[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]



 
LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 
                                  2000
=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 6, 2002

                               __________

                           Serial No. 107-124

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform








                          U.S. GOVERNMENT PRINTING OFFICE
82-355                             WASHINGTON : 2002
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001






                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
------ ------                            (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                  MAJOR R. OWENS, New York
DOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
               Claire Buckles, Professional Staff Member
                        Justin Paulhamus, Clerk
           David McMillen, Minority Professional Staff Member




                            C O N T E N T S


                             ----------                              
                                                                   Page
Hearing held on March 6, 2002....................................     1
Statement of:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office; Mark A. Forman, Associate 
      Director, Office of Information Technology and e-
      Government, Office of Management and Budget; Arden L. 
      Bement, Jr., director, National Institute of Standards and 
      Technology; Roberta L. Gross, former Inspector General, 
      National Aeronautics and Space Administration; Robert G. 
      Gorrie, Deputy Staff Director, Defense-wide Information 
      Assurance Program Office, Office of the Assistant Secretary 
      of Defense for Command, Control, Communications and 
      Intelligence; and Karen S. Evans, Chief Information 
      Officer, Department of Energy..............................    17
    Davis, Hon. Thomas M., a Representative in Congress from the 
      Commonwealth of Virginia...................................     6
Letters, statements, etc., submitted for the record by:
    Bement, Arden L., Jr., director, National Institute of 
      Standards and Technology:
        Followup questions and responses.........................   120
        Prepared statement of....................................    73
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office, prepared statement of...........    20
    Davis, Hon. Thomas M., a Representative in Congress from the 
      Commonwealth of Virginia, prepared statement of............    10
    Evans, Karen S., Chief Information Officer, Department of 
      Energy, prepared statement of..............................   109
    Forman, Mark A., Associate Director, Office of Information 
      Technology and e-Government, Office of Management and 
      Budget, prepared statement of..............................    54
    Gorrie, Robert G., Deputy Staff Director, Defense-wide 
      Information Assurance Program Office, Office of the 
      Assistant Secretary of Defense for Command, Control, 
      Communications and Intelligence, prepared statement of.....    98
    Gross, Roberta L., former Inspector General, National 
      Aeronautics and Space Administration, prepared statement of    86
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     3
    Schakowsky, Hon. Janice D., a Representative in Congress from 
      the State of Illinois, prepared statement of...............    69


LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 
                                  2000

                              ----------                              


                        WEDNESDAY, MARCH 6, 2002

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Schakowsky, and Maloney.
    Staff Present: J. Russell George, staff director and chief 
counsel; Bonnie Heald, deputy staff director; Claire Buckles, 
professional staff member; Justin Paulhamus, clerk; Michael 
Sazonoff, intern; David McMillen, minority professional staff 
member; and Jean Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, the Subcommittee on 
Government Efficiency, Financial Management and 
Intergovernmental Relations will come to order.
    The Federal Government relies on computer systems to 
provide essential services to the Nation and its people. These 
large, complex systems help regulate the economy, collect 
taxes, pay benefits, and defend the Nation. The speed and 
accessibility of the technology have greatly enhanced 
government operations and have provided citizens with nearly 
instant access to their government.
    Yet, those operations are at risk. Computers at the White 
House, the Department of Defense, the Department of the 
Treasury, and the Department of the Interior have all been 
successfully attacked. The security vulnerabilities at the 
Department of the Interior are so severe that a U.S. District 
Court judge in Washington has ordered the Department to 
disconnect its Trust Asset and Accounting Management System 
from the Internet. This system handles about $500 million a 
year in royalty and lease payments to Native Americans.
    These are not the only troubled agencies, however. In 
November 2001, the subcommittee issued its second annual report 
card grading computer security efforts at 24 major executive 
branch agencies. Overall, the executive branch earned an 
abysmal grade of ``F.'' That grade was the same during the 
Clinton administration and now the Bush administration.
    We have known for more than a decade that the government's 
information systems are vulnerable, yet little has changed. In 
a report issued last month, the Office of Management and Budget 
concluded that a significant part of the problem falls to 
senior managers who have failed to focus sufficient attention 
on computer security. I agree. The various bureaucracies need 
to be pushed by the political appointees, so we can have a 
better record.
    Since 1987, Congress has passed legislation to address 
Federal computer security weaknesses. The most recent law, the 
Government Information Security Reform Act, was enacted in the 
year 2000. This law requires Federal agencies to assess the 
nature and sensitivity of the information stored in their 
computers and then develop appropriate security plans to 
protect that information. In addition, it requires that, for 
the first time, agencies conduct annual computer security 
evaluations and report the results to the Office of Management 
and Budget.
    Agencies filed their first reports in September 2001. 
Clearly, the full benefits of the law have not been realized. 
Agencies have not yet developed security plans that balance 
protection and risk. However, they are beginning to focus on 
the problem. The act is scheduled to sunset next year.
    Today's hearing will explore how Federal agencies have 
implemented the act and what additional steps might be taken to 
ensure that effective safeguards are in place. We must identify 
the weaknesses in order to correct them. We must use the 
``lessons learned'' from the Government Information Security 
Reform Act to take effective, urgently needed action to ensure 
that it is reauthorized and improved.
    I welcome today's witnesses, and I look forward to working 
with each of you to ensure the security of the government's 
information technology resources.
    I will enter into the record at this point as an exhibit 
after my opening remarks the Computer Security Report Card of 
November 9, 2001.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.001
    
    [GRAPHIC] [TIFF OMITTED] 82355.002
    
    [GRAPHIC] [TIFF OMITTED] 82355.003
    
    Mr. Horn. The ranking member is coming, and I see that my 
colleague, Mr. Davis, has been here now as panel one, and we're 
delighted to have you here. You have been a major force in the 
work of e-government and the work of technology generally. So 
the gentleman from Virginia, Mr. Davis.

STATEMENT OF HON. THOMAS M. DAVIS, A REPRESENTATIVE IN CONGRESS 
               FROM THE COMMONWEALTH OF VIRGINIA

    Mr. Davis. Let me first commend you and your staff for the 
tremendous work you have done on Federal information security 
during your tenure as chairman of this subcommittee and your 
previous chairmanship of the Government Management, 
Information, and Technology Subcommittee. It's a privilege 
working with you on this critical topic.
    I want to thank you for giving me the opportunity to speak 
on this issue in the context of today's hearing, examining the 
lessons learned from the implementation of the Government 
Information Security Reform Act of 2000 [GISRA].
    Unquestionably, the events of September 11th and the 
ensuing war on terrorism have produced a variety of responses 
throughout the world. Nowhere has the response been so fervent 
as here in our Nation's Capital. From the creation of the new 
Office of Homeland Security to security-related legislation, 
there is an unprecedented awareness of the vulnerabilities we 
face.
    This new awareness has naturally focused more attention on 
security matters, particularly with respect to information 
security. Yet, this issue and the fact that Federal information 
systems continue to be woefully unprotected from both 
malevolent acts and benign interruptions have presented a grave 
concern to me for a number of years. I know that you and the 
members of this subcommittee share that concern as well.
    From our work in the Government Reform Committee, it is 
clear that the state of Federal information security suffers 
from a lack of coordinated, uniform management. Resolving this 
problem becomes even more imperative when you consider the many 
objectives we hope to achieve through the efficient and cost-
effective use of information technology and the advancement of 
electronic government. These objectives include electronic 
procurement, telecommuting, a comprehensive information-sharing 
network, and improved provision of services to citizens and 
businesses. The common element of these goals is the 
interconnectivity that they each require to facilitate 
communications between different public and private entities.
    Poor information security management has persisted in both 
the public and private sectors long before IT became the 
ubiquitous engine driving governmental, business, and even home 
activities. After all, the information security implicates both 
the physical and the cyber-environment.
    A decade ago, technology stood as one of many factors 
important to the mission and performance objectives of the 
Federal Government. But no longer is technology ``one of 
many.'' Instead, the Information Revolution and the ever-
evolving technologies that support its collection, 
assimilation, and communications have become integral to the 
functioning of our government.
    As our reliance on technology and our desire for 
interconnectivity have grown over the past decade, intensifying 
with the advent of the Internet, our vulnerability to attacks 
has grown exponentially. The high degree of interdependence 
between information systems, both internally and externally, 
exposes the Federal Government's computer networks to benign 
and destructive disruptions. This fact is tremendously 
important in understanding how we devise a comprehensive and 
yet flexible strategy for coordinating, implementing, and 
maintaining Federal information security practices throughout 
the Federal Government as the threat of electronic terrorism 
increases.
    Yet, Federal information security management continues to 
falter. Despite consistent evaluations since 1997 showing that 
Federal information security is a government-wide, high-risk 
issue, GAO continues to find ``pervasive and continuing 
weaknesses.'' And, of course, as this subcommittee found last 
November, 16 of the 24 Federal agencies evaluated in 2001 each 
received a disappointing grade of ``F,'' with only one agency 
receiving a grade higher than a ``C+.''
    Of course, while these grades are disappointing, they 
reflect the difficulty of implementing effective security 
management without sufficient commitment and guidance from an 
accountable entity within each agency, and for the Federal 
Government as a whole.
    In July 2000, I introduced legislation that would have 
created, among other things, a new Federal Chief Information 
Officer in the Executive Office of the President. One of the 
primary components of that bill expanded upon the then yet-to-
be-enacted Government Information Security Reform Act [GISRA], 
introduced by Senators Fred Thompson and Joe Lieberman.
    My legislation, entitled, ``the Federal Information Policy 
Act'' [FIPA], reflected my firm belief that there needs to be 
an executive branch office that holds both the prestige and the 
accountability for strategically modernizing our stovepipe IT 
structure. At the same time, that office must have the 
authority to prioritize cross-jurisdictional e-government 
initiatives and networked information and telecommunications 
networks, in order to achieve efficiencies and secure Federal 
information systems.
    With the establishment of a new office of Associate 
Director of IT and Electronic Government within the OMB, I have 
opted to withhold the reintroduction of Federal CIO legislation 
until I have had an opportunity to evaluate the progress that 
OMB has been able to achieve in carrying out the 
administration's Enterprise Information Management and 
Integration initiative.
    That said, my concerns regarding the pervasive and 
persistent weaknesses in Federal information security 
management, infrastructure, and accountability remain strong. 
These are concerns I know you also share, Mr. Chairman, and I 
applaud your subcommittee's steady work in bringing to the 
forefront the critical need for immediate and focused attention 
on this issue.
    Yet, I would add that, to the extent that increased 
security concerns rely on the ability of the public and private 
sectors to share information securely, it is even more critical 
that the Federal Government put its own house in order with 
respect to the security of its own Federal information and 
telecommunications systems. It is for this reason that I have 
just introduced legislation similar to the information security 
provisions in FIPA, and I am very pleased that you have agreed 
to co-sponsor this measure with me, Mr. Chairman.
    The overall purpose of these efforts is to strengthen the 
information security management infrastructure of the Federal 
Government. The bill, entitled, ``the Federal Information 
Security Management Act'' [FISMA], undertakes this objective by 
building on the foundations laid out by GISRA. As you know, 
GISRA requires every Federal agency to develop and implement 
security policies that include risk assessment, risk-based 
policies, security awareness training, and periodic reviews.
    With GISRA set to expire on November 29th of this year, the 
Federal Information Security Management Act permanently 
reauthorizes this legislation and implements additional 
measures designed to enable the Federal Government to become a 
reliable public partner for protecting America's information 
highways. In general, FISMA streamlines GISRA's provisions and 
requires that agencies utilize information security best 
practices that will ensure the integrity, confidentiality, and 
availability of Federal information systems.
    Moreover, the bill seeks to strengthen the role played by 
the National Institute of Standards and Technology in 
developing and maintaining standards and guidelines for minimum 
information security controls. Agencies would be required to 
identify the risk levels associated with their systems and 
implement the appropriate level of protections accordingly. 
This latter objective is especially important in light of the 
interconnectivity of information systems. We need to implement 
a framework that ensures that when systems interconnect with 
each other, there is a uniform management infrastructure and 
universal benchmark for measuring the risks and vulnerabilities 
of Federal information systems.
    We cannot afford to delay enactment of this legislation. At 
a time when uncertainty threatens confidence in our Nation's 
preparedness, the Federal Government must make information 
security a priority. I am heartened by the President's bold 
commitment to tying the budget process to individual agency 
performance, and to using information security as one 
measurement of that performance. However, the information 
security cannot go the way of any other ``issue du jour.'' It 
is a constant management requirement that requires eternal 
vigilance, and the ranking of its importance to Federal 
operations cannot fluctuate from one administration to the 
next.
    It is my hope that we take this opportunity, in the context 
of extending GISRA, to signal Congress' deep concerns that 
information security is not being taken seriously by every 
agency and department. We must demand that in our networked 
era, where technology is the driver, every Federal information 
system must be managed in a way that minimizes both the risk 
that a breach or disruption will occur and the harm that would 
result should such a disruption take place.
    We will learn a lot today as we determine the impact that 
GISRA has had on the information security practices throughout 
the Federal Government. I very much look forward to working 
with you, Mr. Chairman, the members of this subcommittee, and 
other concerned Members of the House and Senate as we move 
forward on strengthening GISRA and improving our government's 
overall information security management. Thank you.
    [The prepared statement of Hon. Thomas M. Davis follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.004
    
