[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:27511.wais]

NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER SECURITY SCORECARDS

HEARING
before the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION

MARCH 16, 2006

Serial No. 109-139

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2006
27-511 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

TOM DAVIS, Virginia, Chairman

Majority members:
CHRISTOPHER SHAYS, Connecticut
DAN BURTON, Indiana
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
GIL GUTKNECHT, Minnesota
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
CANDICE S. MILLER, Michigan
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
JON C. PORTER, Nevada
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
CHARLES W. DENT, Pennsylvania
VIRGINIA FOXX, North Carolina
JEAN SCHMIDT, Ohio

Minority members:
HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
CHRIS VAN HOLLEN, Maryland
LINDA T. SANCHEZ, California
C.A. DUTCH RUPPERSBERGER, Maryland
BRIAN HIGGINS, New York
ELEANOR HOLMES NORTON, District of Columbia
BERNARD SANDERS, Vermont (Independent)

David Marin, Staff Director
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel

C O N T E N T S

Hearing held on March 16, 2006

Statement of:
  Hughes, Thomas P., Chief Information Officer, U.S. Social Security Administration; Thomas Wiesner, Deputy Chief Information Officer, U.S. Department of Labor; Robert F. Lentz, Director, Information Assurance, U.S. Department of Defense; and Scott Charbo, Chief Information Officer, U.S. Department of Homeland Security
    Charbo, Scott
    Hughes, Thomas P.
    Lentz, Robert F.
    Wiesner, Thomas
  Wilshusen, Gregory C., Director, Information Security Issues, U.S. Government Accountability Office; and Karen S. Evans, Administrator, Office of Electronic Government and Information Technology, Office of Management and Budget
    Evans, Karen S.
    Wilshusen, Gregory C.

Letters, statements, etc., submitted for the record by:
  Charbo, Scott, Chief Information Officer, U.S. Department of Homeland Security, prepared statement of
  Davis, Chairman Tom, a Representative in Congress from the State of Virginia, prepared statement of
  Evans, Karen S., Administrator, Office of Electronic Government and Information Technology, Office of Management and Budget, prepared statement of
  Hughes, Thomas P., Chief Information Officer, U.S. Social Security Administration, prepared statement of
  Lentz, Robert F., Director, Information Assurance, U.S. Department of Defense, prepared statement of
  Waxman, Hon. Henry A., a Representative in Congress from the State of California, prepared statement of
  Wiesner, Thomas, Deputy Chief Information Officer, U.S. Department of Labor, prepared statement of
  Wilshusen, Gregory C., Director, Information Security Issues, U.S. Government Accountability Office, prepared statement of

NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER SECURITY SCORECARDS

THURSDAY, MARCH 16, 2006

House of Representatives,
Committee on Government Reform,
Washington, DC.

The committee met, pursuant to notice, at 12:16 p.m., in room 2154, Rayburn House Office Building, Hon. Tom Davis (chairman of the committee) presiding.

Present: Representatives Tom Davis, Platts, Cummings, Clay, and Watson.

Staff present: David Marin, staff director; Keith Ausbrook, chief counsel; Chas Phillips, policy counsel; Rob White, press secretary; Drew Crockett, deputy director of communication; Victoria Proctor, senior professional staff member; Teresa Austin, chief clerk; Sarah D'Orsie, deputy clerk; Leneal Scott, computer systems manager; Michael McCarthy, minority counsel; Earley Green, minority chief clerk; and Jean Gosa, minority assistant clerk.

Chairman Tom Davis. Good afternoon and welcome. The committee will come to order. Today, the committee is releasing its Federal computer security scorecards and will examine the status of agency compliance with the Federal Information Security Management Act [FISMA].

Information technology and the Internet drive our economy and help the Federal Government to operate with greater efficiency and cost savings. E-commerce, information sharing, and Internet transactions, such as online tax filings, are so common that we take them for granted.
Not until an incident such as the potential BlackBerry shutdown--which was recently settled--are we reminded of our dependence on IT and how difficult it is for us to function without it. In the past year or so, we have heard stories about identity theft, security breaches in large commercial data bases, and phishing scams such as those identified by the Internal Revenue Service this tax season. We have also seen an increase in education and awareness campaigns for online safety spearheaded by the private and public sectors.

But in my experience, when it comes to Federal IT policy and information security, it is still difficult to get people--even Members of Congress--engaged. For most people this is an abstract, inside-the-Beltway issue. And FISMA is still viewed by some Federal agencies as a paperwork exercise. But these are short-sighted observations.

As a result of the Government's aggressive push to advance e-government, many Government information systems hold personal information about citizens and employees, in addition to other types of data. Maintaining the integrity, privacy, and availability of all information in these systems is vital to our national security, continuity of operations, and economy.

Furthermore, in order to successfully fight the war on terror, we must be able to move information to the right people at the right place at the right time. Information needs to move seamlessly, securely, and efficiently within agencies, across departments, and across jurisdictions of Government as well.

Due to the nature of our cyber infrastructure, an attack could originate anywhere at any time. We know that Government systems are prime targets for hackers, terrorists, hostile foreign governments, and identity thieves. Malicious or unintended security threats come in varied forms: denial of service attacks, malware, worms and viruses, phishing scams, and software weaknesses, to just name a few. Any of these threats can compromise our information systems.
The results can be costly, disruptive, and erode public trust in Government.

One of the best ways to defend against attacks is to have a strong, yet flexible, protection policy in place. We want agencies to actively protect their systems instead of just reacting to the latest threat with patches and other responses. FISMA accomplishes this goal by requiring each agency to create a comprehensive risk-based approach to agency-wide information security management. FISMA strengthens Federal cyber preparedness, evaluation, and reporting requirements. It is intended to make security management an integral part of an agency's operations and to ensure that we are actively using best practices to secure our systems and prevent devastating damage.

The committee, with technical assistance from GAO, releases annual scorecards based on the FISMA reports submitted to us by agency Chief Information Officers and Inspectors General. This year, the Federal Government as a whole hardly improved, receiving a D+ yet again. Our analysis reveals that the scores for the Departments of Defense, Homeland Security, Justice, State--the agencies on the front lines in the war on terror--remained unacceptably low or in some cases dropped precipitously. Meanwhile, several agencies improved their information security or maintained a consistently high level of security from previous years.

The 2005 FISMA grades indicate that agencies have made improvements in developing configuration management plans, employee security training, developing and maintaining an inventory, certifying and accrediting systems, and annual testing.
Despite these advances, there are still some areas of concern to the committee, including implementation of configuration management policies, specialized security training for employees with significant security responsibilities, inconsistent incident reporting, inconsistencies in contingency plan testing, annual testing of security controls, and agency responsibility for contractor systems.

At today's hearing, we will evaluate the results of the agencies' 2005 FISMA reports, identify strengths and weaknesses in Government information security, and learn whether FISMA provisions and the OMB guidance are sufficient to help secure Government information systems. Witnesses from GAO and OMB will help us understand what obstacles impede the Government's ability to comply with FISMA. DOD and DHS witnesses will discuss the challenges they face in their departments and their plans to improve FISMA compliance. We will also hear about best practices and lessons learned from the Social Security Administration and Department of Labor, two agencies that have demonstrated consistent improvements in their information security since the scorecard process was initiated in 2001.

If FISMA was the No Child Left Behind Act, a lot of critical agencies would be part of the list of low performers. None of us would accept D+ grades on our children's report cards. We can't accept these either.

[The prepared statement of Chairman Tom Davis follows:]

Chairman Tom Davis. Are there any other Members who wish to make opening statements? If not, I am going to note that Members will have 7 days to submit opening statements for the record.

