b"<html>\n<title> - COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?</title>\n<body><pre>[House Hearing, 107 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,\n                        FINANCIAL MANAGEMENT AND\n                      INTERGOVERNMENTAL RELATIONS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED SEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            NOVEMBER 9, 2001\n\n                               __________\n\n                           Serial No. 107-115\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n\n\n\n\n\n                       U. S. GOVERNMENT PRINTING OFFICE\n82-173                          WASHINGTON : 2002\n___________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n\n\n\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     DAN BURTON, Indiana, Chairman\nBENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California\nCONSTANCE A. 
MORELLA, Maryland       TOM LANTOS, California\nCHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York\nILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York\nJOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania\nSTEPHEN HORN, California             PATSY T. MINK, Hawaii\nJOHN L. MICA, Florida                CAROLYN B. MALONEY, New York\nTHOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, \nMARK E. SOUDER, Indiana                  DC\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nBOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio\nDAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois\nDOUG OSE, California                 DANNY K. DAVIS, Illinois\nRON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts\nJO ANN DAVIS, Virginia               JIM TURNER, Texas\nTODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine\nDAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois\nCHRIS CANNON, Utah                   WM. LACY CLAY, Missouri\nADAM H. PUTNAM, Florida              DIANE E. WATSON, California\nC.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia                      ------\nJOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont \n------ ------                            (Independent)\n\n\n                      Kevin Binger, Staff Director\n                 Daniel R. Moll, Deputy Staff Director\n                     James C. Wilson, Chief Counsel\n                     Robert A. Briggs, Chief Clerk\n                 Phil Schiliro, Minority Staff Director\n\n    Subcommittee on Government Efficiency, Financial Management and \n                      Intergovernmental Relations\n\n                   STEPHEN HORN, California, Chairman\nRON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois\nDAN MILLER, Florida                  MAJOR R. 
OWENS, New York\nDOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania\nADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York\n\n                               Ex Officio\n\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\n          J. Russell George, Staff Director and Chief Counsel\n             Elizabeth Johnston, Professional Staff Member\n                        Justin Paulhamus, Clerk\n           David McMillen, Minority Professional Staff Member\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on November 9, 2001.................................     1\nStatement of:\n    Dacey, Robert F., Director, Information Security, U.S. \n      General Accounting Office..................................     5\n    Forman, Mark A., Associate Director, Information Technology \n      and E-Government, Office of Management and Budget..........    33\nLetters, statements, etc., submitted for the record by:\n    Dacey, Robert F., Director, Information Security, U.S. \n      General Accounting Office, prepared statement of...........     8\n    Forman, Mark A., Associate Director, Information Technology \n      and E-Government, Office of Management and Budget, prepared \n      statement of...............................................    38\n    Horn, Hon. Stephen, a Representative in Congress from the \n      State of California, prepared statement of.................     
3\n\n\n COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?\n\n                              ----------                              \n\n\n                        FRIDAY, NOVEMBER 9, 2001\n\n                  House of Representatives,\n  Subcommittee on Government Efficiency, Financial \n        Management and Intergovernmental Relations,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10 a.m., in \nroom 2154, Rayburn House Office Building, Hon. Stephen Horn \n(chairman of the subcommittee) presiding.\n    Present: Representative Horn.\n    Staff present: Russell George, staff director and chief \ncounsel; Bonnie Heald, deputy staff director; Elizabeth \nJohnston, Darren Chidsey, and Earl Pierce, professional staff \nmembers; Jim Holmes and Fred Ephraim, interns; David McMillen, \nminority professional staff member; and Jean Gosa, minority \nassistant clerk.\n    Mr. Horn. The Subcommittee on Government Efficiency, \nFinancial Management and Intergovernmental Relations is now in \norder. In the aftermath of the terrible events of September \n11th, the Nation has prudently focused on its computer security \nvulnerabilities. Most of this examination has been focused on \nthe risks to the country's physical infrastructure. However, as \nthe oversight conducted by this subcommittee during the last 6 \nyears has shown, the Nation cannot afford to ignore the risks \nassociated with cyberattacks.\n    Federal agencies rely on computer systems to support \ncritical operations that are essential to the health and well-\nbeing of millions of Americans. 
National defense, emergency \nservices, tax collection, and benefit payments all rely on \nautomated systems and electronically stored information.\n    Without proper protection, the vast amount of sensitive \ninformation stored on executive branch computers could be \ncompromised and the systems themselves subject to malicious \nattack. As the recent spate of computer viruses and worms has \nshown, cyberattacks have the potential to cause great damage to \nthe Nation.\n    It is imperative that the public and private leaders of \nthis Nation know where weaknesses exist in their organizations \nso they can effect corrective action.\n    With that in mind, I am releasing an assessment of how \nFederal agencies rate in their computer security efforts. This \nis the second year that we have issued a grade on the subject. \nIt is a disappointing feeling to announce that the executive \nbranch of the Federal Government has received a failing grade \nfor its computer security efforts.\n    Last year Congress passed the Government Information \nSecurity Reform Act which was intended to ensure that Federal \nagencies establish agency-wide computer security programs that \nadequately protect the systems that support their missions. \nBased on the requirements of that law, the subcommittee has \nassessed the progress of 24 major executive branch departments \nand agencies in reaching the goals of enhanced computer \nsecurity. Overall, the Federal Government received an F in this \neffort. The Office of Management and Budget [OMB] has set the \nstandard. The staffs of the General Accounting Office and our \nsubcommittee staff review the OMB inventory. Agency Inspectors \nGeneral and Chief Information Officers and Chief Financial \nOfficers have been very helpful in this.\n    Two thirds of the agencies failed completely in their \ncomputer security efforts: The Department of Defense, whose \ncomputers carry some of the Nation's most sensitive secrets, F. 
\nThe Department of Energy, along with the Nuclear Regulatory \nCommission which oversees the Nation's nuclear facilities and \nother programs, F. The Department of Transportation, which \nincludes the Federal Aviation Administration, an F. The \nDepartment of Health and Human Services, which holds personal \ninformation on every person who receives Medicaid and Medicare. \nIn all, 16 Federal agencies failed this examination completely.\n    Five other agencies managed to keep their heads above \nwater, but just barely. The Federal Emergency Management \nAgency, the General Services Administration, Environmental \nProtection Agency, and the Department of Housing and Urban \nDevelopment at the Department of State all earned Ds.\n    The National Aeronautic and Space Administration did \nslightly better, scoring a C-minus. The Social Security \nAdministration, which performed an admirable job of preparing \nfor Y2K, earned only a C-plus on its computer security program. \nAnd the National Science Foundation's B-plus was the highest \ngrade awarded this year.\n    All of us in Congress are well aware that the Nation is in \na state of war. It is not anyone's intention to place this \ngreat land at further risk of attack. It is, however, very \nimportant that the new administration take heed of the sobering \nassessment the subcommittee is providing and work expeditiously \nto address this most important need.\n    [The prepared statement of Hon. Stephen Horn follows:]\n    [Prepared statement omitted from the text version: GRAPHIC/TIFF pages 82173.001-82173.002]\n    \n    Mr. Horn. And we have two excellent witnesses today, and \nthat is Robert F. Dacey, Director, Information Security, U.S. \nGeneral Accounting Office. We also have Mark A. 