    [GRAPHIC] [TIFF OMITTED] 82355.005
    
    [GRAPHIC] [TIFF OMITTED] 82355.006
    
    [GRAPHIC] [TIFF OMITTED] 82355.007
    
    [GRAPHIC] [TIFF OMITTED] 82355.008
    
    [GRAPHIC] [TIFF OMITTED] 82355.009
    
    Mr. Horn. I thank you for all the work you have done. Could 
you translate those two things, like ``FISMA'', was it, or 
something?
    Mr. Davis. Right, it's the Federal Information Security 
Management Act. Of course, GISRA was the previous act.
    Mr. Horn. Now is it true that Mr. Richard Clark is really 
fulfilling the office that you and some of our friends in the 
Senate wanted to do?
    Mr. Davis. Part of it. I think that is as close as we can 
come to it, yes, sir.
    Mr. Horn. Yes. Well, my understanding is that he is a 
pretty tough-minded person.
    Mr. Davis. He is a tough-minded guy.
    Mr. Horn. So that is what we want.
    Mr. Davis. Exactly.
    Mr. Horn. OK. So, in a sense, part of that which everybody 
has wanted is now underway. So we just have to wait to see what 
OMB and he do to get the thing done.
    Mr. Davis. Mr. Chairman, the question always is you have a 
tough-minded person, but how much authority do they actually 
have, when push comes to shove? When they get on the phone, who 
are they calling from, how seriously are they taken at the 
other end of the line? That is what really remains to be seen.
    Mr. Horn. Yes, well, you are certainly right on that. If 
the President backs him up, the Cabinet Secretaries I am sure 
will listen, and if it becomes part of a Cabinet agenda, that 
will help on this.
    Mr. Davis. Mr. Chairman, as you know, we went through this 
with the Y2K issues----
    Mr. Horn. Right.
    Mr. Davis. [continuing]. Where they went through two or 
three czars.
    Mr. Horn. Right.
    Mr. Davis. Most of them having two or three other jobs and 
not having the clout until the administration finally brought 
in the appropriate person who had the clout and put it together 
at the end.
    Mr. Horn. And had the ear of the President.
    Mr. Davis. Yes, had the ear of the President.
    Mr. Horn. Knew him before he was here.
    Mr. Davis. Exactly, and, more importantly, when they 
called, the people on the other end of the phone knew that he 
was speaking for the President.
    Mr. Horn. Yes.
    Mr. Davis. And John Koskinen turned that around.
    Mr. Horn. Right. Well, thank you very much----
    Mr. Davis. Thank you.
    Mr. Horn [continuing]. For your presentation. If you would 
like to stay with us, we are delighted to have you, if you 
wish.
    Mr. Davis. I will stay for a few minutes. Thank you, Mr. 
Chairman.
    Mr. Horn. OK. We will now swear in panel two, and that is 
Robert F. Dacey, Director, Information Security, U.S. General 
Accounting Office; Mark A. Forman, Associate Director, Office 
of Information Technology and E-Government, Office of 
Management and Budget; the Honorable Arden L. Bement, Jr., 
Ph.D., Director, National Institute of Standards and 
Technology; the Honorable Roberta L. Gross, Former Inspector 
General, National Aeronautics and Space Administration; Robert 
G. Gorrie, Deputy Staff Director, Defense-wide Information 
Assurance Program Office, Assistant Secretary of Defense for 
Command, Control, Communications and Intelligence, and our last 
presenter on this panel will be Karen S. Evans, Chief 
Information Officer, Department of Energy.
    As you know, since this is an investigating subcommittee, 
you raise your right hands to accept the oath.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that all six witnesses 
affirmed.
    Please be seated. We will start with Mr. Dacey, the 
Director of Information Security, U.S. General Accounting 
Office, which is Congress' right arm in terms of getting things 
done. GAO is presided over by the Comptroller General of the 
United States. We have a first-rate person in that role right 
now in General Walker. So we are always glad to hear what the 
General Accounting Office has to say on these areas.

STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, 
   U.S. GENERAL ACCOUNTING OFFICE; MARK A. FORMAN, ASSOCIATE 
 DIRECTOR, OFFICE OF INFORMATION TECHNOLOGY AND E-GOVERNMENT, 
    OFFICE OF MANAGEMENT AND BUDGET; ARDEN L. BEMENT, JR., 
   DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY; 
     ROBERTA L. GROSS, FORMER INSPECTOR GENERAL, NATIONAL 
AERONAUTICS AND SPACE ADMINISTRATION; ROBERT G. GORRIE, DEPUTY 
  STAFF DIRECTOR, DEFENSE-WIDE INFORMATION ASSURANCE PROGRAM 
   OFFICE, OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE FOR 
COMMAND, CONTROL, COMMUNICATIONS AND INTELLIGENCE; AND KAREN S. 
     EVANS, CHIEF INFORMATION OFFICER, DEPARTMENT OF ENERGY

    Mr. Dacey. Mr. Chairman and members of the subcommittee, I 
am pleased to be here today to discuss the Federal Government's 
first-year implementation of government information security 
reform provisions. As you requested, I will briefly summarize 
our written statement.
    Federal agencies rely extensively on computerized systems 
and electronic data to support their missions and critical 
operations. Concerned with reports that continuing pervasive 
computer security weaknesses place Federal operations at 
significant risk of disruption, tampering, fraud, and 
inappropriate disclosures of sensitive information, the 
Congress enacted the reform provisions to reduce these risks 
and provide for more effective oversight of Federal information 
security.
    Mr. Chairman, as you know, we have been conducting a review 
of the implementation of the reform provisions for you and the 
Ranking Member. Today I will provide a preliminary result of 
our review.
    The initial implementation of reform provisions is a 
significant step in improving Federal agencies' information 
security programs and addressing their information security 
weaknesses. The legislation consolidates information security 
requirements into an overall management framework covering all 
agency systems. It adds new statutory evaluation and reporting 
requirements and OMB and congressional oversight.
    Agencies have noted a number of benefits of this first-year 
implementation, including increased management attention to, 
and accountability for, information security. In addition, the 
legislation has resulted in other important actions by the 
administration, such as plans to integrate information security 
into the President's management agenda scorecard. Also, 
agencies have taken steps to redesign and strengthen their 
information security.
    OMB oversight, which included formal guidance, review and 
analysis of agency-reported material, agency discussion and 
feedback, and monitoring of corrective actions, has helped 
agency implementation and reporting efforts. Although agencies 
generally considered OMB guidance beneficial, the initial 
implementation of reform provisions highlighted the need for 
further guidance in several areas.
    Last month OMB released its first required annual report to 
the Congress on the results of agency implementation efforts. 
As a result, in this report OMB commended agency improvement 
efforts, but noted that many agencies have significant 
deficiencies in every important area of security. OMB also 
identified a number of common agency security weaknesses, 
including lack of senior management attention, inadequate 
accountability for job and program performance, and a limited 
capability to detect vulnerabilities or intrusions.
    We agree that OMB's report to the Congress and the agency 
reports are a valuable baseline and believe that OMB's report 
provides a useful overview of OMB and agency efforts to comply 
with the reform provisions. I would like to personally commend 
the OMB staff for their efforts in this endeavor.
    Nonetheless, certain additional information, including the 
adequacy of agency corrective action plans and the results of 
audits of evaluations for national security systems, is needed 
by Congress to fully assess and oversee these efforts and 
deliberate over agency budgets.
    OMB has not authorized agencies to release some agency 
material, such as agency corrective action plans, to the 
Congress or GAO. We plan to continue working with OMB in an 
effort to find workable solutions to obtain this information.
    Agency reports to OMB show that agencies have not 
established information security programs consistent with the 
provisions of the legislation and that significant weaknesses 
exist. Although agency actions are now underway to strengthen 
information security and implement these requirements, 
significant improvements will require sustained management 
attention, as well as OMB and congressional oversight.
    The IG's independent evaluations of agency implementation 
efforts also played a key role in the implementation process. 
The IG's first-year efforts were largely based on existing or 
ongoing audit work that had been planned to evaluate agency 
information security, which in a number of instances consisted 
primarily of audits of financial systems.
    While their future efforts should expand to include more 
systems, the IG's first-year evaluations helped to identify 
significant weaknesses in all 24 agencies, weaknesses that were 
not always identified by agencies in their reports.
    Given the recent events and reports that critical 
operations and assets are highly vulnerable to cyber-attack, it 
is essential that Congress have adequate information to oversee 
and fund the Federal information security efforts, and that 
these efforts be guided by a comprehensive strategy for 
improvement. In addition, there are a number of important steps 
that the administration and the agencies should take, including 
delineating the roles and responsibilities of the numerous 
entities involved in Federal information security and the 
related aspects of critical infrastructure protection, 
providing more specific guidance to agencies on the security 
controls they need to implement, and allocating sufficient 
agency resources for information security.
    Mr. Chairman, this concludes my statement. I would be 
pleased to answer any questions that you or other members of 
the subcommittee may have.
    [The prepared statement of Mr. Dacey follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.010
    