We are going to recognize our first panel of distinguished witnesses. We have Mr. Gregory Wilshusen, the Director of Information Security Issues for the U.S.
Government Accountability Office, and the Honorable Karen Evans, the Administrator of the Office of E-Government and Information Technology at the Office of Management and Budget.

You know it is our policy we swear you in before your testimony, so if you would just rise and raise your right hands.

[Witnesses sworn.]

Chairman Tom Davis. Thank you. Let me thank you for your perseverance on this. Mr. Wilshusen, thank you for being with us.

STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND KAREN S. EVANS, ADMINISTRATOR, OFFICE OF ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

STATEMENT OF GREGORY WILSHUSEN

Mr. Wilshusen. Thank you, Mr. Chairman. I am pleased to be here once again to discuss the efforts by Federal agencies to implement the requirements of FISMA. For many years, we have reported that inadequate information security is a widespread problem that could have devastating consequences. Since 1997, we have identified information security as a government-wide high-risk issue. Today, the Federal Government is facing increasingly sophisticated and complex threats to its sensitive information systems and information. The need for agencies to implement the strong information security controls required by FISMA has never been greater.

My testimony is based, in part, on our analysis of the fiscal year 2005 FISMA reports by OMB and 24 major Federal agencies and their Inspectors General. Mr. Chairman, my bottom-line message is that progress made by the agencies in implementing FISMA is mixed, at best. Agencies have made progress in several areas but have slipped in others. Today, I will note areas where agencies have made progress and those areas where weaknesses remain. In addition, I will discuss actions that agencies can take to improve their information security controls.
Before I do, I would like to recognize OMB for taking steps to improve the quality of the FISMA reports. For example, OMB required agencies to report, for the first time, certain performance measures by system risk level. This provides better information about whether agencies are prioritizing their information security efforts according to system risk.

Mr. Chairman, agency FISMA reports present a mixed picture of FISMA implementation. The agencies generally reported an increasing number of systems meeting key security performance measures, such as the percentage of systems certified and accredited, and the percentage of contingency plans tested. Nevertheless, progress was uneven. For example, the percentage of agency systems reviewed declined from 96 percent in 2004 to 84 percent in 2005, and the percentage of employees and contractors receiving security awareness training also declined.

The reports indicated other challenges as well. Only 13 IGs reported that their agencies' inventories of major systems were substantially complete. A complete inventory is a key element of managing the agency's IT resources, including the security of those resources. Without complete inventories, the agencies, the administration, and the Congress cannot be fully assured of the agencies' progress in implementing FISMA.

Eight IGs also assessed the quality of their agency's certification and accreditation processes as ``poor.'' As a result, agency-reported performance data may not accurately reflect the status of the agency's efforts to implement this requirement. And 39 percent of Federal systems did not have a tested contingency plan. Without a tested plan, increased risk exists that agencies will not be able to recover mission-critical systems in a timely manner if an interruption occurs.
Beyond assessing FISMA requirements, our audits of information security at Federal agencies have found significant weaknesses related to access controls and other information security controls that place a broad array of Federal operations and assets at risk of misuse and disruption. However, agencies can take several actions to fully implement their FISMA-mandated programs and improve security controls. Such actions include completing and maintaining accurate inventories of major systems, prioritizing information security efforts based on system risk levels, and strengthening controls that are to prevent, limit, and detect access to its information and information systems.

Mr. Chairman, this concludes my statement. I will be happy to answer your questions.

[The prepared statement of Mr. Wilshusen follows:]

Chairman Tom Davis. Thank you. Ms. Evans.

STATEMENT OF KAREN S. EVANS

Ms. Evans.
Good afternoon, Mr. Chairman. Thank you for inviting me to speak about the status of the Federal Government's efforts to safeguard our information and our systems. My comments today will focus on the progress we have made in improving the security of the Government's information technology as well as our strategy for addressing continuing security challenges. This is an extremely important issue for the administration, and it is equally important to me both professionally and personally because some of the government-wide security performance metrics that we use to evaluate the agencies are also included in my personal performance plan.

On March 1st, OMB issued our third annual report to Congress on the implementation of the Federal Information Security Management Act [FISMA]. Much of the information I will be discussing today is provided in more detail in our report. So based on that, sir, I would be happy to answer any questions that you may have about the report and the status and what we are doing going forward.

[The prepared statement of Ms. Evans follows:]

Chairman Tom Davis. Ms. Evans, let me start with you. Do you plan to issue new or updated guidance regarding your Circular A-130?

Ms. Evans. We do not plan to issue updated guidance on A-130 because we believe that it is based on sound principles that are already reflected in FISMA. With NIST issuing new standards and guidance, we really don't think that we need to revise A-130 at this time, but we will continue to review it.

Chairman Tom Davis. All right. In this year's report, just like last year's report, you mentioned that reporting to US-CERT is sporadic and not complete. What steps are you and US-CERT taking to ensure that agencies are more compliant in these incidents?

Ms. Evans.
In May 2005, we did issue a reporting concept of operations out to the agencies, and so what OMB and DHS are planning to do is followup specifically with the agencies that did not report any incidences to US-CERT to make sure that we all are operating from the same understanding so that we can go back and double-check that an incident is an incident based on this concept of operations that was approved by all the agencies as well.

Chairman Tom Davis. Now, although there has been improvement, there are still several agencies that don't have complete inventories. These include some of the largest: DOD, USDA, Treasury, HHS, and VA. You know, without accurate inventories, how can you be sure that the agencies are making progress? And while C&As are an important component of security, knowing what systems you are running is even more essential. Have you emphasized or has OMB emphasized to the agencies the necessity of a complete inventory? And what challenges have they reported to you in trying to create and maintain an accurate inventory?

Ms. Evans. Yes, sir, we have worked with the agencies, and in the places where the agencies haven't had a completed inventory based on what the IGs have reported, we are meeting specifically with those agencies to be able to address what issues are keeping them from meeting the inventory. But, also, we have included this in the President's management agenda as one of the criteria and that we do assess the agencies on a quarterly basis of their progress on performance. So once an agency makes green, in order to maintain green they have to have a completed inventory.

Chairman Tom Davis. Thank you. Identity theft continues to be a growing problem, especially with the loss of personal and sensitive information. Data breach laws at the State level which require companies to inform individuals when the organization suffers a breach that exposes their personal information have improved our understanding of this problem.
Congress is considering a national data breach notification standard. Currently, there is no requirement for Federal agencies to notify citizens in case there is a breach. I have a few questions along those lines. One, do Federal agencies notify citizens when a breach of personally identifiable information occurs on Government data bases?

Ms. Evans. In responding to that question, sir, we believe the Privacy Act has provisions that address this. But what I would like to do is be able to go back and do a more in-depth analysis and be able to take this question for the record and give you a more thoughtful response about how we should be responding to this.

Chairman Tom Davis. I appreciate that, because that is something that comes up time and time again. What, if any, guidelines exist to determine if a breach requires notification?

Ms. Evans. Again, sir, I need to go back and further research this based on what we have put in place with the Privacy Act, and I would like to take this question for the record so that I can give you a more thoughtful response.

Chairman Tom Davis. Let me ask you something on RFID technology, radiofrequency. RFID technology is being implemented by DOD for tracking supplies. It is being implemented by the State Department for immigration documents and passports. Other agencies may choose to use the technology to control access to physical and logical assets to comply with Homeland Security Presidential Directive 12. A May 2005 GAO report on the Federal Government's use of RFID highlighted FISMA security practices in the context of security concerns with RFID technologies. What agencies within the Federal Government are using RFID technologies for applications that involve sensitive personal information?

