<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]




 NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER 
                          SECURITY SCORECARDS

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 16, 2006

                               __________

                           Serial No. 109-139

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                      http://www.house.gov/reform


                                 _____

                     U.S. GOVERNMENT PRINTING OFFICE
                             WASHINGTON: 2006        
27-511 PDF





                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California
DAN BURTON, Indiana                  TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California
CANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California          LINDA T. SANCHEZ, California
JON C. PORTER, Nevada                C.A. DUTCH RUPPERSBERGER, Maryland
KENNY MARCHANT, Texas                BRIAN HIGGINS, New York
LYNN A. WESTMORELAND, Georgia        ELEANOR HOLMES NORTON, District of Columbia
PATRICK T. McHENRY, North Carolina   ------
CHARLES W. DENT, Pennsylvania        BERNARD SANDERS, Vermont (Independent)
VIRGINIA FOXX, North Carolina
JEAN SCHMIDT, Ohio

                      David Marin, Staff Director
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel



                            C O N T E N T S

                              ----------                              
Hearing held on March 16, 2006
Statement of:
    Hughes, Thomas P., Chief Information Officer, U.S. Social 
      Security Administration; Thomas Wiesner, Deputy Chief 
      Information Officer, U.S. Department of Labor; Robert F. 
      Lentz, Director, Information Assurance, U.S. Department of 
      Defense; and Scott Charbo, Chief Information Officer, U.S. 
      Department of Homeland Security
        Charbo, Scott
        Hughes, Thomas P.
        Lentz, Robert F.
        Wiesner, Thomas
    Wilshusen, Gregory C., Director, Information Security Issues, 
      U.S. Government Accountability Office; and Karen S. Evans, 
      Administrator, Office of Electronic Government and 
      Information Technology, Office of Management and Budget
        Evans, Karen S.
        Wilshusen, Gregory C.
Letters, statements, etc., submitted for the record by:
    Charbo, Scott, Chief Information Officer, U.S. Department of 
      Homeland Security, prepared statement of
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of
    Evans, Karen S., Administrator, Office of Electronic 
      Government and Information Technology, Office of Management 
      and Budget, prepared statement of
    Hughes, Thomas P., Chief Information Officer, U.S. Social 
      Security Administration, prepared statement of
    Lentz, Robert F., Director, Information Assurance, U.S. 
      Department of Defense, prepared statement of
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of
    Wiesner, Thomas, Deputy Chief Information Officer, U.S. 
      Department of Labor, prepared statement of
    Wilshusen, Gregory C., Director, Information Security Issues, 
      U.S. Government Accountability Office, prepared statement of




 
 NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER 
                          SECURITY SCORECARDS

                              ----------                              


                        THURSDAY, MARCH 16, 2006

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 12:16 p.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis 
(chairman of the committee) presiding.
    Present: Representatives Tom Davis, Platts, Cummings, Clay, 
and Watson.
    Staff present: David Marin, staff director; Keith Ausbrook, 
chief counsel; Chas Phillips, policy counsel; Rob White, press 
secretary; Drew Crockett, deputy director of communication; 
Victoria Proctor, senior professional staff member; Teresa 
Austin, chief clerk; Sarah D'Orsie, deputy clerk; Leneal Scott, 
computer systems manager; Michael McCarthy, minority counsel; 
Earley Green, minority chief clerk; and Jean Gosa, minority 
assistant clerk.
    Chairman Tom Davis. Good afternoon and welcome. The 
committee will come to order.
    Today, the committee is releasing its Federal computer 
security scorecards and will examine the status of agency 
compliance with the Federal Information Security Management Act 
[FISMA].
    Information technology and the Internet drive our economy 
and help the Federal Government to operate with greater 
efficiency and cost savings. E-commerce, information sharing, 
and Internet transactions, such as online tax filings, are so 
common that we take them for granted. Not until an incident 
such as the potential BlackBerry shutdown--which was recently 
settled--are we reminded of our dependence on IT and how 
difficult it is for us to function without it.
    In the past year or so, we have heard stories about 
identity theft, security breaches in large commercial data 
bases, and phishing scams such as those identified by the 
Internal Revenue Service this tax season. We have also seen an 
increase in education and awareness campaigns for online safety 
spearheaded by the private and public sectors. But in my 
experience, when it comes to Federal IT policy and information 
security, it is still difficult to get people--even Members of 
Congress--engaged. For most people this is an abstract, inside-
the-Beltway issue. And FISMA is still viewed by some Federal 
agencies as a paperwork exercise. But these are short-sighted 
observations. As a result of the Government's aggressive push 
to advance e-government, many Government information systems 
hold personal information about citizens and employees, in 
addition to other types of data. Maintaining the integrity, 
privacy, and availability of all information in these systems 
is vital to our national security, continuity of operations, 
and economy.
    Furthermore, in order to successfully fight the war on 
terror, we must be able to move information to the right people 
at the right place at the right time. Information needs to move 
seamlessly, securely, and efficiently within agencies, across 
departments, and across jurisdictions of Government as well.
    Due to the nature of our cyber infrastructure, an attack 
could originate anywhere at any time. We know that Government 
systems are prime targets for hackers, terrorists, hostile 
foreign governments, and identity thieves. Malicious or 
unintended security threats come in varied forms: denial of 
service attacks, malware, worms and viruses, phishing scams, 
and software weaknesses, to just name a few. Any of these 
threats can compromise our information systems. The results can 
be costly, disruptive, and erode public trust in Government.
    One of the best ways to defend against attacks is to have a 
strong, yet flexible, protection policy in place. We want 
agencies to actively protect their systems instead of just 
reacting to the latest threat with patches and other responses. 
FISMA accomplishes this goal by requiring each agency to create 
a comprehensive risk-based approach to agency-wide information 
security management. FISMA strengthens Federal cyber 
preparedness, evaluation, and reporting requirements. It is 
intended to make security management an integral part of an 
agency's operations and to ensure that we are actively using 
best practices to secure our systems and prevent devastating 
damage.
    The committee, with technical assistance from GAO, releases 
annual scorecards based on the FISMA reports submitted to us by 
agency Chief Information Officers and Inspectors General. This 
year, the Federal Government as a whole hardly improved, 
receiving a D+ yet again. Our analysis reveals that the scores 
for the Departments of Defense, Homeland Security, Justice, 
State--the agencies on the front lines in the war on terror--
remained unacceptably low or in some cases dropped 
precipitously. Meanwhile, several agencies improved their 
information security or maintained a consistently high level of 
security from previous years.
    The 2005 FISMA grades indicate that agencies have made 
improvements in developing configuration management plans, 
employee security training, developing and maintaining an 
inventory, certifying and accrediting systems, and annual 
testing. Despite these advances, there are still some areas of 
concern to the committee, including implementation of 
configuration management policies, specialized security 
training for employees with significant security 
responsibilities, inconsistent incident reporting, 
inconsistencies in contingency plan testing, annual testing of 
security controls, and agency responsibility for contractor 
systems.
    At today's hearing, we will evaluate the results of the 
agencies' 2005 FISMA reports, identify strengths and weaknesses 
in Government information security, and learn whether FISMA 
provisions and the OMB guidance are sufficient to help secure 
Government information systems. Witnesses from GAO and OMB will 
help us understand what obstacles impede the Government's 
ability to comply with FISMA. DOD and DHS witnesses will 
discuss the challenges they face in their departments and their 
plans to improve FISMA compliance. We will also hear about best 
practices and lessons learned from the Social Security 
Administration and Department of Labor, two agencies that have 
demonstrated consistent improvements in their information 
security since the scorecard process was initiated in 2001.
    If FISMA was the No Child Left Behind Act, a lot of 
critical agencies would be part of the list of low performers. 
None of us would accept D+ grades on our children's report 
cards. We can't accept these either.
    [The prepared statement of Chairman Tom Davis follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.001-T7511.002
    
    Chairman Tom Davis. Are there any other Members who wish to 
make opening statements? If not, I am going to note that 
Members will have 7 days to submit opening statements for the 
record.
    We are going to recognize our first panel of distinguished 
witnesses. We have Mr. Gregory Wilshusen, the Director of 
Information Security Issues for the U.S. Government 
Accountability Office, and the Honorable Karen Evans, the 
Administrator of the Office of E-Government and Information 
Technology at the Office of Management and Budget. You know it 
is our policy we swear you in before your testimony, so if you 
would just rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you. Let me thank you for your 
perseverance on this.
    Mr. Wilshusen, thank you for being with us.

   STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
  SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND 
KAREN S. EVANS, ADMINISTRATOR, OFFICE OF ELECTRONIC GOVERNMENT 
  AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Thank you, Mr. Chairman.
    I am pleased to be here once again to discuss the efforts 
by Federal agencies to implement the requirements of FISMA. For 
many years, we have reported that inadequate information 
security is a widespread problem that could have devastating 
consequences. Since 1997, we have identified information 
security as a government-wide high-risk issue.
    Today, the Federal Government is facing increasingly 
sophisticated and complex threats to its sensitive information 
systems and information. The need for agencies to implement the 
strong information security controls required by FISMA has 
never been greater.
    My testimony is based, in part, on our analysis of the 
fiscal year 2005 FISMA reports by OMB and 24 major Federal 
agencies and their Inspectors General.
    Mr. Chairman, my bottom-line message is that progress made 
by the agencies in implementing FISMA is mixed, at best. 
Agencies have made progress in several areas but have slipped 
in others.
    Today, I will note areas where agencies have made progress 
and those areas where weaknesses remain. In addition, I will 
discuss actions that agencies can take to improve their 
information security controls.
    Before I do, I would like to recognize OMB for taking steps 
to improve the quality of the FISMA reports. For example, OMB 
required agencies to report, for the first time, certain 
performance measures by system risk level. This provides better 
information about whether agencies are prioritizing their 
information security efforts according to system risk.
    Mr. Chairman, agency FISMA reports present a mixed picture 
of FISMA implementation. The agencies generally reported an 
increasing number of systems meeting key security performance 
measures, such as the percentage of systems certified and 
accredited, and the percentage of contingency plans tested.
    Nevertheless, progress was uneven. For example, the 
percentage of agency systems reviewed declined from 96 percent 
in 2004 to 84 percent in 2005, and the percentage of employees 
and contractors receiving security awareness training also 
declined.
    The reports indicated other challenges as well. Only 13 IGs 
reported that their agencies' inventories of major systems were 
substantially complete. A complete inventory is a key element 
of managing the agency's IT resources, including the security 
of those resources. Without complete inventories, the agencies, 
the administration, and the Congress cannot be fully assured of 
the agencies' progress in implementing FISMA.
    Eight IGs also assessed the quality of their agency's 
certification and accreditation processes as ``poor.'' As a 
result, agency-reported performance data may not accurately 
reflect the status of the agency's efforts to implement this 
requirement.
    And 39 percent of Federal systems did not have a tested 
contingency plan. Without a tested plan, increased risk exists 
that agencies will not be able to recover mission-critical 
systems in a timely manner if an interruption occurs.
    Beyond assessing FISMA requirements, our audits of 
information security at Federal agencies have found significant 
weaknesses related to access controls and other information 
security controls that place a broad array of Federal 
operations and assets at risk of misuse and disruption.
    However, agencies can take several actions to fully 
implement their FISMA-mandated programs and improve security 
controls. Such actions include completing and maintaining 
accurate inventories of major systems, prioritizing information 
security efforts based on system risk levels, and strengthening 
controls that are to prevent, limit, and detect access to its 
information and information systems.
    Mr. Chairman, this concludes my statement. I will be happy 
to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.005-T7511.035
    
    Chairman Tom Davis. Thank you.
    Ms. Evans.

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good afternoon, Mr. Chairman. Thank you for 
inviting me to speak about the status of the Federal 
Government's efforts to safeguard our information and our 
systems.
    My comments today will focus on the progress we have made 
in improving the security of the Government's information 
technology as well as our strategy for addressing continuing 
security challenges.
    This is an extremely important issue for the 
administration, and it is equally important to me both 
professionally and personally because some of the government-
wide security performance metrics that we use to evaluate the 
agencies are also included in my personal performance plan.
    On March 1st, OMB issued our third annual report to 
Congress on the implementation of the Federal Information 
Security Management Act [FISMA]. Much of the information I will 
be discussing today is provided in more detail in our report. 
So based on that, sir, I would be happy to answer any questions 
that you may have about the report and the status and what we 
are doing going forward.
    [The prepared statement of Ms. Evans follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.036-T7511.041
    
