation, agriculture, and countless others. It is difficult to know where to start, and spending our Nation's tax dollars effectively will be challenging. In order to protect the United States, we need an integrated national strategy and information infrastructure; yet implementing a national strategy with countless independent organizations will be like building a plane with at least 50 totally independent contractors. One builds the wings, another builds a navigation system, and yet another builds the fuselage and so on. Even if each organization excels at his or her given task, it will still work in a vacuum without any guidance on how and whether these separate parts work together in an effective whole, the combined concoction could never fly. Imagine building our homeland security information systems airplane--like this airplane, not having any way to ensure they fit into a broader national strategy. The result will be a waste. Fortunately, the President took a step in the right direction yesterday with his proposal to create a Department of Homeland Security, which would provide for a clearinghouse for terrorism intelligence. This is a significant and positive development, and I hope Congress will act on the President's proposal before you adjourn later this year. For this new Department to succeed, Congress will have to target a significant amount of investments toward information technology. No doubt information is one of the most powerful weapons that we have in the fight against terrorism. The fact is that we have an extraordinary amount of information, but we lack sufficient capability to establish relationships between various information sources. Even today we see there are lots of facts we had about the individual terrorists responsible for the attacks on September 11th. 
Since we were unable to bring these facts together, intelligence agencies and law enforcement were not able to see the whole picture. It would not be possible, prudent, or politically expedient to try and build a single national system for homeland security information; we can, however, make it possible for the relevant organizations to build their systems in such a way that, although they are different, they can work in concert to support a national homeland security strategy, or, in more practical terms, a Department of Homeland Security. Accomplishing this requires a commitment to standards. If Congress provides homeland security resources to 50 States, absent any kind of systematic direction, it will be used in at least 50 different ways, and certainly far more if these resources flow to localities. The system that would be built under this scenario may have local needs, but they will almost certainly not talk to one another unless there is an effort on a national level to require a few standards for information sharing and security. For information systems, those standards fall into three categories: data, integration, and security. Data standards provide guidelines for how data is collected and stored, making data possible--sharing possible. For example, in law enforcement, the Department of Justice has defined a standard called the National Incident-Based Reporting System, or NIBRS. This standard defines guidelines for collecting and reporting information related to criminal incidents. So if my system is NIBRS-compliant, and your system is NIBRS-compliant, then we can compare data with one another because we both use and understand the codes that represent that type of criminal incident. Data standards like NIBRS are critically important for ensuring that once we establish connectivity between systems, we will know how to compare and interpret the results. Integration standards define how a system exposes its data to other systems. 
For example, Web Services standards like WSDL, UDDI, and SOAP, define how a system wraps its data and publishes it to other systems. So a system can use these standards to say, in effect, I know all about pilot licenses in the State of Florida. If you give me a Social Security number, I will check your credentials and then give you XML in the following format that includes that person's license information. This approach means that I don't care what a system does or how it was built, I only care that it can accept and answer my question. Perhaps the most important form of information standard is geared toward security. The most significant barrier to information sharing will not be technical issues, but concerns raised by organizations about exposing their data to potentially insecure systems. There are well-established standards in existence, and they have matured around the world, and they are now accepted globally. In the United States their use is managed by NIAP, the National Information Assurance Partnership. This is a collaboration between the National Security Agency and the National Institute of Standards and Technology. Consistent government enforcement of security standards has been a source of frustration for Oracle. Despite its importance to national security, what we too often see is that the requirements for independent security evaluations are waived in procurement. This summer, a National Information Assurance Acquisition policy called NSTISSP No. 11 is scheduled to go into effect for systems that contain information relating to national security and requires these systems to use products that have undergone an independent security evaluation. After September 11th, it is fair to say more and more Federal systems have a direct link to national security. Thus, policies like this one need to be strengthened and enforced through the procurement policy. What can the Federal Government do to better ensure the use of these standards? 
First, national agencies need to take responsibility for defining more data standards as the Justice Department has done in the defining of NIBRS. Second, we urge Congress not to try and create integration standards. Industry and the Internet are defining and refining these standards faster than the government possibly could. Exploit what they develop. Third, Congress should encourage relevant agencies to enforce NSTISSP No. 11. These standards and processes are already in place. We all know there will be an accounting for how Congress has targeted Federal spending on homeland security, and, with the President's announcement yesterday, this new Department, should Congress create it, will likely be held accountable as well for the administrative success of homeland security. If the result is 1,000 little systems with no improved national capacity to deal with the threat of terrorism, the American people will recognize this failure of planning and protection. Let's work together to make sure that doesn't happen. Congress, in its role as policy leader, can include appropriate standards to guide Federal, State, and local organizations down a common path of information sharing. The information technology industry can devise the systems to make sure these policies can work to accomplish our national goals. Thank you again, Mr. Chairman, for the opportunity to be heard today. I look forward to answering any questions you have.

