[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]



 
 COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?
=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 9, 2001

                               __________

                           Serial No. 107-115

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform







                       U. S. GOVERNMENT PRINTING OFFICE
82-173                          WASHINGTON : 2002
___________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001






                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont
                                         (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                  MAJOR R. OWENS, New York
DOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
             Elizabeth Johnston, Professional Staff Member
                        Justin Paulhamus, Clerk
           David McMillen, Minority Professional Staff Member





                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on November 9, 2001.................................     1
Statement of:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office..................................     5
    Forman, Mark A., Associate Director, Information Technology 
      and E-Government, Office of Management and Budget..........    33
Letters, statements, etc., submitted for the record by:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office, prepared statement of...........     8
    Forman, Mark A., Associate Director, Information Technology 
      and E-Government, Office of Management and Budget, prepared 
      statement of...............................................    38
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     3


 COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?

                              ----------                              


                        FRIDAY, NOVEMBER 9, 2001

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representative Horn.
    Staff present: Russell George, staff director and chief 
counsel; Bonnie Heald, deputy staff director; Elizabeth 
Johnston, Darren Chidsey, and Earl Pierce, professional staff 
members; Jim Holmes and Fred Ephraim, interns; David McMillen, 
minority professional staff member; and Jean Gosa, minority 
assistant clerk.
    Mr. Horn. The Subcommittee on Government Efficiency, 
Financial Management and Intergovernmental Relations is now in 
order. In the aftermath of the terrible events of September 
11th, the Nation has prudently focused on its computer security 
vulnerabilities. Most of this examination has been focused on 
the risks to the country's physical infrastructure. However, as 
the oversight conducted by this subcommittee during the last 6 
years has shown, the Nation cannot afford to ignore the risks 
associated with cyberattacks.
    Federal agencies rely on computer systems to support 
critical operations that are essential to the health and well-
being of millions of Americans. National defense, emergency 
services, tax collection, and benefit payments all rely on 
automated systems and electronically stored information.
    Without proper protection, the vast amount of sensitive 
information stored on executive branch computers could be 
compromised and the systems themselves subject to malicious 
attack. As the recent spate of computer viruses and worms has 
shown, cyberattacks have the potential to cause great damage to 
the Nation.
    It is imperative that the public and private leaders of 
this Nation know where weaknesses exist in their organizations 
so they can effect corrective action.
    With that in mind, I am releasing an assessment of how 
Federal agencies rate in their computer security efforts. This 
is the second year that we have issued a grade on the subject. 
It is a disappointing feeling to announce that the executive 
branch of the Federal Government has received a failing grade 
for its computer security efforts.
    Last year Congress passed the Government Information 
Security Reform Act which was intended to ensure that Federal 
agencies establish agency-wide computer security programs that 
adequately protect the systems that support their missions. 
Based on the requirements of that law, the subcommittee has 
assessed the progress of 24 major executive branch departments 
and agencies in reaching the goals of enhanced computer 
security. Overall, the Federal Government received an F in this 
effort. The Office of Management and Budget [OMB], has set the 
standard. The staffs of the General Accounting Office and our 
subcommittee staff review the OMB inventory. Agency Inspectors 
General and Chief Information Officers and Chief Financial 
Officers have been very helpful in this.
    Two thirds of the agencies failed completely in their 
computer security efforts: The Department of Defense, whose 
computers carry some of the Nation's most sensitive secrets, F. 
The Department of Energy, along with the Nuclear Regulatory 
Commission which oversees the Nation's nuclear facilities and 
other programs, F. The Department of Transportation, which 
includes the Federal Aviation Administration, an F. The 
Department of Health and Human Services, which holds personal 
information on every person who receives Medicaid and Medicare. 
In all, 16 Federal agencies failed this examination completely.
    Five other agencies managed to keep their heads above 
water, but just barely. The Federal Emergency Management 
Agency, the General Services Administration, Environmental 
Protection Agency, the Department of Housing and Urban 
Development and the Department of State all earned Ds.
    The National Aeronautics and Space Administration did 
slightly better, scoring a C-minus. The Social Security 
Administration, which performed an admirable job of preparing 
for Y2K, earned only a C-plus on its computer security program. 
And the National Science Foundation's B-plus was the highest 
grade awarded this year.
    All of us in Congress are well aware that the Nation is in 
a state of war. It is not anyone's intention to place this 
great land at further risk of attack. It is, however, very 
important that the new administration take heed of the sobering 
assessment the subcommittee is providing and work expeditiously 
to address this most important need.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] 82173.001 through 82173.002
    
    Mr. Horn. And we have two excellent witnesses today, and 
that is Robert F. Dacey, Director, Information Security, U.S. 
General Accounting Office. We also have Mark A. Forman, 
Associate Director, Information Technology and E-Government, 
Office of Management and Budget.
    Gentlemen, as you know, we swear in witnesses here and your 
staff that have accompanied you, and the clerk will keep tabs 
of who the staff are and so forth and put it in the hearing 
record. So if you will stand and raise your right hands.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that we have six witnesses 
and supporters.
    And our first witness is Robert Dacey, the Director, 
Information Security U.S. General Accounting Office. Welcome.

 STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, 
                 U.S. GENERAL ACCOUNTING OFFICE