Forman, \nAssociate Director, Information Technology and E-Government, \nOffice of Management and Budget.\n    Gentlemen, as you know, we swear in witnesses here and your \nstaff that have accompanied you, and the clerk will keep tabs \nof who the staff are and so forth and put it in the hearing \nrecord. So if you will stand and raise your right hands.\n    [Witnesses sworn.]\n    Mr. Horn. The clerk will note that we have six witnesses \nand supporters.\n    And our first witness is Robert Dacey, the Director, \nInformation Security U.S. General Accounting Office. Welcome.\n\n STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, \n                 U.S. GENERAL ACCOUNTING OFFICE\n\n    Mr. Dacey. Thank you. Mr. Chairman, I am pleased to be here \ntoday to discuss our recent analysis of information security \naudits and evaluations of unclassified computer systems at 24 \nmajor departments and agencies. As you requested, I will \nbriefly summarize my written statement.\n    Overall, the audit shows that significant pervasive \ncomputer security weaknesses continue to place Federal assets \nand operations at risk. As with other large organizations, \nFederal agencies rely extensively on computerized systems and \nelectronic data to support their missions. If these systems are \ninadequately protected, resources such as Federal payments and \ncollections could be lost or stolen. Computer resources could \nbe used for unauthorized purposes or to launch attacks on \nothers.\n    Sensitive information such as taxpayer data, Social \nSecurity records, medical records, and proprietary business \ninformation could be inappropriately disclosed or browsed or \ncopied for purposes of espionage or other crimes. Critical \noperations such as those supporting national defense and \nemergency services could be disrupted. 
Data could be modified \nor destroyed for purposes of fraud, deception or disruption, \nand agency missions could be undermined by embarrassing \nincidents that result in diminished confidence in the Federal \nGovernment's ability to conduct its business in a secure \nmanner.\n    Further, these risks are rapidly increasing. Greater \ncomplexity and interconnectivity of systems including Internet \naccess are providing additional potential avenues for \ncyberattack.\n    Second, more standardization of systems hardware and \nsoftware is increasing the exposure to commonly known \nvulnerabilities.\n    Third, the increased volume, sophistication and \neffectiveness of cyberattacks, combined with readily available \nintrusion, or hacking tools, and limited capabilities to detect \ncyberattacks.\n    And, fourth, other nations, terrorists, transnational \ncriminals, and intelligence services are developing cyberattack \ncapabilities. The threat of cyberattacks can also arise from \nhackers and others. For example, the disgruntled organization \ninsider is a significant threat, since such individuals often \nhave knowledge that allows them to gain unrestricted access and \ninflict damage or steal assets.\n    Given these risks, I would like to turn to the status of \nFederal agency information security. Our most recent analysis \nof reports published from July 2000 to September 2001 continue \nto show significant weaknesses in Federal unclassified computer \nsystems that put critical operations and assets at risk.\n    We have reported the potentially devastating consequences \nof poor information security since September 1996 and have \nidentified information security as a governmentwide high-risk \narea since 1997, and most recently in January 2001. 
As the body \nof audit evidence continues to expand, it is probable that \nadditional significant deficiencies will be identified.\n    Weaknesses continue to be reported in each of the 24 \nagencies included in our review, and they covered all six major \nareas of general controls which are those policies, procedures, \nand technical controls that apply to all or most of computer \nprocessing and help ensure their proper operation.\n    This chart illustrates the distribution of weaknesses for \nthe six general control areas across the 24 agencies. As we \nhave reported in the past, information security problems \npersist in a large part because agency managers have not yet \nestablished comprehensive security management programs.\n    As further evidence of vulnerabilities, the Inspectors \nGeneral reported significant deficiencies in agency-critical \ninfrastructure protection efforts. During the past 2 years, a \nnumber of improvement efforts have been initiated. For example, \nseveral agencies have taken significant steps to redesign and \nstrengthen their information security programs. In addition, \nthe Federal Chief Information Officer or CIO Council has issued \na guide for measuring agency progress which we assisted in \ndeveloping. And the President issued a national plan for \ninformation systems protection in January 2000.\n    More recently, partially in response to the events of \nSeptember 11th, the President created the Office of Homeland \nSecurity with duties that include coordinating efforts to \nprotect public and private information systems in the United \nStates from terrorist attack. The President also appointed a \nspecial advisor for cyberspace security to coordinate \ninteragency efforts to secure information systems and created \nthe President's Critical Infrastructure Protection Board to \nrecommend policies and coordinate programs for protecting \ncritical infrastructure. 
The Board is to include a standing \ncommittee for executive branch information systems security, \nwhich is to be chaired by an OMB designee.\n    These actions are laudable. However, given recent events \nand the reports that critical assets and operations continue to \nbe highly vulnerable to computer-based attacks, the government \nstill faces a challenge in ensuring that risks from \ncyberthreats are appropriately addressed in the context of the \nbroader array of risks to the Nation's welfare.\n    Accordingly, it is important that Federal information \nsecurity be guided by a comprehensive strategy for improvement. \nAs the administration refines its strategy that it has begun to \nlay down in recent months, it is imperative that it take steps \nto ensure that information security receives appropriate \nattention and resources and that known deficiencies are \naddressed.\n    First, it is important that Federal strategy delineate the \nroles and responsibilities of the numerous entities involved in \nFederal information security and the related aspects of \ncritical infrastructure protection. Further, there is a need to \nclarify how these activities of these many organizations \ninterrelate, who should be held accountable for the success and \nfailure, and whether they will effectively and efficiently \nsupport national goals.\n    Second, more specific guidance to agencies on controls that \nthey need to implement could help to ensure adequate \nprotection. Currently agencies have wide discretion in deciding \nwhat computer security controls to implement and the level of \nrigor with which they enforce these controls.\n    Third, there is a need for effective agency monitoring to \ndetermine if milestones are being met and testing to determine \nif policies and procedures are operating as intended. 