    Chairman Tom Davis. Ms. Evans, let me start with you. Do 
you plan to issue new or updated guidance regarding your 
Circular A-130?
    Ms. Evans. We do not plan to issue updated guidance on A-
130 because we believe that it is based on sound principles 
that are already reflected in FISMA. With NIST issuing new 
standards and guidance, we really don't think that we need to 
revise A-130 at this time, but we will continue to review it.
    Chairman Tom Davis. All right. In this year's report, just 
like last year's report, you mentioned that reporting to US-
CERT is sporadic and not complete. What steps are you and US-
CERT taking to ensure that agencies are more compliant in these 
incidents?
    Ms. Evans. In May 2005, we did issue a reporting concept of 
operations out to the agencies, and so what OMB and DHS are 
planning to do is follow up specifically with the agencies that 
did not report any incidences to US-CERT to make sure that we 
all are operating from the same understanding so that we can go 
back and double-check that an incident is an incident based on 
this concept of operations that was approved by all the 
agencies as well.
    Chairman Tom Davis. Now, although there has been 
improvement, there are still several agencies that don't have 
complete inventories. These include some of the largest: DOD, 
USDA, Treasury, HHS, and VA.
    You know, without accurate inventories, how can you be sure 
that the agencies are making progress? And while C&As are an 
important component of security, knowing what systems you are 
running is even more essential. Have you emphasized or has OMB 
emphasized to the agencies the necessity of a complete 
inventory? And what challenges have they reported to you in 
trying to create and maintain an accurate inventory?
    Ms. Evans. Yes, sir, we have worked with the agencies, and 
in the places where the agencies haven't had a completed 
inventory based on what the IGs have reported, we are meeting 
specifically with those agencies to be able to address what 
issues are keeping them from meeting the inventory. But, also, 
we have included this in the President's management agenda as 
one of the criteria and that we do assess the agencies on a 
quarterly basis of their progress on performance.
    So once an agency makes green, in order to maintain green 
they have to have a completed inventory.
    Chairman Tom Davis. Thank you. Identity theft continues to 
be a growing problem, especially with the loss of personal and 
sensitive information. Data breach laws at the State level 
which require companies to inform individuals when the 
organization suffers a breach that exposes their personal 
information have improved our understanding of this problem. 
Congress is considering a national data breach notification 
standard. Currently, there is no requirement for Federal 
agencies to notify citizens in case there is a breach. I have a 
few questions along those lines.
    One, do Federal agencies notify citizens when a breach of 
personally identifiable information occurs on Government data 
bases?
    Ms. Evans. In responding to that question, sir, we believe 
the Privacy Act has provisions that address this. But what I 
would like to do is be able to go back and do a more in-depth 
analysis and be able to take this question for the record and 
give you a more thoughtful response about how we should be 
responding to this.
    Chairman Tom Davis. I appreciate that, because that is 
something that comes up time and time again.
    What, if any, guidelines exist to determine if a breach 
requires notification?
    Ms. Evans. Again, sir, I need to go back and further 
research this based on what we have put in place with the 
Privacy Act, and I would like to take this question for the 
record so that I can give you a more thoughtful response.
    Chairman Tom Davis. Let me ask you something on RFID 
technology, radiofrequency. RFID technology is being 
implemented by DOD for tracking supplies. It is being 
implemented by the State Department for immigration documents 
and passports. Other agencies may choose to use the technology 
to control access to physical and logical assets to comply with 
Homeland Security Presidential Directive 12. A May 2005 GAO 
report on the Federal Government's use of RFID highlighted 
FISMA security practices in the context of security concerns 
with RFID technologies.
    What agencies within the Federal Government are using RFID 
technologies for applications that involve sensitive personal 
information?
    Ms. Evans. You have mentioned the State Department, 
Department of Defense, DHS. What we would like to do is go back 
and look more completely at each of the agencies to see what 
their plans are as it relates to the deployment of RFID beyond 
what we already have planned.
    Chairman Tom Davis. Do you think there is a need for a 
national standard for maintaining the security and privacy of 
personal information collected using RFID technology?
    Ms. Evans. We believe that if you currently implement the 
security policies and practices that are in place, if you 
implement them adequately, those practices and policies would 
be able to protect the information regardless of the 
technology, whether it was RFID or any other new emerging 
technology that would come out.
    Chairman Tom Davis. So how do you fine-tune FISMA regarding 
the use of RFID technology given its increased adoption by 
Federal agencies that are required to meet FISMA standards?
    Ms. Evans. Well, I would recommend at this point that FISMA 
is about good security practices. It is about managing the risk 
associated with your security program and your information 
technology and assets. And it is really not specifically about 
technologies but about our ability to manage those technologies 
as we implement them.
    So in conjunction with working with NIST and having NIST 
issue policies, guidelines, the standards that they do, I think 
FISMA is adequate the way that it is, and it is up to us and 
then the agencies to manage that risk as new technologies come 
out.
    Chairman Tom Davis. OK. Mr. Wilshusen, let me just ask, it 
seems that when we look over the grades, the largest agencies 
or those agencies with diverse missions seem to be at the 
bottom of the grading while the smaller of the major agencies 
or those with single, well-defined missions seem to improve 
their grades. How do you think the diverse mission and size 
play into the issue of information security?
    Mr. Wilshusen. Well, I think certainly that size and the 
complexity of the organization influences the way an 
organization organizes, manages, and secures its information 
technologies. Large Federal departments have multiple, 
sometimes semi-autonomous operating bureaus and divisions that 
may have separate missions, business processes, cultures, and 
technologies that support those processes.
    However, at some level those technologies interconnect with 
other systems and networks with other bureaus, and 
consequently, there might be vulnerabilities in one particular 
agency or bureau that has an impact on others. Thus, there is 
really a need for strong security management over that area. 
However, because these bureaus may be somewhat semi-autonomous 
and have separate funding, they may not necessarily be 
conducive to implementing or ceding some of their authority for 
securing these systems.
    It is going to take--and the departments might have a more 
challenging role in trying to create and develop and implement 
an agency-wide information security program. It is going to 
require that agency top management and the management of the 
different bureaus be held accountable and support and be 
committed to implementing an agency-wide information security 
program.
    Chairman Tom Davis. I think there is a perception in some 
circles, it seems to me, that FISMA is largely a paperwork 
exercise. What is your reaction to that?
    Mr. Wilshusen. FISMA is designed to be a comprehensive 
framework for ensuring the effectiveness of information 
security controls over the information resources that support 
Federal operations and assets. It requires Federal agencies to 
develop, document, and implement an agency-wide information 
security program that contains various elements. Each of these 
elements is based on best industry practices. These include 
assessing the risk, developing risk-based policies and 
procedures that cost-effectively reduce those risks to an 
acceptable level. It also requires that agencies provide the 
training to their employees and contractors to inform them of 
what these risks are and their responsibilities for practicing 
and implementing strong security throughout the organizations.
    It also requires that agencies test and evaluate the 
effectiveness of their controls over their systems on a 
periodic basis, and if there are problems, if there are 
weaknesses, to take corrective actions.
    These are just basic information security principles and 
practices that should be implemented. If agencies are reducing 
FISMA implementation to a paperwork exercise, then they are not 
going to enjoy the benefits offered by implementing them.
    Chairman Tom Davis. Can you think of any incentives or 
penalties that should be added to improve the agency scorecard 
ratings?
    Mr. Wilshusen. One might be looking at the funding. I 
believe at one point in time there was discussion on whether 
agencies, you know, should be looking at the funding, should 
they be adjusted, should--for agencies that do well versus 
those that do not.
    Chairman Tom Davis. How about the----
    Mr. Wilshusen. But that is a double-edged sword.
    Chairman Tom Davis. Of course it is. You are taking money 
from the people who need it the most.
    Ms. Evans, do you have any thought on that?
    Ms. Evans. When we do the analysis for the President's 
budget every year, one of the key priorities is the cyber 
security program of each of the agencies. So we do continue to 
put a priority on that and make sure that agencies that don't 
have a good security program, that the priority for the funding 
going forward is spent on that first and that--and we have 
broken out the budget this year when we submitted the 2007 
budget, broke out and showed the relationship of their overall 
IT budget to the percentage that they spend on IT security as 
well, and continue to put the priority on that.
    The thought from the administration is that you should not 
layer new things on top of bad things. And so you need to fix 
the cyber security aspects of that based on all the issues that 
you brought up already today about implementing new 
technologies and those types of things.
    So the incentive is the more efficient you are at getting 
it done, not just generating the paperwork but really fixing 
the security and mitigating the risk, then you can move forward 
and use the funds that you had planned to use for those new 
activities within your agency or department.
    Chairman Tom Davis. And you think the budget reflects that 
to some extent, is what you are saying?
    Ms. Evans. Yes, sir. Yes, sir.
    Chairman Tom Davis. Ms. Watson.
    Ms. Watson. I missed most of the testimony. I want to thank 
the chair for having this hearing. But what stands in our way 
from preventing the hacking and the taking of information and 
putting illegal information into the process in our computers? 
What stands in our way from stopping that?
    Mr. Wilshusen. One is making sure that the agencies have 
fully implemented an information security program within that 
particular agency.
    Ms. Watson. Why haven't they?