    Mr. Dacey. Thank you. Mr. Chairman, I am pleased to be here 
today to discuss our recent analysis of information security 
audits and evaluations of unclassified computer systems at 24 
major departments and agencies. As you requested, I will 
briefly summarize my written statement.
    Overall, the audit shows that significant pervasive 
computer security weaknesses continue to place Federal assets 
and operations at risk. As with other large organizations, 
Federal agencies rely extensively on computerized systems and 
electronic data to support their missions. If these systems are 
inadequately protected, resources such as Federal payments and 
collections could be lost or stolen. Computer resources could 
be used for unauthorized purposes or to launch attacks on 
others.
    Sensitive information such as taxpayer data, Social 
Security records, medical records, and proprietary business 
information could be inappropriately disclosed or browsed or 
copied for purposes of espionage or other crimes. Critical 
operations such as those supporting national defense and 
emergency services could be disrupted. Data could be modified 
or destroyed for purposes of fraud, deception or disruption, 
and agency missions could be undermined by embarrassing 
incidents that result in diminished confidence in the Federal 
Government's ability to conduct its business in a secure 
manner.
    Further, these risks are rapidly increasing. Greater 
complexity and interconnectivity of systems including Internet 
access are providing additional potential avenues for 
cyberattack.
    Second, more standardization of systems hardware and 
software is increasing the exposure to commonly known 
vulnerabilities.
    Third, the increased volume, sophistication and 
effectiveness of cyberattacks, combined with readily available 
intrusion, or hacking tools, and limited capabilities to detect 
cyberattacks.
    And, fourth, other nations, terrorists, transnational 
criminals, and intelligence services are developing cyberattack 
capabilities. The threat of cyberattacks can also arise from 
hackers and others. For example, the disgruntled organization 
insider is a significant threat, since such individuals often 
have knowledge that allows them to gain unrestricted access and 
inflict damage or steal assets.
    Given these risks, I would like to turn to the status of 
Federal agency information security. Our most recent analysis 
of reports published from July 2000 to September 2001 continues 
to show significant weaknesses in Federal unclassified computer 
systems that put critical operations and assets at risk.
    We have reported the potentially devastating consequences 
of poor information security since September 1996 and have 
identified information security as a governmentwide high-risk 
area since 1997, and most recently in January 2001. As the body 
of audit evidence continues to expand, it is probable that 
additional significant deficiencies will be identified.
    Weaknesses continue to be reported in each of the 24 
agencies included in our review, and they covered all six major 
areas of general controls which are those policies, procedures, 
and technical controls that apply to all or most of computer 
processing and help ensure their proper operation.
    This chart illustrates the distribution of weaknesses for 
the six general control areas across the 24 agencies. As we 
have reported in the past, information security problems 
persist in a large part because agency managers have not yet 
established comprehensive security management programs.
    As further evidence of vulnerabilities, the Inspectors 
General reported significant deficiencies in agency-critical 
infrastructure protection efforts. During the past 2 years, a 
number of improvement efforts have been initiated. For example, 
several agencies have taken significant steps to redesign and 
strengthen their information security programs. In addition, 
the Federal Chief Information Officer or CIO Council has issued 
a guide for measuring agency progress which we assisted in 
developing. And the President issued a national plan for 
information systems protection in January 2000.
    More recently, partially in response to the events of 
September 11th, the President created the Office of Homeland 
Security with duties that include coordinating efforts to 
protect public and private information systems in the United 
States from terrorist attack. The President also appointed a 
special advisor for cyberspace security to coordinate 
interagency efforts to secure information systems and created 
the President's Critical Infrastructure Protection Board to 
recommend policies and coordinate programs for protecting 
critical infrastructure. The Board is to include a standing 
committee for executive branch information systems security, 
which is to be chaired by an OMB designee.
    These actions are laudable. However, given recent events 
and the reports that critical assets and operations continue to 
be highly vulnerable to computer-based attacks, the government 
still faces a challenge in ensuring that risks from 
cyberthreats are appropriately addressed in the context of the 
broader array of risks to the Nation's welfare.
    Accordingly, it is important that Federal information 
security be guided by a comprehensive strategy for improvement. 
As the administration refines its strategy that it has begun to 
lay down in recent months, it is imperative that it take steps 
to ensure that information security receives appropriate 
attention and resources and that known deficiencies are 
addressed.
    First, it is important that Federal strategy delineate the 
roles and responsibilities of the numerous entities involved in 
Federal information security and the related aspects of 
critical infrastructure protection. Further, there is a need to 
clarify how these activities of these many organizations 
interrelate, who should be held accountable for the success and 
failure, and whether they will effectively and efficiently 
support national goals.
    Second, more specific guidance to agencies on controls that 
they need to implement could help to ensure adequate 
protection. Currently agencies have wide discretion in deciding 
what computer security controls to implement and the level of 
rigor with which they enforce these controls.
    Third, there is a need for effective agency monitoring to 
determine if milestones are being met and testing to determine 
if policies and procedures are operating as intended. Routine 
periodic audits such as those required in recent government 
information security reform legislation would allow for more 
meaningful performance measurement.
    Fourth, the Congress and the executive branch can use audit 
results to monitor agency performance and take whatever action 
is deemed advisable to remedy identified problems. Such 
oversight is essential for holding agencies accountable for 
their performance, as was demonstrated by the OMB and 
congressional efforts to oversee the year 2000 computer 
challenge.
    Fifth, agencies must have the technical expertise they need 
to select, implement, and maintain controls to protect their 
systems. Similarly, the Federal Government must maximize the 
value of its technical staff by sharing expertise and 
information.
    Sixth, agencies can allocate resources sufficient to 
support their computer security and infrastructure protection 
activities. Some additional amounts are likely to be needed to 
address significant weaknesses and new tasks. OMB and 
congressional oversight for future spending on computer 
security will be important to ensuring that agencies are not 
using the funds they receive to continue ad hoc piecemeal 
security fixes that are not supported by strong agency risk 
management process.
    And, last, expanded research is needed in the area of 
information security protection. While a number of research 
efforts are underway, experts have noted that more is needed to 
achieve significant advances.
    Mr. Chairman, this concludes my statement. I will be 
pleased to answer any questions that you have at this time.
    Mr. Horn. Well, thank you Mr. Dacey.
    [The prepared statement of Mr. Dacey follows:]
    [GRAPHIC] [TIFF OMITTED] 82173.003 through 82173.027
    
    Mr. Horn. We now go to Mark A. Forman, Associate Director, 
Information Technology and E-Government, Office of Management 
and Budget. Welcome here.

 STATEMENT OF MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION 
  TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET

    Mr. Forman. Thank you, Mr. Chairman. Thank you for inviting 
me here to discuss the administration's efforts in the areas of 
computer security. Before getting to the substance of my 
testimony, I would like to commend you and the committee for 
your past and current efforts to shine the spotlight on Federal 
agency security performance. I believe that only by keeping the 
pressure on this issue will we get the improved performance, 
will we be able to achieve and sustain the targets that we are 
all searching for achieving.
    As you know, the President's given a high priority to the 
security of government assets including information systems and 
the protection of our Nation's critical information assets. The 
President has taken a number of steps to address these risks. 
Last month the President signed Executive Order 13228 which 
established the Office of Homeland Security and the Homeland 
Security Council.
    The Executive order provides for the implementation of a 
comprehensive national strategy for detecting, preparing for, 
preventing, protecting against, responding to and recovering 
from terrorist threats and attacks within the United States. To 
work with Governor Ridge on issues related specifically to the 
topic of today's hearing--that is, the security of information 
systems--the President appointed Richard Clarke as Special 
Advisor for Cyberspace Security and issued Executive Order 
13231, ``Critical Infrastructure Protection in the Information 
Age.''
    The President has made OMB a member of both the Homeland 
Security Council and the Critical Infrastructure 
Protection Board. We will help identify resource shortfalls and 
duplication and ensure that funding requests are included in 
the President's budget, as necessary, and properly managed when 
appropriated by Congress.
    OMB's presence on both organizations also reflects our 
statutory role regarding the security of Federal information 
systems. Now, over the last 3 years, Congress has passed two 
laws that have helped to shape our current efforts in security. 
In 1998 the Government Paperwork Elimination Act [GPEA] was 
passed. GPEA addressed OMB and agency responsibilities for 
conducting business in an electronic environment and recognized 
that improved government performance demands an ability to 
broadly accept authenticated electronic business transactions. 
Last year, through passage of the Government Information 
Security Reform Act, which we will refer to as the ``Security 
Act,'' Congress strengthened the legal framework for the 
executive branch to address computer security needs.
    Working within this legal framework, OMB is to continuously 
improve Federal security programs. Our guidance ensures that 
agency senior managers devote greater attention to security; 
requires agencies to tie security to their capital planning and 
investment control process and to their budget as required 
under the Clinger-Cohen Act, the Security Act, and indeed by 
our policy. It helps agencies get user buy-in for security 
control and processes to ensure that they enable business 
operations. It requires that security is part of agency program 
management. And it makes adequate security a condition for 
funding by requiring that security controls and their costs be 
explicitly identified.
    The agencies have reported that for fiscal year 2002 they 
are investing approximately $2.7 billion for security and 
critical infrastructure protection. Of course, there are 
embedded security elements such as software and protocols 
within our overall IT spending. So this is buried within a 
total information technology budget for 2002 of approximately 
$45 billion.
    But a high dollar figure says little about effective 
security. In fact, we have done some analysis on our evaluation 
of the 2002 reports and we found there is no significant 
relationship between the percent of IT spending on security to 
the security performance of that agency.
    Now, as you know, several of your ratings, based on our 
staff discussions, are a little tougher than ours. Some of 
yours are a little lenient. If we were to add in your ratings 
though, I have no doubt that would show a negative relationship 
between IT spending and their security performance. So----
    Mr. Horn. Let me just ask for a fact here, to get it in the 
record. Is that figure you gave us $2 billion, was that it?
    Mr. Forman. $2.7 billion.
    Mr. Horn. $2.7. Does that include the intelligence 
hardware, software?
    Mr. Forman. It would for the Defense Department, but not 
for Intelligence Community spending.
    Mr. Horn. OK. Because I think some of that needs to be 
carved out before we look at the 24 agencies, minus one or two. 
Go ahead.
    Mr. Forman. In essence, we don't believe that simply adding 
more money will solve the problems. It has not worked for IT in 
general. It shifts attention away from effective management and 
investment of existing resources, and we don't believe it will 
work for IT security.
    To ensure that security is addressed both in apportionment 
of the 2002 agency funds and in their 2003 budget request, we 
have established four criteria: First, agencies must report 
their security costs for each measure and significant IT 
systems. Systems that fail to document their security costs 
will not be funded.
    Second, agencies must document in their capital asset plans 
that adequate security controls have been incorporated into the 
lifecycle planning and funding for each system.
    Third, agency security reports and corrective action plans 
are presumed to reflect agencies' security priorities and thus 
are a central tool that we are using in prioritizing funding 
for systems at the agencies.
    And, fourth, agencies must tie their corrective action plans 
for a system directly to the capital asset plan for that 
system, thereby establishing the audit trail that we know that 
the actions are underway.
    In September we began to receive the agency reports as 
required by the Security Act. We are reviewing them now because 
we know that there will be much consultation with the agencies 
regarding their submissions. It is too early to make public our 
specific findings regarding any particular agency. I will point 
out at this point that we do see the Defense Department is 
operating at a significantly higher level of performance in 
security than your ratings would suggest. But later I will 
provide you some broad observations.
    First I want to talk about our process and how we have gone 
significantly further than the law requires insofar as 
reporting and follow-up. As you know, the Security Act's 
reporting requirements are relatively narrow, requiring only 
that the agency Inspectors General submit an annual independent 
evaluation to OMB. But because security is a high priority for 
