b"<html>\n<title> - LESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF 2000</title>\n<body><pre>[House Hearing, 107 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \nLESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF \n                                  2000\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,\n                        FINANCIAL MANAGEMENT AND\n                      INTERGOVERNMENTAL RELATIONS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED SEVENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 6, 2002\n\n                               __________\n\n                           Serial No. 107-124\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n\n\n\n\n\n\n                          U.S. GOVERNMENT PRINTING OFFICE\n82-355                             WASHINGTON : 2002\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n\n\n\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     DAN BURTON, Indiana, Chairman\nBENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California\nCONSTANCE A. 
MORELLA, Maryland       TOM LANTOS, California\nCHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York\nILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York\nJOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania\nSTEPHEN HORN, California             PATSY T. MINK, Hawaii\nJOHN L. MICA, Florida                CAROLYN B. MALONEY, New York\nTHOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, \nMARK E. SOUDER, Indiana                  DC\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nBOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio\nDAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois\nDOUG OSE, California                 DANNY K. DAVIS, Illinois\nRON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts\nJO ANN DAVIS, Virginia               JIM TURNER, Texas\nTODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine\nDAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois\nCHRIS CANNON, Utah                   WM. LACY CLAY, Missouri\nADAM H. PUTNAM, Florida              DIANE E. WATSON, California\nC.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia                      ------\nJOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont \n------ ------                            (Independent)\n\n\n                      Kevin Binger, Staff Director\n                 Daniel R. Moll, Deputy Staff Director\n                     James C. Wilson, Chief Counsel\n                     Robert A. Briggs, Chief Clerk\n                 Phil Schiliro, Minority Staff Director\n\n    Subcommittee on Government Efficiency, Financial Management and \n                      Intergovernmental Relations\n\n                   STEPHEN HORN, California, Chairman\nRON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois\nDAN MILLER, Florida                  MAJOR R. 
OWENS, New York\nDOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania\nADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York\n\n                               Ex Officio\n\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\n          J. Russell George, Staff Director and Chief Counsel\n               Claire Buckles, Professional Staff Member\n                        Justin Paulhamus, Clerk\n           David McMillen, Minority Professional Staff Member\n\n\n\n\n                            C O N T E N T S\n\n\n                             ----------                              \n                                                                   Page\nHearing held on March 6, 2002....................................     1\nStatement of:\n    Dacey, Robert F., Director, Information Security, U.S. \n      General Accounting Office; Mark A. Forman, Associate \n      Director, Office of Information Technology and e-\n      Government, Office of Management and Budget; Arden L. \n      Bement, Jr., director, National Institute of Standards and \n      Technology; Roberta L. Gross, former Inspector General, \n      National Aeronautics and Space Administration; Robert G. \n      Gorrie, Deputy Staff Director, Defense-wide Information \n      Assurance Program Office, Office of the Assistant Secretary \n      of Defense for Command, Control, Communications and \n      Intelligence; and Karen S. Evans, Chief Information \n      Officer, Department of Energy..............................    17\n    Davis, Hon. Thomas M., a Representative in Congress from the \n      Commonwealth of Virginia...................................     6\nLetters, statements, etc., submitted for the record by:\n    Bement, Arden L., Jr., director, National Institute of \n      Standards and Technology:\n        Followup questions and responses.........................   120\n        Prepared statement of....................................    