Routine \nperiodic audits such as those required in recent government \ninformation security reform legislation would allow for more \nmeaningful performance measurement.\n    Fourth, the Congress and the executive branch can use audit \nresults to monitor agency performance and take whatever action \nis deemed advisable to remedy identified problems. Such \noversight is essential for holding agencies accountable for \ntheir performance, as was demonstrated by the OMB and \ncongressional efforts to oversee the year 2000 computer \nchallenge.\n    Fifth, agencies must have the technical expertise they need \nto select, implement, and maintain controls to protect their \nsystems. Similarly, the Federal Government must maximize the \nvalue of its technical staff by sharing expertise and \ninformation.\n    Sixth, agencies can allocate resources sufficient to \nsupport their computer security and infrastructure protection \nactivities. Some additional amounts are likely to be needed to \naddress significant weaknesses and new tasks. OMB and \ncongressional oversight for future spending on computer \nsecurity will be important to ensuring that agencies are not \nusing the funds they receive to continue ad hoc piecemeal \nsecurity fixes that are not supported by strong agency risk \nmanagement process.\n    And, last, expanded research is needed in the area of \ninformation security protection. While a number of research \nefforts are underway, experts have noted that more is needed to \nachieve significant advances.\n    Mr. Chairman, this concludes my statement. I will be \npleased to answer any questions that you have at this time.\n    Mr. Horn. Well, thank you Mr. Dacey.\n    [The prepared statement of Mr. 
Dacey follows:]\n    [Prepared statement omitted from the text version: GRAPHIC/TIFF pages 82173.003-82173.027]\n    \n    Mr. Horn. We now go to Mark A. Forman, Associate Director, \nInformation Technology and E-Government, Office of Management \nand Budget. Welcome here.\n\n STATEMENT OF MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION \n  TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET\n\n    Mr. Forman. Thank you, Mr. Chairman. Thank you for inviting \nme here to discuss the administration's efforts in the areas of \ncomputer security. Before getting to the substance of my \ntestimony, I would like to commend you and the committee for \nyour past and current efforts to shine the spotlight on Federal \nagency security performance. 
I believe that only by keeping the \npressure on this issue will we get the improved performance, \nwill we be able to achieve and sustain the targets that we are \nall searching for achieving.\n    As you know, the President's given a high priority to the \nsecurity of government assets including information systems and \nthe protection of our Nation's critical information assets. The \nPresident has taken a number of steps to address these risks. \nLast month the President signed Executive Order 13228 which \nestablished the Office of Homeland Security and the Homeland \nSecurity Council.\n    The Executive order provides for the implementation of a \ncomprehensive national strategy for detecting, preparing for, \npreventing, protecting against, responding to and recovering \nfrom terrorist threats and attacks within the United States. To \nwork with Governor Ridge on issues related specifically to the \ntopic of today's hearing--that is, the security of information \nsystems--the President appointed Richard Clarke as Special \nAdvisor for Cyberspace Security and issued Executive Order \n13231, ``Critical Infrastructure Protection in the Information \nAge.''\n    The President has made OMB a member of both the Homeland \nSecurity Council and the Critical Infrastructure \nProtection Board. We will help identify resource shortfalls and \nduplication and ensure that funding requests are included in \nthe President's budget, as necessary, and properly managed when \nappropriated by Congress.\n    OMB's presence on both organizations also reflects our \nstatutory role regarding the security of Federal information \nsystems. Now, over the last 3 years, Congress has passed two \nlaws that have helped to shape our current efforts in security. \nIn 1998 the Government Paperwork Elimination Act, GPEA, was \npassed. 
GPEA addressed OMB and agency responsibilities for \nconducting business in an electronic environment and recognized \nthat improved government performance demands an ability to \nbroadly accept authenticated electronic business transactions. \nLast year, through passage of the Government Information \nSecurity Reform Act, which we will refer to as the ``Security \nAct,'' Congress strengthened the legal framework for the \nexecutive branch to address computer security needs.\n    Working within this legal framework, OMB is to continuously \nimprove Federal security programs. Our guidance ensures that \nagency senior managers devote greater attention to security; \nrequires agencies to tie security to their capital planning and \ninvestment control process and to their budget as required \nunder the Clinger-Cohen Act, the Security Act, and indeed by \nour policy. It helps agencies get user buy-in for security \ncontrol and processes to ensure that they enable business \noperations. It requires that security is part of agency program \nmanagement. And it makes adequate security a condition for \nfunding by requiring that security controls and their costs be \nexplicitly identified.\n    The agencies have reported that for fiscal year 2002 they \nare investing approximately $2.7 billion for security and \ncritical infrastructure protection. Of course, there are \nembedded security elements such as software and protocols \nwithin our overall IT spending. So this is buried within a \ntotal information technology budget for 2002 of approximately \n$45 billion.\n    But a high dollar figure says little about effective \nsecurity. In fact, we have done some analysis on our evaluation \nof the 2002 reports and we found there is no significant \nrelationship between the percent of IT spending on security to \nthe security performance of that agency.\n    Now, as you know, several of your ratings, based on our \nstaff discussions, are a little tougher than ours. 
Some of \nyours are a little lenient. If we were to add in your ratings \nthough, I have no doubt that would show a negative relationship \nbetween IT spending and their security performance. So----\n    Mr. Horn. Let me just ask for a fact here, to get it in the \nrecord. Is that figure you gave us $2 billion, was that it?\n    Mr. Forman. $2.7 billion.\n    Mr. Horn. $2.7. Does that include the intelligence \nhardware, software?\n    Mr. Forman. It would for the Defense Department, but not \nfor Intelligence Community spending.\n    Mr. Horn. OK. Because I think some of that needs to be \ncarved out before we look at the 24 agencies, minus one or two. \nGo ahead.\n    Mr. Forman. In essence, we don't believe that simply adding \nmore money will solve the problems. It has not worked for IT in \ngeneral. It shifts attention away from effective management and \ninvestment of existing resources, and we don't believe it will \nwork for IT security.\n    To ensure that security is addressed both in apportionment \nof the 2002 agency funds and in their 2003 budget request, we \nhave established four criteria: First, agencies must report \ntheir security costs for each measure and significant IT \nsystems. 
Systems that fail to document their security costs \nwill not be funded.\n    Second, agencies must document in their capital asset plans \nthat adequate security controls have been incorporated into the \nlifecycle planning and funding for each system.\n    Third, agency security reports and corrective action plans \nare presumed to reflect agencies' security priorities and thus \nare a central tool that we are using in prioritizing funding \nfor systems at the agencies.\n    And, four, agencies must tie their corrective action plans \nfor a system directly to the capital asset plan for that \nsystem, thereby establishing the audit trail that we know that \nthe actions are underway.\n    In September we began to receive the agency reports as \nrequired by the Security Act. We are reviewing them now because \nwe know that there will be much consultation with the agencies \nregarding their submissions. It is too early to make public our \nspecific findings regarding any particular agency. I will point \nout at this point that we do see the Defense Department is \noperating a significantly higher level of performance in \nsecurity than your ratings would suggest. But later I will \nprovide you some broad observations.\n    First I want to talk about our process and how we have gone \nsignificantly further than the law requires insofar as \nreporting and follow-up. As you know, the Security Act's \nreporting requirements are relatively narrow, requiring only \nthat the agency Inspectors General submit an annual independent \nevaluation to OMB. But because security is a high priority for \nthis administration, we have expanded the Security Act's \nreporting requirements. We have issued guidance throughout the \nyear on meeting these requirements, including detailed \ninstructions to agencies on how to report the results in an \nexecutive summary. 