    [GRAPHIC] [TIFF OMITTED] 82355.011
    
    [GRAPHIC] [TIFF OMITTED] 82355.012
    
    [GRAPHIC] [TIFF OMITTED] 82355.013
    
    [GRAPHIC] [TIFF OMITTED] 82355.014
    
    [GRAPHIC] [TIFF OMITTED] 82355.015
    
    [GRAPHIC] [TIFF OMITTED] 82355.016
    
    [GRAPHIC] [TIFF OMITTED] 82355.017
    
    [GRAPHIC] [TIFF OMITTED] 82355.018
    
    [GRAPHIC] [TIFF OMITTED] 82355.019
    
    [GRAPHIC] [TIFF OMITTED] 82355.020
    
    [GRAPHIC] [TIFF OMITTED] 82355.021
    
    [GRAPHIC] [TIFF OMITTED] 82355.022
    
    [GRAPHIC] [TIFF OMITTED] 82355.023
    
    [GRAPHIC] [TIFF OMITTED] 82355.024
    
    [GRAPHIC] [TIFF OMITTED] 82355.025
    
    [GRAPHIC] [TIFF OMITTED] 82355.026
    
    [GRAPHIC] [TIFF OMITTED] 82355.027
    
    [GRAPHIC] [TIFF OMITTED] 82355.028
    
    [GRAPHIC] [TIFF OMITTED] 82355.029
    
    [GRAPHIC] [TIFF OMITTED] 82355.030
    
    [GRAPHIC] [TIFF OMITTED] 82355.031
    
    [GRAPHIC] [TIFF OMITTED] 82355.032
    
    [GRAPHIC] [TIFF OMITTED] 82355.033
    
    [GRAPHIC] [TIFF OMITTED] 82355.034
    
    [GRAPHIC] [TIFF OMITTED] 82355.035
    
    [GRAPHIC] [TIFF OMITTED] 82355.036
    
    [GRAPHIC] [TIFF OMITTED] 82355.037
    
    [GRAPHIC] [TIFF OMITTED] 82355.038
    
    [GRAPHIC] [TIFF OMITTED] 82355.039
    
    [GRAPHIC] [TIFF OMITTED] 82355.040
    
    Mr. Horn. Thank you very much for that succinct opening.
    Mark A. Forman is the Associate Director, Office of 
Information Technology and e-Government, Office of Management 
and Budget. Welcome.
    Mr. Forman. Thank you, Mr. Chairman, and thank you, 
Congressman Davis, both for your leadership and your vision as 
it relates to e-government and computer security. Having your 
focus and the oversight on this issue is critically important 
to the success of the initiatives that we are trying to 
accomplish for governmentwide security. We understand not only 
the need for this, but we appreciate your having the hearing 
and the focus on this.
    I would like to say good morning and thank you for inviting 
me here to discuss the lessons learned from the implementation 
of the Government Information Security Reform Act. I, too, have 
submitted the prepared testimony, and I will take a synopsis of 
that in my oral presentation.
    As you know, the President has given a high-priority to 
security of government assets, and this includes government 
information systems and protection of the Nation's critical 
information assets from cyber threats and physical attack. We 
believe that protecting the information and the information 
systems on which the Federal Government depends requires 
agencies, first, to identify and resolve the current weaknesses 
and risks, as well as to then protect against the future 
vulnerabilities and threats.
    Last October the President issued Executive Order 13231, 
the Critical Infrastructure Protection in the Information Age. 
That established the Critical Infrastructure Protection Board 
and created the chair as a special advisor to the President for 
Cyberspace Security.
    Now the President has made OMB a critical member of this 
board. Our presence reflects our statutory role regarding 
security of Federal information systems. In addition, there are 
several committees under the board, and we chair the Standing 
Committee on Executive Branch Information Systems Security.
    The administration has been proactive in implementation of 
the Government Information Security Reform Act, and I will 
refer to this from now on as the Security Act. This includes 
expanding the reporting requirements to include the Chief 
Information Officer and senior agencies' officials' input with 
the Inspectors General.
    We have moved beyond simply reporting security weaknesses 
and are focusing on agency work to remediate the security 
weaknesses. The basic push behind our continuing work is a 
strong focus on management implementation of security.
    We have recently taken the following two steps to help 
ensure a strong focus on maintaining senior management 
attention to security: First, in January, OMB Director Mitch 
Daniels sent letters to the heads of agencies and departments 
communicating our concerns regarding their fiscal year 2001 
security performance. In general, agency heads responded back 
in writing with a commitment to resolve their past flaws. OMB 
will soon meet with all of the 24 large agencies and 
departments to discuss the work in implementing their 
corrective action plans.
    Second, the President has charged Director Daniels with 
overseeing implementation of the management agenda through the 
use of an executive branch management scorecard. This scorecard 
tracks agency improvement in five governmentwide areas and 
assigns a red, yellow, or green score.
    One of these areas is expanding electronic government, and 
we are incorporating IT as a core criterion within that. This 
means that if an agency does not meet IT security criteria, it 
will not achieve a green score, regardless of the agency's 
performance under the other e-government criteria.
    I would now like to talk a little bit about our report to 
Congress, the findings, some of the next steps. As you know, 
one of OMB's responsibilities under the Security Act is to 
submit each year a report to Congress that summarizes the 
results of security evaluations conducted by agencies and 
reported to OMB. On February 13th of this year, Director 
Daniels transmitted this report to the Congress.
    At this time I would like to recognize the tremendous 
amount of work of agency program officials, CIOs, IGs, my 
staff, and all of their staffs in conducting the reviews and 
evaluations upon which the report is based. This was a large 
effort for all involved, and the report illustrates this work, 
as well as the ongoing efforts of agencies to remediate their 
weaknesses.
    Additionally, the National Institutes of Standards of 
Technology continue to play their critical role in promoting IT 
security requirements among agencies. OMB policy requires that 
each agency's program implement policy standards and procedures 
consistent with NIST guidance. NIST has developed a security 
questionnaire, and most agencies use this document as the basis 
for conducting their annual reviews under the Security Act.
    The OMB report represents a first year of implementation. 
It is a valuable baseline that has recorded the security agency 
performance. Even though the Security Act only required us to 
summarize the results, we expanded the report. We included the 
results of CIO and program official reviews in the recent 
activities we have undertaken in preparing the fiscal year 2003 
budget decisions, OMB findings, and next steps, as well as 
additional efforts that we have undertaken and the agencies 
have taken to improve Federal information technology security.
    From our assessment of agency performance, we have both 
validated the earlier positions on what the problems were and 
identified at a high-level important lessons learned. I would 
like to briefly sum those up.
    First, security is primarily a management problem, not a 
technical or funding problem. Are you willing to support us if 
we push to get someone fired because they will not implement a 
security plan? Second, increased spending does not necessarily 
translate into increased security performance. Third, high-
quality IG audits are necessary. The IGs provide an important, 
independent validation function. Fourth, agency employees with 
specific security responsibilities must have the authority to 
fulfill their responsibilities and at the same time have to be 
held accountable for their performance.
    There are a number of additional actions I have described. 
A key part of the written testimony I would ask you to look at 
are the actions under the OMB Security Committee of the 
Critical Infrastructure Protection Board. Therein we have laid 
out a process to focus more rapidly on actions needing to be 
addressed, because this is an ever-changing issue both in terms 
of vulnerability and threats.
    I would also ask you to take a look at the decisions that 
we have made in the budget, and would ask your support in the 
appropriations decisions that ultimately will have to make 
these into reality.
    Finally, I would like to focus on the governmentwide 
initiatives that we have underway leveraging the project matrix 
work and the enterprise architecture work. The development of 
the governmentwide enterprise architecture assessment is 
critical and a central part of not only our e-government 
efforts, but our cyber-security efforts. Basically, to more 
clearly identify and prioritize the security needs for 
government assets, OMB is going to direct all large agencies to 
undertake a project matrix review, and that was a key element 
of the 2003 budget.
    Again, I would like to thank you for the opportunity to 
testify. We have a summary in the testimony of the six 
government problems that we identified in the report, and I 
would be willing to answer any questions in that regard at the 
appropriate time.
    [The prepared statement of Mr. Forman follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.041
    
    [GRAPHIC] [TIFF OMITTED] 82355.042
    
    [GRAPHIC] [TIFF OMITTED] 82355.043
    
    [GRAPHIC] [TIFF OMITTED] 82355.044
    
    [GRAPHIC] [TIFF OMITTED] 82355.045
    
    [GRAPHIC] [TIFF OMITTED] 82355.046
    
    [GRAPHIC] [TIFF OMITTED] 82355.047
    
    [GRAPHIC] [TIFF OMITTED] 82355.048
    
    [GRAPHIC] [TIFF OMITTED] 82355.049
    
    [GRAPHIC] [TIFF OMITTED] 82355.050
    
    [GRAPHIC] [TIFF OMITTED] 82355.051
    
    [GRAPHIC] [TIFF OMITTED] 82355.052
    
    [GRAPHIC] [TIFF OMITTED] 82355.053
    
    Mr. Horn. Well, thank you very much. I want to emphasize 
what you just did now, the President's Executive order, which 
was Critical Infrastructure Protection in the Information Age, 
and he established a board, as you suggested. The chair, who 
serves as a special advisor to the President for Cyberspace 
Security, and that, of course, is Richard Clark, who serves as 
the Board and he is the Special Advisor to the President for 
Cyberspace Security. He reports both to Governor Ridge on 
issues that affect homeland security and to the National 
Security Advisor, Condoleezza Rice, on the issues that affect 
national security.
    The President has made OMB a member of the Critical 
Infrastructure Protection Board. Are you on that board as part 
of it?
    Mr. Forman. Yes, I am.
    Mr. Horn. I think it shows the President has taken some 
real action with people that did have his ear.
    I am going to have to recess now. When I come back, the 
ranking member, Ms. Schakowsky, will have her statement in, and 
we will then go down the line. We have a Journal vote before 
us.
    Ms. Schakowsky. Is there an opportunity for me to do that 
now?
    Mr. Horn. Sure, sure. She will put it in now, and once she 
finishes, we are in recess.
    Ms. Schakowsky. Thank you, Mr. Chairman. I appreciate that.
    I want to thank the chairman for holding this hearing and 
for his leadership on computer security issues in the House. I 
look forward to working with him to improve government 
information security reform language that was passed in the 
Congress.
    It was passed in the last Congress as a part of the Defense 
Authorization Act, and as such, really didn't get, in my view, 
adequate review in the House. No hearings were held, and we had 
very little opportunity to affect the content.
    Consequently, under Representative Waxman's leadership, we 
sought and received a 2-year sunset on this legislation. Our 
experience over the past year has substantiated the wisdom of 
that approach.
    There are a number of problems in this legislation that 
have already come to our attention. I am hopeful that today's 
hearing will help us put together a more complete picture of 
the actions to make this legislation more effective.
    One problem has already come to our attention. One of the 
problems is the reports prepared by the agencies. We asked the 
GAO to use agency information security reports to develop the 
scorecards for our hearing last fall. It came as a surprise 
when the administration refused to allow access to those 
reports, claiming that they were predecisional and part of the 
budget process. After much negotiation, we were finally given 
access to executive summaries, hardly a satisfactory outcome.
    A more serious shortcoming of this legislation is the 
absence of any system to assure that all agency systems are 
checked and protected. Today few, if any, agencies have a 
complete inventory of its computer systems, even though just 
such an inventory was required for Y2K compliance just 2 years 
ago. Without a complete inventory, it is impossible to know if 
all systems have had the risks assessed and the protections 
tested. We must make sure that every agency maintains a current 
inventory of systems and has in place a systematic process to 
assess risk for those systems and to test the protections in 
place.
    I am sorry that I was late. I do look forward to hearing 
today's witnesses, if not reading the testimony, and hope that 
each of you will understand that we share the common goal of 
assuring the public that our systems have adequate protection. 
So I thank you all for coming today.
    We will be back.
    [The prepared statement of Hon. Janice D. Schakowsky 
follows:]
[GRAPHIC] [TIFF OMITTED] 82355.054