Mr. Tom Davis of Virginia. Thank you very much.

[The prepared statement of Mr. Fitzgerald follows:]

Mr. Tom Davis of Virginia. Mr. Johnson.

Mr. Johnson. Mr. Chairman and members of the subcommittee, thank you for this opportunity to share KPMG Consulting's views on the topic of homeland security. My name is Dan Johnson, and I lead our public services business unit, which is comprised of over 3,000----

Mr.
Tom Davis of Virginia. Mr. Johnson, you don't need to keep it a secret; you need to turn on your microphone.

Mr. Johnson. Got it now?

Mr. Tom Davis of Virginia. Got it.

Mr. Johnson. Sorry. I'll start over again. Mr. Chairman and members of the subcommittee, thank you for this opportunity to share KPMG Consulting's views on the topic of homeland security. My name is Dan Johnson, and I lead our public services business unit, which is comprised of over 3,000 professionals serving Federal, State, and local government clients. KPMG Consulting supports large-scale information technology modernization programs at many of the Federal agencies that are critical to our homeland security efforts, including the Immigration and Naturalization Service, the Customs Service, the Department of State, the Internal Revenue Service, the Federal Aviation Administration, Coast Guard, and the military departments, as well as many public safety agencies in key States such as Pennsylvania, New York, Texas, California, South Carolina, and the District of Columbia. Most recently we have been engaged to help stand up the Transportation Security Agency in defining its mission activities in business processes as well as supporting development of an entry/exit system at Immigration and Naturalization Service which would document the arrival and departure of aliens at U.S. ports of entry. Mr. Chairman, we feel that our 40 years of experience in serving government entities such as these and the knowledge of their organizations, systems, processes, and protocols that experience brings uniquely qualifies KPMG Consulting to discuss change management issues and technology acquisition measures as they relate to homeland security.
In the aftermath of September 11th, when KPMG Consulting mobilized to provide recovery assistance to our New York Port Authority and New York Department of Finance clients at the World Trade Center, as well as our DOD Office of the Comptroller clients at the Pentagon, the requirements for a higher level of cooperation and collaboration between Federal, State, and local governments, as well as the private sector, has reached a new level of urgency. We would like to address several areas which will impact and challenge attaining that higher level of integration. The first is leveraging existing capabilities. We must get a firm grasp of the information available today, the technologies that are being employed, and match that data and those technologies to identifiable programs. An example we are most familiar with is the Pennsylvania Criminal Justice Network, commonly referred to as JNET. Following the crash of United Airlines Flight 93 in Western Pennsylvania, a JNET terminal was set up for the FBI. Running the Flight 93 passenger list through JNET and searching multiple Commonwealth justice system data bases simultaneously, the FBI was able to identify one of the suspected terrorists on board, and confirmed that another suspected terrorist was, in fact, already incarcerated. The JNET story is a microcosm of the challenges that homeland security faces. Initiated in 1998, it overcame the stovepipe territorial issues of sharing sensitive information across 17 different State agencies, 2 cities, and 20 counties, now totaling over 5,000 users this year. It did so with an architecture which lent itself to gradual and interactive development showing incremental benefit and promoting comfort among its stakeholders as it evolved. It did so through strong executive sponsorship and a centralized independent budget for it alone. 
It did so through protecting the integrity of the individual stakeholder data bases by implementing rigid access controls, and it did so by establishing a government structure in which all the key stakeholders were represented. The second area, as agencies look across their investments with an eye toward addressing homeland security missions, they must first determine what information is needed before looking for new technology solutions. They must match this with their understanding of what their problems are, what technologies exist today to address those problems, and how can they best leverage those technology solutions and improve upon them. Then, and only then, can agencies take the next step of determining what else needs to be done, what other technologies must be acquired. Last, Mr. Chairman, we commend you for introducing H.R. 4629, which would establish a program to encourage and support carrying out innovative proposals to enhance homeland security. Its provisions for the streamlined acquisition of innovative solutions certainly is needed. In our experience, application of IT investment and portfolio management disciplines is essential to the success of a technology program of the magnitude of homeland security. A set of standard criteria should be established to streamline and focus the screening of these technology proposals and to normalize the evaluation of their potential. Using this type of approach, each proposal is viewed as a component of an overall homeland security technology portfolio. The portfolio would be continuously monitored and adjusted as new proposals were presented and technologies were tested and implemented, and would ensure that all components of homeland security are considered against an integrated framework. Mr. Chairman, again, thank you for holding this important hearing today. We look forward to working closely with you and the rest of the subcommittee in any way you deem appropriate. Mr. Tom Davis of Virginia. 
Thank you very much.