    Mr. Wilshusen. Well, that is a good question and that is 
one that we constantly seek the answer to. In our reviews we 
look, when we conduct an information security audit at the 
Federal agencies, we look at the type of controls that they 
have in place, the effectiveness of those controls, and we have 
often found that numerous vulnerabilities exist within their 
access controls that are designed to prevent, limit, and detect 
access to their information resources. We also find other types 
of general controls related to their physical security over 
their computing resources that also could lead to the 
unauthorized disclosure, deletion, alteration of sensitive 
information. And these types of weaknesses have been identified 
at numerous agencies that we have done audits at.
    Ms. Watson. Well, is it that we don't have the technology 
knowledge to do something? I mean, I know you are auditing, you 
are looking. Is it lack of technology knowledge? Is it lack of 
setting a priority? Is it lack of the funding? Did you--where 
would you put your finger, if we were to correct this and do it 
in a hurry? Because I flip on CNN or I flip on one of the 
morning programs and I find that in our Federal computers 
people have pornography, etc. How does that happen?
    Mr. Wilshusen. Well, certainly there are technical controls 
that need to be improved and in place to help protect that from 
happening. But first and foremost, we see information security 
as a management issue and that it receives sufficient attention 
and implementation throughout the organization, from top-level 
management through all layers of the organization, because each 
and every person has responsibility for information security. 
But in terms of the management, we do look at various different 
aspects in terms of is the organization assessing the risk 
accordingly for the type of information that it collects and 
processes and maintains; are they developing those policies and 
controls that are needed to protect that information?
    And what we often find is, yes, they do that to an extent, 
and they may develop policies and procedures that are designed, 
at least, to protect the information and implement strong 
controls, but a lot of times they are not implementing it. And 
this often occurs even though at the department level they 
might have strong policies----
    Ms. Watson. Well, let me just stop you there. Does it go to 
incompetence? You know, I am reading here, each agency is also 
required to do an annual independent evaluation--let's say of 
information security. Why would it not be done? And why could 
they not address it?
    You know, we are the policymakers here. You are in front of 
this committee. Maybe you can give us some idea of what our 
next piece of legislation needs to be.
    Mr. Wilshusen. I would like to answer the first question 
you had there first.
    Ms. Watson. OK.
    Mr. Wilshusen. Certainly one of the reasons why there 
continue to be information security weaknesses at the 
organizations that we audit is that it is a complex and 
challenging job. Many of these computing environments, 
particularly at the larger agencies, have highly complex 
distributed information systems and networks in which, because 
of their interconnectivity, vulnerabilities that exist on one 
server can affect an entire network. And some of these agencies 
have thousands of servers. And so it is a very dynamic 
environment in which new applications, new servers, new 
technologies are being implemented. And if the agencies are not 
effectively assessing their risk and monitoring the 
implementation of these technologies on a regular basis, 
vulnerabilities crop up. And that is how hackers, that is how 
individuals within the organization can exploit those 
vulnerabilities for either personal or--gain.
    Ms. Watson. I heard the key words: effectively assessing.
    Mr. Wilshusen. Yes.
    Ms. Watson. And, you know, we ought to be looking at 
systems before we contract and bring them in to see if they 
would fit in. Otherwise--you know, we need to plan and we need 
to assess and evaluate that plan, and we need to have a report. 
I think that is a requirement. And certainly, you know, new 
technology adds to the complexities of these systems, but we 
have to have an overall plan, a master plan.
    Mr. Wilshusen. Right. And that is one of the benefits of 
FISMA, of what it provides, is that it requires that agencies 
implement an agency-wide information security program, and that 
includes addressing security throughout the entire life cycle 
of any new technologies or its applications or systems that are 
being introduced into the department.
    Ms. Watson. Thank you very much. Appreciate it.
    Chairman Tom Davis. Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman.
    For Mr. Wilshusen, GAO recently completed a draft report 
for me on the impact the National Information Assurance 
Partnership program is having on information security within 
classified programs. Can you speak to the merits of extending 
NIAP product validation out to those agencies in the non-
national security community?
    Mr. Wilshusen. Sure. All these results are--as you 
mentioned, we do have a draft report out. It is presently out 
for comment with the DOD and the agencies. We have not yet 
received their comment. We anticipate issuing that report later 
this month in final.
    But let me just at least talk about the observations that 
we have identified so far with that program. We identified that 
the NIAP program does indeed provide and offer some benefits. 
One, it provides another set of eyes and ears to look and test 
the security features of information security or systems 
products that an agency is considering procuring. It also, 
through the evaluation process, has identified and uncovered 
flaws within those products. And what we have found and based 
on our interviews with vendors, the participants in the 
program, is that the vendor often corrects those flaws that 
are identified.
    And another benefit is that, after going through these 
processes, some of the vendors decided that they--actually 
changed their development processes to accommodate the new 
strength and to mitigate any weaknesses that were identified as 
their products were evaluated.
    But at the same time, there are still a number of 
challenges associated with that program. These also include 
that, for one, the product is not evaluated against a set of 
particular requirements. It is more looked at the--it is 
evaluated based on the procedures that are used to develop the 
product. Another vulnerability is--or I should say another 
challenge deals with the cost and time that is involved in 
processing and evaluating these products. We have found that 
vendors thought it was too costly and took a long period of 
time to do so.
    Some of the agencies felt that they did not have a really 
full population or a pool of evaluated products to choose from. 
Sometimes, because of the length of the evaluation process, new 
versions of the product under evaluation were being issued, so 
they couldn't necessarily get the latest and greatest version 
of the product.
    So there are a couple of challenges associated with that 
program.
    Mr. Clay. On finding the weaknesses and coming back and 
correcting it, who gets the bill for that? Do the vendors eat 
the cost, or do the taxpayers pay the cost?
    Mr. Wilshusen. I don't know if I can answer that. It is up 
to the vendors. It depends on, I guess, the contractual 
requirements, but it is up to the vendors to take the 
corrective actions on that. Whether they subsequently pass the 
costs along to the procurers of the product, I can't answer 
that.
    Mr. Clay. Thank you. Thank you for your response.
    Ms. Evans, perhaps you may be able to shed some light on 
that. But let me ask you, you know, the number of annual risk 
assessments conducted last year declined when compared to 
fiscal year 2004 even though the number of systems online 
increased by nearly 20 percent. DHS--first, what were the 
factors contributing to this problem at first? Talk to me about 
DHS, which once again--well, go ahead.
    Ms. Evans. Well, as you stated, the risk assessments did go 
down, but we did get an increase in the number of systems that 
are out there. However, this is also the first year where we 
did ask the agencies to also assess the systems that they had 
based on impact, like high, medium, and low impact of those 
systems. And the agencies did focus their risk assessments on 
the high-impact systems. And 88 percent of those, I believe, 
were the ones where the risk assessments going forward on that.
    So we did ask them to make sure that their priority was 
done on the high-impact systems as they were doing the risk 
assessments, going through and doing the certifications and 
accreditations, because that is one piece of the certification 
and accreditation that the agencies do.
    Mr. Clay. OK, let me stop you there since----
    Ms. Evans. Sure.
    Mr. Clay. Real quickly, give me your impression of 
ineptitude at DHS in this whole arena. Talk to me about that, 
as far as them being the coordinator of key information-sharing 
responsibilities, or a legacy system, are the 22 agencies 
proving to be too difficult to bring into compliance, or are 
there other factors?
    Ms. Evans. Well, DHS is a challenging environment. By 
bringing all the departments and agencies together there, this 
really does exemplify the complexity of an environment of a 
large department that would have to be managed to make sure 
that you have a good program in place. So what DHS is doing is 
moving forward trying to bring all that management in place to 
ensure that they have a good cyber security program and that 
they can move forward and protect that information and those 
assets.
    It does take some time to really be able to demonstrate 
that progress. And I would say that the things that DHS is 
doing we may not necessarily see in all the metrics as we 
measure them in FISMA. But you have brought up that the 
independent audit is also an essential piece so that they can 
feed back the results of that from their IG into their 
programming, to make sure that they are improving that as they 
go forward.
    Mr. Clay. Yes. Thank you, but it sounds as though you are 
defending the incompetence of DHS. Thank you.
    Chairman Tom Davis. Anything else you want to add?
    We will dismiss this panel, take a 2 minute recess, and we 
will come to the next one.
    Thank you all very much.
    [Recess.]
    Chairman Tom Davis. Thank you all for your patience.
    We are going to now recognize our second distinguished 
panel. We have Mr. Thomas P. Hughes, Chief Information Officer, 
U.S. Social Security Administration; we have Mr. Thomas 
Wiesner, the Deputy Chief Information Officer, U.S. Department 
of Labor; Mr. Robert Lentz, Information Assurance Director at 
the U.S. Department of Defense; and Mr. Scott Charbo, the Chief 
Information Officer at the U.S. Department of Homeland 
Security.
    It is our policy we swear you in before your testimony, so 
if you would just rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you very much.
    Well, you know our rules. We try to hold to 5 minutes. Your 
entire statement is in the record. We very much appreciate your 
being with us today. I apologize for the delay with the floor 
votes, but I think we will be able to move ahead fairly 
expeditiously here, uninterrupted.
    Mr. Hughes, we will start with you and we will work 
straight on down the line. Thank you again for being with us.