To ensure that reporting does not devolve \ninto a paper drill, we are also requiring that agencies produce \nfor their own use and send to us copies of corrective action \nplans and milestones for each weakness found by an IG \nevaluation, a program review, or any other review conducted \nthroughout the year including GAO audits. These plans bring a \ndiscipline to the process and make tracking progress much \neasier for all involved.\n    We will also seek brief quarterly certifications that \ncorrective actions are on track. We intend to use the security \nreports from the agencies, the information we have gathered \nfrom meetings with the agencies on integrating security into \ntheir capital planning process and in budget submissions with \nother sources to determine whether OMB must take steps to \nassist agencies in quickly correcting the most serious \nweaknesses.\n    In general, based on the security reports, we found across \nthe 24 CIO agencies that the most common problems involved \ninadequate compliance with existing OMB security policies and a \nfailure to follow the implementing guidance for the Security \nAct.\n    Based on our preliminary findings, agencies have to do a \nbetter job testing and evaluating the basic security controls; \nimprove the ongoing maintenance of system security; greatly \nimprove employee training and awareness programs; do a better \njob integrating security into their capital planning and \nbudgeting process; recognize greatly increased risk of \ninterconnection; require that every system supporting \noperations and their assets are reviewed annually as part of \nthe program review; install readily available patches for \ncommonly known vulnerabilities. As you know this is a chronic \nproblem identified by GAO, the IGs, and most any security \nprogram in view.\n    It's also commonly reported from FedCIRC and others as the \ncause of some 90 percent of the successful attacks on the \nagency. 
This list represents what I would call the blocking and \ntackling, and not the policy gaps, but the details of what \nneeds to be done in the agencies.\n    The reporting requirements of the Security Act have given \nus a starting point to measure the performance, a baseline. And \nthis is our first opportunity to analyze the comprehensive \ninformation from agencies, and from this we can move forward on \nresolving the security concerns.\n    I would also like to take a moment to update you on two \nother security-related initiatives we are working on. The first \ninvolves our E-Government initiatives. We are currently working \nwith agencies on a number of high-payoff, cross-agency E-\nGovernment initiatives. All of these initiatives will address \nsecurity within their business cases as we're requiring a \ndetailed business case be made for each of them.\n    Additionally, we have three specific initiatives that deal \nwith security issues.\n    First, E-authentication, ensuring that parties to a \ntransaction are authorized to participate, and it would ensure \nthe integrity of the transaction.\n    Second, the wireless networks initiative, ensuring \neffective and interoperable communications between public \nsafety officials throughout all levels of government, Federal, \nState and local, before, during and after the response to an \nemergency.\n    And, third, disaster assistance and crisis response, \nproviding a one-stop portal containing information from all \npublic and private organizations involved in disaster \npreparedness response and recovery.\n    A second major issue on another front is that we are \ndirecting large agencies under a Project Matrix view. Project \nMatrix identifies the critical assets within an agency, \nprioritizes them, and then identifies interrelationships within \nthat agency and beyond into the enterprise architecture. Fiscal \nyear 2002 funds will be re-allocated to provide for Matrix \nreview. 
Once the reviews have been completed at each large
agency, OMB will identify cross-government activities and the
associated lines of business. In this way, we will have
identified both the vertical and the horizontal critical
operations; in other words, within an agency or department and
between agencies and departments, and the assets and the
relationships beyond government; in essence the government's
critical enterprise architecture.
    I'd just like to sum up with a few comments. We are
planning to engage the agencies in a number of ways to address
the problems that have been identified. We are going to be
emphasizing both the responsibilities and the performance of
agency employees, in addition to accountability for exercising
those responsibilities, and consequences for poor performance.
At the same time, we are going to focus on achieving sustained
senior management attention at the agencies. In the past this
has been a chronic problem that we at GAO and others have found
over the years to be the underlying cause for poor security
performance.
    And, Mr. Chairman, as you know, I worked for many years on
the Senate Governmental Affairs Committee. Computer Security
Act oversight was part of my portfolio. And we have a chronic
issue of getting department secretaries and agency heads to
focus on this. I am quite pleased this year that in the agency
it gives a report, it is a Security Act report. We had many
agency heads and secretaries signing-off on the report. So I am
pleased that we are finally starting to get the senior
executive view in this important issue.
    In discharging our responsibilities under the Security Act,
the director will be communicating with the appropriate agency
heads to impress upon them the true improvement in security
performance that has to come out of external oversight from
OMB, the IGs and GAO. Congressional committee is insufficient.
It's got to come from within the agencies. So we're impressing
upon them the importance of holding agency employees, including
the CIOs and program officials, accountable for fulfilling
their responsibilities under the Security Act. There have to be
consequences for inadequate performance. We will also
underscore an essential companion to that accountability, the
clear and unambiguous authority to exercise those
responsibilities.
    Again, I want to thank you and the committee for your help
and continued focus on this important area. It's vital that we
all work together to maintain this as a priority issue, and
thus promote a more secure government. Thank you.
    [The prepared statement of Mr. Forman follows:]
    Mr. Horn. Thank you, Mr. Forman. Both you and Mr. Dacey
have fine careers in the private sector as well as the public
sector, and I guess I would ask you if you looked at these
charts and the subcommittee's charts, what would you do if you
were still in the private sector?
    Mr. Forman. Well, I have two----
    Mr. Horn. Would there be a new computer director?
    Mr. Forman. I have two views on this. No. 1, I would and I
will, as well as the Director of OMB, use your data and our
data in communications as part of the 2003 budget process. That
will go back to the hill.
    And as I indicated in our testimony, we have authorities on
the apportionment of funds in 2002.
I think we have made clear
that we're not going to fund systems that don't meet the
requirement of what we require to be a valid business case, and
computer security at the heart of that.
    The second thing that I think we all need to be cognizant
of, the reports, as I read the evaluation, are based on
valuation of agency reports, you know, whether from the IGs and
GAO, or from the agency themselves. And I don't believe we have
the data that we need into the details, so if I go into a
server farm or a data center have they been pulling down, for
example, the IIS patches that they need to deal with Red Worm?
We put out a call via FedCIRC to get the CIOs to ensure that
indeed this was occurring. And what we found out is, yes, it
had occurred. There were no issues in many of the agencies.
What we found out in some other agencies, this was not on the
platter of some of the CIOs. So when we get into the details I
think we are going to find a mixed bag, and I think that is
where we need to go over this next year.
    Mr. Horn. Mr. Dacey, you have a similar career in the
private and public sector. What would you do if you had this
bunch of grades dumped on your desk some morning?
    Mr. Dacey. Well, I think the first step is along the lines
of what Mark had said. I think you really need to take an
assessment of really how bad or good is your security, what's
working good and what's working bad. Since we started doing
work probably in 1996, generally in connection with the CFO Act
and other congressional requests, we have gained a lot more
information as the years have gone on and continued to find
significant weaknesses in computer systems.