[The prepared statement of Mr. Johnson follows:]

Mr. Tom Davis of Virginia. Mr. Pomata, you are our cleanup speaker here.

Mr. Pomata. Thank you. Mr. Chairman, thank you for the opportunity to testify today. My name is Len Pomata, and I serve as the president of webMethods' Federal business unit, part of webMethods, Incorporated, a Fairfax, Virginia, company. WebMethods manufactures integration software, a technology that enables the government agencies and companies of all sizes to connect their computers and data systems together. The technology is straightforward, cost-effective, reliable, secure, and readily available. It facilitates the right information getting to the right people at the right time. It is interesting that much of America's investment to date in homeland security has been spent on the last line of defense, guards, gates, and guns. That's a natural and critical part of the response, but there is a part of the September 11th answer that has still received too little public attention, and that is the use of information technology as a proactive first line of defense. It is ironic, because it is information technology and those capabilities that give America one of the greatest competitive advantages in combating terrorism and securing the homeland. The INS and the FBI are currently highly visible examples of the need for integration software and the sharing of information across agencies. Like most Americans, I applaud these agencies for their dedicated employees and their leadership, but there are lessons we have learned and can learn from the events of September and the importance of sharing critical information.
In some instances agencies had identified important information, but the information was not effectively coordinated into a common view or given to relevant officials. I realize that in many instances substantial policy and political issues may argue against sharing, but there is no technological reason. My point, Mr. Chairman, is that sharing of critical information, both inside and outside the government, is straightforward and relatively easy. Linking systems has become secure and affordable. At webMethods, we know this because we do this every day in our business. Public and private sector organizations alike face the cultural policy issues, but I would like to mention a few lessons that we have learned in addressing this with our customers. First, organizations don't have to share or integrate entire systems, only that which is important, only that which is defined as part of their critical mission. Defining those as precisely as possible can make the cultural and political boundaries and barriers seem much lower than they may first appear. Second, simply connecting data bases and applications does not produce the right information to the right people. It is necessary to define the mission and particular information to be shared in a logical process, and not an artificial organization. That is what determines what--and you need to determine who is providing and who is receiving information. Those are the critical parts. Third, it should be remembered the purpose of integrating information is not just to distribute it, but to be able to push it or give it to those--that right information to the high-level officials as well as down to the field agents that may need it in a push technology. 
Fourth, as customers like Covisint, an e-business exchange for major automakers, we have discovered the utility of building an online hub, for instance, that has competitive organizations plugging in, and without disclosing proprietary information works very well in the commercial sector, and this is a model that I think the government may use for sharing information in the public sector. You know, there is a temptation to think that with so much money already spent on information systems, surely we can be much better at coordinating information; but these systems have become increasingly more complex, and have been dedicated to very specific tasks, and have become