Ms. Evans. You have mentioned the State Department, Department of Defense, DHS.
What we would like to do is go back and look more completely at each of the agencies to see what their plans are as it relates to the deployment of RFID beyond what we already have planned.

Chairman Tom Davis. Do you think there is a need for a national standard for maintaining the security and privacy of personal information collected using RFID technology?

Ms. Evans. We believe that if you currently implement the security policies and practices that are in place, if you implement them adequately, those practices and policies would be able to protect the information regardless of the technology, whether it was RFID or any other new emerging technology that would come out.

Chairman Tom Davis. So how do you fine-tune FISMA regarding the use of RFID technology given its increased adoption by Federal agencies that are required to meet FISMA standards?

Ms. Evans. Well, I would recommend at this point that FISMA is about good security practices. It is about managing the risk associated with your security program and your information technology and assets. And it is really not specifically about technologies but about our ability to manage those technologies as we implement them. So in conjunction with working with NIST and having NIST issue policies, guidelines, the standards that they do, I think FISMA is adequate the way that it is, and it is up to us and then the agencies to manage that risk as new technologies come out.

Chairman Tom Davis. OK. Mr. Wilshusen, let me just ask, it seems that when we look over the grades, the largest agencies or those agencies with diverse missions seem to be at the bottom of the grading while the smaller of the major agencies or those with single, well-defined missions seem to improve their grades. How do you think the diverse mission and size play into the issue of information security?

Mr. Wilshusen.
Well, I think certainly that size and the complexity of the organization influences the way an organization organizes, manages, and secures its information technologies. Large Federal departments have multiple, sometimes semi-autonomous operating bureaus and divisions that may have separate missions, business processes, cultures, and technologies that support those processes. However, at some level those technologies interconnect with other systems and networks with other bureaus, and consequently, there might be vulnerabilities in one particular agency or bureau that has an impact on others. Thus, there is really a need for strong security management over that area. However, because these bureaus may be somewhat semi-autonomous and have separate funding, they may not necessarily be conducive to implementing or ceding some of their authority for securing these systems. It is going to take--and the departments might have a more challenging role in trying to create and develop and implement an agency-wide information security program. It is going to require that agency top management and the management of the different bureaus be held accountable and support and be committed to implementing an agency-wide information security program.

Chairman Tom Davis. I think there is a perception in some circles, it seems to me, that FISMA is largely a paperwork exercise. What is your reaction to that?

Mr. Wilshusen. FISMA is designed to be a comprehensive framework for ensuring the effectiveness of information security controls over the information resources that support Federal operations and assets. It requires Federal agencies to develop, document, and implement an agency-wide information security program that contains various elements. Each of these elements is based on best industry practices. These include assessing the risk, developing risk-based policies and procedures that cost-effectively reduce those risks to an acceptable level.
It also requires that agencies provide the training to their employees and contractors to inform them of what these risks are and their responsibilities for practicing and implementing strong security throughout the organizations. It also requires that agencies test and evaluate the effectiveness of their controls over their systems on a periodic basis, and if there are problems, if there are weaknesses, to take corrective actions. These are just basic information security principles and practices that should be implemented. If agencies are reducing FISMA implementation to a paperwork exercise, then they are not going to enjoy the benefits offered by implementing them.

Chairman Tom Davis. Can you think of any incentives or penalties that should be added to improve the agency scorecard ratings?

Mr. Wilshusen. One might be looking at the funding. I believe at one point in time there was discussion on whether agencies, you know, should be looking at the funding, should they be adjusted, should--for agencies that do well versus those that do not.

Chairman Tom Davis. How about the----

Mr. Wilshusen. But that is a double-edged sword.

Chairman Tom Davis. Of course it is. You are taking money from the people who need it the most. Ms. Evans, do you have any thought on that?

Ms. Evans. When we do the analysis for the President's budget every year, one of the key priorities is the cyber security program of each of the agencies. So we do continue to put a priority on that and make sure that agencies that don't have a good security program, that the priority for the funding going forward is spent on that first and that--and we have broken out the budget this year when we submitted the 2007 budget, broke out and showed the relationship of their overall IT budget to the percentage that they spend on IT security as well, and continue to put the priority on that. The thought from the administration is that you should not layer new things on top of bad things.
And so you need to fix the cyber security aspects of that based on all the issues that you brought up already today about implementing new technologies and those types of things. So the incentive is the more efficient you are at getting it done, not just generating the paperwork but really fixing the security and mitigating the risk, then you can move forward and use the funds that you had planned to use for those new activities within your agency or department.

Chairman Tom Davis. And you think the budget reflects that to some extent, is what you are saying?

Ms. Evans. Yes, sir. Yes, sir.

Chairman Tom Davis. Ms. Watson.

Ms. Watson. I missed most of the testimony. I want to thank the chair for having this hearing. But what stands in our way from preventing the hacking and the taking of information and putting illegal information into the process in our computers? What stands in our way from stopping that?

Mr. Wilshusen. One is making sure that the agencies have fully implemented an information security program within that particular agency.

Ms. Watson. Why haven't they?

Mr. Wilshusen. Well, that is a good question and that is one that we constantly seek the answer to. In our reviews we look, when we conduct an information security audit at the Federal agencies, we look at the type of controls that they have in place, the effectiveness of those controls, and we have often found that numerous vulnerabilities exist within their access controls that are designed to prevent, limit, and detect access to their information resources. We also find other types of general controls related to their physical security over their computing resources that also could lead to the unauthorized disclosure, deletion, alteration of sensitive information. And these types of weaknesses have been identified at numerous agencies that we have done audits at.

Ms. Watson. Well, is it that we don't have the technology knowledge to do something? I mean, I know you are auditing, you are looking.
Is it lack of technology knowledge? Is it lack of setting a priority? Is it lack of the funding? Did you--where would you put your finger, if we were to correct this and do it in a hurry? Because I flip on CNN or I flip on one of the morning programs and I find that in our Federal computers people have pornography, etc. How does that happen?

Mr. Wilshusen. Well, certainly there are technical controls that need to be improved and in place to help protect that from happening. But first and foremost, we see information security as a management issue and that it receives sufficient attention and implementation throughout the organization, from top-level management through all layers of the organization, because each and every person has responsibility for information security. But in terms of the management, we do look at various different aspects in terms of is the organization assessing the risk accordingly for the type of information that it collects and processes and maintains; are they developing those policies and controls that are needed to protect that information? And what we often find is, yes, they do that to an extent, and they may develop policies and procedures that are designed, at least, to protect the information and implement strong controls, but a lot of times they are not implementing it. And this often occurs even though at the department level they might have strong policies----

Ms. Watson. Well, let me just stop you there. Does it go to incompetence? You know, I am reading here, each agency is also required to do an annual independent evaluation--let's say of information security. Why would it not be done? And why could they not address it? You know, we are the policymakers here. You are in front of this committee. Maybe you can give us some idea of what our next piece of legislation needs to be.

Mr. Wilshusen. I would like to answer the first question you had there first.

Ms. Watson. OK.