this administration, we have expanded the Security Act's 
reporting requirements. We have issued guidance throughout the 
year on meeting these requirements, including detailed 
instructions to agencies on how to report the results in an 
executive summary. To ensure that reporting does not devolve 
into a paper drill, we are also requiring that agencies produce 
for their own use and send to us copies of corrective action 
plans and milestones for each weakness found by an IG 
evaluation, a program review, or any other review conducted 
throughout the year including GAO audits. These plans bring a 
discipline to the process and make tracking progress much 
easier for all involved.
    We will also seek brief quarterly certifications that 
corrective actions are on track. We intend to use the security 
reports from the agencies, the information we have gathered 
from meetings with the agencies on integrating security into 
their capital planning process and in budget submissions with 
other sources to determine whether OMB must take steps to 
assist agencies in quickly correcting the most serious 
weaknesses.
    In general, based on the security reports, we found across 
the 24 CIO agencies that the most common problems involved 
inadequate compliance with existing OMB security policies and a 
failure to follow the implementing guidance for the Security 
Act.
    Based on our preliminary findings, agencies have to do a 
better job testing and evaluating the basic security controls; 
improve the ongoing maintenance of system security; greatly 
improve employee training and awareness programs; do a better 
job integrating security into their capital planning and 
budgeting process; recognize greatly increased risk of 
interconnection; require that every system supporting 
operations and their assets are reviewed annually as part of 
the program review; install readily available patches for 
commonly known vulnerabilities. As you know this is a chronic 
problem identified by GAO, the IGs, and most any security 
program in view.
    It's also commonly reported from FedCIRC and others as the 
cause of some 90 percent of the successful attacks on the 
agency. This list represents what I would call the blocking and 
tackling, and not the policy gaps, but the details of what 
needs to be done in the agencies.
    The reporting requirements of the Security Act have given 
us a starting point to measure the performance, a baseline. And 
this is our first opportunity to analyze the comprehensive 
information from agencies, and from this we can move forward on 
resolving the security concerns.
    I would also like to take a moment to update you on two 
other security-related initiatives we are working on. The first 
involves our E-Government initiatives. We are currently working 
with agencies on a number of high-payoff, cross-agency E-
Government initiatives. All of these initiatives will address 
security within their business cases as we're requiring a 
detailed business case be made for each of them.
    Additionally, we have three specific initiatives that deal 
with security issues.
    First, E-authentication, ensuring that parties to a 
transaction are authorized to participate, and it would ensure 
the integrity of the transaction.
    Second, the wireless networks initiative, ensuring 
effective and interoperable communications between public 
safety officials throughout all levels of government, Federal, 
State and local, before, during and after the response to an 
emergency.
    And, third, disaster assistance and crisis response, 
providing a one-stop portal containing information from all 
public and private organizations involved in disaster 
preparedness response and recovery.
    A second major issue on another front is that we are 
directing large agencies under a Project Matrix view. Project 
Matrix identifies the critical assets within an agency, 
prioritizes them, and then identifies interrelationships within 
that agency and beyond into the enterprise architecture. Fiscal 
year 2002 funds will be re-allocated to provide for Matrix 
review. Once the reviews have been completed at each large 
agency, OMB will identify cross-government activities and the 
associated lines of business. In this way, we will have 
identified both the vertical and the horizontal critical 
operations; in other words, within an agency or department and 
between agencies and departments, and the assets and the 
relationships beyond government; in essence the government's 
critical enterprise architecture.
    I'd just like to sum up with a few comments. We are 
planning to engage the agencies in a number of ways to address 
the problems that have been identified. We are going to be 
emphasizing both the responsibilities and the performance of 
agency employees, in addition to accountability for exercising 
those responsibilities, and consequences for poor performance. 
At the same time, we are going to focus on achieving sustained 
senior management attention at the agencies. In the past this 
has been a chronic problem that we at GAO and others have found 
over the years to be the underlying cause for poor security 
performance.
    And, Mr. Chairman, as you know, I worked for many years on 
the Senate Governmental Affairs Committee. Computer Security 
Act oversight was part of my portfolio. And we have a chronic 
issue of getting department secretaries and agency heads to 
focus on this. I am quite pleased this year that in the agency 
it gives a report, it is a Security Act report. We had many 
agency heads and secretaries signing off on the report. So I am 
pleased that we are finally starting to get the senior 
executive view in this important issue.
    In discharging our responsibilities under the Security Act, 
the director will be communicating with the appropriate agency 
heads to impress upon them the true improvement in security 
performance that has to come out of external oversight from 
OMB, the IGs and GAO. Congressional committee is insufficient. 
It's got to come from within the agencies. So we're impressing 
upon them the importance of holding agency employees, including 
the CIOs and program officials, accountable for fulfilling 
their responsibilities under the Security Act. There have to be 
consequences for inadequate performance. We will also 
underscore an essential companion to that accountability, the 
clear and unambiguous authority to exercise those 
responsibilities.
    Again, I want to thank you and the committee for your help 
and continued focus on this important area. It's vital that we 
all work together to maintain this as a priority issue, and 
thus promote a more secure government. Thank you.
    [The prepared statement of Mr. Forman follows:]
    [GRAPHIC] [TIFF OMITTED] 82173.028 through 82173.037
    