individual silos and islands of information, which actually can sometimes hamper the facilitation of information coordination. These systems contain mountains of information, and, as a result, helping them simply to communicate with each other has the potential to tap tremendous new value from existing resources. Traditionally this integration of disparate systems, applications, and data bases has taken place through costly, time-consuming customization efforts. Until recently, it would require deploying scores of programmers and software writers to go into a company or agency and manually write code to create custom connections among these systems. In recent years, particularly in the last 12 to 17 months, this has become virtually unnecessary. It can now be done far more quickly, cheaply, and reliably, largely through off-the-shelf software. As a result, companies and agencies can now modernize and extend the life of old systems and avoid the huge expense of replacing them, much like the Navy might view in extending the life with modernization of one of their ships. Integration software can make this happen now amongst the vast--and makes this happen now amongst the vast majority of the top 2,000 global companies. 
Government, too, is now appreciating the power and the potential of this latest IT revolution. Integration software depends on language protocols. One of those is XML. Recently the GAO emphasized the importance of XML and the need for government to focus on it in terms of standards and utilization. As the GAO pointed out, XML offers the greatest potential for agencies to share information with each other and across the government. XML is here now and is the language that can be used to integrate complex technology systems, built over time, multiple platforms, and they can work together. Mr. Chairman and members of the committee, every American recognizes the importance of homeland security, and for obvious reasons. My message to you is that government, recognizing the importance of information technology, information sharing, and new integration technologies, can contribute to this effort. This subcommittee in particular, and the committee in general, has been the voice of ensuring the effective use of different technology gets distributed across the government. Mr. Chairman, I applaud this hearing and encourage you to continue this program. Finally, Mr. Chairman, I, as well as some of the other panelists, would like to take this opportunity to express my strong support for H.R. 4629, your bill. As any business executive can tell you, even the brightest and best ideas would not advance unless there was a process and organization that could properly review them and advance them. Especially in times that call for urgent action, there must be an effective and efficient clearinghouse within the government to consider leading-edge technology. Your idea was well thought out and responded to concerns of your February hearing. I know that the committee considers the testimony of its witnesses, and I appreciate the opportunity for the private sector to be at this hearing. I stand ready to answer any questions. Mr. Tom Davis of Virginia. Thank you. 
[The prepared statement of Mr. Pomata follows:]

Mr. Tom Davis of Virginia. I am going to recognize Ms. Davis to start the questions, but I've got to ask this question: This XML, this is new to me. Is this kind of a universal language that everybody can tap into?

Mr. Fitzgerald. Central markup language.

Mr. Pomata. And it is used within the Internet. It's an Internet technology language. It allows many different types of systems over many different platforms to communicate through the Internet and share information.

Mr. Tom Davis of Virginia. How widely used is that in the private sector?

Mr. Pomata. Very, very extensively.

Mr. Fitzgerald. Pervasively.

Mr. Tom Davis of Virginia. You have got to remember, I left PRC in, what, 1994.

Mr. Pomata. A few years ago.

Mr. Tom Davis of Virginia. I'm just trying to get it. OK. Ms. Davis.

Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. And thank you, gentlemen, for being here. And, Dr. Sugar, it is a pleasure to see you again. You know, I sit on the House Armed Services Committee, and you talk about turf wars, you have got the Army, Navy, Air Force, Marines, and there is a little turf war there sometimes. But in this war in Afghanistan, I was able to watch how, when there was a requirement, we had an Army fellow on a horse, and we had a Navy pilot in the sky, and within a 2-week period they developed technology on a Palm Pilot for that Army fellow, the soldier on the horse, to let the Navy pilot know exactly where to drop the bomb. So in a 2-week period, we can get the technology. And, Mr. Johnson, I want to go to you. Well, Dr. Sugar, I heard you say that requirements were--you were still waiting on the requirements. And you heard me in the former panel ask those why we don't have them; and, if I heard you correct, Mr.
Johnson, you said that relatively, you know, in a short period of time, you could get those requirements. Those weren't your words, but that's what I gleaned out of it. But we are 9 months since September 11th, and we don't have requirements. We are nowhere close in many of these agencies to seeing what we need to help us with homeland security, and we are getting ready here to vote on the proposed new Department of Homeland Security. Should we be having a struggle getting those requirements from these agencies? I know you are contracted with some of them, but not all of them. Can you help us out, help me out, there to understand why we don't have them?

Mr. Johnson. Well, I think the driver here is the sense of urgency. When we were prosecuting the war in Afghanistan, the sense of urgency was very, very high in terms of being able to get things done on short notice. The example I used in Pennsylvania, again, was a situation where it is a somewhat smaller group of people, a little narrowly focused effort to go forward with. But the driver is--this country can do amazing things in short order when there is a sense of urgency to drive it to that, and I think many of us see that we don't see that sense of urgency as being pushed down through the organization to execute those things in a rapid fashion.

Ms. Jo Ann Davis of Virginia. Well, I would certainly hope we don't have another disaster for that sense of urgency. Dr. Sugar, do you want to add something?

Mr. Sugar. Could I add to that? I certainly agree on the urgency sense. There is no question about that necessity is the mother of invention. When lives are on the line, people do remarkable things and put aside partisan and parochial boundaries.
There is also an issue of skills, and skills and the ability to know how to define requirements, how to transform a nebulous set of needs or vague sense of wants into very specific actionable statements and quantitative measures that can be used, and then put in place the technology that solves the problem. That's a skills set which doesn't generally reside, quite frankly, in most of the agencies in the U.S. Government, and generally does not reside in great abundance in the State and local government agencies around the country. That is not an indictment of them, it is just simply a fact that it is just not something that has been done. It has been developed in the Intelligence Community, it has been developed in the Department of Defense. Certainly the ballistic missile program and all these things have enforced that discipline. So, there is an issue of not just urgency and a desire, but there is an issue of skills and capability. One thought could be that, for the Office of Homeland Security and perhaps even for this agency that might be created by such a bill as proposed here, you could have either a DARPA-like or a systems-engineering-like organization, a seat-like organization whose job it is to look at being sort of a central clearinghouse of requirements and standards so that you don't have to replicate the creation of something every police department in the Nation is going to need, you know, at every police department. So the thought of skills and methodology would be very helpful here as well.

Ms. Jo Ann Davis of Virginia. Well, let me ask, on the Department of Homeland Security that is proposed, as I understand it, there is going to be one element that would analyze all the information. So if I am hearing you correct--all the information from, I guess, the FBI, everyone, I guess. If I'm hearing you all correctly, that wouldn't even be--I mean, it's not possible because we can't get the information to them; is that correct?

Mr. Fitzgerald.
That's----

Ms. Jo Ann Davis of Virginia. Is that what I'm hearing?

Mr. Fitzgerald [continuing]. Pretty much correct. Grants will be given by the Justice Department to local police departments to build systems, and then we will have necessary standards associated with those, so when the information that they gather is requested, it may not be able to be understood by the Office of Homeland Defense.

Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. I think that is all I have.

Mr. Tom Davis of Virginia. Thank you very much. Mr. Turner.