Mr. Wilshusen.
Certainly one of the reasons why there continue to be information security weaknesses at the organizations that we audit is that it is a complex and challenging job. Many of these computing environments, particularly at the larger agencies, have highly complex distributive information systems and networks that are, because of their interconnectivity, vulnerabilities that exist on one server can affect an entire network. And some of these agencies have thousands of servers. And so it is a very dynamic environment in which new applications, new servers, new technologies are being implemented. And if the agencies are not effectively assessing their risk and monitoring the implementation of these technologies on a regular basis, vulnerabilities crop up. And that is how hackers, that is how individuals within the organization can exploit those vulnerabilities for either personal or--gain. Ms. Watson. I heard the key words: effectively assessing. Mr. Wilshusen. Yes. Ms. Watson. And, you know, we ought to be looking at systems before we contract and bring them in to see if they would fit in. Otherwise--you know, we need to plan and we need to assess and evaluate that plan, and we need to have a report. I think that is a requirement. And certainly, you know, new technology adds to the complexities of these systems, but we have to have an overall plan, a master plan. Mr. Wilshusen. Right. And that is one of the benefits of FISMA, of what it provides, is that it requires that agencies implement an agency-wide information security program, and that includes addressing security throughout the entire life cycle of any new technologies or its applications or systems that are being introduced into the department. Ms. Watson. Thank you very much. Appreciate it. Chairman Tom Davis. Mr. Clay. Mr. Clay. Thank you, Mr. Chairman. For Mr. 
Wilshusen, GAO recently completed a draft report for me on the impact the National Information Assurance Partnership program is having on information security within classified programs. Can you speak to the merits of extending NIAP product validation out to those agencies in the non- national security community? Mr. Wilshusen. Sure. All these results are--as you mentioned, we do have a draft report out. It is presently out for comment with the DOD and the agencies. We have not yet received their comment. We anticipate issuing that report later this month in final. But let me just at least talk about the observations that we have identified so far with that program. We identified that the NIAP program does indeed provide and offer some benefits. One, it provides another set of eyes and ears to look and test the security features of information security or systems products that an agency is considering procuring. It also, through the evaluation process, has identified and uncovered flaws within those products. And what we have found and based on our interviews with vendors, the participants in the program, is that the vendor is often correct in those flaws that are identified. And another benefit is that, after going through these processes, some of the vendors decided that they--actually changed their development processes to accommodate the new strength and to mitigate any weaknesses that were identified as their products were evaluated. But at the same time, there are still a number of challenges associated with that program. These also include that, for one, the product is not evaluated against a set of particular requirements. It is more looked at the--it is evaluated based on the procedures that are used to develop the product. Another vulnerability is--or I should say another challenge deals with the cost and time that is involved in processing and evaluating these products. 
We have found that vendors thought it was too costly and took a long period of time to do so. Some of the agencies felt that they did not have a really full population or a pool of evaluated products to choose from. Sometimes, because of the length of the evaluation process, new versions of the product under evaluation were being issued, so they couldn't necessarily get the latest and greatest version of the product. So there are a couple of challenges associated with that program. Mr. Clay. On finding the weaknesses and coming back and correcting it, who gets the bill for that? Do the vendors eat the cost, or do the taxpayers pay the cost? Mr. Wilshusen. I don't know if I can answer that. It is up to the vendors. It depends on, I guess, the contractual requirements, but it is up to the vendors to take the corrective actions on that. Whether they subsequently pass the costs along to the procurers of the product, I can't answer that. Mr. Clay. Thank you. Thank you for your response. Ms. Evans, perhaps you may be able to shed some light on that. But let me ask you, you know, the number of annual risk assessments conducted last year declined when compared to fiscal year 2004 even though the number of systems online increased by nearly 20 percent. DHS--first, what were the factors contributing to this problem at first? Talk to me about DHS, which once again--well, go ahead. Ms. Evans. Well, as you stated, the risk assessments did go down, but we did get an increase in the number of systems that are out there. However, this is also the first year where we did ask the agencies to also assess the systems that they had based on impact, like high, medium, and low impact of those systems. And the agencies did focus their risk assessments on the high-impact systems. And 88 percent of those, I believe, were the ones where the risk assessments going forward on that. 
So we did ask them to make sure that their priority was done the high-impact systems as they were doing the risk assessments, going through and doing the certifications and accreditations, because that is one piece of the certification and accreditation that the agencies do. Mr. Clay. OK, let me stop you there since---- Ms. Evans. Sure. Mr. Clay. Real quickly, give me your impression of ineptitude at DHS in this whole arena. Talk to me about that, as far as them being the coordinator of key information-sharing responsibilities, or a legacy system, are the 22 agencies proving to be too difficult to bring into compliance, or are there other factors? Ms. Evans. Well, DHS is a challenging environment. By bringing all the departments and agencies together there, this really does exemplify the complexity of an environment of a large department that would have to be managed to make sure that you have a good program in place. So what DHS is doing is moving forward trying to bring all that management in place to ensure that they have a good cyber security program and that they can move forward and protect that information and those assets. It does take some time to really be able to demonstrate that progress. And I would say that the things that DHS is doing we may not necessarily see in all the metrics as we measure them in FISMA. But you have brought up that the independent audit is also an essential piece so that they can feed back the results of that from their IG into their programming, to make sure that they are improving that as they go forward. Mr. Clay. Yes. Thank you, but it sounds as though you are defending the incompetence of DHS. Thank you. Chairman Tom Davis. Anything else you want to add? We will dismiss this panel, take a 2 minute recess, and we will come to the next one. Thank you all very much. [Recess.] Chairman Tom Davis. Thank you all for your patience. We are going to now recognize our second distinguished panel. We have Mr. Thomas P. 
Hughes, Chief Information Officer, U.S. Social Security Administration; we have Mr. Thomas Wiesner, the Deputy Chief Information Officer, U.S. Department of Labor; Mr. Robert Lentz, Information Assurance Director at the U.S. Department of Defense; and Mr. Scott Charbo, the Chief Information Officer at the U.S. Department of Homeland Security. It is our policy we swear you in before your testimony, so if you would just rise and raise your right hands. [Witnesses sworn.] Chairman Tom Davis. Thank you very much. Well, you know our rules. We try to hold to 5 minutes. Your entire statement is in the record. We very much appreciate your being with us today. I apologize for the delay with the floor votes, but I think we will be able to move ahead fairly expeditiously here, uninterrupted. Mr. Hughes, we will start with you and we will work straight on down the line. Thank you again for being with us. STATEMENTS OF THOMAS P. HUGHES, CHIEF INFORMATION OFFICER, U.S. SOCIAL SECURITY ADMINISTRATION; THOMAS WIESNER, DEPUTY CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF LABOR; ROBERT F. LENTZ, DIRECTOR, INFORMATION ASSURANCE; U.S. DEPARTMENT OF DEFENSE; AND SCOTT CHARBO, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY STATEMENT OF THOMAS HUGHES Mr. Hughes. Chairman Davis and members of the committee, thank you for inviting me here today to discuss information security at the Social Security Administration. As Chief Information Officer for the agency, I appreciate the opportunity to discuss our implementation of FISMA, the Federal Information Security Management Act of 2002, and our agency's accomplishments in securing and protecting the information in the records we maintain. SSA has always recognized the importance of protecting the security and privacy of the people we serve and ensuring the integrity and accuracy of the records we maintain. The Social Security Board's first regulation, published in 1937, dealt with confidentiality of records. 
For more than 70 years we have honored our commitment to the American people to maintain the confidentiality of these records. This longstanding emphasis on privacy has led to a strong commitment in information security. While we have always safeguarded our records, we also work continuously to ensure that our information technology programs remain responsive to evolving conditions, and we use a variety of proactive security measures, plus independent testing and evaluation security controls, to protect these records. We take an agency-wide approach to information technology security at SSA. SSA's deputy commissioners, along with the CIO, are accountable for the certification of our major IT systems and help to ensure that our IT assets are adequately secured. Here are some of the major highlights of our FISMA 2005 report: All 20 of SSA's major IT systems were certified and accredited. SSA had incorporated National Institute of Standards and Technology security controls into our System Development Life Cycle process. SSA provided IT security awareness to all of our employees, including contractors, and gave specialized in-depth training for those with significant IT security responsibilities. The Office of Inspector General's independent evaluation of our information security program for 2005 confirmed that SSA's remediation, certification and accreditation, and inventory processes are sound. The OIG made a number of recommendations for improvement that we are implementing. For instance, first, we developed security documents for every enterprise architecture platform in the agency and expanded this initiative into the data base environment as well. In addition, we implemented a monitoring program for each system configuration standard and risk model. Second, we agreed with the IG recommendation that SSA should regularly update our continuity of operations plan [COOP], with a disaster recovery plan. 