[GRAPHIC] [TIFF OMITTED] 82355.055

    [Recess.]
    Mr. Horn. Recess has ended, and we will begin next with Mr. 
Bement, who is the Director of the National Institute of 
Standards and Technology [NIST]--not in the mist, but NIST. 
[Laughter.]
    Dr. Bement. Right. Thank you, Mr. Chairman.
    Mr. Horn. As a little kid, I remembered well the standards 
and your beautiful campus out there.
    Dr. Bement. You are more than welcome anytime, Mr. 
Chairman.
    Thank you very much for giving me the opportunity to speak 
to you about NIST's role in cyber-security. NIST's Computer 
Security Program supports the vision of strong cyber-security 
and its critical role both in homeland security and e-
government. Our agency has specific statutory responsibilities 
under both GISRA and the Computer Security Act of 1987 for 
developing standards and guidances that help Federal agencies 
to protect sensitive, unclassified information.
    Specifically, NIST has published a guidance for firewalls, 
intrusion detection, cryptography, public Web servers, and risk 
management. We also conduct computer security research in close 
cooperation with industry and academia. We work to find ways to 
apply new technologies in a secure manner.
    The solutions that we develop are made available to both 
public and private users. This research helps us to find more 
cost-effective ways to implement and address security 
requirements.
    I would now like to highlight a few of our more important 
recent contributions to improve cyber-security in Federal 
agencies. In December the Secretary of Commerce approved the 
Advanced Encryption Standard [AES], as a Federal security 
standard. Within days, commercial firms were announcing 
products that incorporated the AES. It is clear that AES soon 
will be used extensively internationally and be available in a 
wide array of commercial products to protect sensitive Federal 
information. We expect AES will be used daily to secure 
trillions of dollars in electronic transactions and to protect 
sensitive personal business and government information.
    The Chief Information Officers' Council and NIST developed 
a security assessment framework to assist agencies with a very 
high-level review of their security status. The framework 
established the groundwork for standardizing on five levels of 
security and defined the criteria agencies could use to 
determine if the levels were adequately implemented. By using 
the framework levels, an agency can prioritize agency efforts 
as well as to evaluate progress.
    Building from the framework, NIST issued a more detailed 
security questionnaire that most agencies use to conduct their 
programmed system reviews. This document provided guidance on 
applying the framework. In addition, the guide provides control 
objectives and techniques that can be measured for each area. 
Many agencies use this to prepare their GISRA responses to OMB.
    NIST also recently formed a team that specializes in 
helping Federal agencies navigate through the dangers of 
cyberspace. The Computer Security Expert Assist Team [CSEAT], 
helps agencies understand how to protect their computer 
systems, how to identify and fix existing vulnerabilities, and 
how to anticipate and prepare for future security threats.
    The CSEAT reviews are also valuable to NIST. They give us a 
firsthand look at how NIST guidance is implemented, helping us 
to improve our products and processes.
    Our new information-sharing Web site for Federal agency 
security practices covers a host of topics ranging from 
contingency planning to network security. Computer security 
professionals from various Federal agencies have contributed 
much of the material on the site. The site also contains the 
best practices for critical infrastructure protection and 
computer security identified by the Federal Chief Information 
Officers' Council. The site is one of the latest additions to 
NIST's Computer Security Resource Center and is one of the 
busiest and most popular spots on the entire NIST Web site.
    Another aspect of our work involves security testing which 
complements security standards by giving users confidence that 
the security standards and specifications are implemented 
correctly in the products they buy. NIST and our Canadian 
counterpart have set up a joint program to help ensure correct 
and secure implementation of unclassified cryptographic 
algorithms and products. Statistics show that 48 percent of the 
modules tested voluntarily under this program have security 
flaws that were corrected during testing. So, without our 
program, the Federal Government would have only a 50/50 chance 
of buying products that correctly implemented cryptography.
    I would like to point out that in carrying out our 
responsibilities under GISRA and the Computer Security Act, we 
consult frequency with other agencies. In particular, we work 
very closely with the Office of Management and Budget. We 
consult with OMB representatives on the Federal Chief 
Information Officers' Council, the Federal Computer Security 
Program Managers' Forum, and the Committee on National Security 
Systems. We soon will serve on the newly formed Committee on 
Executive Branch Information Systems Security. I would like to 
take this opportunity to commend my OMB colleagues for their 
steadfast support in promoting our security standards and 
guidelines with Federal agencies.
    Let me close by emphasizing that our national commitment to 
improved cyber-security must be increased in Federal agencies 
and elsewhere. NIST has a proven track record of success and 
stands ready to play key roles in this and other facets of 
homeland security.
    Thank you very much, Mr. Chairman. I will be pleased to 
answer any of your questions.
    [The prepared statement of Dr. Bement follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.056
    