STATEMENTS OF THOMAS P. HUGHES, CHIEF INFORMATION OFFICER, U.S. 
 SOCIAL SECURITY ADMINISTRATION; THOMAS WIESNER, DEPUTY CHIEF 
INFORMATION OFFICER, U.S. DEPARTMENT OF LABOR; ROBERT F. LENTZ, 
 DIRECTOR, INFORMATION ASSURANCE; U.S. DEPARTMENT OF DEFENSE; 
AND SCOTT CHARBO, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

                   STATEMENT OF THOMAS HUGHES

    Mr. Hughes. Chairman Davis and members of the committee, 
thank you for inviting me here today to discuss information 
security at the Social Security Administration. As Chief 
Information Officer for the agency, I appreciate the 
opportunity to discuss our implementation of FISMA, the Federal 
Information Security Management Act of 2002, and our agency's 
accomplishments in securing and protecting the information in 
the records we maintain.
    SSA has always recognized the importance of protecting the 
security and privacy of the people we serve and ensuring the 
integrity and accuracy of the records we maintain. The Social 
Security Board's first regulation, published in 1937, dealt 
with confidentiality of records. For more than 70 years we have 
honored our commitment to the American people to maintain the 
confidentiality of these records. This longstanding emphasis on 
privacy has led to a strong commitment in information security.
    While we have always safeguarded our records, we also work 
continuously to ensure that our information technology programs 
remain responsive to evolving conditions, and we use a variety 
of proactive security measures, plus independent testing and 
evaluation of security controls, to protect these records. We take 
an agency-wide approach to information technology security at 
SSA. SSA's deputy commissioners, along with the CIO, are 
accountable for the certification of our major IT systems and 
help to ensure that our IT assets are adequately secured.
    Here are some of the major highlights of our FISMA 2005 
report: All 20 of SSA's major IT systems were certified and 
accredited.
    SSA had incorporated National Institute of Standards and 
Technology security controls into our System Development Life 
Cycle process.
    SSA provided IT security awareness to all of our employees, 
including contractors, and gave specialized in-depth training 
for those with significant IT security responsibilities.
    The Office of Inspector General's independent evaluation of 
our information security program for 2005 confirmed that SSA's 
remediation, certification and accreditation, and inventory 
processes are sound. The OIG made a number of recommendations 
for improvement that we are implementing.
    For instance, first, we developed security documents for 
every enterprise architecture platform in the agency and 
expanded this initiative into the data base environment as 
well. In addition, we implemented a monitoring program for each 
system configuration standard and risk model.
    Second, we agreed with the IG recommendation that SSA 
should regularly update our continuity of operations plan 
[COOP], with a disaster recovery plan. SSA also has and will 
participate in disaster recovery exercises, which help validate 
key elements of our COOP.
    Finally, to respond to the recommendation regarding 
improving how we monitor contract security awareness training, 
we are implementing a process where all contractors with 
systems access will complete a security awareness training 
module that will allow us to monitor the process.
    You asked us to describe the way SSA identifies and tracks 
information technology security weaknesses. The answer is that 
SSA is using an automated software tool that allows us to 
follow corrective security actions all the way to completion. 
In addition, the system generates detailed reports which then 
allow management to better evaluate the security status of 
their systems.
    You also asked about guidance--resources and/or procedures 
agencies need to comply with FISMA. I believe that agencies 
need to constantly challenge the traditional status quo if we 
are to maintain and enhance our security procedures and comply 
with FISMA. This is critical in any security environment, but 
particularly important in today's challenging information 
environment.
    While we are proud of our accomplishments, Commissioner 
Barnhart and all of us at SSA recognize that we must be 
vigilant in every way to assure that the personal information 
SSA collects remains secure, the taxpayer dollars are 
protected, and that public confidence in the Social Security 
system is maintained.
    Mr. Chairman, thank you for the opportunity to speak before 
this committee. I will be pleased to answer any questions.
    [The prepared statement of Mr. Hughes follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.042
    
    [GRAPHIC] [TIFF OMITTED] T7511.043
    
    [GRAPHIC] [TIFF OMITTED] T7511.044
    
    [GRAPHIC] [TIFF OMITTED] T7511.045
    
    [GRAPHIC] [TIFF OMITTED] T7511.046
    
    [GRAPHIC] [TIFF OMITTED] T7511.047
    
    [GRAPHIC] [TIFF OMITTED] T7511.048
    
    Chairman Tom Davis. Mr. Hughes, thank you.
    Mr. Wiesner, thanks for being with us.

                  STATEMENT OF THOMAS WIESNER

    Mr. Wiesner. Good afternoon, Chairman Davis and members of 
the committee. Thank you for inviting me here today to discuss 
the Department of Labor's implementation of the Federal 
Information Security Management Act and the lessons learned 
over the past several years.
    Today I will first speak on the challenges the Department 
has faced over the last few years in implementing its computer 
security program. I will then expand on the current status of 
our program and highlight many of the significant improvements. 
Last, I will provide a snapshot of opportunities for 
improvement and labor strategy to address those areas.
    Labor's organizational components, including the Office of 
the CIO, had different viewpoints on FISMA compliance. 
Additionally, we were an organization of distinct agencies that 
in many cases operated independently and accomplished 
individual goals through various IT solutions. Labor agencies, 
the OIG, and the Office of the CIO were all focused on 
different and sometimes conflicting priorities. We had to 
change this culture, including attention to IT security as a 
key part of everyday business. Under the CIO's direction, the 
Department arrived at a consensus and we have moved forward to 
ensure our compliance with FISMA.
    To that end, the following actions were carried out: In 
2001, a security manager was hired and placed in the Office of 
the CIO to manage the Department-wide security program.
    In 2002, our IT security policies and procedures were 
updated to incorporate current OMB and NIST guidance.
    In 2003, the Department established a Technical Review 
Board IT Committee subcommittee comprised of agency security 
managers. This board serves as the Department's first tier of 
investment review for major IT investments and as a forum to 
identify and resolve Department-wide IT-related issues, 
including computer security.
    In 2003, Secretary Elaine Chao institutionalized a culture 
of policy and strong computer security under a Secretary's 
order issued in May 2003. This order outlines the roles and 
responsibilities for managing information technology at the 
Department, to include IT security responsibilities.
    In 2003, the Department developed an eGovernment Strategic 
Plan that ties IT security to the Department's mission.
    In 2005, the Department updated its IT Strategic Plan, 
where IT security goals and direction were incorporated.
    At Labor our computer security program has progressed from 
a grade of F in 2001 to a B- in 2004. Additionally, our 
computer security program was a significant contributor to the 
Department's achieving and maintaining a ``Green'' rating on 
Expanded Electronic Government on the President's management 
agenda scorecard.
    The successes we have achieved to date can be attributed to 
strong oversight of Department-wide security issues, 
cooperation at the IT senior management level, and continuous 
collaboration through Department-wide reviews. The efforts of 
the Labor IT Security Subcommittee result in sound security 
practices that enable consistent FISMA reporting from the CIO 
and the OIG. This is attributed to the following successes: A 
fully integrated computer security program with capital 
planning and enterprise architecture programs. A revised system 
development life cycle management manual to include security 
requirements at each phase. An OIG-approved plan of action and 
milestones program since 2003. Quarterly capital planning 
program reviews that ensure adequate IT security expenditures 
and semiannual eGovernment reviews of all DOL agencies modeled 
on the PMA scorecard and FISMA performance metrics.
    Correspondingly, the Department has maintained a 
comprehensive Certification and Accreditation program, 
achieving authority to operate for 100 percent of our major 
information systems, up from 97 percent in fiscal year 2004.
    Despite this progress in securing our IT systems at DOL, we 
recognize that security is a constant challenge and a task that 
can never be considered complete. We have identified three 
areas for strengthening our computer security program: general 
and application security controls, patch management, and IT 
security manager skill competencies.
    The Department has developed a comprehensive work plan to 
address these issues, to include the implementation of NIST 
800-53 and a Certified Information Systems Security 
Professional training program and certification exam for DOL 
security managers.
    In conclusion, computer security is a core element of our 
business and culture at the Department of Labor. Secretary 
Chao, Deputy Secretary Law, agency senior management, and the 
dedicated DOL IT professionals are committed to the 
Department's computer security program. As we face the 
evolution of FISMA compliance, we will strive to maintain a 
balance of FISMA reporting requirements and the implementation 
of sound security practices.
    Mr. Chairman, thank you for the opportunity to provide this 
brief outline. I would be happy to answer any questions. Thank 
you.
    [The prepared statement of Mr. Wiesner follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.049
    
    [GRAPHIC] [TIFF OMITTED] T7511.050
    
    [GRAPHIC] [TIFF OMITTED] T7511.051
    
    [GRAPHIC] [TIFF OMITTED] T7511.052
    
    Chairman Tom Davis. Thank you very much.
    Mr. Lentz.