73\n    Dacey, Robert F., Director, Information Security, U.S. \n      General Accounting Office, prepared statement of...........    20\n    Davis, Hon. Thomas M., a Representative in Congress from the \n      Commonwealth of Virginia, prepared statement of............    10\n    Evans, Karen S., Chief Information Officer, Department of \n      Energy, prepared statement of..............................   109\n    Forman, Mark A., Associate Director, Office of Information \n      Technology and e-Government, Office of Management and \n      Budget, prepared statement of..............................    54\n    Gorrie, Robert G., Deputy Staff Director, Defense-wide \n      Information Assurance Program Office, Office of the \n      Assistant Secretary of Defense for Command, Control, \n      Communications and Intelligence, prepared statement of.....    98\n    Gross, Roberta L., former Inspector General, National \n      Aeronautics and Space Administration, prepared statement of    86\n    Horn, Hon. Stephen, a Representative in Congress from the \n      State of California, prepared statement of.................     3\n    Schakowsky, Hon. Janice D., a Representative in Congress from \n      the State of Illinois, prepared statement of...............    69\n\n\nLESSONS LEARNED FROM THE GOVERNMENT INFORMATION SECURITY REFORM ACT OF \n                                  2000\n\n                              ----------                              \n\n\n                        WEDNESDAY, MARCH 6, 2002\n\n                  House of Representatives,\n  Subcommittee on Government Efficiency, Financial \n        Management and Intergovernmental Relations,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10 a.m., in \nroom 2154, Rayburn House Office Building, Hon. 
Stephen Horn \n(chairman of the subcommittee) presiding.\n    Present: Representatives Horn, Schakowsky, and Maloney.\n    Staff Present: J. Russell George, staff director and chief \ncounsel; Bonnie Heald, deputy staff director; Claire Buckles, \nprofessional staff member; Justin Paulhamus, clerk; Michael \nSazonoff, intern; David McMillen, minority professional staff \nmember; and Jean Gosa, minority assistant clerk.\n    Mr. Horn. A quorum being present, the Subcommittee on \nGovernment Efficiency, Financial Management and \nIntergovernmental Relations will come to order.\n    The Federal Government relies on computer systems to \nprovide essential services to the Nation and its people. These \nlarge, complex systems help regulate the economy, collect \ntaxes, pay benefits, and defend the Nation. The speed and \naccessibility of the technology have greatly enhanced \ngovernment operations and have provided citizens with nearly \ninstant access to their government.\n    Yet, those operations are at risk. Computers at the White \nHouse, the Department of Defense, the Department of the \nTreasury, and the Department of the Interior have all been \nsuccessfully attacked. The security vulnerabilities at the \nDepartment of the Interior are so severe that a U.S. District \nCourt judge in Washington has ordered the Department to \ndisconnect its Trust Asset and Accounting Management System \nfrom the Internet. This system handles about $500 million a \nyear in royalty and lease payments to Native Americans.\n    These are not the only troubled agencies, however. In \nNovember 2001, the subcommittee issued its second annual report \ncard grading computer security efforts at 24 major executive \nbranch agencies. 
Overall, the executive branch earned an \nabysmal grade of ``F.'' That grade was the same during the \nClinton administration and now the Bush administration.\n    We have known for more than a decade that the government's \ninformation systems are vulnerable, yet little has changed. In \na report issued last month, the Office of Management and Budget \nconcluded that a significant part of the problem falls to \nsenior managers who have failed to focus sufficient attention \non computer security. I agree. The various bureaucracies need \nto be pushed by the political appointees, so we can have a \nbetter record.\n    Since 1987, Congress has passed legislation to address \nFederal computer security weaknesses. The most recent law, the \nGovernment Information Security Reform Act, was enacted in the \nyear 2000. This law requires Federal agencies to assess the \nnature and sensitivity of the information stored in their \ncomputers and then develop appropriate security plans to \nprotect that information. In addition, it requires that, for \nthe first time, agencies conduct annual computer security \nevaluations and report the results to the Office of Management \nand Budget.\n    Agencies filed their first reports in September 2001. \nClearly, the full benefits of the law have not been realized. \nAgencies have not yet developed security plans that balance \nprotection and risk. However, they are beginning to focus on \nthe problem. The act is scheduled to sunset next year.\n    Today's hearing will explore how Federal agencies have \nimplemented the act and what additional steps might be taken to \nensure that effective safeguards are in place. We must identify \nthe weaknesses in order to correct them. 