    [GRAPHIC] [TIFF OMITTED] 82355.057
    
    [GRAPHIC] [TIFF OMITTED] 82355.058
    
    [GRAPHIC] [TIFF OMITTED] 82355.059
    
    [GRAPHIC] [TIFF OMITTED] 82355.060
    
    [GRAPHIC] [TIFF OMITTED] 82355.061
    
    [GRAPHIC] [TIFF OMITTED] 82355.062
    
    [GRAPHIC] [TIFF OMITTED] 82355.063
    
    Mr. Horn. Thank you, and we are delighted to have your 
paper in particular.
    We now turn to the Honorable Roberta L. Gross, former 
Inspector General, National Aeronautics and Space 
Administration. I lost track of you. You have been a witness 
here before. When did you leave the Inspector General's 
position?
    Ms. Gross. Saturday.
    Mr. Horn. Saturday? OK.
    Ms. Gross. But your staffer had asked me prior to the time, 
and I had told her that I would be leaving, but we talked about 
I would still come. So here I am.
    Mr. Horn. Great. Well, welcome. So if we could summarize 
your testimony?
    Ms. Gross. Absolutely. I thank you for inviting me to 
testify today on GISRA, and my testimony is obviously based on 
my recent experience as NASA's Inspector General. I served in 
that post from August 1995 through March 2, 2002. I am also 
basing it on my experience as being the former Chair of the 
IGs' IT Roundtable, where we discuss cross-cutting issues 
across the government.
    Last year I, along with a representative of the GAO, 
testified before the Senate Committee on Governmental Affairs 
on a precursor of GISRA, Senate bill 1993. The then-chair of 
the committee, the Honorable Senator Thompson, began his 
opening statement by recounting how time after time the GAO 
kept writing reports, Inspectors General kept writing reports, 
about serious lapses in IT security, deficiencies in IT 
capital, in human resources planning. He observed that over the 
years law after law was passed, regulation after regulation, 
and the issues seemed to reoccur and nothing seemed to get 
better, and it was no wonder, with so many laws and 
regulations, that this Senator rhetorically asked, ``Why are we 
enacting GISRA?'' The answer is that GISRA was needed, GISRA 
has had success, and it can be improved.
    My remarks are going to be divided into three sections: bad 
news--I couldn't be an Inspector General, or former Inspector 
General, without that, right? Good news, next steps, and 
lessons learned.
    During our GISRA reviews and audits at NASA, we found 
problems in each of the six areas highlighted by OMB. I am only 
going to address three of them, using NASA as an illustration, 
and I incorporate by reference my written testimony.
    The three that I would like to use as illustration are, 
one, lack of senior management attention; two, limited programs 
for security awareness and education, and, three, failure to 
exercise oversight of contractor security services.
    While some of the agency's IT practices are more mature 
than those at many agencies, and I notice that NASA got a ``C-
,'' and they are above one of the yellow lines, NASA management 
has historically been unwilling to recognize and/or fully 
acknowledge the significance of the IT weaknesses and deal with 
them in a timely manner. There are various interrelated reasons 
for that.
    They were engaged, since I have been there, in downsizing, 
funding problems, but also, seriously, an unwillingness of 
middle management or IT security officials to tell senior 
management the extent of the problem, as well as lack of 
reception by senior management to hear about the extent of the 
problem. So that is a good segueway into the first problem: 
senior management attention.
    Leaderships of all the agencies occupy bully pulpits by 
virtue of their positions. They can regularly remind staff of 
their IT responsibilities and obligations. No cost; talk is 
cheap. What should they be doing?
    They should be addressing their employees in as many forums 
as possible and reinforce that IT security is everybody's 
responsibility. For example, we saw that the former 
Administrator used his office--this is at NASA again--used his 
office as a bully pulpit for safety. Safety was NASA's No. 1 
core value. At senior staff meetings, leadership reiterated 
this value, discussed lessons learned, and tracked programs 
related to safety.
    However, no similar attention to ITS, other than during the 
Y2 crisis. Y2 came and went, and senior management attention 
came and went. I hope the new Administrator will use his office 
as a bully pulpit on IT issues.
    Let's talk about the CIO. The CIO also did not utilize the 
bully pulpit to communicate IG findings, and we had the same 
findings over and over again, and NASA agreed to implement our 
recommendations over and over again. They didn't monitor these 
recommendations that they agreed to implement.
    Instead of using the bully pulpit and communicating to the 
staff and saying, ``Don't wait for the IG. Why don't you look 
to see if your systems have similar problems? And here are some 
suggestions that the agency IG recommended. Maybe these will be 
fixes for you.'' This really didn't happen.
    But I do want to point out the good news. Since the GISRA 
report, the CIO has shown improvement in communicating and 
sharing his communications with the OIG about IT 
vulnerabilities we identified in the IT reviews. I used lack of 
communication as one of the reasons why we found material 
weakness for purposes of the GISRA report; the CIO failed to 
use a very low-cost/no-cost forum.
    No. 2, another problem highlighted by OMB, as well as the 
IGs, is insufficient security awareness and training. Civil 
servants and contractors, they all need to have the training 
before being given access to systems. If personnel have more 
responsibilities and higher-level sensitivities to systems, 
they need to have different kind of training.
    But NASA did not establish 100 percent training 
participation for the targeted groups for all its measures, 
despite the age-old adage: ``You're only as good as your 
weakest link.'' The point is not that you are going to make 100 
percent of your goal, but shouldn't that be your goal? How 
could you have less than 100 percent for people to be trained 
as your goal? Otherwise, you're going to allow and accept weak 
links.
    Our biggest complaint on this training issue was that NASA 
did not have all of its civil servant system administrators 
trained, but even more significant is that they excluded, as 
their performance measure, contractor personnel. Guess what? 
Seventy-nine percent of NASA's systems administrators are 
contractors. Their training is not even measured; they are not 
even tracked in terms of whether they have the appropriate 
training. This is an obvious risk for which NASA did not 
implement compensating controls.
    Oversight of contractor responsibility. Over and beyond 
incorporating IT clauses into contracts, which OMB addressed 
and we address, you still have to make sure that you know who 
these contractors are with who you are working with. They have 
wide-range responsibilities. Think about it. They are your 
systems administrators. They purchase and provide desktops. 
They are the ones that safeguard sensitive information. They 
maintain your systems. They put the patches in your system.
    Who are these people? What are they doing? And are you 
oversighting them? Contractor oversight is an area where the 
government needs to be attentive, and certainly NASA does.
    OK, good news. OMB focuses greater cooperation between OIGs 
and CIOs. I do want to say and give credit to two individuals 
who are here. Never say IGs don't say good things about people. 
Glen Schlarman and Kamela White are both here. There's Glen, 
and Kamela, she's hiding over there.
    Mr. Horn. Why don't you speak that back into the mike? They 
didn't quite catch it.
    Ms. Gross. OK. Both Kamela and Glen are here. In forwarding 
their summary report to Congress, they did not try to paint a 
rosy picture, but tried to present an accurate picture, and 
this wasn't always easy because sometimes it looked like the 
IGs and the agencies were reporting on two different worlds.
    I also want to commend them for their steadfast insistence 
that management work with IGs in developing corrective action 
plans. This has been a welcomed increase in cooperation between 
IGs and CIOs. IG after IG report this.
    Equally important, GISRA brought accountability to the 
heads of the agencies. They had to forward the report. They had 
to forward an IG report as well as the agency report and put 
their name on it. It was their report. No more plausible 
deniability. They couldn't claim they didn't know what the IT 
issues were at their agencies. That was real good.
    OK, next steps, and I'm going quickly--GISRA I think should 
be extended in some form for 2 to 5 years, so that agencies 
will implement agreed-upon changes. In subsequent legislation, 
Congress should consider to allow the IGs to have more 
flexibility in their reporting responsibilities. This year it 
will still be the same, but if you still have to do this kind 
of level of intensity without having additional funding from 
the agency and OMB, you are not going to be able to move into 
other high-risk areas. Unlike when Congress passed the CFO 
audit and most IGs got more resources, that didn't happen for 
GISRA.
    Another suggestion is that there should be a sunset 
provision maybe in the 3 to 5 years, so you can evaluate is 
what you want to do. Are the means overtaking the end? So I 
think a sunset provision is good.
    Another way to ensure greater uniformity is to eliminate 
the act's bifurcation of responsibilities for national security 
programs. Under the act, the agency head asks an outside 
evaluator to come in, look at national security systems, which 
the IG later reviews. NASA's IG's office never got that 
security report in time to review it for the GISRA Act.
    The IGs use at the least, a uniform evaluation methodology. 
They will either use government standards, PCIE-wide standards 
for reviews, or GAGAS, government auditing standards for their 
audits. This is not always the case. Agency heads bring in 
different people. Who knows what standards they are using? So 
this should be eliminated, and it should be having the IGs do 
100 percent of that.
    These next steps require a focus on agencies' 
infrastructure for reporting intrusions, and also the agencies' 
first-responders. Are they training first-responders? When you 
have a program manager they want to fix the problem. Often 
their fixes may increase the problem. Maybe the intruder is 
still in the network trojanizing the systems. Program managers 
don't always know what they are doing when they fix problems, 
partly because they are not coordinating with law enforcement. 
IGs must look at, and I think this should be an area of 
Congress could look at to see if they are actually, the 
agencies, are implementing law enforecement coordination. The 
Congress passed the USA Patriot's Act of 2001 to help law 
enforcement with the cyber war. One section allows victims of 
computer attacks to authorize persons acting in color of law to 
monitor trespassers on their computer systems. This provides 
law enforcement with the same authority in the cyber world that 
a police officer has in the normal world if there is a burglary 
in progress. This had to be amended so the monitoring wouldn't 
be considered wiretapping. This is important. I want to commend 
Howard Schmidt, vice chair, President's Critical Infrastructure 
Board. He is working with Richard Clark. He has initiated 
contacts with NASA's Inspector General's office to help frame a 
OIG-wide response for the victim agencies. NASA, under my term, 
established the first Inspector General's Computer Crimes Unit, 
and Howard was turning to our unit in part because we were 
recognized both nationally and internationally for our 
expertise. It is crucial that OIGs help their victim agencies 
and those agencies look to this monitoring provision. Let's not 
wait for the cyber-attack, the law has already passed.
    Nobody has procedures. I know, because I put a request for 
monitoring into the agency, and it is under review. We need to 
have more sense of urgency for something like this. The law was 
passed because there was an urgent situation. That urgency 
cannot wait for the next attack, and if that is a cyber 
attack----
    Mr. Horn. Let me ask you a minute about this particular 
aspect on the follow up and getting that. Did they use the 
Carnegie-Mellon operation in part or did they use the FBI one?
    Ms. Gross. Carnegie-Mellon is not a law enforcement entity. 
They get information from both the private sector, and 
government agencies. Part of the way Carnegie-Mellon works, is 
sharing of information. Although it is not a law enforcement 
entity, they do have a member of the FBI on the Cert. They do 
share information with law enforcement. It goes back and forth, 
but it is not a law enforcement entity.
    The FBI also wanted this Computer Security Act passed. 
They, like any other law enforcement entity needed that in 
order to do the monitoring; consensual monitoring by the owners 
of systems when you know there is a burglary, a cyber burglary 
in process, they can monitor. They needed that provision. 
There's no nationwide or agencywide practices on how to use 
that authority though.
    But, again, remember with the FBI, the FBI has to look at 
the private sector, universities and international entities. 
The group that really looks for their victim agencies is the 
OIGs. Many of them know the agency people; they know the 
systems; they know the programs. You might have a shot at 
figuring out the intent and motive of intruders if IGs are 
involved.
    They have fully qualified law enforcement special agents. 
This is a way of ensuring those much needed protections.
    Right now, you have a focus of the FBI looking at physical 
terrorism. The role of the IGs becomes even more paramount 
because of that. They need to step-up to the plate. I would be 
glad to speak more on that. I can wax eloquent on that issue.
    Mr. Horn. We will get to that again, but we will move on to 
Mr. Gorrie.
    Ms. Gross. Yes.
    [The prepared statement of Ms. Gross follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.064
    