    Mr. Horn. Thank you, Mr. Forman. Both you and Mr. Dacey 
have fine careers in the private sector as well as the public 
sector, and I guess I would ask you if you looked at these 
charts and the subcommittees charts, what would you do if you 
were still in the private sector?
    Mr. Forman. Well, I have two----
    Mr. Horn. Would there be a new computer director?
    Mr. Forman. I have two views on this. No. 1, I would and I 
will, as well as the Director of OMB, use your data and our 
data in communications as part of the 2003 budget process. That 
will go back to the hill.
    And as I indicated in our testimony, we have authorities on 
the apportionment of funds in 2002. I think we have made clear 
that we're not going to fund systems that don't meet the 
requirement of what we require to be a valid business case, and 
computer security at the heart of that.
    The second thing that I think we all need to be cognizant 
of, the reports, as I read the evaluation, are based on 
valuation of agency reports, you know, whether from the IGs and 
GAO, or from the agency themselves. And I don't believe we have 
the data that we need into the details, so if I go into a 
server farm or a data center have they been pulling down, for 
example, the IIS patches that they need to deal with Red Worm? 
We put out a call via FedCIRC to get the CIOs to ensure that 
indeed this was occurring. And what we found out is, yes, it 
had occurred. There were no issues in many of the agencies. 
What we found out in some other agencies, this was not on the 
platter of some of the CIOs. So when we get into the details I 
think we are going to find a mixed bag, and I think that is 
where we need to go over this next year.
    Mr. Horn. Mr. Dacey, you have a similar career in the 
private and public sector. What would you do if you had this 
bunch of grades dumped on your desk some morning?
    Mr. Dacey. Well, I think the first step is along the lines 
of what Mark had said. I think you really need to take an 
assessment of really how bad or good is your security, what's 
working good and what's working bad. Since we started doing 
work probably in 1996, generally in connection with the CFO Act 
and other congressional requests, we have gained a lot more 
information as the years have gone on and continued to find 
significant weaknesses in computer systems. But I don't think 
that we have an end-all analysis at the type of detail level 
that Mark referred to.
    So I would suggest the first thing to do which is 
contemplated by the GISRA legislation is to go out and ensure 
that you really understand the nature of those vulnerabilities 
and weaknesses. I think, again, that needs to be done. We have 
not had time to really analyze the GISRA reports to see how 
much additional work has been completed beyond what was done 
before GISRA. But I think that is an important area.
    Second, I think it is important to realize that what needs 
to be incorporated is really an acknowledgment that computer 
security is part of your basic operations. It's really a 
responsibility of everyone in the agency, and you really need 
to put in place reasonable and adequate computer security 
management programs to ensure that. I think it is very 
important for management to have some regular analysis of their 
systems as well in order to manage and maintain some level of 
accountability and performance measurement. I think those are 
important aspects of the GISRA legislation as well because we 
do have an annual accounting now, at least for the 2 years that 
the law currently covers, to address that issue, and then, 
given the identification of these weaknesses, really set up a 
very active plan to address them, including looking at ways to 
benefit from what is being done across other agencies.
    What I see now a lot is each agency trying to address their 
computer security, setting up what they believe to be an 
adequate security process. Even within agencies, bureaus within 
agencies are setting up sometimes vastly different levels of 
security based upon their judgments. I think there needs to be 
a coalescing of some of that information, establishment of some 
common level of controls, at least a baseline, to tell people 
here's what you really need to have, and not have each agency 
try to figure out on their own how they get to that point in 
time. Those are the kind of things I think I would suggest from 
a private sector approach to try to address a problem of this 
magnitude.
    Mr. Horn. The chief information officers have a council, 
and they have subcommittees and committees within that council. 
Are you both members of that, or at least Mr. Forman for the 
administration?
    Mr. Forman. I serve as the director for the council.
    Mr. Horn. Yeah. Now, do you think they take this seriously, 
or is this just regarded by either OMB or this subcommittee 
that they say, oh, just another piece of paper we've got to 
fill out; how are we going to solve that problem and get them 
involved to really know it's serious?
    Mr. Forman. I think that they do take this seriously. As 
you know, we have reorganized the council and haven't 
completely finished the deployment of that. Security is one of 
the areas that we are working through a number of options. But 
we have chosen to disband for now the Security Committee, and I 
think it is important to understand why. We've got a good best 
practices guide out of that committee. We had many members on 
that committee who are in key agencies. We do not see any 
correlation based on the data between membership on that 
committee and either your scores or our scores of success. We 
need to get into the nitty-gritty details.
    We have a Work Force Committee. There are two key elements 
of the workforce that we and the CIOs need insight on. No. 1, 
what are the standards of performance for security personnel? 
What types of skills should we be looking at, both in terms of 
who we're hiring and who are in those positions within the 
government. And I'm forever cognizant of the fact that 80 
percent of our IT work force is through contractors. So what 
are the basic skills and capabilities we need? We need more 
insight on that and then we need to hold the agencies 
accountable. That task was given to the Work Force Committee.
    The second type of work force skills, Web masters, Web 
designers, virtually everybody, every career field in IT, now 
has some aspect of security. So clarifying those 
responsibilities, those knowledge requirements and skill 
requirements, is the other thing that the Work Force Committee 
is doing.
    The Best Practices Committee will continue to focus on best 
practices. We have chosen to give National Institute for 
Standards and Technology a higher role in this arena as a 
source not only of the Federal information processing 
standards, but also a terrific source of best practices.
    The third area in this is the architecture area. We have an 
Architecture Committee. We have to get agreement among the CIOs 
of some of the common best practices as they relate directly to 
the architectural elements. So it is my intent to force that 
debate and that consensus building that we need via that 
committee.
    Now we are looking at how do we best drive the cross-cut 
across all the CIO agencies. And to date, quite frankly, I've 
been fighting the maintenance of a committee just to talk about 
this, because we do not see that correlation between committee 
membership and success.
    With that said, we have some other options. Do we appoint a 
couple of people, CIOs that basically marshal across the other 
standing committees to focus on security and ensure that it's 
getting out to all the other CIOs? We had a roundtable 
discussion a couple of weeks ago, a 2-hour discussion where the 
CIOs to a ``T'' were either there in person or there with their 
deputy CIO. So I believe they are very focused on this issue. 
And we have a 5-page list of ideas we need to focus on and 
alternative ways to handle that. We are pulling that material 
together now. We will have another meeting and discussion of 
this at the CIO Council coming up next month to make some 
choices on how we'll proceed.
    Mr. Horn. Were you at OMB when the argument--I don't know 
whether you have it an argument or what--between the council 
and OMB as to what kind of questions ought to be used to look 
at what the hardware and software are with these computer 
operations? And were you there when this particular group--and 
this grading thing we have done is really just look at what OMB 
did, send out to 24 of the major agencies and departments, and 
that's all we did. Do you think we have been unfair in reaction 
to these grades?
    Mr. Forman. I am not quite sure I understand the question, 
but let me try.
    Mr. Horn. Well, were you around when this particular 
inventory, let's say, was sent out by OMB, and we simply--and 
GAO--simply said OK, they put the questions to them and let's 
see if it works?
    Mr. Forman. It actually occurred just before I came on 
board, the original criteria were sent out.
    Mr. Horn. So you're innocent so far.
    Mr. Forman. No. Hold me accountable. Let me give you my 
view on this.
    Mr. Horn. Yeah.
    Mr. Forman. Accountability and authority go hand-in-hand 