But I don't think
that we have an end-all analysis at the type of detail level
that Mark referred to.
    So I would suggest the first thing to do which is
contemplated by the GISRA legislation is to go out and ensure
that you really understand the nature of those vulnerabilities
and weaknesses. I think, again, that needs to be done. We have
not had time to really analyze the GISRA reports to see how
much additional work has been completed beyond what was done
before GISRA. But I think that is an important area.
    Second, I think it is important to realize that what needs
to be incorporated is really an acknowledgment that computer
security is part of your basic operations. It's really a
responsibility of everyone in the agency, and you really need
to put in place reasonable and adequate computer security
management programs to ensure that. I think it is very
important for management to have some regular analysis of their
systems as well in order to manage and maintain some level of
accountability and performance measurement. I think those are
important aspects of the GISRA legislation as well because we
do have an annual accounting now, at least for the 2 years that
the law currently covers, to address that issue, and then,
given the identification of these weaknesses, really set up a
very active plan to address them, including looking at ways to
benefit from what is being done across other agencies.
    What I see now a lot is each agency trying to address their
computer security, setting up what they believe to be an
adequate security process. Even within agencies, bureaus within
agencies are setting up sometimes vastly different levels of
security based upon their judgments.
I think there needs to be
a coalescing of some of that information, establishment of some
common level of controls, at least a baseline, to tell people
here's what you really need to have, and not have each agency
try to figure out on their own how they get to that point in
time. Those are the kind of things I think I would suggest from
a private sector approach to try to address a problem of this
magnitude.
    Mr. Horn. The chief information officers have a council,
and they have subcommittees and committees within that council.
Are you both members of that, or at least Mr. Forman for the
administration?
    Mr. Forman. I serve as the director for the council.
    Mr. Horn. Yeah. Now, do you think they take this seriously,
or is this just regarded by either OMB or this subcommittee
that they say, oh, just another piece of paper we've got to
fill out; how are we going to solve that problem and get them
involved to really know it's serious?
    Mr. Forman. I think that they do take this seriously. As
you know, we have reorganized the council and haven't
completely finished the deployment of that. Security is one of
the areas that we are working through a number of options. But
we have chosen to disband for now the Security Committee, and I
think it is important to understand why. We've got a good best
practices guide out of that committee. We had many members on
that committee who are in key agencies. We do not see any
correlation based on the data between membership on that
committee and either your scores or our scores of success. We
need to get into the nitty-gritty details.
    We have a Work Force Committee. There are two key elements
of the workforce that we and the CIOs need insight on. No. 1,
what are the standards of performance for security personnel?
What types of skills should we be looking at, both in terms of
who we're hiring and who are in those positions within the
government.
And I'm forever cognizant of the fact that 80
percent of our IT work force is through contractors. So what
are the basic skills and capabilities we need? We need more
insight on that and then we need to hold the agencies
accountable. That task was given to the Work Force Committee.
    The second type of work force skills, Web masters, Web
designers, virtually everybody, every career field in IT, now
has some aspect of security. So clarifying those
responsibilities, those knowledge requirements and skill
requirements, is the other thing that the Work Force Committee
is doing.
    The Best Practices Committee will continue to focus on best
practices. We have chosen to give National Institute for
Standards and Technology a higher role in this arena as a
source not only of the Federal information processing
standards, but also a terrific source of best practices.
    The third area in this is the architecture area. We have an
Architecture Committee. We have to get agreement among the CIOs
of some of the common best practices as they relate directly to
the architectural elements. So it is my intent to force that
debate and that consensus building that we need via that
committee.
    Now we are looking at how do we best drive the cross-cut
across all the CIO agencies. And to date, quite frankly, I've
been fighting the maintenance of a committee just to talk about
this, because we do not see that correlation between committee
membership and success.
    With that said, we have some other options. Do we appoint a
couple of people, CIOs that basically marshal across the other
standing committees to focus on security and ensure that it's
getting out to all the other CIOs? We had a roundtable
discussion a couple of weeks ago, a 2-hour discussion where the
CIOs to a ``T'' were either there in person or there with their
deputy CIO. So I believe they are very focused on this issue.
And we have a 5-page list of ideas we need to focus on and
alternative ways to handle that. We are pulling that material
together now. We will have another meeting and discussion of
this at the CIO Council coming up next month to make some
choices on how we'll proceed.
    Mr. Horn. Were you at OMB when the argument--I don't know
whether you have it an argument or what--between the council
and OMB as to what kind of questions ought to be used to look
at what the hardware and software are with these computer
operations? And were you there when this particular group--and
this grading thing we have done is really just look at what OMB
did, send out to 24 of the major agencies and departments, and
that's all we did. Do you think we have been unfair in reaction
to these grades?
    Mr. Forman. I am not quite sure I understand the question,
but let me try.
    Mr. Horn. Well, were you around when this particular
inventory, let's say, was sent out by OMB, and we simply--and
GAO--simply said OK, they put the questions to them and let's
see if it works?
    Mr. Forman. It actually occurred just before I came on
board, the original criteria were sent out.
    Mr. Horn. So you're innocent so far.
    Mr. Forman. No. Hold me accountable. Let me give you my
view on this.
    Mr. Horn. Yeah.
    Mr. Forman. Accountability and authority go hand-in-hand
for me. If you hold me accountable, I have a way to hold the
agency accountable.
    Mr. Horn. Good. We'll do that. Maybe we'll see you a few
months from now. And one of my friends in the Cabinet on the
Y2K thing simply took our grades and put it on his door, so
every time a civil servant went in to see him, that grade was
right in their face. And he said it helped, a little bit of--
that grading got them moving. So what else can we do? What else
can you do? You're the one now on the frying pan.
    Mr. Forman. As I mentioned, in preparation of the fiscal
year 2003 budget, we have got some rather strong action that we
intend to take as part of the past act, discussions that I hope
will lead to reconciliation of gaps that we see and will
address, some of the poor grades that you see as part of the
2003 budget submission. You will see that result, I hope,
coming back very well in the President's budget submission.
    Second, as I mentioned, we intend to use the Clinger-Cohen
Act authorities on basically the apportionment process. So what
I would ask is your cooperation, because I am sure that there
may be other agencies or vendors that come to the Hill and talk
about how unfair that is. That will take persistence and
backbone by all of us to be true to these ideals.
    Mr. Horn. How would the government have fared if, on
September 11th, a cyberattack accompanied the physical attacks
on the Nation? Would that have got them moving on such things
as security? Or is it just, as I said earlier, well, let's see
the paper, OMB. We have been around here a long time and it's
the same old game. So what do you think?