We must use the \n``lessons learned'' from the Government Information Security \nReform Act to take effective, urgently needed action to ensure \nthat it is reauthorized and improved.\n    I welcome today's witnesses, and I look forward to working \nwith each of you to ensure the security of the government's \ninformation technology resources.\n    I will enter into the record at this point as an exhibit \nafter my opening remarks the Computer Security Report Card of \nNovember 9, 2001.\n    [The prepared statement of Hon. Stephen Horn follows:]\n    [GRAPHICS OMITTED: 82355.001-82355.003, prepared statement of Hon. Stephen Horn and Computer Security Report Card of November 9, 2001]\n    \n    Mr. Horn. The ranking member is coming, and I see that my \ncolleague, Mr. Davis, has been here now as panel one, and we're \ndelighted to have you here. You have been a major force in the \nwork of e-government and the work of technology generally. So \nthe gentleman from Virginia, Mr. Davis.\n\nSTATEMENT OF HON. THOMAS M. DAVIS, A REPRESENTATIVE IN CONGRESS \n               FROM THE COMMONWEALTH OF VIRGINIA\n\n    Mr. Davis. Let me first commend you and your staff for the \ntremendous work you have done on Federal information security \nduring your tenure as chairman of this subcommittee and your \nprevious chairmanship of the Government Management, \nInformation, and Technology Subcommittee. It's a privilege \nworking with you on this critical topic.\n    I want to thank you for giving me the opportunity to speak \non this issue in the context of today's hearing, examining the \nlessons learned from the implementation of the Government \nInformation Security Reform Act of 2000 [GISRA].\n    Unquestionably, the events of September 11th and the \nensuing war on terrorism have produced a variety of responses \nthroughout the world. Nowhere has the response been so fervent \nas here in our Nation's Capital. 
From the creation of the new \nOffice of Homeland Security to security-related legislation, \nthere is an unprecedented awareness of the vulnerabilities we \nface.\n    This new awareness has naturally focused more attention on \nsecurity matters, particularly with respect to information \nsecurity. Yet, this issue and the fact that Federal information \nsystems continue to be woefully unprotected from both \nmalevolent acts and benign interruptions have presented a grave \nconcern to me for a number of years. I know that you and the \nmembers of this subcommittee share that concern as well.\n    From our work in the Government Reform Committee, it is \nclear that the state of Federal information security suffers \nfrom a lack of coordinated, uniform management. Resolving this \nproblem becomes even more imperative when you consider the many \nobjectives we hope to achieve through the efficient and cost-\neffective use of information technology and the advancement of \nelectronic government. These objectives include electronic \nprocurement, telecommuting, a comprehensive information-sharing \nnetwork, and improved provision of services to citizens and \nbusinesses. The common element of these goals is the \ninterconnectivity that they each require to facilitate \ncommunications between different public and private entities.\n    Poor information security management has persisted in both \nthe public and private sectors long before IT became the \nubiquitous engine driving governmental, business, and even home \nactivities. After all, the information security implicates both \nthe physical and the cyber-environment.\n    A decade ago, technology stood as one of many factors \nimportant to the mission and performance objectives of the \nFederal Government. 
But no longer is technology ``one of \nmany.'' Instead, the Information Revolution and the ever-\nevolving technologies that support its collection, \nassimilation, and communications have become integral to the \nfunctioning of our government.\n    As our reliance on technology and our desire for \ninterconnectivity have grown over the past decade, intensifying \nwith the advent of the Internet, our vulnerability to attacks \nhas grown exponentially. The high degree of interdependence \nbetween information systems, both internally and externally, \nexposes the Federal Government's computer networks to benign \nand destructive disruptions. This fact is tremendously \nimportant in understanding how we devise a comprehensive and \nyet flexible strategy for coordinating, implementing, and \nmaintaining Federal information security practices throughout \nthe Federal Government as the threat of electronic terrorism \nincreases.\n    Yet, Federal information security management continues to \nfalter. Despite consistent evaluations since 1997 showing that \nFederal information security is a government-wide, high-risk \nissue, GAO continues to find ``pervasive and continuing \nweaknesses.'' And, of course, as this subcommittee found last \nNovember, 16 of the 24 Federal agencies evaluated in 2001 each \nreceived a disappointing grade of ``F,'' with only one agency \nreceiving a grade higher than a ``C+.''\n    Of course, while these grades are disappointing, they \nreflect the difficulty of implementing effective security \nmanagement without sufficient commitment and guidance from an \naccountable entity within each agency, and for the Federal \nGovernment as a whole.\n    In July 2000, I introduced legislation that would have \ncreated, among other things, a new Federal Chief Information \nOfficer in the Executive Office of the President. 