SSA also has and will participate in disaster recovery exercises, which help validate key elements of our COOP. Finally, to respond to the recommendation regarding improving how we monitor contract security awareness training, we are implementing a process where all contractors with systems access will complete a security awareness training module that will allow us to monitor the process. You asked us to describe the way SSA identifies and tracks information technology security weaknesses. The answer is that SSA is using an automated software tool that allows us to follow corrective security actions all the way to completion. In addition, the system generates detailed reports which then allow management to better evaluate the security status of their systems. You also asked about guidance--resources and/or procedures agencies need to comply with FISMA. I believe that agencies need to constantly challenge the traditional status quo if we are to maintain and enhance our security procedures and comply with FISMA. This is critical in any security environment, but particularly important in today's challenging information environment. While we are proud of our accomplishments, Commissioner Barnhart and all of us at SSA recognize that we must be vigilant in every way to assure that the personal information SSA collects remains secure, the taxpayer dollars are protected, and that public confidence in the Social Security system is maintained. Mr. Chairman, thank you for the opportunity to speak before this committee. I will be pleased to answer any questions. [The prepared statement of Mr. Hughes follows:] [GRAPHIC] [TIFF OMITTED] T7511.042 [GRAPHIC] [TIFF OMITTED] T7511.043 [GRAPHIC] [TIFF OMITTED] T7511.044 [GRAPHIC] [TIFF OMITTED] T7511.045 [GRAPHIC] [TIFF OMITTED] T7511.046 [GRAPHIC] [TIFF OMITTED] T7511.047 [GRAPHIC] [TIFF OMITTED] T7511.048 Chairman Tom Davis. Mr. Hughes, thank you. Mr. Wiesner, thanks for being with us. STATEMENT OF THOMAS WIESNER Mr. Wiesner. 
Good afternoon, Chairman Davis and members of the committee. Thank you for inviting me here today to discuss the Department of Labor's implementation of the Federal Information Security Management Act and the lessons learned over the past several years. Today I will first speak on the challenges the Department has faced over the last few years in implementing its computer security program. I will then expand on the current status of our program and highlight many of the significant improvements. Last, I will provide a snapshot of opportunities for improvement and labor strategy to address those areas. Labor's organizational components, including the Office of the CIO, had different viewpoints FISMA compliance. Additionally, we were an organization of distinct agencies that in many cases operated independently and accomplished individual goals through various IT solutions. Labor agencies, the OIG, and the Office of the CIO were all focused on different and sometimes conflicting priorities. We had to change this culture, including attention to IT security as a key part of everyday business. Under the CIO's direction, the Department arrived at a consensus and we have moved forward to ensure our compliance with FISMA. To that end, the following actions were carried out: In 2001, a security manager was hired and placed in the Office of the CIO to manage the Department-wide security program. In 2002, our IT security policies and procedures were updated to incorporate current OMB and NIST guidance. In 2003, the Department established a Technical Review Board IT Committee subcommittee comprised of agency security managers. This board serves as the Department's first tier of investment review for major IT investments and as a forum to identify and resolve Department-wide IT-related issues, including computer security. In 2003, Secretary Elaine Chao institutionalized a culture of policy and strong computer security under a Secretary's order issued in May 2003. 
This order outlines the roles and responsibilities for managing information technology at the Department, to include IT security responsibilities. In 2003, the Department developed an eGovernment Strategic Plan that ties IT security to the Department's mission. In 2005, the Department updated its IT Strategic Plan, where IT security goals and direction were incorporated. At Labor our computer security program has progressed from a grade of F in 2001 to a B- in 2004. Additionally, our computer security program was a significant contributor to the Department's achieving and maintaining a ``Green'' rating on Expanded Electronic Government on the President's management agenda scorecard. The successes we have achieved to date can be attributed to strong oversight of Department-wide security issues, cooperation at the IT senior management level, and continuous collaboration through Department-wide reviews. The efforts of the Labor IT Security Subcommittee results in sound security practices that enable consistent FISMA reporting from the CIO and the OIG. This is attributed to the following successes: A fully integrated computer security program with capital planning and enterprise architecture programs. A revised system development life cycle management manual to include security requirements at each phase. An OIG-approved plan of action and milestones program since 2003. Quarterly capital planning program reviews that ensures adequate IT security expenditures and semiannual eGovernment reviews of all DOL agencies modeled on the PMA scorecard and FISMA performance metrics. Correspondingly, the Department has maintained a comprehensive Certification and Accreditation program, achieving authority to operate for 100 percent of our major information systems, up from 97 percent in fiscal year 2004. Despite this progress in securing our IT systems at DOL, we recognize that security is a constant challenge and a task that can never be considered complete. 
We have identified three areas for strengthening our computer security program: general and application security controls, patch management, and IT security manager skill competencies. The Department has developed a comprehensive work plan to address these issues, to include the implementation of NIST 800-53 and a Certified Information Systems Security Professional training program and certification exam for DOL security managers. In conclusion, computer security is a core element of our business and culture at the Department of Labor. Secretary Chao, Deputy Secretary Law, agency senior management, and the dedicated DOL IT professionals are committed to the Department's computer security program. As we face the evolution of FISMA compliance, we will strive to maintain a balance of FISMA reporting requirements and the implementation of sound security practices. Mr. Chairman, thank you for the opportunity to provide this brief outline. I would be happy to answer any questions. Thank you. [The prepared statement of Mr. Wiesner follows:] [GRAPHIC] [TIFF OMITTED] T7511.049 [GRAPHIC] [TIFF OMITTED] T7511.050 [GRAPHIC] [TIFF OMITTED] T7511.051 [GRAPHIC] [TIFF OMITTED] T7511.052 Chairman Tom Davis. Thank you very much. Mr. Lentz. STATEMENT OF ROBERT LENTZ Mr. Lentz. Good afternoon, Mr. Chairman and members of the committee. As Chief Information Assurance Officer for the Department of Defense, I appreciate this opportunity to highlight the posture of information security within the Department. The Department leadership is fully engaged in the security efforts in support of FISMA. Secretary Rumsfeld considers information technology a critical strategic component in transforming America's armed forces for the 21st century warfare. Our recently completed Quadrennial Defense Review stresses networks and information security as key areas of focus. Collaboration between the CIO and the war-fighting community is absolutely critical. 
The protection of the network is everybody's business. This can't be overstated. We take specific actions to train, license, qualify, and certify pilots and weapons systems. We must consider no less a standard for the operation, security, integrity of our information systems. The DOD IA strategic plan has for 3 years been institutional component driving strategic objectives for improving our security posture. It also enables FISMA compliance. The Department of Defense uses FISMA as a critical management and assessment tool. We continue to enhance our FISMA efforts. The Department reviewed over 3,500 systems this past year, an increase of more than 1,000 systems from 2004. The Department increased its Authority to Operate rate from 58 percent in 2004 to 82 percent in 2005. In addition, our Total Accreditation rate was at 93 percent. Last year, more than 2 million of the approximate 2.6 million DOD personnel who had access to DOD networks received IA security awareness training. This training was accomplished even while larger members of the servicemembers were deployed to combat theaters. In addition, more than 67,000 individuals with significant security responsibilities received specialized security training. I have identified in the full written testimony many initiatives that DOD has undertaken to improve its Information Security Department. Let me highlight a few others. The Department is aggressively pursuing an enterprise architecture and prioritized enterprise solutions through centralized funding. The Department has comprehensive policies and process for system configurations, a very important area. One example is the distribution by the Air Force of Microsoft software with standard security configuration resulting in improved network security and management. Departmental components are accelerating the use of public key infrastructure, from network access and secure log-on, consistent with HSPD-12. 