    [GRAPHIC] [TIFF OMITTED] 82355.065
    
    [GRAPHIC] [TIFF OMITTED] 82355.066
    
    [GRAPHIC] [TIFF OMITTED] 82355.067
    
    [GRAPHIC] [TIFF OMITTED] 82355.068
    
    [GRAPHIC] [TIFF OMITTED] 82355.069
    
    [GRAPHIC] [TIFF OMITTED] 82355.070
    
    [GRAPHIC] [TIFF OMITTED] 82355.071
    
    [GRAPHIC] [TIFF OMITTED] 82355.072
    
    Mr. Horn. Robert G. Gorrie is the Deputy Staff Director, 
Defense-wide Information Assurance Program Office, and 
Assistant Secretary of Defense for Command, Control, 
Communications and Intelligence.
    When did you fill that Assistant Secretaryship?
    Mr. Gorrie. No, sir, I am Office of the Assistant 
Secretary. They have that a little backward there.
    Mr. Horn. I see, OK.
    Mr. Gorrie. I conspire to that, though, but----
    Mr. Horn. Well, remind me, who is the Assistant Secretary 
in that area?
    Mr. Gorrie. Mr. Stenbit is, sir.
    Mr. Horn. Mr. Who?
    Mr. Gorrie. John Stenbit.
    Mr. Horn. How do you spell the last name?
    Mr. Gorrie. S-T-E-N-B-I-T.
    Mr. Horn. OK, yes, because I haven't really followed it, 
but in the days of Y2K, until the General occupying the effort 
left, I know there's been sort of up and down under the 
previous administration. I assume Mr. Stenbit, then, is the 
Bush administration?
    Mr. Gorrie. Yes, sir, he followed Mr. Art Money, who was 
the previous ASDC3I.
    Mr. Horn. Well, go ahead.
    Mr. Gorrie. Yes, sir, thank you, Mr. Chairman and members 
of the subcommittee. I am honored to be here and pleased to 
have the opportunity to speak with your committee about lessons 
learned by DOD from assessments we conducted in response to the 
Government Information Security Reform legislation.
    Secretary Rumsfeld, in his testimony last month before the 
House Appropriations Defense Subcommittee, identified six key 
transformational goals for the Department. Leveraging 
information technology to create seamless, interoperable 
network-centric environments is one of those foundation 
transformational goals.
    However, as our dependence on information networks 
increases, it creates new vulnerabilities, as adversaries 
develop new ways of attacking and disrupting U.S. forces. In 
recognition of this dichotomy, the Secretary established the 
protection of U.S. information networks from attack as another 
foundation transformational goal.
    Emphasizing that transformation is not an event, Secretary 
Rumsfeld described it as an ongoing process or a journey that 
begins with a transformed leading-edge force. Mr. Stenbit, the 
DOD CIO, is committed to support our transformation by 
providing the power to that information leading edge. To do 
that, he established three goals for his supporting efforts of 
Mr. Rumsfeld, and one of those is making the exchange of 
information available on a network that people depend and 
trust.
    Now all of these goals in large measure are influenced by 
our ability to provide information assurance to the edge and 
throughout the entire information enterprise. Our senior 
leadership's stated commitment to these goals is testament to 
the importance placed on information assurance within DOD.
    The Department initiated work on its 2001 assessment in 
January 2001. The former DOD CIO, Mr. Art Money, established an 
IA Integrated Process Team to lead the assessments. In 
addition, the DOD IG ensured that independent audits were 
performed to assess and test DOD programs and policies for 
effectiveness and compliance with the law and other policies, 
procedures, standards, and guidelines.
    The analysis of the system-specific data and the responses 
to the OMB questions indicate that DOD has good IA policies, 
practices, and procedures in place, but needs verification of 
compliance. Without a capability to enforce and properly audit 
IA policy compliance, it is difficult to ensure that all 
systems operate based on up-to-date procedures and proper 
configurations.
    Based on the data analysis, however, it is evident that 
even for those systems lacking accreditation, most have robust 
IA measures in place and programs with high IA awareness. DOD 
has a strong foundation in IA that will be expanded and more 
fully developed as that program matures.
    Without question, though, the biggest single lesson learned 
during the conduct of GISRA 2001 was the problems associated 
with our Security Certification and Accreditation Program. 
Compliance is a major issue. However, stricter audit and 
enforcement of DITSCAP, which is our Defense Information 
Technology Security, Certification, and Accreditation Program, 
stricter audit and enforcement of that will not necessarily 
rectify the problem. Non-compliance is more a symptom of the 
complexity of that process and the clarity of its implementing 
policy. These problems were previously identified, but 
definitively confirmed in the GISRA 2001 assessment.
    That certification and accreditation policy is undergoing 
dramatic modification in policy as well as in implementation. 
The DOD policy governing DITSCAP will streamline the 
certification and accreditation process and provide better 
clarity on definitions and responsibilities. DOD is also 
pursuing the use of automated tools to ease the documentation 
burden on security and systems administrators. The combination 
of these two efforts should significantly improve our ability 
to conduct certification and accreditation and, as a result, 
improve compliance.
    DOD, through the Defense Information System Agency, has 
also aggressively implemented comprehensive connection approval 
programs for both our Non-Secure and Secret Internet Protocol 
Router Networks, the SIPRNET and the NIPRNET. These programs 
have initial and subsequent periodic validation of network 
certification and accreditation as a precondition for 
connection to the network, and this will serve as a valuable 
compliance control mechanism to make sure that those programs 
are fully carried out.
    The DOD IG identified oversight and review of IA policy 
implementation and programming of funds and resources to 
support IA as areas requiring attention in the last GISRA 
assessment. Conduct of worthwhile oversight and review of IA 
policy implementation requires not only an established process, 
but also relevant and current IA policy. As mentioned in the IG 
report, DOD Directive 5200.28 was, or still is, our current 
security policy, but that happened to be written in 1992 and 
was woefully out-of-date.
    In its place, DOD is issuing a series of new IA directives 
and instructions to accommodate a more complex IA environment. 
The capstone directive is in formal coordination now within the 
Department and will be released soon. Other supporting 
directives have recently been released or will be released 
later this year. The responsibilities established in these 
directives are clear and concise, as are the management 
controls associated with the policies.
    Oversight of budgets and programming to support IA is one 
of the functions of my office, the Defense-wide Information 
Assurance Program Office. We are now reviewing, with all the 
DOD components, the services, and the agencies, IA budgets and 
programs during their development to coordinate efforts across 
the Department and to check for policy implementation. 
Subsequent to that, we conduct reviews to match the resource 
allocations and expenditures with the original plans to make 
sure that they match.
    Now, those were the things we noticed during regular GISRA. 
However, there were some procedural lessons learned that we 
also developed. One, as was mentioned previously, was to work 
closely with the DOD IG in the conduct of GISRA. Unfortunately, 
during last year's GISRA, we weren't able to do that because of 
time constraints and previous scheduling problems with the DOD 
IG. They looked at one small population of DOD systems, and we 
looked at another population. Optimally, we would have looked, 
both we would have done an assessment of DOD systems and then 
the IG would have come behind us and audited the same systems 
to verify the veracity of the information that we were getting.
    Because of that, DOD's Fiscal Year 2002 GISRA assessment 
efforts will focus on three particular areas. One is review of 
selected systems from 2001, and then we will go in and take a 
look at the major DOD networks, and also the third part of that 
is the departmental response to OMB IA management process 
questions.
    Approximately 168 systems from the 2001 assessment will be 
reviewed. The second area of this year's effort will focus on a 
random sample of major local, wide, and metropolitan DOD area 
networks.
    Then the final area in 2001 will be the response to the OMB 
IA management questions. OMB has indicated that the questions 
will be similar to those in the 2001 assessment, and will 
encompass all aspects of IA throughout the Department, from 
training and awareness to response capability. As DOD 
components conduct their assessments, the DOD IG will audit the 
subset of the 168 systems from last year, again, as I said 
before, to verify compliance and the veracity of the 
information that we collected.
    We in DOD find the GISRA assessments as a valuable tool. 
Combined with other assessment tools we have--for instance, the 
Joint Chiefs of Staff Joint Monthly Readiness Reviews, the 
Commanders-in-Chief's Integrated Priority Lists, Mission Need 
Statements, and other requirements documents--we are better 
able to discern what actions and direction are needed to be 
taken to sustain our IA posture and to transition to a more 
robust posture. Having identified these necessary actions and 
directions, we were able to better coordinate more effectively 
our oversight and coordination of the Department's IA budgets 
and the entire enterprise-wide program.
    That's it, sir.
    [The prepared statement of Mr. Gorrie follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.073
    
    [GRAPHIC] [TIFF OMITTED] 82355.074
    
    [GRAPHIC] [TIFF OMITTED] 82355.075
    
    [GRAPHIC] [TIFF OMITTED] 82355.076
    
    [GRAPHIC] [TIFF OMITTED] 82355.077
    
    [GRAPHIC] [TIFF OMITTED] 82355.078
    
    [GRAPHIC] [TIFF OMITTED] 82355.079
    
    Mr. Horn. Thank you very much. I want to ask you about the 
role of Mr. Stenbit. Now he is Assistant Secretary for the 
three C's--Command, Communications, and what else is it?
    Mr. Gorrie. Command, Communications, and Control and 
Intelligence.
    Mr. Horn. Control and Intelligence?
    Mr. Gorrie. Yes, sir, and he is also the DOD CIO.
    Mr. Horn. Yes. Now is that too much for one person to 
handle?
    Mr. Gorrie. No, sir. Actually, it is probably a pretty good 
combination because not only does he see or oversee the policy 
and the budgetary parts of IT within the Department, but then, 
again, as the CIO of DOD, that gives him a more pervasive view 
not only of the programming and budgeting aspect and bringing 
new systems on board, but getting into the daily operational 
things that go on within the Department.
    Is it too big of a job to handle? No. I mean, he obviously 
has staff to deal with his CIO functions and also with his 
Assistant Secretary functions, but to have that all brought 
together in one person is valuable, because you get to see not 
only the policy development and also the procurement side of 
it, but also the operational side of it.
    Now there are people who would disagree with that and say 
that we should split this function and have a separate DOD CIO 
and a separate Assistant Secretary for Command, Control, 
Communications and Intelligence. The jury is still out on that. 
I don't personally subscribe to splitting those 
responsibilities, but until I become the Secretary, I won't be 
able to make that decision, sir. [Laughter.]
    Mr. Horn. Well, I would like a little table with little 
boxes as to how many people we have for those various 
functions. I have gone through this with another agency 5 or 6 
years ago. They piled everything onto what Congress had said 
about Chief Financial Officers, Chief Information Officers, and 
the thrust of that was to get somebody of high-rank that we 
could get in the private sector or in the executive branch out 
of the Senior Service. We just looked at it, and not much was 
happening because the poor soul was overloaded.
    So I would like a chart at this point in the record. 
Without objection, it will be put there. So if you and 
everybody else can give us one, just so we can see the picture 
of who's helping and how many are helping and addressed to 
this?
    Mr. Gorrie. Yes, sir.
    And if I might add one other reason why I don't think you 
necessarily want to separate those functions is because the 
level--if you split those functions, I don't know that 
necessarily the level of importance of the person holding that 
job would carry enough sway within the Department to have 
influence. At the Assistant Secretary level--and, actually, I 
think it should be at the Under Secretary level, but, again, I 
am not in a position to make that call--there is enough 
leverage there, and they have enough influence and the ear of 
the Secretary of Defense to make things happen. If you split it 
and diluted it, that might not necessarily be the case.
    Mr. Horn. I have great admiration for the Secretary of 
Defense. I remember, going back about seven administrations, 
one person had about 12 of the functions we now have Assistant 
Secretaries hold. As you know, he did a very fine job. But when 
we have troubles in this area, where we haven't had it yet up 
where they can get a C, B, or A in looking at the computing 
operation, it just means we have got to focus on that and not 
be waylaid by all the other things that are very important.
    Mr. Gorrie. Yes, sir.
    Mr. Horn. OK, so we now have our last presenter, Chief 
Information Officer Karen S. Evans of the U.S. Department of 
Energy.
    Glad to have you here. When were you appointed? I see 
January 28th.
    Ms. Evans. Yes, sir, just 6 weeks ago.
    Good morning, and thank you for this opportunity to appear 
today to address the very important issue of improving the 
security of our Federal information systems. I was named the 
Department of Energy's Chief Information Officer 6 weeks ago, 
on January 28, 2002. As the CIO, I believe that effective cyber 
security is a balance of managed policies, procedures, 
technology, training, and people. It is also a major enabler of 
our Department's information technology initiatives, especially 
our e-government initiatives.
    My remarks today focus on the implementation of the 
Government Information Security Reform Act, improvements in the 
Department's cyber security infrastructure, and our plans for 
further strengthening our cyber security posture.
    GISRA provides a comprehensive framework for establishing 
and ensuring effectiveness of security controls over 
information resources that support Federal operations and 
assets. Secretary Abraham submitted the Department's first 
annual security review last September. This committee 
established grading criteria, and the Department received an 
``F.''
    The scoring acknowledged that we were either complete or in 
the process of implementing 9 of 10 areas. Our raw score was 
71. The score was weighed against weaknesses identified by our 
previous Department Inspector General and the Office of 
Independent Oversight and Performance assurance audits and 
assessments. Our final scoring was lowered to 51.
    Since the passage of GISRA, the Department has taken an 
active leadership role to further strengthen its cyber security 
posture. First, we developed and incorporated an enterprise-
wide perimeter defense strategy to reduce the number and the 
severity of successful attacks. Analysis reveals that while the 
overall threat from virus and malicious code increased, the 
number of successful intrusions diminished. Virus and malicious 
code incidents dropped from 60 in fiscal year 2000 to 39 in 
fiscal year 2001, a 35 percent reduction. In addition, while 
probes and scans escalated over 2,000 percent from fiscal year 
1999 to 2001, unauthorized access and Web defacements 
diminished by over 50 percent.
    In addition, we have trained 6,200 managers and cyber 
security staff in the last year alone, and are continuing an 
aggressive training and awareness program, so that every 
Department member is aware that cyber security is an integral 
part of his or her job.
    Like many other government agencies, we still have a long 
way to go, but we have an excellent foundation on which to 
build. We recognize the importance of cyber security as a 
management issue. Our goal is to give line management the 
authority to determine how to implement policy, because it is 
in the best position to assess the appropriate levels of 
protection.
    Our Performance Improvement Plan and Performance Report 
Card provide a clean remediation road map for those program 
offices with GISRA-identified deficiencies, and our sites have 
made significant progress toward their elimination.
    Today I am pleased to announce additional cyber security 
initiatives. First, I will focus initially on developing and 
implementing a Department-wide certification and accreditation 
process to ensure that our unclassified information systems 
comply with departmental cyber security policies. Our 
Certification and Accreditation Program will establish a 
Department-wide process to certify that an information system 
or a site complies with documented security requirements, and 
that the program will continue to maintain an accredited 
security posture throughout the system life cycle.
    Processes such as certification and accreditation are 
insufficient without adequate risk-management and configuration 
management directives. The Department has identified some 
shortcomings in its approach in both areas, and I am committed 
to developing directives in these areas.
    The Department is also committed to protecting our national 
critical and mission-critical assets. As one of the first five 
agencies to complete the Critical Infrastructure Assurance 
Office Project Matrix Step One, we now have a comprehensive 
list of our most critical assets, which we used to focus our 
enhanced protection efforts.
    In addition, I am committed to implementing a robust, 
independent validation and verification process to provide an 
additional objective level of assurance regarding the 
continuity of operations for all of Department of Energy's 
mission-critical cyber assets.
    The Department has also initiated a renewed IT capital 
planning process to manage the cost of acquiring and 
maintaining IT assets. We are improving that process to ensure 
the seamless integration of security into each system's 
lifecycle costs. Although each of these efforts is only a part 
of our cyber security program, together they are effective 
tools to protect the Department's critical information assets. 
They will also serve as enablers for our electronic government 
efforts.
    I am intent on making the Department a national center of 
excellence for safeguarding classified and unclassified 
information on electronic systems. This will be accomplished 
through three objectives: strengthening the Department's cyber 
security community, ensuring a Department-wide risk-based 
approach to cyber security implementation, and enhancing 
protection of our internal cyber assets, especially our 
nationally critical and mission-critical assets.
    As CIO, I have been given programmatic authority to provide 
management oversight of the Department's cyber security program 
through the use of information technology capital planning and 
investment process. Our Performance Improvement Plan and 
Performance Report Card clearly communicate the status of 
identified issues of concern. This plan builds upon the 
foundation provided by GISRA and fosters solution-sharing 
within the enterprise.
    Our performance metric program provides us feedback on key 
elements for a healthy cyber security program. I am moving 
forward to strengthen our approach to risk and configuration 
management; implement a comprehensive certification and 
accreditation process, and an independent validation and 
verification process. With these initiatives, I am confident 
that the Department will continue to strengthen its cyber 
security posture.
    Success in this area takes continued and focused efforts 
due to the increasing complexity of threats and the rapid 
evolution of technology. We at the Department are committed to 
meeting this challenge.
    Mr. Chairman, this concludes my statement, and I would be 
happy to answer any questions.
    [The prepared statement of Ms. Evans follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.080
    