    Mr. Forman. I think things have clearly shifted, and I
would daresay that it may not be as press-worthy. But if you
look at the worms that came out this summer, that our battle in
the computer security arena really started in perhaps the July
timeframe when the first of the worms started to hit. So I know
from OMB's standpoint all the way up to the director, this is,
believe it or not, the type of thing that we would talk about
at these staff meetings. We are very focused on this. And it
started in July.
    Mr. Horn. Well, when you provide us with examples of
agencies whose requests will not be funded because they've
failed to document their security costs, that would be an
example of getting their attention. Is that what you're
planning to do?
    Mr. Forman. Well, we hope that we will be able to----
    Mr. Horn. Or are you being Mr. Nice Guy?
    Mr. Forman. At some point, I'm sure that I'll appreciate
the time when somebody calls me Mr. Nice Guy, after we go
through this budget process. We hope that based on the feedback
that we're giving to the agencies and will continue to give
with the agency in preparation for the 2003 budget, that we
will reconcile these issues. Obviously, if we are unable to
reconcile the issues, that list will be in the budget.
    Mr. Horn. Do you agree with GAO's recommendation to
establish mandatory standards for Federal agencies?
    Mr. Forman. I think it is a question of the details on the
standards. I think we have laid out some fairly clear standards
in both the requirements for the government information
Security Act reporting and within the guidelines of what we put
into my testimony. I think a little bit more specific
standards. The standards that we have been promulgating along
the lines of how do you hold the agency accountable and link
that to funding are actually in both A-130 and the A-11, our
basic budget documentation. So I think that is consistent with
what GAO is proposing.
    I actually think there is another set of standards that get
down to the real technology. When do certain data elements have
to have a security wrapper, which with XML technology is
currently available. When do certain elements of transactions
or certain uses of virtual private networks have to have
encryption or other types of security? It's those standards
that I want to get the agreement via the CIO Council
Architecture Committee, and that is the process I would like to
pursue for buy-in purposes.
    Mr. Horn. Mr. Dacey, let me ask you on the September 11th
question, how would the government have fared if on September
11th a cyberattack accompanied the physical attacks on the
Nation? How would GAO feel about that?
    Mr. Dacey. Well it's difficult to speculate what would have
happened. I know on the physical side we had disruptions in
communications and other areas. Fortunately at this point in
time, we haven't suffered from disastrous effects of a
cyberattack. As in our testimony we stated, though, there are
signs that things are getting more serious, more sophisticated,
that it could really be a serious issue. Particularly when you
look at how dependent we, the Federal Government, are on
computer technology and communications channels being available
to do our business on a day-to-day basis. So I think when you
look at those things, you have to start analyzing what could go
wrong.
    And in terms of the critical infrastructure, I think that's
one of the areas that Mr. Forman refers to needs attention and
has been given attention, and, through Project Matrix, has
really had to identify what those critical areas are so they be
protected adequately; at least focus the priority on protecting
those first to ensure they are protected.
    But I think that is an exercise that needs to be done,
certainly in the Federal Government. And then as part of the
overall CIP structure, consideration of what needs to be done
or what is being done in the private sector. There's a private
sector partnership here, because a lot of the critical
infrastructures that even the Federal Government depends on for
communication, electricity, and others are all controlled by
the private sector, mostly controlled by private sector
interests. So I think it is important that those be dealt with,
too.
    So I think we have, certainly, challenges ahead of us to
make sure our systems are secure before something happens that
is more disastrous. Again, we've had a lot of attacks, it's
cost a lot of money; I don't want to diminish the fact that
they haven't been serious, because they have. A lot of
productivity, a lot of money has been lost.
We had the
testimony before this committee out in California in the field
hearing and talked a little bit more about that along with the
other witnesses, but I think it is an issue that just needs to
be addressed now; and again in an organized fashion, not to say
that it isn't, but it needs to go forward, again, with really a
strategic plan. And I think some of those things we're starting
to see at this point in time.
    Mr. Horn. Well, the General Accounting Office has been
reporting on many security weaknesses in the Federal systems
for--as your testimony just notes--Federal systems for several
years. Yet based on today's grades, agencies don't appear to be
making any progress in strengthening their security. Do you
agree?
    Mr. Dacey. Well, I think we are seeing not necessarily
every agency, but many are making some significant progress in
improving security. We talked about a couple of those
certainly. We had the issue to report earlier this year on the
electronic filing system, and IRS had taken extreme efforts to
make sure that was secure for this last filing season. We have
had a lot of improvement to the Department of Defense as well,
although they continue to face challenges in putting together a
security management program, they do have some of the basic
elements in place at this point in time. So there have been
improvements. What is really challenging I think in this
environment is that the pace of these risks is increasing
extremely rapidly. Some of the factors that make it more of a
risk are increasing at a fast pace, so we are not dealing with
a static target that we need to hit. I think the target's
moving perhaps more quickly than we are at this point. I'm not
saying it is, but I'm just saying that's the challenge to keep
up with that.
    So I think in terms of perspective, again, a lot has
happened.
Probably if you want to secure the systems, the pace
may need to be stepped up a bit from what it has been to catch
up.
    Mr. Horn. Do you feel any of these grades are being easy on
people or being too tough on people? What's your thinking on
that?
    Mr. Forman. I'm concerned just about some of the
discrepancies. You have a couple of grades that are easier than
ours. We're going to hold the agencies accountable, I think,
for the harder grades in those cases. The Defense Department is
the big gap that we see between our grades and where you graded
it harder than we have. I suspect that is because they came
over and presented much more material to us than your staffs
had access to. You know, I don't know that would change
necessarily the grades that you give them. But that would be
the only discrepancy, major discrepancy I would say.
    Mr. Horn. Which grades would be easier?
    Mr. Forman. I'm probably not willing to get into that at
this point. We're going to reserve that for the directors'
communications with the agency heads.
    Mr. Horn. So you've got sort of several professors down
there that are putting different kinds of grading or what? Or
can you agree on what an F means or an A means? Or is this the
60's, anybody down there in the 60's? Because if there are, you
know, what the heck, it's just give everybody pass/fail.
    Mr. Forman. No, there aren't that many discrepancies. There
are very few discrepancies. Please let me leave it at that.
    Mr. Horn. OK. We'll see what happens in about 2 or 3 months
from now, see if we've made some real progress. And I am
curious, Mr. Forman, while I understand the government
information security reform requirements do not establish a
date by which OMB must submit its required reports to Congress,
when will OMB submit this report?
    Mr. Forman. Our intent is to submit it with the budget.
If
it is not with the budget, it will be very near to that
submission. And of course that goes along with the basic
enforcement mechanism that we are pursuing.
    Mr. Horn. Well, that's--I'm glad to hear because we were
wondering where that was. You're OMB's associate director for
IT and E-Government, don't agencies' security weaknesses as
indicated by the deplorable grades we assigned today, pose a
formidable obstacle to implementing more E-Government
initiatives? How does OMB and E-Government strategy explicitly
address computer security? Are we on the wrong thing, or how
much of that, if you will look at all of the inventory and the
form, that was sent out by OMB, is this a 5 percent or is it a
25 percent? Do they take it--how do they take it? That's what
I'm after, in terms of percentage, that they worry about and
try to do something about.