One of the \nprimary components of that bill expanded upon the then yet-to-\nbe-enacted Government Information Security Reform Act [GISRA], \nintroduced by Senators Fred Thompson and Joe Lieberman.\n    My legislation, entitled, ``the Federal Information Policy \nAct'' [FIPA], reflected my firm belief that there needs to be \nan executive branch office that holds both the prestige and the \naccountability for strategically modernizing our stovepipe IT \nstructure. At the same time, that office must have the \nauthority to prioritize cross-jurisdictional e-government \ninitiatives and networked information and telecommunications \nnetworks, in order to achieve efficiencies and secure Federal \ninformation systems.\n    With the establishment of a new office of Associate \nDirector of IT and Electronic Government within the OMB, I have \nopted to withhold the reintroduction of Federal CIO legislation \nuntil I have had an opportunity to evaluate the progress that \nOMB has been able to achieve in carrying out the \nadministration's Enterprise Information Management and \nIntegration initiative.\n    That said, my concerns regarding the pervasive and \npersistent weaknesses in Federal information security \nmanagement, infrastructure, and accountability remain strong. \nThese are concerns I know you also share, Mr. Chairman, and I \napplaud your subcommittee's steady work in bringing to the \nforefront the critical need for immediate and focused attention \non this issue.\n    Yet, I would add that, to the extent that increased \nsecurity concerns rely on the ability of the public and private \nsectors to share information securely, it is even more critical \nthat the Federal Government put its own house in order with \nrespect to the security of its own Federal information and \ntelecommunications systems. 
It is for this reason that I have \njust introduced legislation similar to the information security \nprovisions in FIPA, and I am very pleased that you have agreed \nto co-sponsor this measure with me, Mr. Chairman.\n    The overall purpose of these efforts is to strengthen the \ninformation security management infrastructure of the Federal \nGovernment. The bill, entitled, ``the Federal Information \nSecurity Management Act'' [FISMA], undertakes this objective by \nbuilding on the foundations laid out by GISRA. As you know, \nGISRA requires every Federal agency to develop and implement \nsecurity policies that include risk assessment, risk-based \npolicies, security awareness training, and periodic reviews.\n    With GISRA set to expire on November 29th of this year, the \nFederal Information Security Management Act permanently \nreauthorizes this legislation and implements additional \nmeasures designed to enable the Federal Government to become a \nreliable public partner for protecting America's information \nhighways. In general, FISMA streamlines GISRA's provisions and \nrequires that agencies utilize information security best \npractices that will ensure the integrity, confidentiality, and \navailability of Federal information systems.\n    Moreover, the bill seeks to strengthen the role played by \nthe National Institute of Standards and Technology in \ndeveloping and maintaining standards and guidelines for minimum \ninformation security controls. Agencies would be required to \nidentify the risk levels associated with their systems and \nimplement the appropriate level of protections accordingly. \nThis latter objective is especially important in light of the \ninterconnectivity of information systems. 
We need to implement \na framework that ensures that when systems interconnect with \neach other, there is a uniform management infrastructure and \nuniversal benchmark for measuring the risks and vulnerabilities \nof Federal information systems.\n    We cannot afford to delay enactment of this legislation. At \na time when uncertainty threatens confidence in our Nation's \npreparedness, the Federal Government must make information \nsecurity a priority. I am heartened by the President's bold \ncommitment to tying the budget process to individual agency \nperformance, and to using information security as one \nmeasurement of that performance. However, the information \nsecurity cannot go the way of any other ``issue du jour.'' It \nis a constant management requirement that requires eternal \nvigilance, and the ranking of its importance to Federal \noperations cannot fluctuate from one administration to the \nnext.\n    It is my hope that we take this opportunity, in the context \nof extending GISRA, to signal Congress' deep concerns that \ninformation security is not being taken seriously by every \nagency and department. We must demand that in our networked \nera, where technology is the driver, every Federal information \nsystem must be managed in a way that minimizes both the risk \nthat a breach or disruption will occur and the harm that would \nresult should such a disruption take place.\n    We will learn a lot today as we determine the impact that \nGISRA has had on the information security practices throughout \nthe Federal Government. I very much look forward to working \nwith you, Mr. Chairman, the members of this subcommittee, and \nother concerned Members of the House and Senate as we move \nforward on strengthening GISRA and improving our government's \noverall information security management. Thank you.\n    [The prepared statement of Hon. Thomas M. 