    [GRAPHIC] [TIFF OMITTED] 82355.081
    
    [GRAPHIC] [TIFF OMITTED] 82355.082
    
    [GRAPHIC] [TIFF OMITTED] 82355.083
    
    [GRAPHIC] [TIFF OMITTED] 82355.084
    
    [GRAPHIC] [TIFF OMITTED] 82355.085
    
    [GRAPHIC] [TIFF OMITTED] 82355.086
    
    [GRAPHIC] [TIFF OMITTED] 82355.087
    
    Mr. Horn. Thank you very much. We appreciate your 
presentation.
    We are now going to go down the line for a few questions. I 
would like all of you to give us some information on them.
    The question basically is, are there adequate standards and 
known best practices to implement an effective information 
technology security program, especially for the CIOs, as to 
where that source is. Is it OMB? Is it GAO, so forth?
    Mr. Dacey.
    Mr. Dacey. Let me answer that question at two levels. I 
think we have some guidance at GAO with respect to overall 
security management programs. I have included that as best 
practices from leading organizations for security management 
programs and for risk-assessment.
    With respect to more details controls, I think there isn't 
consistent information out there. There is a lot of good 
information in industry, and there is a lot more being 
developed. I would say that NIST, a combination of NIST and the 
NSA, through the NIIAP, another organization, and some others, 
are starting to develop more detailed policies. These have been 
received fairly well for those who are trying to implement 
security in their systems. So it is, again, at two levels: one 
at the management level and one at the detailed standards 
level.
    Mr. Horn. Mr. Forman.
    Mr. Forman. I think the focus is wrong there. I think there 
are a plethora of standards, best practices tools. I think you 
have got to go beyond the United States and look at what the 
U.K. has done and other countries.
    The reality that we are working in, the environment that I 
am trying to bring about here, has to operate as fast as the 
Internet. Traditional bureaucratic processes simply will not 
give us the security we are looking for. We have--and I will 
lay out some of the elements of the puzzle--threat data 
aggregation, NIPC at the FBI, FedCirc for the Federal 
Government, Cert at Carnegie-Mellon, the Sands Institute, the 
National Security Agency, organizations within the Defense 
Department.
    So if there is a threat on the Internet and it moves at 
Internet speed, by the time any one of these organizations 
finds out about it and puts out an alert, you or I may hear 
about it on WTOP coming into the office in the morning. That is 
a day.
    We are talking about, on the other hand, an annual process 
with GISRA. We are moving to a quarterly process to oversee the 
management by the President's Management Council for Security 
Management. At once I feel, yea, finally, after for me 12 years 
of trying to get management attention, we've got the management 
attention; we've got a terrific set at both the policy levels 
and the technology levels of standards from NIST, from NSA, 
from DOD, and others. Those standards are adequate to do what 
we need to do for the management policy, but they are 
inadequate to address some of the major issues within the 
Internet in regards to vulnerabilities.
    We need to look at how we put in place a process, not 
standards. If, in the end, we want fast identification of 
threats, fast remediation of vulnerabilities, we need to make 
sure that we are providing for that infrastructure. I fear the 
path we are going on right now is identifying people who are 
accountable, identifying visible sets of metrics and are they 
following them? If so, the potential exists to ignore the fact 
this stuff is moving in hours or days, not months, quarters or 
years.
    In essence, this is what we are trying to bring about with 
the Critical Infrastructure Protection Board. The process needs 
threat data aggregation. It needs vulnerability assessment. We 
have to make some decisions as a country about the remediation 
and deployment of remediation. In other words, is that going to 
be industry-driven or government-driven? I fear that the type 
of structures we put in place for Y2K, from a bureaucratic 
standpoint, won't work now.
    So, clearly, all of that is evolving, and we are working 
through that. But, by the same time, there is this issue of 
enterprise security issue, and that has been the focus of 
GISRA. That has been the focus of many people at this table as 
well as many of our staff in the back for well over a decade. 
There we have made the progress.
    I would rather see the focus being on, ``What do we need to 
be successful at Internet time'' than, ``How do we continue 
down this path of enterprise security management in a 
bureaucratic process?''
    Mr. Horn. You mentioned that there were certain nations 
that would seem to be ahead of us in some of these areas. Could 
you give us a feeling for that?
    Mr. Forman. I wouldn't say necessarily ahead of us in the 
sense that they have done a better job, but had some perhaps 
more complete or some accepted standards. I think the U.K was 
one of those. I know when I was at IBM, we used the U.K. 
standard for our security audits that we did in a number of 
industries. Since then, of course, NIST has, I believe, widely 
recognized, has put together a much broader set of standards 
from the technology level to the management level, which now 
many of the CIOs adopted. We didn't have that 2 years ago.
    Mr. Horn. Dr. Bement, how do you feel about what's 
happening abroad that we might use in our own administration?
    Dr. Bement. Well, in this area I think our current 
standards and accepted best practices are current and will put 
us in good standing, but it's very dynamic. The technology is 
changing rapidly. So we have to continually review these 
standards. Also, our risk models need to be changed as we get 
new threat information. So we have to keep on top of that.
    But we have cross-cutting alliances with Canada, with the 
U.K., and many other countries in the work that we do.
    Mr. Horn. How about Australia?
    Dr. Bement. Pardon me?
    Mr. Horn. How about Australia? Or New Zealand? I mean, 
they've got a particularly different government.
    Dr. Bement. I think all the members of the Coordinating 
Committee are very closely coupled with the work that we do, 
and Australia, New Zealand, Canada, the U.K. would be included 
in that.
    I feel that, apart from the standards and the best 
practices, and again we're going to come right back again to 
training, awareness, high-level oversight and compliance, there 
has to be enforcement of compliance. There has to be critical 
monitoring, and, of course, people really have to continually 
keep on top of the changes, as Mr. Forman mentioned. I think 
those are the critical issues.
    Mr. Horn. Moving to another country before we finish that 
part of the question, India produces a tremendous number of 
very talented people that relate to computing.
    Dr. Bement. Yes, that is correct.
    Mr. Horn. What do we know about India's Government. Many or 
most of the people probably come to the United States. I don't 
know if they are within the Government of India, but do you 
have any thoughts on that?
    Dr. Bement. I don't know that NIST has strong interactions 
with India and I don't know that we have a number of citizens 
from India working at NIST. We may have some. But I am 
certainly aware of the fact that industry looks to the talent 
and the capabilities in India and draws on that very actively. 
Of course, we also interact very much with industry. So 
indirectly we probably do have some connections.
    Mr. Horn. Ms. Gross----
    Dr. Bement. Oh, Mr. Chairman, may I ask a privilege?
    Mr. Horn. Sure.
    Dr. Bement. I have another hearing in 15 minutes, and if I 
may, I would like to be excused.
    Mr. Horn. Fine, and if we have a couple of questions, we 
will send them to you, and we will put them in the record at 
this point.
    Dr. Bement. I would be pleased to respond to those. Thank 
you.
    Mr. Horn. Fine. Thank you.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] 82355.088
    