    Mr. Forman. Well, I think for each of the E-Government
initiatives it is a 100 percent, because we made very clear
that we are going to use the A-11 guidance in putting together
the business case for each of these E-Government initiatives.
In doing the work of our quicksilver task force, our
E-Government strategy team, we identified several cross-cutting
barriers. Of course, as you would anticipate and as you pointed
out, there are a number of security-related items that came out
of that. And indeed, that is this E-authentication initiative
that we've begun. That's going to have a business case as well.
Now, we have included that in any one of the customer segments,
the bulk of our initiatives focus on a customer segment
government, citizen government, and business etc. The security
initiative is a cross-cutting initiative.
It relates to
agency-to-agency or within-agency transactions as well as
interactions between Federal, State and local governments,
governments and businesses, and government and citizens.
    That business case, as all the business cases, will have to
report not just to me but to a steering group. The steering
group will in most of the initiatives be comprised of the
different management councils, CIO Council, etc. In this case,
the steering group we're going to use is that Architecture
Committee of the CIO Council. So when we come to resolution on
authentication and digital signature and E-signature elements,
which we found is the most critical element for the
E-Government initiatives, that agreement has to get the support
of all of the CIOs because it has to be embedded across the
department and agencies.
    There is another infrastructure issue that came out of the
task force, which basically I refer to as the business
architecture analysis. And integrating that with the Project
Matrix data at each department as we look across the business
architecture, all the agency-to-agency interactions, is another
level of analysis that we'll continue to do coming out of the
task force.
    Mr. Horn. Let me ask Mr. Dacey. In your testimony, you
state the number of incidents are increasing, yet one agency,
OPM, reported that during the past year it only experienced one
security incident which involved limited infection by the ``I
Love You'' virus. How do you react to this statement?
    Mr. Dacey. Well, I think one of the challenges that we have
is twofold. First of all, one of the basic premises on security
is to have the first adequate level of security in place,
particularly at your perimeters, for people to get into your
systems, but security, as good as it can be, is never going to
be foolproof.
So there is always going to be opportunities for
people to breach that, even in a good security situation.
    So you really need to have effective incident detection
processes in place to identify when that has happened and to
really identify unusual or anomalous activities. I think what
we are finding, both in the Federal agencies as well as the
challenge in the private sector, is the identification of that
type of intrusion. I know one of the parts of the GISRA
legislation is that agencies have effective incident detection
systems in place. In working and discussing things with the
CERT Coordination Center, which is funded heavily by the
Federal Government and receives a lot of information from both
private and public sector in terms of incidents, they said
their information indicates that as many as 80 percent of
incidents are not detected, and that is across the board. So I
think we have a tremendous challenge. That is in fact one of
the areas that research and development could really help to
identify better techniques, because we do have a ways to go to
really develop more effective mechanisms to identify those.
    The volume of scans and activities coming into any agency
is phenomenal. We have a rather small laboratory that we use to
help do the work that we do. We've gotten 3 million or so scans
of our system within 3 years, and that is something that is not
well advertised, even our address. I know even at home
personally, when I go online, my firewall is picking up three
or four incidents an hour of someone trying to get access to my
system. So activity is happening out there. We just need to
have a better system to figure out what is valid and what is
not valid in those systems, and it is going to be a challenge.
    Mr. Horn. Along this line, the subcommittee based its
grades on information submitted to OMB by the agency CIOs and
IGs in their reports on the annual agency security program
reviews required by the Government Information Security Reform
Act passed last year as part of the fiscal year 2000 Defense
Authorization Act.
    Now, how do you account for the substantial discrepancies
that we noted in several cases between the CIOs report and
those of the Inspectors General? Are some agencies' CIOs
underreporting their vulnerabilities?
    Mr. Dacey. Well, I think one of the challenges as part of
this process--again, not having fully analyzed what was
reported--is to really get in place a mechanism whereby there
can be some agreement on whether the security controls are
effective or not. What we have seen in the past is that a lot
of the analysis and actual testing of those systems is being
done by the Inspectors General, and although we note some
activity by managers actually testing their own systems, we
haven't seen a lot of that happening to date. So what I think
you have oftentimes are situations where the IG is actually
going out as we do, trying to break into systems, trying to
really analyze those controls, and I think what we need to do,
which has started to happen with GISRA, is say, managers--
program managers, you're the ones responsible for security.
It's not the GAO or the IG coming in every once in a while and
doing a testing of this system or that system. Management
really needs to put in place procedures and processes to
monitor their own systems on an ongoing basis regularly, which,
again, GISRA facilitates that through annual reporting
processes.
    So I think there are bound to be some difference, at least
initially.
I would hope that over time, though, that if the
agency manages to actively test their own system, which is a
very important piece of the legislation, that they will find
similar types of weaknesses, and you'll reach some convergence.
There's always going to be some differences in judgment, of
course, but I think overall that is the biggest difference now,
is the methods by which maybe that management was obtained. A
lot of this information from the management side may have been
through just various means, assessments, questions that went
out to the field and talked about whether the security is
adequate and what they have done. I don't know.
    Mark may be able to shed some more light, because we
haven't been privy to all the detailed information, but again,
that would be one potential area as to why there are some
differences and how those two might converge in the future.
    Mr. Horn. When we went through the Y2K situation, Mr.
Koskinen was the Deputy Director for Management. Nothing much
happened, and he retired, and then the President very well
called him back, and he was a friend of the President's, and
much like Governor Ridge, that--he's got Mr. Clarke, a lot of
respect for both the Governor and Mr. Clarke on these matters.
If I were a Deputy Secretary or something, I'd sure want to
please him. So the question is, is he the Lone Ranger that
comes in across the prairie and you guys are just waiting for
him to do your jobs? How do they think about that at OMB?
    Mr. Forman. First of all, in both Executive orders, it is
very clear that OMB maintains its role for the oversight and
management, if you will, of agency security. So while we're
disbanding the CIOs Council Security Committee, under the
Executive order in the Critical Infrastructure Protection
Board, OMB does chair a security committee that has been
created for Federal infrastructure.
So the linkage and the
working relationship will be very good, I think.
    Not at all would I say that we're going to toss our
responsibility up the hill. This will be another area where we
hope to be held accountable for the work, but I want to build
on something that Mr. Dacey said. You know, when we look at
this, ultimately it's got to be built into--we've got to have
security built into the actual programs. GAO several years ago
laid out how do you manage capital investments in general. Our
focus on the business case process is, I believe, the
appropriate focus that we should move forward. So in the
capital planning process, the first step is make sure security
is part of the business case, and that is essentially the phase
that we're in now in driving into the agencies. I think by us
saying we're simply not going to fund the business case that
does not incorporate the appropriate security controls,
complies with that first phase of GAO's three-part practice.