for me. If you hold me accountable, I have a way to hold the 
agency accountable.
    Mr. Horn. Good. We'll do that. Maybe we'll see you a few 
months from now. And one of my friends in the Cabinet on the 
Y2K thing simply took our grades and put it on his door, so 
every time a civil servant went in to see him, that grade was 
right in their face. And he said it helped, a little bit of--
that grading got them moving. So what else can we do? What else 
can you do? You're the one now on the frying pan.
    Mr. Forman. As I mentioned, in preparation of the fiscal 
year 2003 budget, we have got some rather strong action that we 
intend to take as part of the past act, discussions that I hope 
will lead to reconciliation of gaps that we see and will 
address, some of the poor grades that you see as part of the 
2003 budget submission. You will see that result, I hope, 
coming back very well in the President's budget submission.
    Second, as I mentioned, we intend to use the Clinger-Cohen 
Act authorities on basically the apportionment process. So what 
I would ask is your cooperation, because I am sure that there 
may be other agencies or vendors that come to the Hill and talk 
about how unfair that is. That will take persistence and 
backbone by all of us to be true to these ideals.
    Mr. Horn. How would the government have fared if, on 
September 11th, a cyberattack accompanied the physical attacks 
on the Nation? Would that have got them moving on such things 
as security? Or is it just, as I said earlier, well, let's see 
the paper, OMB. We have been around here a long time and it's 
the same old game. So what do you think?
    Mr. Forman. I think things have clearly shifted, and I 
would daresay that it may not be as press-worthy. But if you 
look at the worms that came out this summer, that our battle in 
the computer security arena really started in perhaps the July 
timeframe when the first of the worms started to hit. So I know 
from OMB's standpoint all the way up to the director, this is, 
believe it or not, the type of thing that we would talk about 
at these staff meetings. We are very focused on this. And it 
started in July.
    Mr. Horn. Well, when you provide us with examples of 
agencies whose requests will not be funded because they've 
failed to document their security costs, that would be an 
example of getting their attention. Is that what you're 
planning to do?
    Mr. Forman. Well, we hope that we will be able to----
    Mr. Horn. Or are you being Mr. Nice Guy?
    Mr. Forman. At some point, I'm sure that I'll appreciate 
the time when somebody calls me Mr. Nice Guy, after we go 
through this budget process. We hope that based on the feedback 
that we're giving to the agencies and will continue to give 
with the agency in preparation for the 2003 budget, that we 
will reconcile these issues. Obviously, if we are unable to 
reconcile the issues, that list will be in the budget.
    Mr. Horn. Do you agree with GAO's recommendation to 
establish mandatory standards for Federal agencies?
    Mr. Forman. I think it is a question of the details on the 
standards. I think we have laid out some fairly clear standards 
in both the requirements for the government information 
Security Act reporting and within the guidelines of what we put 
into my testimony. I think a little bit more specific 
standards. The standards that we have been promulgating along 
the lines of how do you hold the agency accountable and link 
that to funding are actually in both A-130 and the A-11, our 
basic budget documentation. So I think that is consistent with 
what GAO is proposing.
    I actually think there is another set of standards that get 
down to the real technology. When do certain data elements have 
to have a security wrapper, which with XML technology is 
currently available. When do certain elements of transactions 
or certain uses of virtual private networks have to have 
encryption or other types of security? It's those standards 
that I want to get the agreement via the CIO Council 
Architecture Committee, and that is the process I would like to 
pursue for buy-in purposes.
    Mr. Horn. Mr. Dacey, let me ask you on the September 11th 
question, how would the government have fared if on September 
11th a cyberattack accompanied the physical attacks on the 
Nation? How would GAO feel about that?
    Mr. Dacey. Well it's difficult to speculate what would have 
happened. I know on the physical side we had disruptions in 
communications and other areas. Fortunately at this point in 
time, we haven't suffered from disastrous effects of a 
cyberattack. As in our testimony we stated, though, there are 
signs that things are getting more serious, more sophisticated, 
that it could really be a serious issue. Particularly when you 
look at how dependent we, the Federal Government, are on 
computer technology and communications channels being available 
to do our business on a day-to-day basis. So I think when you 
look at those things, you have to start analyzing what could go 
wrong.
    And in terms of the critical infrastructure, I think that's 
one of the areas that Mr. Forman refers to needs attention and 
has been given attention, and, through Project Matrix, has 
really had to identify what those critical areas are so they can be 
protected adequately; at least focus the priority on protecting 
those first to ensure they are protected.
    But I think that is an exercise that needs to be done, 
certainly in the Federal Government. And then as part of the 
overall CIP structure, consideration of what needs to be done 
or what is being done in the private sector. There's a private 
sector partnership here, because a lot of the critical 
infrastructures that even the Federal Government depends on for 
communication, electricity, and others are all controlled by 
the private sector, mostly controlled by private sector 
interests. So I think it is important that those be dealt with, 
too.
    So I think we have, certainly, challenges ahead of us to 
make sure our systems are secure before something happens that 
is more disastrous. Again, we've had a lot of attacks, it's 
cost a lot of money; I don't want to diminish the fact that 
they haven't been serious, because they have. A lot of 
productivity, a lot of money has been lost. We had the 
testimony before this committee out in California in the field 
hearing and talked a little bit more about that along with the 
other witnesses, but I think it is an issue that just needs to 
be addressed now; and again in an organized fashion, not to say 
that it isn't, but it needs to go forward, again, with really a 
strategic plan. And I think some of those things we're starting 
to see at this point in time.
    Mr. Horn. Well, the General Accounting Office has been 
reporting on many security weaknesses in the Federal systems 
for--as your testimony just notes--Federal systems for several 
years. Yet based on today's grades, agencies don't appear to be 
making any progress in strengthening their security. Do you 
agree?
    Mr. Dacey. Well, I think we are seeing not necessarily 
every agency, but many are making some significant progress in 
improving security. We talked about a couple of those 
certainly. We had the issue to report earlier this year on the 
electronic filing system, and IRS had taken extreme efforts to 
make sure that was secure for this last filing season. We have 
had a lot of improvement to the Department of Defense as well, 
although they continue to face challenges in putting together a 
security management program, they do have some of the basic 
elements in place at this point in time. So there have been 
improvements. What is really challenging I think in this 
environment is that the pace of these risks is increasing 
extremely rapidly. Some of the factors that make it more of a 
risk are increasing at a fast pace, so we are not dealing with 
a static target that we need to hit. I think the target's 
moving perhaps more quickly than we are at this point. I'm not 
saying it is, but I'm just saying that's the challenge to keep 
up with that.
    So I think in terms of perspective, again, a lot has 
happened. Probably if you want to secure the systems, the pace 
may need to be stepped up a bit from what it has been to catch 
up.
    Mr. Horn. Do you feel any of these grades are being easy on 
people or being too tough on people? What's your thinking on 
that?
    Mr. Forman. I'm concerned just about some of the 
discrepancies. You have a couple of grades that are easier than 
ours. We're going to hold the agencies accountable, I think, 
for the harder grades in those cases. The Defense Department is 
the big gap that we see between our grades and where you graded 
it harder than we have. I suspect that is because they came 
over and presented much more material to us than your staffs 
had access to. You know, I don't know that would change 
necessarily the grades that you give them. But that would be 
the only discrepancy, major discrepancy I would say.
    Mr. Horn. Which grades would be easier?
    Mr. Forman. I'm probably not willing to get into that at 
this point. We're going to reserve that for the directors' 
communications with the agency heads.
    Mr. Horn. So you've got sort of several professors down 
there that are putting different kinds of grading or what? Or 