                   STATEMENT OF ROBERT LENTZ

    Mr. Lentz. Good afternoon, Mr. Chairman and members of the 
committee. As Chief Information Assurance Officer for the 
Department of Defense, I appreciate this opportunity to 
highlight the posture of information security within the 
Department.
    The Department leadership is fully engaged in the security 
efforts in support of FISMA. Secretary Rumsfeld considers 
information technology a critical strategic component in 
transforming America's armed forces for the 21st century 
warfare. Our recently completed Quadrennial Defense Review 
stresses networks and information security as key areas of 
focus.
    Collaboration between the CIO and the war-fighting 
community is absolutely critical. The protection of the network 
is everybody's business. This can't be overstated. We take 
specific actions to train, license, qualify, and certify pilots 
and weapons systems. We must consider no less a standard for 
the operation, security, integrity of our information systems.
    The DOD IA strategic plan has for 3 years been an 
institutional component driving strategic objectives for 
improving our security posture. It also enables FISMA 
compliance. The Department of Defense uses FISMA as a critical 
management and assessment tool. We continue to enhance our 
FISMA efforts.
    The Department reviewed over 3,500 systems this past year, 
an increase of more than 1,000 systems from 2004. The 
Department increased its Authority to Operate rate from 58 
percent in 2004 to 82 percent in 2005. In addition, our Total 
Accreditation rate was at 93 percent.
    Last year, more than 2 million of the approximate 2.6 
million DOD personnel who had access to DOD networks received 
IA security awareness training. This training was accomplished 
even while large numbers of servicemembers were deployed 
to combat theaters. In addition, more than 67,000 individuals 
with significant security responsibilities received specialized 
security training.
    I have identified in the full written testimony many 
initiatives that DOD has undertaken to improve its Information 
Security Department. Let me highlight a few others.
    The Department is aggressively pursuing an enterprise 
architecture and prioritized enterprise solutions through 
centralized funding.
    The Department has comprehensive policies and process for 
system configurations, a very important area. One example is 
the distribution by the Air Force of Microsoft software with 
standard security configuration resulting in improved network 
security and management.
    Departmental components are accelerating the use of public 
key infrastructure for network access and secure log-on, 
consistent with HSPD-12. Over 3 million personnel are outfitted 
with common access cards, enabling PKI capabilities throughout 
the Department.
    In 2005, the DOD published a comprehensive IA Workforce 
Improvement program, launching an aggressive effort to certify 
nearly 80,000 core network professionals.
    As to identified security weaknesses in this year's FISMA 
report, we are pleased to advise you of the following remedies: 
Considering the dynamic operational environment of DOD and the 
sheer number of systems deployed across the enterprise, we have 
made significant progress in the area of inventory of our IT 
systems. We believe that our inventory of major information 
systems is under control.
    Regarding the challenges of instituting a process for 
managing plans of actions and milestones, the Department has a 
POA&M process that was improved in 2005 from lessons learned and 
from IG audits. We continue to improve that process by making 
this year's guidance more detailed and integrated into our C&A 
guidance as well.
    We are also developing an automated standardized capability 
that will add greater visibility to POA&Ms.
    We believe the Department certification and accreditation 
process is very solid and getting better. FISMA delegates 
authority to the Secretary of Defense to develop security 
policy and guidelines for all of its information systems. The 
DOD C&A process is consistent with NIST guidelines but designed 
to address classified national security systems and factor in 
unique operational challenges.
    In the area of training in 2005, the DOD components 
reported a total of 79,000 employees with significant IT 
security responsibilities. In such a large, dynamic, and 
changing organization that number will always be in a state of 
flux.
    In conclusion, the Department of Defense is committed to a 
strong and comprehensive security program. Our commitment to 
improve our FISMA compliance is an essential element of the 
Department's information security strategy.
    Again, I thank you for the opportunity to comment on this 
important topic.
    [The prepared statement of Mr. Lentz follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.053
    
    [GRAPHIC] [TIFF OMITTED] T7511.054
    
    [GRAPHIC] [TIFF OMITTED] T7511.055
    
    [GRAPHIC] [TIFF OMITTED] T7511.056
    
    [GRAPHIC] [TIFF OMITTED] T7511.057
    
    [GRAPHIC] [TIFF OMITTED] T7511.058
    
    [GRAPHIC] [TIFF OMITTED] T7511.059
    
    [GRAPHIC] [TIFF OMITTED] T7511.060
    
    [GRAPHIC] [TIFF OMITTED] T7511.061
    
    [GRAPHIC] [TIFF OMITTED] T7511.062
    
    [GRAPHIC] [TIFF OMITTED] T7511.063
    
    [GRAPHIC] [TIFF OMITTED] T7511.064
    
    [GRAPHIC] [TIFF OMITTED] T7511.065
    
    [GRAPHIC] [TIFF OMITTED] T7511.066
    
    [GRAPHIC] [TIFF OMITTED] T7511.067
    
    [GRAPHIC] [TIFF OMITTED] T7511.068
    
    Chairman Tom Davis. Thank you very much.
    Mr. Charbo.