    The next phase is the actual program control. Is it
actually being built in? Are the agencies and are the program
managers working on the security components or modules as they
execute that program? The third phase is the followup, and it
is not just lessons learned and best practices. I think that's
exactly as Mr. Dacey has said, we've got to have the
affirmative testing, that in fact the security is break-proof
at that point.
    The difficulty is every time you move forward in
preventative approaches for security, the hackers move forward
in a way to break through that. So we're dealing a little bit
with the moving target. We have to make sure that is integrated
and updated, and I'm a big fan of maintaining the business
cases and controls over those business cases. So I believe that
the approach that's been laid out for capital investment
management is the same that we should be employing here.
    Mr. Horn.
Are you seeing any changes or new computer
security initiatives within the agencies since September 11th?
    Mr. Forman. Absolutely. We have much help from our friends
on the Hill. As you know, we have at least one bill suggesting
that we spend $1 billion more on computer security. We
appreciate the cooperation and the focus on security. Clearly,
more money is not the issue. Focus is, and the details, as I
think you've focused on in your scores where we need to look.
    Mr. Horn. And you're saying how much do you think you can
get out of them this time? Because I went around last year with
the number of things the executive branch wanted, and some of
them got it and some of them didn't. It was a little haphazard.
So it is nice for OMB and you to get it moving. And how much do
you think you can get from them?
    Mr. Forman. In terms of focus on this, I have to say based
on the reports that have been submitted--and, again, I'm quite
impressed with this--this is the first time that I have seen
Secretary level or agency head level focus on this issue. And
so I think that occurred before September 11th. This was--the
reports came in September 10th, and it's just I think after
that become all the more important and it's recognized. I hope
we get full compliance by the Secretaries. Our intent is in the
process between now and the final submanagers of the budget,
that we will have that communication at the level of the OMB
Director to the Secretaries of the agencies.
    Mr. Horn. Mr.
Forman, we discussed that OMB and CIOs and
IGs and their reports, and that those were required by the
Government Information Security Reform Act passed last year as
part of the fiscal year 2000 Defense Authorization Act, and I'd
like it on the record, is OMB satisfied with the quality of
these reports and how do you account for the substantial
discrepancies that we noted in several cases between the CIOs'
reports and those of the IGs and are some agency CIOs
underreporting their vulnerabilities?
    Mr. Forman. When you say are we satisfied with the quality
of the reports, are we satisfied with the quality of the
content or the completeness of the reports, I guess would be my
question? I think that in both cases, we'd say we're not fully
satisfied. So let me explain that a little bit. This is the
best set of information that we've had so far going back to
1987 in the Computer Security Act on agency assessments. We
want more. That's the bottom line.
    In some cases, the agencies have come back afterwards and
provided us the additional information, in many cases. Are we
satisfied with the content? There are clear examples of
dramatic progress versus the information that we had received
before. I would say that the high--areas where you have given
agencies higher grades are not an area where we are seeing any
of the agencies. So my answer would be, as has been said before
I believe before this committee, I don't do C work. I don't
want the agencies to do C work. I'm not satisfied.
    Mr. Horn. Good. Glad to hear it. How long will it take you
to turn them around?
    Mr. Forman. I don't know the answer to that. I'd like to be
able to come before you a year from now and to say that we've
got a substantial amount of Bs. That clearly is where we'd like
to go. On the other hand, as I've said before, there's another
level of details associated with what we've got to get across
the CIOs.
The work force skills and the compliance with those
skills that may not show up in the reports, the agreement on
some of these security protocols and standards and so forth,
that I believe is a critical element of how you should hold me
accountable. But again, that won't show up in these reports. So
I've got a lot to do, and I don't know if I can get to that
level of B in a year from now.
    Mr. Horn. To what degree does the President and OMB and all
of those who see the retiring situation in the bureaucracy and
how we replace it with very committed people and have
understanding of the new world that they didn't come out of 20,
30 years ago? So are we going to get some incentives of getting
new people into the government where we need them badly and get
people to go around to the State universities in particular, I
would think, and--but I'm biased there. And those are the
people that stay with it, when I looked at them in a study 30
years ago, and it still seems to be true. So what's the plan?
    Mr. Forman. Absolutely, on the work force we're taking a
number of initiatives, and, again, I'd say that these are in
two prongs. One, the types of security personnel or computer
security, cybersecurity personnel that we're hiring, their
skill-sets, how we build their competencies and indeed the
training program. The second is in a number of other job
categories, Web masters, Web applications designers, the skills
to do object-oriented architectures and so forth. So we have to
ramp up those skills.
    Now, one point that I have to make here is that the vast
majority of our work force are not Federal employees. I think
we've made tremendous progress with the CIO Council Workforce
Committee, under Gloria Parker and Ira Hobbs, to move forward
on a curriculum. You may be familiar with the CIO university
concept that basically lays out a curriculum for graduate
school and related training.
What we're finding is that as much
or more contractor personnel are going through this course work
than Federal employees. So we're making--which should be, you
know, given the ratio of our work force, Federal versus
contractor, we should be seeing that. We're making that
progress, and I will continue to push forward in that arena.
    Mr. Horn. Well, thank you very much. It's been a useful
situation of going through these things, and I think 1 year is
too much to wait, and we're going to have to think about it in
maybe a month and a half and 2 months and a half to get, and I
would hope OMB would say, get with it, and then we don't have
to give Fs. So--and as you say, you don't want to have a C
student there either. Often they're the ones, however, that are
hiring people of a grant and what not and get rather rich in
Silicon Valley.
    So anyhow, we thank you for coming, and I want to thank the
staff here that helped put it all together and worked with us
in terms of the grading situation. Russell George, staff
director and chief counsel; Bonnie Heald, the deputy staff
director; Elizabeth Johnston to my left, professional staff;
Darren Chidsey, professional staff, Earl Pierce, professional
staff, and Jim Holmes and Fred Ephraim, interns. We're glad to
have them, and on the minority side, David McMillen,
professional staff; Jean Gosa, minority clerk; and our faithful
court reporters are Christina Smith and Michelle Bulkley.
So
thank you.
    And with that, we're adjourned.
    [Whereupon, at 11:12 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] 82173.038
[GRAPHIC] [TIFF OMITTED] 82173.039
[GRAPHIC] [TIFF OMITTED] 82173.040
[GRAPHIC] [TIFF OMITTED] 82173.041
[GRAPHIC] [TIFF OMITTED] 82173.042
[GRAPHIC] [TIFF OMITTED] 82173.043
[GRAPHIC] [TIFF OMITTED] 82173.044
[GRAPHIC] [TIFF OMITTED] 82173.045
[GRAPHIC] [TIFF OMITTED] 82173.046
[GRAPHIC] [TIFF OMITTED] 82173.047
[GRAPHIC] [TIFF OMITTED] 82173.048
</pre></body></html>
"