Mr. Turner. Thank you, Mr. Chairman. Dr. Sugar, talk to us a little bit about the problem that you mentioned briefly in your testimony that you had with the Postal Service on the liability issue for the anthrax, the detection equipment purchase.

Mr. Sugar. Yeah. And, again, this is not the forum to talk about a very specific issue and a specific contract, but it does, I think, represent a problem we are all facing. We have a system which we think can solve a problem. We had a certain quantity of these things planned to be ordered. We had to cut back that quantity because we were unwilling to take it past the stage of prototype demonstration until we were certain that putting it in the field, and if there were any unintended consequences, it would not come back and materially impact or financially destroy our company. That's really the situation. Now, there is an indemnification, I guess the 85804, which is in place for--which is public law, which helps; it's nuclear and other identification, and that is very helpful. It is used certainly in all of our defense work.
What's not as clear is when we migrate the products to other civilian agencies, the State and local agencies or, frankly, even the private sector, for example, a private company that owns and operates a nuclear power plant and wants to utilize one of our great devices that one of our companies comes up with, how do you ensure that we're not going to end up, you know, having a situation where no good deed ever goes unpunished? We do something good, and we have something happen bad. It's a serious issue. I'm not a lawyer, but I know that this is now becoming--emerging as a stumbling block on even the very few RFPs and programs we're seeing. I think you're going to see this become a very broad issue. It's going to become a policy issue for the Nation. On the other hand, I would say that no Federal agency wants to take on unlimited liability that may be created by a contractor who provides a device which then reflects back on the government. So we're going to have to find some way as a Nation to figure out how to share this so we can get on with applying technology correctly.

Mr. Turner. So you're saying there's no statutory authority now for an agency to negotiate this issue of liability with a private sector vendor?

Mr. Sugar. I think there is in some cases. I know, for example, with the U.S. Navy we can receive, because we build nuclear aircraft carriers, a nuclear indemnification as part of 85804. I'm not sure how widely that is allowed with other agencies or whether it, in fact, becomes a local decision of the contracting officer on any given procurement.

Mr. Fitzgerald. Capping liabilities would clearly be a step in the right direction.

Mr. Turner. Thank you.

Mr. Tom Davis of Virginia. Thank you. I appreciate you raising the liability issue, because we don't think about that. Many times as we go out to contracting and--government lawyers are trained to protect the government.
If something goes wrong, it's the other guy's fault; and, of course, it has the end result of sometimes discouraging some of those innovative ideas, innovative companies, from doing business with the government. You get higher markups in the private sector, you know, why do you have to come here? So I appreciate you raising that. I think we will take a closer look at that. Any more specific examples that you can give to the subcommittee in terms of where that has been a deterrent or where maybe a company has in good faith provided a service and it went awry and they ended up losing their shirt? I know some State and local government instances of that, but at the Federal level that would be helpful to get it into the record so the members could understand why they're waiving something that otherwise it seems we wouldn't do. So I appreciate you raising that factor, and we'll take a closer look at that. You know, virtually all of the private-sector witnesses here today have, in one way or another, expressed a concern about our ability to take advantage of the technology that the private sector has to offer. I think there's a great frustration at this point among companies who have invested in new ideas and think they can be of service, maybe make a profit along the way. But you have ideas that we're just not utilizing. What are the specific problems you face in getting that to market at this point? Maybe this homeland security agency will be more of a clearinghouse. Maybe our legislation, if it is enacted, can at least give you some kind of organized route where you can pursue some of these. But do you have particular concerns regarding attacks on computer systems and infrastructure and intellectual property piracy issues? Let me just try to hit those two offhand. Does anybody want to go---- Mr. Fitzgerald. Yeah, sure. 
For Oracle Corp., I think our frustration comes in--we built systems specifically for the government for intelligence and defense purposes to share classified data, various classifications to audit all data to make sure we know who sees what. Once we spent the millions and tens of millions of dollars to build these systems, the government tends not to include them as part of the procurement process; and we sit there and scratch our heads at that. We've built a solution specifically to attack a problem like this, and then when it's waived or it's--agencies are given waivers around the policies associated with security and the sharing of classified data, we wonder why we spent the money to do it. So I guess our situation is slightly different, Congressman Davis, in the sense that we stepped up the ante and put the money to do the development. Then we find that many agencies won't use what we've developed, and it's been developed for that purpose.