                   STATEMENT OF SCOTT CHARBO

    Mr. Charbo. Thank you, Mr. Chairman and committee members. 
My remarks will cover the current status of the Department's 
implementation of FISMA.
    The mission of the Department of Homeland Security's 
information security program is to provide the Department with 
a secure and trusted computing environment that enables the 
Department to leverage information technology and effectively 
and securely share information in support of its many and 
varied missions. Statutory compliance is a top priority, and 
the Department's information security program is structured 
around compliance with FISMA as well as OMB and NIST guidance.
    In 2003 and 2004, the Department laid the necessary 
foundation of effective security policies and architecture 
guidance. Policies are now codified in a dedicated management 
directive and a systems security architecture is fully 
integrated with the Department's architecture.
    Security policies and architectures are both updated on a 
regular basis and compliance is enforced through the use of 
several mandatory security management tools that are now in use 
throughout the Department. Building on those efforts, the 
Department completed three major information security 
initiatives in 2005.
    First, a comprehensive systems and applications inventory 
was completed in August 2005. The inventory is based on a 
detailed methodology for identifying systems and applications 
using standard Federal definitions. This inventory now provides 
clear accreditation boundaries for each and every operational 
IT system and assigns responsibilities for those controls to 
specific individuals, thereby providing a baseline for 
measuring security compliance.
    To ensure the inventory remains accurate, annual inventory 
reviews will continue each year, with a near-term focus in 2006 
on linking the inventory to the Department's capital planning 
and investment control processes, thus allowing the Department 
to better integrate effective security controls at the 
beginning of a system's life cycle.
    In the Department's fiscal year 2005 FISMA report, the 
Inspector General acknowledged for the first time the 
completeness and accuracy of our FISMA inventory.
    Second, an enterprise certification and accreditation tool 
was successfully fielded in April 2005, and that is now fully 
integrated with a FISMA management tool fielded in 2004.
    Third, a comprehensive and repeatable set of information 
security metrics significantly improved system owner 
accountability. These metrics now measure and inform progress 
in completing the accreditation of all operational systems. 
Monthly information security scorecards provide detailed status 
updates to Department leadership, and these scorecards are 
highly successful in improving the accountability of system 
owners.
    These three initiatives build on earlier milestones and 
have now paved the way for real, measurable cyber security 
improvements. The Department implemented an aggressive 
remediation project for 2006 with a goal of 100 percent 
remediation by the end of this year. Originally announced by 
Secretary Chertoff in his keynote address at the Department's 
annual Security Conference last August, the project moved into 
full swing in October 2005 and the Department is on its way to 
full remediation.
    The Department's FISMA inventory currently includes 
approximately 700 systems, and prior to the initiation of the 
remediation project, the number of fully accredited systems was 
only 26 percent. By the end of February of this year, over 60 
percent of those systems are now fully accredited. In just 5 
months, the Department has more than doubled the number of 
accredited systems and it is on track to make the goal of full 
remediation by the end of the year. It is clear the project is 
positively affecting the security culture of the Department, 
and recent upward trends in remediation metrics support the 
view.
    The Department must also ensure those systems and 
applications are connected across a secure enterprise backbone 
providing shared IT services. To accomplish this goal, an 
aggressive infrastructure transformation program called One Net 
was initiated for 2006 to bring all legacy information 
technology infrastructures under a single enterprise. Benefits 
of One Net include network optimization and improved quality of 
service, both of which will significantly enhance information 
sharing initiatives.
    Planning for One Net began with a comprehensive security 
framework that is consistent with the detailed systems security 
architecture of the Department.
    As part of the One Net effort, the Department is also 
fielding its first enterprise-wide network operations and 
security center. The center is responsible for managing the 
Department's shared IT enterprise environment in real time, 
including the discovery and remediation of security incidents 
as they occur, and represents a significant improvement to our 
overall security posture.
    I am confident that the DHS information security program is 
moving in the right direction.
    Thank you. I look forward to your questions.
    [The prepared statement of Mr. Charbo follows:]
    Chairman Tom Davis. Thank you, all.
    Now, looking at the report card, we seem to have a reverse 
bell curve, with agencies settling at either the high end or 
the low end. For the two over here on my left, or on the right 
here, what are the major steps your agency took to achieve it? 
You didn't start off with A's, you worked steadily toward that. 
And I would say for DOD and then DHS, what are the major 
challenges you feel prevent you from progressing? Your plan for 
addressing these challenges you alluded to in your comments, 
what would you like to see your partners in this process do to 
help you? I am talking about OMB, GAO, and the IG.
    I will start with you, Mr. Hughes. You traced out the 
things you did to get your A+ and maintain it.
    Mr. Hughes. Mr. Chairman, members of the committee, really, 
at Social Security there is a strong emphasis on security. It 
has been there for many years, as I have repeated. And with 
FISMA, I can tell you we take it very seriously. We meet 
regularly, we constructively argue regularly, and we try to 
make corrections. So you have to make that commitment to keep 
challenging, as executives, the importance of security and that 
FISMA is a real exercise. And so I don't know if I can say that 
enough from a practical reality. It is not a paper report, it 
is real security that we are trying to constantly be aware of. 
And that is what FISMA teaches us.
    Chairman Tom Davis. Mr. Wiesner.
    Mr. Wiesner. At the Department of Labor I would have to say 
there are a few items that have led to our success. One is the 
strong leadership and management commitment from the 
Secretary's level through all the levels of management, 
including assistant secretaries, the various senior IT 
management staff within the Department of Labor. And it starts 
at the top and management supports us 100 percent in ensuring 
that we protect our departmental assets.
    The second step we have done over the last few years is 
really integrate IT security into our IT management processes, 
procedures, and governance models. We start looking at security 
at the capital planning stage and enterprise architecture, 
during the systems development life cycle process, the entire 
life cycle. So we put security integrating into every IT 
project that we undertake and currently the ones that are under 
way.
    And then the other thing we have worked on really hard is 
to establish a strong relationship with the OIG, recognizing 
that they have a strong compliance role and they have their 
views on how they view us as being successful and the things 
that they discover in their audits and what we should be 
focusing on, and we establish that relationship and try to form 
a partnership so we are heading in the right direction.
    Chairman Tom Davis. Thank you.
    Mr. Lentz, let me just ask you, I mean, if you had an A+ 
you would feel your agency was more secure, wouldn't you?
    Mr. Lentz. Of course, sir. I think the question you asked 
in your earlier panel, sir, I think goes to the heart of one of 
the challenges that we have, which, as you said earlier, a very 
large and a very diverse, dynamic organization that is deployed 
worldwide and things are changing all the time.
    I think the discussions that I have had with my peers, 
other chief security officers in the Department as well as 
private-sector leaders in this area, I think the point that has 
to be emphasized is that during the FISMA process, the act 
calls for an assessment, not an audit. An assessment takes into 
account a lot of factors. In a large organization like the 
Department of Defense--or Homeland Security, for that matter--
you have a changing environment. Where an audit could in fact 
pick up one or two systems that may not be accounted for or a 
certain number of personnel that may be deployed that are 
achieving certain status, you know, I think through that kind 
of dynamic environment, it makes it very difficult to, at some 
times, achieve the kind of scores that may be indicative 
through an auditive process.
    I think by working closely with the IG, which is indicated 
by my colleagues, I think that is a very important step in this 
process and one that we are continuing to strive for.
    Chairman Tom Davis. One of the things is, when we got our 
reports on DOD, we got like four different reports. We get the 
Army, Navy, Air Force. I mean, it kind of made up just the way 
that your organization is different from a lot of other 
agencies in terms of how this is compiled and so on. I mean, is 
that an obstacle?
    Mr. Lentz. I think Secretary Rumsfeld through the QDR 
process and our new CIO, Mr. Grimes, wants to remove any type 
of obstacle that may in fact be inferred by that kind of 
service-oriented environment that we live in. We are very much 
focused on an enterprise architecture, we are very much focused 
on an enterprise CIO governance model. And I think we are 
already seeing improvements in that area already that I think 
are going to be reflected very much so in next year's report, 
sir.
    Chairman Tom Davis. OK.
    Mr. Charbo, I will ask you, I mean, obviously you come from 
a--you had a number of dysfunctional agencies you are trying to 
put together. You have had a steep climb over there to begin 
with. So I concede that to you.
    Mr. Charbo. Thank you. I think the first thing that we have 
done--and our numbers, I think, are supporting that we are 
moving in the right direction right now, in the last 5 months. 
We have been able to move it more than it has moved in the last 
couple of years.
    But the first piece that we had our teams accept was where 
we were was not where we wanted to remain. So we admitted that 
we weren't in the right posture that we wanted to have moving 
forward in terms of the security of our systems. So we asked 
Secretary Chertoff to lead that charge for us at our annual 
conference and then place that accountability to those system 
owners in the multiple components that we have.
    We have seen very good response from the Coast Guard and 
Customs, ICE. Even FEMA has responded well in terms of the 
accountability for securing the systems.
    Publishing the inventory was a major milestone for us. It 
put that benchmark in the sand. Now we are focused on moving 
that forward. And I guess I would just say, we use a term 
called ``relentless'' in the Department. You will get a lot of 
excuses on how hard this is to do, but we accept that but we 
still need to move it forward. And that is what we are focused 
on.
    Chairman Tom Davis. But GAO reported that there was a very 
low level of security incident reporting in DHS. What is the 
problem? What is the deterrent here? Do we need to do anything 
to remove those barriers?
    Mr. Charbo. I think we have rallied that in here in the 
last 5 months. We have implemented policies, we have done some 
training with our systems security professionals that we have 
in the Department, and we have worked through those processes 
to assure that we are getting reporting.
    The other piece that I think will really improve that is 
how we are going to be monitoring our systems. We have had 
multiple wide-area networks. So you have different 
methodologies of reporting. That is now coming through a core 
NOC-SOC--network operations, security operations center--
through our One Net. And they will have a responsibility of 
moving that to the US-CERT.
    Chairman Tom Davis. One of the problems you have at DHS is 
you have taken all these disparate agencies, over 100 and some 
1,000 employees, and put them together, and everybody expects 
immediate results. This is a work in progress. I mean, this 
takes years, doesn't it, as a practical matter?
    Mr. Charbo. We are going to take 1 year to certify the 
systems. We will move those, a large milestone--as we say in 
our statement, we were at 26 percent that we could document and 