Over 3 million personnel are outfitted with common access cards, enabling PKI capabilities throughout the Department. In 2005, the DOD published a comprehensive IA Workforce Improvement program, launching an aggressive effort to certify nearly 80,000 core network professionals. As to identified security weaknesses in this year's FISMA report, we are pleased to advise you of the following remedies: Considering the dynamic operational environment of DOD and the sheer number of systems deployed across the enterprise, we have made significant progress in the area of inventory of our IT systems. We believe that our inventory of major information systems is under control. Regarding the challenges of instituting a process for managing plans of actions and milestones, the Department has a PO&M process that was improved in 2005 from lessons learned and from IG audits. We continue to improve that process by making this year's guidance more detailed and integrated into our C&A guidance as well. We are also developing an automated standardized capability that will add greater visibility to PO&Ms. We believe the Department certification and accreditation process is very solid and getting better. FISMA delegates authority to the Secretary of Defense to develop security policy and guidelines for all of its information systems. The DOD C&A process is consistent with NIST guidelines but designed to address classified national security systems and factor in unique operational challenges. In the area of training in 2005, the DOD components reported a total of 79,000 employees with significant IT security responsibilities. In such a large, dynamic, and changing organization that number will always be in a state of flux. In conclusion, the Department of Defense is committed to a strong and comprehensive security program. Our commitment to improve our FISMA compliance is an essential element of the Department's information security strategy. 
Again, I thank you for the opportunity to comment on this important topic. [The prepared statement of Mr. Lentz follows:] [GRAPHIC] [TIFF OMITTED] T7511.053 [GRAPHIC] [TIFF OMITTED] T7511.054 [GRAPHIC] [TIFF OMITTED] T7511.055 [GRAPHIC] [TIFF OMITTED] T7511.056 [GRAPHIC] [TIFF OMITTED] T7511.057 [GRAPHIC] [TIFF OMITTED] T7511.058 [GRAPHIC] [TIFF OMITTED] T7511.059 [GRAPHIC] [TIFF OMITTED] T7511.060 [GRAPHIC] [TIFF OMITTED] T7511.061 [GRAPHIC] [TIFF OMITTED] T7511.062 [GRAPHIC] [TIFF OMITTED] T7511.063 [GRAPHIC] [TIFF OMITTED] T7511.064 [GRAPHIC] [TIFF OMITTED] T7511.065 [GRAPHIC] [TIFF OMITTED] T7511.066 [GRAPHIC] [TIFF OMITTED] T7511.067 [GRAPHIC] [TIFF OMITTED] T7511.068 Chairman Tom Davis. Thank you very much. Mr. Charbo. STATEMENT OF SCOTT CHARBO Mr. Charbo. Thank you, Mr. Chairman and committee members. My remarks will cover the current status of the Department's implementation of FISMA. The mission of the Department of Homeland Security's information security program is to provide the Department with a secure and trusted computing environment that enables the Department to leverage information technology and effectively and securely share information in support of its many and varied missions. Statutory compliance is a top priority, and the Department's information security program is structured around compliance with FISMA as well as OMB in this guidance. In 2003 and 2004, the Department laid the necessary foundation of effective security policies and architecture guidance. Policies are now codified in a dedicated management directive and a systems security architecture is fully integrated with the Department's architecture. Security policies and architectures are both updated on a regular basis and compliance is enforced through the use of several mandatory security management tools that are now in use throughout the Department. Building on those efforts, the Department completed three major information security initiatives in 2005. 
First, a comprehensive systems and applications inventory was completed in August 2005. The inventory is based on a detailed methodology for identifying systems and applications using standard Federal definitions. This inventory now provides clear accreditation boundaries for each and every operational IT system and assigns responsibilities for those controls to specific individuals, thereby providing a baseline for measuring security compliance. To ensure the inventory remains accurate, annual inventory reviews will continue each year, with a near-term focus on 2006 of linking the inventory to the Department's capital planning and investment control processes, thus allowing the Department to better integrate effective security controls at the beginning of a system's life cycle. In the Department's fiscal year 2005 FISMA report, the Inspector General acknowledged for the first time the completeness and accuracy of our FISMA inventory. Second, an enterprise certification and accreditation tool was successfully fielded in April 2005, and that is now fully integrated with a FISMA management tool fielded in 2004. Third, a comprehensive and repeatable set of information security metrics significantly improved system owner accountability. These metrics now measure and inform progress in completing the accreditation of all operational systems. Monthly information security scorecards provide detailed status updates to Department leadership, and these scorecards are highly successful in improving the accountability of system owners. These three initiatives build on earlier milestones and have now paved the way for real, measurable cyber security improvements. The Department implemented an aggressive remediation project for 2006 with a goal of 100 percent remediation by the end of this year. 
Originally announced by Secretary Chertoff in his keynote address at the Department's annual Security Conference last August, the project moved into full swing in October 2005 and the Department is on its way to full remediation. The Department's FISMA inventory currently includes approximately 700 systems, and prior to the initiation of the remediation project, the number of fully accredited systems was only 26 percent. By the end of February of this year, over 60 percent of those systems are now fully accredited. In just 5 months, the Department has more than doubled the number of accredited systems and it is on track to make the goal of full remediation by the end of the year. It is clear the project is positively affecting the security culture of the Department, and recent upward trends in remediation metrics support the view. The Department must also ensure those systems and applications are connected across a secure enterprise backbone providing shared IT services. To accomplish this goal, an aggressive infrastructure transformation program called One Net was initiated for 2006 to bring all legacy information technology infrastructures under a single enterprise. Benefits of One Net include network optimization and improved quality of service, both of which will significantly enhance information sharing initiatives. Planning for One Net began with a comprehensive security framework that is consistent with the detailed systems security architecture of the Department. As part of the One Net effort, the Department is also fielding its first enterprise-wide network operations and security center. The center is responsible for managing the Department's shared IT enterprise environment in real time, including the discovery and remediation of security incidents as they occur, and represents a significant improvement to our overall security posture. I am confident that the DHS information security program is moving in the right direction. Thank you. 
I look forward to your questions. [The prepared statement of Mr. Charbo follows:] [GRAPHIC] [TIFF OMITTED] T7511.069 [GRAPHIC] [TIFF OMITTED] T7511.070 [GRAPHIC] [TIFF OMITTED] T7511.071 [GRAPHIC] [TIFF OMITTED] T7511.072 [GRAPHIC] [TIFF OMITTED] T7511.073 Chairman Tom Davis. Thank you, all. Now, looking at the report card, we seem to have a reverse bell curve, with agencies settling at either the high end or the low end. For the two over here on my left, or on the right here, what are the major steps your agency took to achieve it? You didn't start off with A's, you worked steadily toward that. And I would say for DOD and then DHS, what are the major challenges you feel prevent you from progressing? Your plan for addressing these challenges you alluded to in your comments, what would you like to see your partners in this process do to help you? I am talking about OMB, GAO, and the IG. I will start with you, Mr. Hughes. You traced out the things you did to get your A+ and maintain it. Mr. Hughes. Mr. Chairman, members of the committee, really, at Social Security there is a strong emphasis on security. It has been there for many years, as I have repeated. And with FISMA, I can tell you we take it very seriously. We meet regularly, we constructively argue regularly, and we try to make corrections. So you have to make that commitment to keep challenging, as executives, the importance of security and that FISMA is a real exercise. And so I don't know if I can say that enough from a practical reality. It is not a paper report, it is real security that we are trying to constantly be aware of. And that is what FISMA teaches us. Chairman Tom Davis. Mr. Wiesner. Mr. Wiesner. At the Department of Labor I would have to say there are a few items that have led to our success. 
One is the strong leadership and management commitment from the Secretary's level through all the levels of management, including assistant secretaries, the various senior IT management staff within the Department of Labor. And it starts at the top and management supports us 100 percent in ensuring that we protect our departmental assets. The second step we have done over the last few years is really integrate IT security into our IT management processes, procedures, and governance models. We start looking at security at the capital planning stage and enterprise architecture, during the systems development life cycle process, the entire life cycle. So we put security integrating into every IT project that we undertake and currently the ones that are under way. And then the other thing we have worked on really hard is to establish a strong relationship with the OIG, recognizing that they have a strong compliance role and they have their views on how they view us as being successful and the things that they discover in their audits and what we should be focusing on, and we establish that relationship and try to form a partnership so we are heading in the right direction. Chairman Tom Davis. Thank you. Mr. Lentz, let me just ask you, I mean, if you had an A+ you would feel your agency was more secure, wouldn't you? Mr. Lentz. Of course, sir. I think the question you asked in your earlier panel, sir, I think goes to the heart of one of the challenges that we have, which, as you said earlier, a very large and a very diverse, dynamic organization that is deployed worldwide and things are changing all the time. I think the discussions that I have had with my peers, other chief security officers in the Department as well as private-sector leaders in this area, I think the point that has to be emphasized is that during the FISMA process, the act calls for an assessment, not an audit. An assessment takes into account a lot of factors. 
In a large organization like the Department of Defense--or Homeland Security, for that matter--you have a changing environment. Where an audit could in fact pick up one or two systems that may not be accounted for or a certain number of personnel that may be deployed that are achieving certain status, you know, I think through that kind of dynamic environment, it makes it very difficult to, at some times, achieve the kind of scores that may be indicative through an auditive process. I think by working closely with the IG, which is indicated by my colleagues, I think that is a very important step in this process and one that we are continuing to strive for.