Mr. Tom Davis of Virginia. Let me ask--Mr. Pomata, let me ask you. You've been in the business a long time. The Federal Government has a history of failed system development efforts. A lot of times we've spent a lot of money and we don't get what we want. It used to be that it was driven by the procurements itself, that we were so afraid of--once you'd go out with an RFP, you were so afraid of changing it even as your needs changed, because you'd have to go back out to the street. You're afraid of protests. We've tried to loosen that up a little bit. I don't know how it's actually working, but we're trying to loosen it up a little bit so that the government buyers who know what they want can go off and they have GWACS and schedules and areas where they can go out and say, here's what we want, how do you provide it? And not have to go out the route we used to have to have. Can you think of other steps that the government can take to ensure that systems that we get work properly? You've sat on the other side of this for years.
Mr. Pomata. I think a couple things. I think----

Mr. Tom Davis of Virginia. Go ahead.

Mr. Pomata. Did you----

Mr. Tom Davis of Virginia. No. I was going to go with you first.

Mr. Pomata. Sorry. One of the things I think of is that requirements need to be well defined. We know that. But as procurements progress, there are typically requirement changes. So there needs to be some flexibility on both sides to be able to understand as changes come up how to handle them. The other thing we found is that a lot of the requirements in the IT world and a lot of the way procurements were proposed and executed was that, rather than utilize commercial standards, rather than utilize commercial off-the-shelf software, the government always insisted that they had unique requirements and that they had to be custom tailored to what they needed to do, as opposed to try to change some of the processes to conform and to use off-the-shelf software, a lower risk approach. So, typically, the risk is higher when you try to customize things.

Mr. Tom Davis of Virginia. And more expensive, too.

Mr. Pomata. And more expensive. And I think part of the solution there is for--even in homeland defense certainly there are mission-critical things that are going to be very specific and very important to the way the government needs to look at data and needs to do business, but I would suggest there are robust off-the-shelf technologies available that can be implemented quicker, faster and more--and cheaper into the systems at lower risks to solve the government's problem. I think we should look at that.

Mr. Tom Davis of Virginia. OK. Does anyone else want to add anything to that?

Mr. Johnson. Yes, I'd like to add a few things. There are a couple of aspects that are common to many of the failures that we've seen. One is in some cases a lack of top leadership which can push down activity requirements and implementation across multiple stovepipes.
In other words, without top management, emphasis on a major program of that size is typically doomed to failure. A second one is there has to be a very strong government project manager and project team involved going forward, and oftentimes there's a shortage of those within government agencies. A third one is that these large-scale systems and implementation efforts are certainly team approaches. They cannot be executed from an arm's-length arrangement between contractor and government agency. The team going forward needs to be effectively transparent and committed to the success of the program, rather than operating in an impeding communication kind of atmosphere.

Mr. Tom Davis of Virginia. OK. Anyone else on that? Let me address the culture issues. Improving information sharing for homeland security is one of the largest changes to management initiatives I think that's ever been attempted. Many view the culture gap between the public and the private sectors as just a significant impediment to leveraging private sector management expertise to private and the information sharing that we need to get to. Any suggestions for bridging the gap?

Mr. Fitzgerald. Well, I think it's somewhat hard, because there's an arm's-length relationship between the government and the contractors on many of these projects. We all have to remember, at the same time, we all have the best interests of the country involved. We want to bring our skills to bear on these innovative solutions, as the bill you're sponsoring points out, and there has to be a little bit of a trust factor. I know trust is a difficult commodity to have between government and industry, but the stakes are very high.