we are now about 60 percent. And it is on the right curve that 
we want to move through the end of the year. At that point, we 
will look at the POAMs that are generated, we will go back into 
those accreditations and do an IV&V, and we will reassess it. 
It will be an annual routine that we will follow.
    Chairman Tom Davis. Let me ask Mr. Hughes and Mr. Wiesner, 
your agency systems have to connect with State systems that are 
not covered by FISMA for information sharing purposes. How do 
you ensure that your information systems are adequately 
protected under those circumstances?
    Mr. Hughes. That is a good question. We have agreements 
with States and different agencies. We have security procedures 
and policies that they have to agree to. We have MOUs of these 
agreements. And we monitor these data exchanges that go between 
the States and the Federal Government.
    Chairman Tom Davis. All right.
    Ms. Watson.
    Ms. Watson. I want to highly commend Mr. Hughes, U.S. 
Social Security Administration, and Mr. Wiesner, U.S. 
Department of Labor, for the fact that using the criteria that 
the committee used, the number of points assigned to each 
response is proportional to the extent the element has been 
implemented. You received an A+. And you started from probably 
lower grades, but you showed your ability to focus like a laser 
beam and to make the improvements along the way.
    Going to Mr. Lentz and Mr. Charbo, U.S. Department of 
Defense defending our country, and U.S. Department of Homeland 
Security securing our country, you started in year 2005 with an 
F grade and, at the end of year 2005, you still have an F 
grade. Can either one of you gentlemen explain to me why? And 
listening to your reports, it looks like you are just moving 
along and making progress. But the criteria that the committee 
used was a methodology that was standardized, and you came up, 
started with an F, and you are still at an F.
    Let me know why that is the case. Mr. Lentz, let me start 
with you.
    Mr. Lentz. Well, ma'am, I agree that the challenges that we 
have in this very large organization will sometimes make the 
process that we use in terms of assessing our operational 
status one that creates the kind of assessments that one has to 
look very hard at, and that is what our leadership is doing 
every single day. And we take----
    Ms. Watson. Let me just stop you. Mr. Lentz, 5 years? Your 
leadership? Five years and you don't improve based on the 
methodology that is standardized? The way they judged every 
single--and I can read off all the departments. Agency for 
International Development, A+, starting from much lower grades 
before. Department of Labor, A+. Social Security, A+. Office of 
Personnel Management, A+. Environmental Protection Agency, A+. 
National Science Foundation, A.
    What is happening with the two most strategic and sensitive 
agencies? What is it? Is there incompetence? Is there cronyism? 
You know, I don't feel comfortable with my Department of 
Defense, based on what I see here. I don't feel comfortable 
that my homeland is secure. And I can take a lesson from 
September 11th. The perpetrators were sent--the flight school, 
as I understand, sent them their authority to take flight 
lessons after September 11th. Something went wrong along the 
way.
    Now, if you had a department, a business that made nails, 
and you put the metal in at the beginning of the process and, 
at the end, the nails came out bent, you would stop the whole 
operation and work backward to find out why those nails are 
being bent. What is happening with the Department of Defense 
and Homeland Security that in 5 years, based on the methodology 
used, you show no improvement? You tell us that the report--I 
guess the preceding 5 months will look better, but I am 
wondering what happened in those 5 years. Can you help me 
understand this?
    Mr. Lentz. Well, I think when we look at, when we open up 
our report and look at it gradually--and, as indicated in my 
testimony, I think we have shown some clear improvements in all 
the areas that FISMA is asking for. And on top of that----
    Ms. Watson. As of when? Can you help me?
    Mr. Lentz. As of starting last year and the year before.
    Ms. Watson. Well, why is it--maybe the staff is 
incompetent, because they graded you. I did not. The committee 
staff. And maybe I should ask this of the chair. You know, they 
score by a point. And I probably need to give this to you. And, 
you know, if you score within a certain range, they assign you 
a certain letter. And the scores were so low with the 
Department of Defense and Homeland Security that it resulted in 
an F. Now, maybe the math is all off.
    I am trying to be fair. I am trying to understand what is 
going on with my Department of Defense that you come and you 
ask us--you know, we have a supplement on the floor asking us 
for billions of dollars. And, you know, what are you securing, 
Iraq? Department of Homeland Security, what are you securing?
    You know, and the grade is still coming out F. I need to 
understand this so when I go back to my 650,000 constituents 
that pay taxes, and I--I didn't vote for it, and I am not going 
to--I can tell them, yeah, we need to vote for this because our 
Department of Defense says they need this so we can win the war 
10,000 miles away. We are not winning the war here. We can't 
even pick up the rubble down in New Orleans.
    So you have to prove to me that you are doing something 
that will secure us as a people and secure our country. And I 
don't see it. So I am asking for you to educate me, to 
enlighten me, so I can go back and tell my constituents why I 
would vote to use their taxpayer dollars to defend against 
Iraq--which apparently is no threat to us here, but certainly a 
threat to life and limb over there. Give me some information, 
please, that there is some competence in this organization that 
I can take back to my constituents.
    Mr. Lentz. In looking at the grading that we have recently 
seen, there were two assessments that were done, one by the CIO 
and one by the IG, in the assessment column. The Department of 
Defense got a score of 85 under the CIO column. And when you 
look at that holistically and combine that with all the other 
security measures that were undertaken, such as, as the 
chairman indicated earlier, identity protection and management 
using PKI and other methods that we are, I would say that I 
think our security posture has significantly improved. But at 
the same time, I must admit, we always in this very dynamic 
environment that we live in, we have to constantly seek for 
better improvement in these areas.
    Ms. Watson. Let me address the chair. From the response I 
just received, is there something wrong with this scoring? 
Because as I look at the information provided to us on the 
assignment of grades, it says 0 points for a response 
indicating the percentage that falls below an acceptable 
threshold. And they give us an example: 50 percent or less 
known IT security weaknesses being incorporated in the plan of 
action. That means that you fell below the 50 percent level.
    Now, if this is the methodology----
    Chairman Tom Davis. Well, the methodology is very simple. 
The CIO scores and the IG scores, and when you are in doubt, 
GAO takes the IG score. CIO score is like when you are grading 
your own paper, to some extent. So in those cases, the GAO, who 
really gives us the numbers on which we base the grade, goes 
with the IG score.
    Ms. Watson. So I still haven't heard adequate response to 
my concerns. And I just think there is something wrong in the 
process. And I would advise the two of you to take the message 
back from me individually that the Department of Defense, the 
Department of Homeland Security needs to get about the business 
of improving the process of securing our land and our people. 
From what I see, and this is information that the staff gives 
us, I did not do the research and the evaluation and the 
assignment myself. You need to know that. I can only go on the 
information that our professional staff gives us.
    I would hope the two of you, next time you come, not insult 
my intelligence. Otherwise, I have to question the competence 
of staff. But you can't tell me it is working well and the 
staff gave you an F, and for the last 5 years it has been F. 
So take that message back to the Secretaries. And Mr. Chertoff 
has not returned my call. When I was asking him to stop the 
evictions of 10,000 people, I never got a return call. So he 
would get an F- from me in terms of being effective just 
answering a call from a Congress person concerned about 
making--so I have no trust that it is going to get any better. 
Now, that is my opinion. I am speaking for myself. And you can 
take that message back.
    Thank you, Mr. Chairman, for the time.
    Chairman Tom Davis. Thank you very much. I would leave on 
that high note here, but I think that I will just ask a couple 
of other questions.
    We asked the first panel, and I guess in fairness to DHS 
and DOD, do you think there are issues that arise at the larger 
agencies that the smaller ones don't have to contend with? I 
think that has been--we talked about that in our opening 
statement and I will give you an opportunity to comment on that 
again.
    Mr. Charbo. From DHS's perspective, I think there is a 
complexity with dealing with lots of large agencies that we 
have components that we have. That still doesn't change the 
fact when we looked at our security posture coming into the 
Department, where we were was not where we wanted to be in 
terms of our security scores and our FISMA compliance. So we 
have launched an aggressive project. I see good response coming 
from those components even though it is large, it is complex. 
Currently we have the data. We have good progression moving--I 
see good response coming from those large components, as 
difficult as it is.
    I think the GAO had some good comments in the first panel 
dealing with direct appropriations, and it is difficult to get 
them to respond. But I would like to have a chance to execute 
our plan this year. And the plan that we had last year isn't 
the one we are currently working under.
    Chairman Tom Davis. I mean, you are both large 
organizations but you are very important organizations in terms 
of vulnerability and where someone who has malice aforethought 
may be looking. So that is why we focus in on you and I think 
that is why Ms. Watson is just saying to DOD and Homeland 
Security these are two agencies that are showing up as more 
vulnerable than other agencies, and obviously we are alarmed. 
But we understand there is a lot of complexity. I know in the 
case of DHS we have cobbled together these different units and 
you are as strong as your weakest unit, to some extent, the way 
this works.
    Mr. Lentz, would you--I will give you an opportunity to 
comment.
    Mr. Lentz. Yes, I completely agree that the complexity of 
the organization, the dynamics of moving forces--when you 
deploy ships out to sea, you are changing the network 
configurations constantly, you are deploying troops overseas, 
you are creating new network on the fly in global environments 
and high-risk environments. Clearly in a situation like that, 
it does represent a lot of new challenges and challenges that 
we take very seriously.
    Chairman Tom Davis. OK. Anything you would like to add?
    Mr. Hughes. I would just say that we know our mission, so 
perhaps--we are a large organization, we have 120,000 work 
stations, but our mission is clear in terms of our complexity. 
We know the way we serve our citizens. So I don't think we have 
absorbed the complexity of an organization like DHS.
    Chairman Tom Davis. OK.
    Mr. Wiesner. I agree also. We have been an organization 
around for many, many years, and perhaps that helps out a 
little bit in terms of absorbing a lot of complexity in a 
large-scale organization like DHS.
    Chairman Tom Davis. Well, of course this committee wrote 
FISMA. We don't have all the enforcement mechanisms we like, 
but you have heard Ms. Evans talk about that is something that 
they take into account as they are putting their budgets 
together. We are trying to coordinate appropriately with the 
Appropriations Committee so it is taken into account as they 
put their budgets together. You can fight the resources 
department within your own agencies. I am not asking you to 
come here and put you on the spot and saying are you getting 
enough resources with your own agency. But we understand. I 
mean, I understand the issues of this. And we are going to 
continue to push to give you the resources you need to get the 
job done.
    I just want to congratulate those of you that have shown 
great improvement. And for the others, we will keep trying. I 
know you have plans to address this. We look forward to seeing 
you up here again.
    Thank you very much.
    [Whereupon, at 1:41 p.m., the committee was adjourned.]
    [The prepared statement of Hon. Henry A. Waxman and 
additional information submitted for the hearing record 
follow:]