can you agree on what an F means or an A means? Or is this the 
60's, anybody down there in the 60's? Because if there are, you 
know, what the heck, it's just give everybody pass/fail.
    Mr. Forman. No, there aren't that many discrepancies. There 
are very few discrepancies. Please let me leave it at that.
    Mr. Horn. OK. We'll see what happens in about 2 or 3 months 
from now, see if we've made some real progress. And I am 
curious, Mr. Forman, while I understand the government 
information security reform requirements do not establish a 
date by which OMB must submit its required reports to Congress, 
when will OMB submit this report?
    Mr. Forman. Our intent is to submit it with the budget. If 
it is not with the budget, it will be very near to that 
submission. And of course that goes along with the basic 
enforcement mechanism that we are pursuing.
    Mr. Horn. Well, that's--I'm glad to hear because we were 
wondering where that was. You're OMB's associate director for 
IT and E-Government, don't agencies' security weaknesses as 
indicated by the deplorable grades we assigned today, pose a 
formidable obstacle to implementing more E-Government 
initiatives? How does OMB and E-Government strategy explicitly 
address computer security? Are we on the wrong thing, or how 
much of that, if you will look at all of the inventory and the 
form, that was sent out by OMB, is this a 5 percent or is it a 
25 percent? Do they take it--how do they take it? That's what 
I'm after, in terms of percentage, that they worry about and 
try to do something about.
    Mr. Forman. Well, I think for each of the E-Government 
initiatives it is a 100 percent, because we made very clear 
that we are going to use the A-11 guidance in putting together 
the business case for each of these E-Government initiatives. 
In doing the work of our quicksilver task force, our E-
Government strategy team, we identified several cross-cutting 
barriers. Of course, as you would anticipate and as you pointed 
out, there are a number of security-related items that came out 
of that. And indeed, that is this E-authentication initiative 
that we've begun. That's going to have a business case as well. 
Now, we have included that in any one of the customer segments, 
the bulk of our initiatives focus on a customer segment 
government, citizen government, and business etc. The security 
initiative is a cross-cutting initiative. It relates to agency-
to-agency or within-agency transactions as well as interactions 
between Federal, State and local governments, governments and 
businesses, and government and citizens.
    That business case, as all the business cases, will have to 
report not just to me but to a steering group. The steering 
group will in most of the initiatives be comprised of the 
different management councils, CIO Council, etc. In this case, 
the steering group we're going to use is that Architecture 
Committee of the CIO Council. So when we come to resolution on 
authentication and digital signature and E-signature elements, 
which we found is the most critical element for the E-
Government initiatives, that agreement has to get the support 
of all of the CIOs because it has to be embedded across the 
department and agencies.
    There is another infrastructure issue that came out of the 
task force, which basically I refer to as the business 
architecture analysis. And integrating that with the Project 
Matrix data at each department as we look across the business 
architecture, all the agency-to-agency interactions, is another 
level of analysis that we'll continue to do coming out of the 
task force.
    Mr. Horn. Let me ask Mr. Dacey. In your testimony, you 
state the number of incidents are increasing, yet one agency, 
OPM, reported that during the past year it only experienced one 
security incident which involved limited infection by the ``I 
Love You'' virus. How do you react to this statement?
    Mr. Dacey. Well, I think one of the challenges that we have 
is twofold. First of all, one of the basic premises on security 
is to have the first adequate level of security in place, 
particularly at your perimeters, for people to get into your 
systems, but security, as good as it can be, is never going to 
be foolproof. So there is always going to be opportunities for 
people to breach that, even in a good security situation.
    So you really need to have effective incident detection 
processes in place to identify when that has happened and to 
really identify unusual or anomalous activities. I think what 
we are finding, both in the Federal agencies as well as the 
challenge in the private sector, is the identification of that 
type of intrusion. I know one of the parts of the GISRA 
legislation is that agencies have effective incident detection 
systems in place. In working and discussing things with the 
CERT Coordination Center, which is funded heavily by the 
Federal Government and receives a lot of information from both 
private and public sector in terms of incidents, they said 
their information indicates that as many as 80 percent of 
incidents are not detected, and that is across the board. So I 
think we have a tremendous challenge. That is in fact one of 
the areas that research and development could really help to 
identify better techniques, because we do have a ways to go to 
really develop more effective mechanisms to identify those.
    The volume of scans and activities coming into any agency 
is phenomenal. We have a rather small laboratory that we use to 
help do the work that we do. We've gotten 3 million or so scans 
of our system within 3 years, and that is something that is not 
well advertised, even our address. I know even at home 
personally, when I go online, my firewall is picking up three 
or four incidents an hour of someone trying to get access to my 
system. So activity is happening out there. We just need to 
have a better system to figure out what is valid and what is 
not valid in those systems, and it is going to be a challenge.
    Mr. Horn. Along this line, the subcommittee based its 
grades on information submitted to OMB by the agency CIOs and 
IGs in their reports on the annual agency security program 
reviews required by the Government Information Security Reform 
Act passed last year as part of the fiscal year 2000 Defense 
Authorization Act.
    Now, how do you account for the substantial discrepancies 
that we noted in several cases between the CIOs report and 
those of the Inspectors General? Are some agencies' CIOs 
underreporting their vulnerabilities?
    Mr. Dacey. Well, I think one of the challenges as part of 
this process--again, not having fully analyzed what was 
reported--is to really get in place a mechanism whereby there 
can be some agreement on whether the security controls are 
effective or not. What we have seen in the past is that a lot 
of the analysis and actual testing of those systems is being 
done by the Inspectors General, and although we note some 
activity by managers actually testing their own systems, we 
haven't seen a lot of that happening to date. So what I think 
you have oftentimes are situations where the IG is actually 
going out as we do, trying to break into systems, trying to 
really analyze those controls, and I think what we need to do, 
which has started to happen with GISRA, is say, managers--
program managers, you're the ones responsible for security. 
It's not the GAO or the IG coming in every once in a while and 
doing a testing of this system or that system. Management 
really needs to put in place procedures and processes to 
monitor their own systems on an ongoing basis regularly, which, 
again, GISRA facilitates that through annual reporting 
processes.
    So I think there are bound to be some differences, at least 
initially. I would hope that over time, though, that if the 
agency manages to actively test their own system, which is a 
very important piece of the legislation, that they will find 
similar types of weaknesses, and you'll reach some convergence. 
There's always going to be some differences in judgment, of 
course, but I think overall that is the biggest difference now, 
is the methods by which maybe that management was obtained. A 
lot of this information from the management side may have been 
through just various means, assessments, questions that went 
out to the field and talked about whether the security is 
adequate and what they have done. I don't know.
    Mark may be able to shed some more light, because we 
haven't been privy to all the detailed information, but again, 
that would be one potential area as to why there are some 
differences and how those two might converge in the future.
    Mr. Horn. When we went through the Y2K situation, Mr. 
Koskinen was the Deputy Director for Management. Nothing much 
happened, and he retired, and then the President very well 
called him back, and he was a friend of the President's, and 
much like Governor Ridge, that--he's got Mr. Clarke, a lot of 
respect for both the Governor and Mr. Clarke on these matters. 
If I were a Deputy Secretary or something, I'd sure want to 
please him. So the question is, is he the Lone Ranger that 
comes in across the prairie and you guys are just waiting for 
him to do your jobs? How do they think about that at OMB?