Mr. Tom Davis of Virginia. Now, you all hire people who worked for the government to come work for you.

Mr. Fitzgerald. Yes.

Mr. Tom Davis of Virginia. They could have some knowledge to try to at least do translations and speak the language.

Mr. Fitzgerald. Yeah. And that does help, Congressman.
But, again, there is still an insular attitude toward the private sector. So I think there just has to--and I'm not sure what the answer to that is. We really don't. We've all struggled with that. But I know from speaking with the other members with me today, I mean, we're all sitting here with one purpose. We are interested, we are capable, and we all believe in what we have ahead of us is a very important project.

Mr. Tom Davis of Virginia. Dr. Sugar, let me ask you a question. In your testimony, you talked about much of what Northrop Grumman has done for years and that the defense program area can be adopted for use domestically by State and even local organizations. In your experience, do the State and local organizations have the human resources needed to implement these programs?

Mr. Sugar. Well, the fact is it varies, but generally not at the levels that you'd want. I think that the challenge here is to create standard solutions that we can replicate, that are easy to use, that we can also assist with training and to conduct exercises in standard ways so that you're not reinventing the wheel. You know, if you think about it, we have 40 or 50 Federal agencies, 50 States and probably 200 cities of more than 100,000 or 200,000 people. So you can imagine that if everybody is trying to solve a problem like this, you might have 10,000, 50,000 solutions, and that is total chaos. And the irony is it's basically the same problem. It's the same problem being replicated. So one value we could have here from your bill and from a central department is that a certain class of problems which are going to clearly be what you might call killer apps in the software business, where you have a standard need for a baggage detection or a standard need for a sniffer for biochem or something, can be identified. Requirements can be quickly finalized for it. RFPs can go out. The best ideas from industry can be brought together, and that can become a standard solution.
It doesn't even necessarily have to be the same guy. It can be a standard set of specifications that apply; and as long as you comply with that you've got a qualified device that is homeland security, department-qualified, and that becomes the standard. By the way, if that is used in some way which creates an unintended consequence but you did comply with this in good faith, you have some limitations around your liability. I think that is the way to address the issue of the training and viability for the people around----

Mr. Tom Davis of Virginia. We don't even have to legislate this. We're such a huge purchaser in the market that if we could keep our procurement needs consistent we would be able to define the marketplace. But we're not consistent. That's one of the problems.

Mr. Fitzgerald. In the granting process as well, too, because many of these systems will be purchased through grants from various agencies.

Mr. Tom Davis of Virginia. That's where Mr. Forman and the previous panel just need to step up. Still so often within agencies we're finding disparate ways to get there, and it's just not consistent. That really rings true. Well, I want to thank you all. Those are all the questions I have. Any other questions for the panelists? I said I'd get us out at 12, and we're a few minutes late, but actually the questions took a little longer. I think this has been a good panel and a very timely panel, and I appreciate the thoughtfulness and reflection that each of you have brought to this today. Let me sum up. I'm going to enter into the record the briefing memo distributed to the subcommittee members.

[The information referred to follows:]

[GRAPHIC] [TIFF OMITTED] T5840.089
[GRAPHIC] [TIFF OMITTED] T5840.090
[GRAPHIC] [TIFF OMITTED] T5840.091
[GRAPHIC] [TIFF OMITTED] T5840.092
[GRAPHIC] [TIFF OMITTED] T5840.093

Mr. Tom Davis of Virginia. We'll hold the record open for 2 weeks from today for those who want to forward submissions for possible inclusion.
I suggest, with the delay of regular mail going in and out of the Capitol campus, that you e-mail these submissions to the attention of my counsel, George Rogers, and we'll get them in. All right. Thank you very much. These proceedings are closed.

[Whereupon, at 12:12 p.m., the subcommittee was adjourned.]