Chairman Tom Davis. One of the things is, when we got our reports on DOD, we got like four different reports. We get the Army, Navy, Air Force. I mean, it kind of made up just the way that your organization is different from a lot of other agencies in terms of how this is compiled and so on. I mean, is that an obstacle?

Mr. Lentz. I think Secretary Rumsfeld through the QDR process and our new CIO, Mr. Grimes, wants to remove any type of obstacle that may in fact be inferred by that kind of service-oriented environment that we live in. We are very much focused on an enterprise architecture, we are very much focused on an enterprise CIO governance model. And I think we are already seeing improvements in that area already that I think are going to be reflected very much so in next year's report, sir.

Chairman Tom Davis. OK. Mr. Charbo, I will ask you, I mean, obviously you come from a--you had a number of dysfunctional agencies you are trying to put together. You have had a steep climb over there to begin with. So I concede that to you.

Mr. Charbo. Thank you. I think the first thing that we have done--and our numbers, I think, are supporting that we are moving in the right direction right now, in the last 5 months. We have been able to move it more than it has moved in the last couple of years.
But the first piece that we had our teams accept was where we were was not where we wanted to remain. So we admitted that we weren't in the right posture that we wanted to have moving forward in terms of the security of our systems. So we asked Secretary Chertoff to lead that charge for us at our annual conference and then place that accountability to those system owners in the multiple components that we have. We have seen very good response from the Coast Guard and Customs, ICE. Even FEMA has responded well in terms of the accountability for securing the systems. Publishing the inventory was a major milestone for us. It put that benchmark in the sand. Now we are focused on moving that forward. And I guess I would just say, we use a term called "relentless" in the Department. You will get a lot of excuses on how hard this is to do, but we accept that but we still need to move it forward. And that is what we are focused on.

Chairman Tom Davis. But GAO reported that there was a very low level of security incident reporting in DHS. What is the problem? What is the deterrent here? Do we need to do anything to remove those barriers?

Mr. Charbo. I think we have rallied that in here in the last 5 months. We have implemented policies, we have done some training with our systems security professionals that we have in the Department, and we have worked through those processes to assure that we are getting reporting. The other piece that I think will really improve that is how we are going to be monitoring our systems. We have had multiple wide-area networks. So you have different methodologies of reporting. That is now coming through a core NOC-SOC--network operations, security operations center--through our One Net. And they will have a responsibility of moving that to the US-CERT.

Chairman Tom Davis. One of the problems you have at DHS is you have taken all these disparate agencies, over 100 and some 1,000 employees, and put them together, and everybody expects immediate results. This is a work in progress. I mean, this takes years, doesn't it, as a practical matter?

Mr. Charbo. We are going to take 1 year to certify the systems. We will move those, a large milestone--as we say in our statement, we were at 26 percent that we could document and we are now about 60 percent. And it is on the right curve that we want to move through the end of the year. At that point, we will look at the POAMs that are generated, we will go back into those accreditations and do an IV&V, and we will reassess it. It will be an annual routine that we will follow.

Chairman Tom Davis. Let me ask Mr. Hughes and Mr. Wiesner, your agency systems have to connect with State systems that are not covered by FISMA for information sharing purposes. How do you ensure that your information systems are adequately protected under those circumstances?

Mr. Hughes. That is a good question. We have agreements with States and different agencies. We have security procedures and policies that they have to agree to. We have MOUs of these agreements. And we monitor these data exchanges that go between the States and the Federal Government.

Chairman Tom Davis. All right. Ms. Watson.

Ms. Watson. I want to highly commend Mr. Hughes, U.S. Social Security Administration, and Mr. Wiesner, U.S. Department of Labor, for the fact that using the criteria that the committee used, the number of points assigned to each response is proportional to the extent the element has been implemented. You received an A+. And you started from probably lower grades, but you showed your ability to focus like a laser beam and to make the improvements along the way. Going to Mr. Lentz and Mr. Charbo, U.S. Department of Defense defending our country, and U.S. Department of Homeland Security securing our country, you started in year 2005 with an F grade and, at the end of year 2005, you still have an F grade. Can either one of you gentlemen explain to me why? And listening to your reports, it looks like you are just moving along and making progress. But the criteria that the committee used was a methodology that was standardized, and you came up, started with an F, and you are still at an F. Let me know why that is the case. Mr. Lentz, let me start with you.