    Mr. Forman. First of all, in both Executive orders, it is 
very clear that OMB maintains its role for the oversight and 
management, if you will, of agency security. So while we're 
disbanding the CIO Council Security Committee, under the 
Executive order in the Critical Infrastructure Protection 
Board, OMB does chair a security committee that has been 
created for Federal infrastructure. So the linkage and the 
working relationship will be very good, I think.
    Not at all would I say that we're going to toss our 
responsibility up the hill. This will be another area where we 
hope to be held accountable for the work, but I want to build 
on something that Mr. Dacey said. You know, when we look at 
this, ultimately it's got to be built into--we've got to have 
security built into the actual programs. GAO several years ago 
laid out how do you manage capital investments in general. Our 
focus on the business case process is, I believe, the 
appropriate focus that we should move forward. So in the 
capital planning process, the first step is make sure security 
is part of the business case, and that is essentially the phase 
that we're in now in driving into the agencies. I think by us 
saying we're simply not going to fund the business case that 
does not incorporate the appropriate security controls, 
complies with that first phase of GAO's three-part practice.
    The next phase is the actual program control. Is it 
actually being built in? Are the agencies and are the program 
managers working on the security components or modules as they 
execute that program? The third phase is the followup, and it 
is not just lessons learned and best practices. I think that's 
exactly as Mr. Dacey has said, we've got to have the 
affirmative testing, that in fact the security is break-proof 
at that point.
    The difficulty is every time you move forward in 
preventative approaches for security, the hackers move forward 
in a way to break through that. So we're dealing a little bit 
with the moving target. We have to make sure that is integrated 
and updated, and I'm a big fan of maintaining the business 
cases and controls over those business cases. So I believe that 
the approach that's been laid out for capital investment 
management is the same that we should be employing here.
    Mr. Horn. Are you seeing any changes or new computer 
security initiatives within the agencies since September 11th?
    Mr. Forman. Absolutely. We have much help from our friends 
on the Hill. As you know, we have at least one bill suggesting 
that we spend $1 billion more on computer security. We 
appreciate the cooperation and the focus on security. Clearly, 
more money is not the issue. Focus is, and the details, as I 
think you've focused on in your scores where we need to look.
    Mr. Horn. And you're saying how much do you think you can 
get out of them this time? Because I went around last year with 
the number of things the executive branch wanted, and some of 
them got it and some of them didn't. It was a little haphazard. 
So it is nice for OMB and you to get it moving. And how much do 
you think you can get from them?
    Mr. Forman. In terms of focus on this, I have to say based 
on the reports that have been submitted--and, again, I'm quite 
impressed with this--this is the first time that I have seen 
Secretary level or agency head level focus on this issue. And 
so I think that occurred before September 11th. This was--the 
reports came in September 10th, and it's just I think after 
that become all the more important and it's recognized. I hope 
we get full compliance by the Secretaries. Our intent is in the 
process between now and the final submanagers of the budget, 
that we will have that communication at the level of the OMB 
Director to the Secretaries of the agencies.
    Mr. Horn. Mr. Forman, we discussed that OMB and CIOs and 
IGs and their reports, and that those were required by the 
Government Information Security Reform Act passed last year as 
part of the fiscal year 2000 Defense Authorization Act, and I'd 
like it on the record, is OMB satisfied with the quality of 
these reports and how do you account for the substantial 
discrepancies that we noted in several cases between the CIOs 
reports and those of the IGs and are some agency CIOs 
underreporting their vulnerabilities?
    Mr. Forman. When you say are we satisfied with the quality 
of the reports, are we satisfied with the quality of the 
content or the completeness of the reports, I guess would be my 
question? I think that in both cases, we'd say we're not fully 
satisfied. So let me explain that a little bit. This is the 
best set of information that we've had so far going back to 
1987 in the Computer Security Act on agency assessments. We 
want more. That's the bottom line.
    In some cases, the agencies have come back afterwards and 
provided us the additional information, in many cases. Are we 
satisfied with the content? There are clear examples of 
dramatic progress versus the information that we had received 
before. I would say that the high--areas where you have given 
agencies higher grades are not an area where we are seeing any 
of the agencies. So my answer would be, as has been said before 
I believe before this committee, I don't do C work. I don't 
want the agencies to do C work. I'm not satisfied.
    Mr. Horn. Good. Glad to hear it. How long will it take you 
to turn them around?
    Mr. Forman. I don't know the answer to that. I'd like to be 
able to come before you a year from now and to say that we've 
got a substantial amount of Bs. That clearly is where we'd like 
to go. On the other hand, as I've said before, there's another 
level of details associated with what we've got to get across 
the CIOs. The work force skills and the compliance with those 
skills that may not show up in the reports, the agreement on 
some of these security protocols and standards and so forth, 
that I believe is a critical element of how you should hold me 
accountable. But again, that won't show up in these reports. So 
I've got a lot to do, and I don't know if I can get to that 
level of B in a year from now.
    Mr. Horn. To what degree does the President and OMB and all 
of those who see the retiring situation in the bureaucracy and 
how we replace it with very committed people and have 
understanding of the new world that they didn't come out of 20, 
30 years ago? So are we going to get some incentives of getting 
new people into the government where we need them badly and get 
people to go around to the State universities in particular, I 
would think, and--but I'm biased there. And those are the 
people that stay with it, when I looked at them in a study 30 
years ago, and it still seems to be true. So what's the plan?
    Mr. Forman. Absolutely, on the work force we're taking a 
number of initiatives, and, again, I'd say that these are in 
two prongs. One, the types of security personnel or computer 
security, cybersecurity personnel that we're hiring, their 
skill-sets, how we build their competencies and indeed the 
training program. The second is in a number of other job 
categories, Web masters, Web applications designers, the skills 
to do object-oriented architectures and so forth. So we have to 
ramp-up those skills.
    Now, one point that I have to make here is that the vast 
majority of our work force are not Federal employees. I think 
we've made tremendous progress with the CIO Council Workforce 
Committee, under Gloria Parker and Ira Hobbs, to move forward 
on a curriculum. You may be familiar with the CIO university 
concept that basically lays out a curriculum for graduate 
school and related training. What we're finding is that as much 
or more contractor personnel are going through this course work 
than Federal employees. So we're making--which should be, you 
know, given the ratio of our work force, Federal versus 
contractor, we should be seeing that. We're making that 
progress, and I will continue to push forward in that arena.
    Mr. Horn. Well, thank you very much. It's been a useful 
situation of going through these things, and I think 1 year is 
too much to wait, and we're going to have to think about it in 
maybe a month and a half and 2 months and a half to get, and I 
would hope OMB would say, get with it, and then we don't have 
to give Fs. So--and as you say, you don't want to have a C 
student there either. Often they're the ones, however, that are 
hiring people of a grant and what not and get rather rich in 
Silicon Valley.
    So anyhow, we thank you for coming, and I want to thank the 
staff here that helped put it all together and worked with us 
in terms of the grading situation. Russell George, staff 
director and chief counsel; Bonnie Heald, the deputy staff 
director; Elizabeth Johnston to my left, professional staff; 
Darren Chidsey, professional staff, Earl Pierce, professional 
staff, and Jim Holmes and Fred Ephraim, interns. We're glad to 
have them, and on the minority side, David McMillen, 
professional staff; Jean Gosa, minority clerk; and our faithful 
court reporters are Christina Smith and Michelle Bulkley. So 
thank you.
    And with that, we're adjourned.
    [Whereupon, at 11:12 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]
[GRAPHICS 82173.038 through 82173.048 OMITTED]