Davis follows:]\n    [GRAPHICS OMITTED: 82355.004-82355.009, prepared statement of Hon. Thomas M. Davis]\n    \n    Mr. Horn. I thank you for all the work you have done. Could \nyou translate those two things, like ``FISMA'', was it, or \nsomething?\n    Mr. Davis. Right, it's the Federal Information Security \nManagement Act. Of course, GISRA was the previous act.\n    Mr. Horn. Now is it true that Mr. Richard Clark is really \nfulfilling the office that you and some of our friends in the \nSenate wanted to do?\n    Mr. Davis. Part of it. I think that is as close as we can \ncome to it, yes, sir.\n    Mr. Horn. Yes. Well, my understanding is that he is a \npretty tough-minded person.\n    Mr. Davis. He is a tough-minded guy.\n    Mr. Horn. So that is what we want.\n    Mr. Davis. Exactly.\n    Mr. Horn. OK. So, in a sense, part of that which everybody \nhas wanted is now underway. So we just have to wait to see what \nOMB and he do to get the thing done.\n    Mr. Davis. Mr. Chairman, the question always is you have a \ntough-minded person, but how much authority do they actually \nhave, when push comes to shove? When they get on the phone, who \nare they calling from, how seriously are they taken at the \nother end of the line? That is what really remains to be seen.\n    Mr. Horn. Yes, well, you are certainly right on that. If \nthe President backs him up, the Cabinet Secretaries I am sure \nwill listen, and if it becomes part of a Cabinet agenda, that \nwill help on this.\n    Mr. Davis. Mr. Chairman, as you know, we went through this \nwith the Y2K issues----\n    Mr. Horn. Right.\n    Mr. Davis. [continuing]. Where they went through two or \nthree czars.\n    Mr. Horn. Right.\n    Mr. Davis. 
Most of them having two or three other jobs and \nnot having the clout until the administration finally brought \nin the appropriate person who had the clout and put it together \nat the end.\n    Mr. Horn. And had the ear of the President.\n    Mr. Davis. Yes, had the ear of the President.\n    Mr. Horn. Knew him before he was here.\n    Mr. Davis. Exactly, and, more importantly, when they \ncalled, the people on the other end of the phone knew that he \nwas speaking for the President.\n    Mr. Horn. Yes.\n    Mr. Davis. And John Koskinen turned that around.\n    Mr. Horn. Right. Well, thank you very much----\n    Mr. Davis. Thank you.\n    Mr. Horn [continuing]. For your presentation. If you would \nlike to stay with us, we are delighted to have you, if you \nwish.\n    Mr. Davis. I will stay for a few minutes. Thank you, Mr. \nChairman.\n    Mr. Horn. OK. We will now swear in panel two, and that is \nRobert F. Dacey, Director, Information Security, U.S. General \nAccounting Office; Mark A. Forman, Associate Director, Office \nof Information Technology and E-Government, Office of \nManagement and Budget; the Honorable Arden L. Bement, Jr., \nPh.D., Director, National Institute of Standards and \nTechnology; the Honorable Roberta L. Gross, Former Inspector \nGeneral, National Aeronautics and Space Administration; Robert \nG. Gorrie, Deputy Staff Director, Defense-wide Information \nAssurance Program Office, Assistant Secretary of Defense for \nCommand, Control, Communications and Intelligence, and our last \npresenter on this panel will be Karen S. Evans, Chief \nInformation Officer, Department of Energy.\n    As you know, since this is an investigating subcommittee, \nyou raise your right hands to accept the oath.\n    [Witnesses sworn.]\n    Mr. Horn. The clerk will note that all six witnesses \naffirmed.\n    Please be seated. We will start with Mr. Dacey, the \nDirector of Information Security, U.S. 