    [GRAPHIC] [TIFF OMITTED] 82355.089
    
    Mr. Horn. Ms. Gross, how do you feel about, are there 
adequate standards and known best practices to implement an 
effective information technology security program?
    Ms. Gross. I think there are a number of standards that are 
developing and, if implemented, would make our systems safer. I 
think you have to talk about human capital. You can have all 
the policies and all the procedures, but, ultimately, security 
is a matter of layers. It is policies; it is procedures; it is 
having the right people. If you don't have the right person as 
the CIO, you don't have the right people in law enforcement. It 
doesn't matter that you have an NIPC if the people there are 
not technical agents or they don't have technicians that know 
what they are doing.
    You can't have this vision of reacting to Internet speed 
unless you make sure that, in fact, you have the human capital 
in place. We need to start reacting with Internet speed; about 
making sure we have the right people in the right places. I 
think you can get your layers of policies and procedures, but I 
am not sure we have been good about sharing best practices. You 
have organizations like SANS to give out some and so does OMB.
    I think this focus needs to be done. What are those best 
practices? You can't have that many ``F's'' and say that we 
have people that know what best practices are or know what the 
right procedures are, or don't have the right people in place.
    Mr. Horn. How about your thoughts, Mr. Gorrie?
    Mr. Gorrie. Standards and best practices, yes, sir, there 
are standards and best practices out there, and we use them, 
but they have to be tailored to specific environments. You just 
can't run out willy-nilly and pull them out of the blue. The 
NIST guidance for evaluating systems, NASA, NIST, security 
configuration, guidance for operating systems, they're all 
good, but you have to bring them in and build them into your 
own system and then evolve your own system along the way.
    To just elaborate a little bit on what we heard about human 
capital, the training of people and the problems we have 
associated with that, people turning over and leaving the 
service and things like that, that is really more symptomatic 
of a deeper problem. That is again what was alluded to before, 
which is the velocity of the technology.
    In order for us to be able to track that velocity or track 
that technology as it moves forward, you are constantly having 
to retrain people, constantly having to modify operational 
techniques and procedures to keep up with that. However, as we 
look at that technology as it progresses along, we find that, 
in the terms of my boss, it isn't born secure, that security 
isn't built in from the beginning. That is what needs to be 
done, not only the technological security, the crypto-
algorithms, the built-in entries and detection and things of 
that nature, but also a systemic view where you have to have 
security management built into it, too. It can be a very, very 
secure box, but if you can't put it in the system and be able 
to manage all these disparate security devices, then you're 
sort of barking up the wrong tree.
    I think Mike Vatis, when he testified before your committee 
last September, sort of alluded to that problem, that it is not 
necessarily the training of the people; it is not necessarily 
the operational techniques that you employ, is looking ahead to 
where technology is going and to try to track it. Now that is 
only part of the problem. You can track technology and try to 
build in security later, but the better part would be to 
engineer in security at the front, and not only the security 
technology, but to enable it to be managed effectively.
    Because today we have applications that are point-click, 
and before you used to have to sit down forever and a day to 
program these things out. What we need is security and security 
management that is also point and click, which would remediate 
some of our training problems, would remediate some of our 
operational problems, and go a long way to making this big bear 
of information security a little bit easier to tame.
    Mr. Horn. Two weeks ago I was talking about various things 
with members of the NATO Assembly. Of course, you have a lot of 
problems in terms of the various countries in the Eastern part 
of Europe. I wonder, is the CIO role of Mr. Stenbit, do they 
relate to NATO and different things, where we do a lot of 
computing?
    Mr. Gorrie. Yes, sir. As a matter of fact, one of the 
reasons I am here today, and not my boss, is that he is in 
first--not China, somewhere in the Far East, and then going 
down to Australia and New Zealand. But there is a very large 
international play in the ASDC3I and in the CIO, too.
    One, interface with the five I's, which are the five 
English-speaking nations, the United States, the U.K., Canada, 
New Zealand, and Australia. But then even further than that, in 
through all the NATO subcommittees that we sit on, and then the 
Partnership for Peace People, and all the other people that it 
is expanding to, and then actually to even third-party 
countries to make sure that, when we need to go somewhere, that 
we have not only infrastructure support, but infrastructure 
support that has high availability, security, and some 
confidence that there isn't anybody prowling around in that 
infrastructure.
    Mr. Horn. On Y2K, and now on this, where computing is a 
major factor, it comes up under Department of Defense, and they 
didn't do too well overall. When they have a lot of other 
things there besides the services. My instinct was that the Air 
Force was way ahead of the father, namely, the DOD, and we 
would have been giving them an ``A'' and still giving a ``D'' 
to the other groups, like Logistics and Procurement.
    I just wonder, is there a way to get the pressure so that 
the services that are doing well with CIOs--and maybe my 
instinct is wrong; you're on top of it, but I just think 
sometimes we ought to put the ``A's'' there if they are doing 
``A'' work.
    Mr. Gorrie. I don't know if I can address that, sir. I 
mean, I work with not necessarily the CIOs, but their IA 
underlings. I don't know if I am qualified to answer that 
question.
    Mr. Horn. Well, if you could get me an answer, I would like 
to know that----
    Mr. Gorrie. Yes, sir, I will.
    Mr. Horn [continuing]. Because we ought to see the 
breakdown by the services and make sure that they are moving 
along on a path, and they aren't just off in a corner.
    Mr. Gorrie. From that particular perspective, sir, at least 
as far as IA goes, and that is my area of responsibility, so 
the only thing that I can talk to, you have each of the 
services--at least about 3 years ago, when I was on the Joint 
Staff, there were certain services that excelled in particular 
areas. For instance, the Air Force was far ahead of the Navy 
and the Army in terms of its ability to do intrusion detection, 
consolidated intrusion detection, across the enterprise. Such 
is not the case now. They have pretty much become even-keeled, 
because of the sharing of best practices and being able to go 
in and audit the capabilities for the individual services to do 
those things and then to apply resources for those services and 
actually prod them along to come about a little bit better.
    Things like information assurance vulnerability alerts, 
where we find out that there is a particular vulnerability in a 
piece of equipment or piece of software, those things are 
starting to become enterprise-wide endeavors, and not strictly 
limited to the services. The services have realized that in 
order to be successful in this world, that they have to 
exercise enterprise-wide solutions and not just limit them 
strictly to services, because they are all vulnerable. They all 
ride the basic backbone network. They all, both security and 
non-secure, know that if they are going to succeed, that they 
have to cooperate, and by and large they are cooperating.
    So from that perspective, the IA perspective, I do not see 
a great disparity in the capability of either the Air Force, 
the Army, or the Navy, or, as a matter of fact, across any of 
the agencies. We have endeavored, like I said before, to try to 
enforce enterprise-wide solutions rather than stovepipe 
solutions within the services.
    Mr. Horn. If you would, just for the record, on IA, could 
you spell it out?
    Mr. Gorrie. Information Assurance. I'm sorry, sir.
    Mr. Horn. OK, and that's your office basically?
    Mr. Gorrie. The Defense-wide Information Assurance Program 
Office, yes, sir.
    Mr. Horn. Yes. Is that the way most of the agencies have--
--
    Mr. Gorrie. Federal agencies or?
    Mr. Horn. Yes, Federal.
    Mr. Gorrie. I don't know that. The DIAP, or Defense-wide 
Information Assurance Program Office, was mandated in 
legislation, and I can't think off-the-top-of-my-head what that 
was, but it was in 1998, where the Secretary was told, ``You 
will have a defense-wide information assurance program,'' and a 
year after that's when the office that I belong to was formed. 
Now whether or not that is as pervasive across all of the other 
Federal agencies, I can't speak to that, sir.
    Mr. Horn. OK, thank you. That was Secretary Cohen that put 
that mandate in.
    Mr. Gorrie. Yes, sir.
    Mr. Horn. Yes, well, he was very knowledgeable in that 
area, as a Member of the Senate.
    Ms. Evans, any thoughts on best practices? Because you have 
put a lot of emphasis on it.
    Ms. Evans. Yes, I did. It is my opinion that we do have 
adequate standards and that there are best practices available 
today for a good security program. In many cases a lot of the 
best practices are obtained currently from our National 
Laboratories, and they are being used by other Federal 
departments and agencies.
    The Department itself does use the NIST standards best 
practices for our own classified systems, and we use the 
Committee on the National Security Systems for best practices 
for our classified systems. But I believe to have an effective 
security program, it is a discipline that needs to be practiced 
every day, and it has to be incorporated into the daily 
operations.
    So a lot of the comments that have been made by my esteemed 
colleagues here I support all the way down the line, in that as 
a CIO I need to incorporate that for the Department as a whole, 
so that it is practiced on a daily basis, so that we can effect 
remediation in Internet time, when a vulnerability is 
identified.
    Mr. Horn. Well, thank you. That is very helpful.
    Let me ask just a few more questions, and then we will call 
it a day.
    Ms. Gross----
    Ms. Gross. Yes?
    Mr. Horn [continuing]. You've got a very active record, 
through the President's Council on Integrity and Efficiency, in 
helping both the agencies and Inspectors General implement 
the--excuse us. [Bells are ringing.] How many minutes? Ten? It 
is 9 minutes to go.
    You can see you are about to be released by the votes. This 
would be a great place if it wasn't for all the votes, you 
know. [Laughter.]
    You have given us some very good testimony. So, Ms. Gross, 
helping both the agencies and the Inspectors General implement 
the government information security reform provisions, I was 
just interested; you have been active in this. You have helped 
in that. What challenges do you see for Inspectors General 
expanding their annual evaluations to encompass all agency 
systems?
    Ms. Gross. I think the challenges for the Inspectors 
General are to make sure that there is implementation with 
agreed-upon recommendations, but I think a wider perspective 
than just the narrow, let's do the next GISRA report, which is 
very time-consuming and very resource-intensive, is to make 
sure that they are focusing on issues governmentwide. I think 
that it is very important that the individual Inspectors 
General go back into the PCIE, which is the IGs' group, and 
look to see both best practices and also look to see about how 
can they help. Since the President is going to have an 
initiative with e-government, IG's need to make sure that 
information will be available, that it will be secure, and that 
it will have integrity. Unless the IGs move out governmentwide 
and look past their own agencies, I think we are going to have 
a problem. So that would have been my thrust.
    Mr. Horn. Well, thank you.
    Mr. Forman, has your office considered imposing mandatory 
security standards and requirements on Federal agencies?
    Mr. Forman. Requirements we have; we will continue to do 
that, and we will tighten that up. Standards we rely on NIST, 
under the Computer Security Act for Federal information 
processing standards.
    There is another area where some people would call them 
standards, but they are architecture elements that are agreed 
upon. They are not technology standards at the NIST or FIPS 
level. For that, we have orchestrated--and I have actually done 
some changes in my role as directing the CIO Council. We have 
the Architecture Committee, which focuses on this. Lee Holcomb, 
the CIO at NASA, chairs it. John Gilligan, who had been 
chairing or co-chair of the Security Committee is now co-chair 
of the Architecture Committee. It is through that I believe we 
can be most successful.
    There is a final element, which is, how do we get patches 
out rapidly when major threats are identified? That is an area 
where we need to rapidly get in touch with at least 40,000 
people. So I am making increasing use of FedCirc for that.
    Mr. Horn. Well, I want to thank the following people that 
prepared this hearing: J. Russell George, staff director and 
chief counsel, standing-up back there; and Bonnie Heald, deputy 
staff director; Claire Buckles, on my left, a very fine 
professional staff member on loan to us. And thank you.
    Earl Pierce, professional staff, isn't here today, and then 
Justin Paulhamus, majority clerk, is with us doing a great job. 
He just came in with us. And Michael Sazonov, subcommittee 
intern, and our court reporter, Joan Trumps. Thank you very 
much, and thanks to all of you.
    If we might, I think we will send you a few questions, and 
put them at this point in the record.
    So, unfortunately, I have got to get over there and vote. 
We are adjourned.
    [Whereupon, at 12:01 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]
    [Additional information submitted for the hearing record 
follows:]
[GRAPHIC] [TIFF OMITTED] 82355.090

[GRAPHIC] [TIFF OMITTED] 82355.091

[GRAPHIC] [TIFF OMITTED] 82355.092

[GRAPHIC] [TIFF OMITTED] 82355.093

[GRAPHIC] [TIFF OMITTED] 82355.094

[GRAPHIC] [TIFF OMITTED] 82355.095

[GRAPHIC] [TIFF OMITTED] 82355.096

[GRAPHIC] [TIFF OMITTED] 82355.097

[GRAPHIC] [TIFF OMITTED] 82355.098

[GRAPHIC] [TIFF OMITTED] 82355.099

[GRAPHIC] [TIFF OMITTED] 82355.100

[GRAPHIC] [TIFF OMITTED] 82355.101

[GRAPHIC] [TIFF OMITTED] 82355.102

[GRAPHIC] [TIFF OMITTED] 82355.103

[GRAPHIC] [TIFF OMITTED] 82355.104

[GRAPHIC] [TIFF OMITTED] 82355.105

[GRAPHIC] [TIFF OMITTED] 82355.106

[GRAPHIC] [TIFF OMITTED] 82355.107

[GRAPHIC] [TIFF OMITTED] 82355.108

[GRAPHIC] [TIFF OMITTED] 82355.109

[GRAPHIC] [TIFF OMITTED] 82355.110

[GRAPHIC] [TIFF OMITTED] 82355.111

[GRAPHIC] [TIFF OMITTED] 82355.112

[GRAPHIC] [TIFF OMITTED] 82355.113

[GRAPHIC] [TIFF OMITTED] 82355.114

[GRAPHIC] [TIFF OMITTED] 82355.115

                                   - 