Mr. Lentz. Well, ma'am, I agree that the challenges that we have in this very large organization will sometimes make the process that we use in terms of assessing our operational status one that creates the kind of assessments that one has to look very hard at, and that is what our leadership is doing every single day. And we take----

Ms. Watson. Let me just stop you. Mr. Lentz, 5 years? Your leadership? Five years and you don't improve based on the methodology that is standardized? The way they judged every single--and I can read off all the departments. Agency for International Development, A+, starting from much lower grades before. Department of Labor, A+. Social Security, A+. Office of Personnel Management, A+. Environmental Protection Agency, A+. National Science Foundation, A. What is happening with the two most strategic and sensitive agencies? What is it? Is there incompetence? Is there cronyism? You know, I don't feel comfortable with my Department of Defense, based on what I see here. I don't feel comfortable that my homeland is secure. And I can take a lesson from September 11th. The perpetrators were sent--the flight school, as I understand, sent them their authority to take flight lessons after September 11th. Something went wrong along the way.
Now, if you had a department, a business that made nails, and you put the metal in at the beginning of the process and, at the end, the nails came out bent, you would stop the whole operation and work backward to find out why those nails are being bent. What is happening with the Department of Defense and Homeland Security that in 5 years, based on the methodology used, you show no improvement? You tell us that the report--I guess the preceding 5 months will look better, but I am wondering what happened in those 5 years. Can you help me understand this?

Mr. Lentz. Well, I think when we look at, when we open up our report and look at it gradually--and, as indicated in my testimony, I think we have shown some clear improvements in all the areas that FISMA is asking for. And on top of that----

Ms. Watson. As of when? Can you help me?

Mr. Lentz. As of starting last year and the year before.

Ms. Watson. Well, why is it--maybe the staff is incompetent, because they graded you. I did not. The committee staff. And maybe I should ask this of the chair. You know, they score by a point. And I probably need to give this to you. And, you know, if you score within a certain range, they assign you a certain letter. And the scores were so low with the Department of Defense and Homeland Security that it resulted in an F. Now, maybe the math is all off. I am trying to be fair. I am trying to understand what is going on with my Department of Defense that you come and you ask us--you know, we have a supplement on the floor asking us for billions of dollars. And, you know, what are you securing, Iraq? Department of Homeland Security, what are you securing? You know, and the grade is still coming out F. I need to understand this so when I go back to my 650,000 constituents that pay taxes, and I--I didn't vote for it, and I am not going to--I can tell them, yeah, we need to vote for this because our Department of Defense says they need this so we can win the war 10,000 miles away. We are not winning the war here. We can't even pick up the rubble down in New Orleans. So you have to prove to me that you are doing something that will secure us as a people and secure our country. And I don't see it. So I am asking for you to educate me, to enlighten me, so I can go back and tell my constituents why I would vote to use their taxpayer dollars to defend against Iraq--which apparently is no threat to us here, but certainly a threat to life and limb over there. Give me some information, please, that there is some competence in this organization that I can take back to my constituents.

Mr. Lentz. In looking at the grading that we have recently seen, there were two assessments that were done, one by the CIO and one by the IG, in the assessment column. The Department of Defense got a score of 85 under the CIO column. And when you look at that holistically and combine that with all the other security measures that were undertaken, such as, as the chairman indicated earlier, identity protection and management using PKI and other methods that we are, I would say that I think our security posture has significantly improved. But at the same time, I must admit, we always in this very dynamic environment that we live in, we have to constantly seek for better improvement in these areas.

Ms. Watson. Let me address the chair. From the response I just received, is there something wrong with this scoring? Because as I look at the information provided to us on the assignment of grades, it says 0 points for a response indicating the percentage that falls below an acceptable threshold. And they give us an example: 50 percent or less known IT security weaknesses being incorporated in the plan of action. That means that you fell below the 50 percent level. Now, if this is the methodology----

Chairman Tom Davis. Well, the methodology is very simple. The CIO scores and the IG scores, and when you are in doubt, GAO takes the IG score.
CIO score is like when you are grading your own paper, to some extent. So in those cases, the GAO, who really gives us the numbers on which we base the grade, goes with the IG score.

Ms. Watson. So I still haven't heard adequate response to my concerns. And I just think there is something wrong in the process. And I would advise the two of you to take the message back from me individually that the Department of Defense, the Department of Homeland Security needs to get about the business of improving the process of securing our land and our people. From what I see, and this is information that the staff gives us, I did not do the research and the evaluation and the assignment myself. You need to know that. I can only go on the information that our professional staff gives us. I would hope the two of you, next time you come, not insult my intelligence. Otherwise, I have to question the competence of staff. But you can't tell me it is working well and the staff gave you an F, and for the last 5 years it has been F. So take that message back to the Secretaries. And Mr. Chertoff has not returned my call. When I was asking him to stop the evictions of 10,000 people, I never got a return call. So he would get an F- from me in terms of being effective just answering a call from a Congress person concerned about making--so I have no trust that it is going to get any better. Now, that is my opinion. I am speaking for myself. And you can take that message back. Thank you, Mr. Chairman, for the time.

Chairman Tom Davis. Thank you very much. I would leave on that high note here, but I think that I will just ask a couple of other questions. We asked the first panel, and I guess in fairness to DHS and DOD, do you think there are issues that arise at the larger agencies that the smaller ones don't have to contend with? I think that has been--we talked about that in our opening statement and I will give you an opportunity to comment on that again.

Mr. Charbo. From DHS's perspective, I think there is a complexity with dealing with lots of large agencies that we have components that we have. That still doesn't change the fact when we looked at our security posture coming into the Department, where we were was not where we wanted to be in terms of our security scores and our FISMA compliance. So we have launched an aggressive project. I see good response coming from those components even though it is large, it is complex. Currently we have the data. We have good progression moving--I see good response coming from those large components, as difficult as it is. I think the GAO had some good comments in the first panel dealing with direct appropriations, and it is difficult to get them to respond. But I would like to have a chance to execute our plan this year. And the plan that we had last year isn't the one we are currently working under.

Chairman Tom Davis. I mean, you are both large organizations but you are very important organizations in terms of vulnerability and where someone who has malice aforethought may be looking. So that is why we focus in on you and I think that is why Ms. Watson is just saying to DOD and Homeland Security these are two agencies that are showing up as more vulnerable than other agencies, and obviously we are alarmed. But we understand there is a lot of complexity. I know in the case of DHS we have cobbled together these different units and you are as strong as your weakest unit, to some extent, the way this works. Mr. Lentz, would you--I will give you an opportunity to comment.

Mr. Lentz. Yes, I completely agree that the complexity of the organization, the dynamics of moving forces--when you deploy ships out to sea, you are changing the network configurations constantly, you are deploying troops overseas, you are creating new network on the fly in global environments and high-risk environments. Clearly in a situation like that, it does represent a lot of new challenges and challenges that we take very seriously.

Chairman Tom Davis. OK. Anything you would like to add?

Mr. Hughes. I would just say that we know our mission, so perhaps--we are a large organization, we have 120,000 work stations, but our mission is clear in terms of our complexity. We know the way we serve our citizens. So I don't think we have absorbed the complexity of an organization like DHS.

Chairman Tom Davis. OK.

Mr. Wiesner. I agree also. We have been an organization around for many, many years, and perhaps that helps out a little bit in terms of absorbing a lot of complexity in a large-scale organization like DHS.

Chairman Tom Davis. Well, of course this committee wrote FISMA. We don't have all the enforcement mechanisms we like, but you have heard Ms. Evans talk about that is something that they take into account as they are putting their budgets together. We are trying to coordinate appropriately with the Appropriations Committee so it is taken into account as they put their budgets together. You can fight the resources department within your own agencies. I am not asking you to come here and put you on the spot and saying are you getting enough resources with your own agency. But we understand. I mean, I understand the issues of this. And we are going to continue to push to give you the resources you need to get the job done. I just want to congratulate those of you that have shown great improvement. And for the others, we will keep trying. I know you have plans to address this. We look forward to seeing you up here again. Thank you very much.

[Whereupon, at 1:41 p.m., the committee was adjourned.]

[The prepared statement of Hon. Henry A. Waxman and additional information submitted for the hearing record follow:]