General Accounting \nOffice, which is Congress' right arm in terms of getting things \ndone. GAO is presided over by the Comptroller General of the \nUnited States. We have a first-rate person in that role right \nnow in General Walker. So we are always glad to hear what the \nGeneral Accounting Office has to say on these areas.\n\nSTATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, \n   U.S. GENERAL ACCOUNTING OFFICE; MARK A. FORMAN, ASSOCIATE \n DIRECTOR, OFFICE OF INFORMATION TECHNOLOGY AND E-GOVERNMENT, \n    OFFICE OF MANAGEMENT AND BUDGET; ARDEN L. BEMENT, JR., \n   DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY; \n     ROBERTA L. GROSS, FORMER INSPECTOR GENERAL, NATIONAL \nAERONAUTICS AND SPACE ADMINISTRATION; ROBERT G. GORRIE, DEPUTY \n  STAFF DIRECTOR, DEFENSE-WIDE INFORMATION ASSURANCE PROGRAM \n   OFFICE, OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE FOR \nCOMMAND, CONTROL, COMMUNICATIONS AND INTELLIGENCE; AND KAREN S. \n     EVANS, CHIEF INFORMATION OFFICER, DEPARTMENT OF ENERGY\n\n    Mr. Dacey. Mr. Chairman and members of the subcommittee, I \nam pleased to be here today to discuss the Federal Government's \nfirst-year implementation of government information security \nreform provisions. As you requested, I will briefly summarize \nour written statement.\n    Federal agencies rely extensively on computerized systems \nand electronic data to support their missions and critical \noperations. Concerned with reports that continuing pervasive \ncomputer security weaknesses place Federal operations at \nsignificant risk of disruption, tampering, fraud, and \ninappropriate disclosures of sensitive information, the \nCongress enacted the reform provisions to reduce these risks \nand provide for more effective oversight of Federal information \nsecurity.\n    Mr. Chairman, as you know, we have been conducting a review \nof the implementation of the reform provisions for you and the \nRanking Member. 
Today I will provide a preliminary result of \nour review.\n    The initial implementation of reform provisions is a \nsignificant step in improving Federal agencies' information \nsecurity programs and addressing their information security \nweaknesses. The legislation consolidates information security \nrequirements into an overall management framework covering all \nagency systems. It adds new statutory evaluation and reporting \nrequirements and OMB and congressional oversight.\n    Agencies have noted a number of benefits of this first-year \nimplementation, including increased management attention to, \nand accountability for, information security. In addition, the \nlegislation has resulted in other important actions by the \nadministration, such as plans to integrate information security \ninto the President's management agenda scorecard. Also, \nagencies have taken steps to redesign and strengthen their \ninformation security.\n    OMB oversight, which included formal guidance, review and \nanalysis of agency-reported material, agency discussion and \nfeedback, and monitoring of corrective actions, has helped \nagency implementation and reporting efforts. Although agencies \ngenerally considered OMB guidance beneficial, the initial \nimplementation of reform provisions highlighted the need for \nfurther guidance in several areas.\n    Last month OMB released its first required annual report to \nthe Congress on the results of agency implementation efforts. \nAs a result, in this report OMB commended agency improvement \nefforts, but noted that many agencies have significant \ndeficiencies in every important area of security. 
OMB also \nidentified a number of common agency security weaknesses, \nincluding lack of senior management attention, inadequate \naccountability for job and program performance, and a limited \ncapability to detect vulnerabilities or intrusions.\n    We agree that OMB's report to the Congress and the agency \nreports are a valuable baseline and believe that OMB's report \nprovides a useful overview of OMB and agency efforts to comply \nwith the reform provisions. I would like to personally commend \nthe OMB staff for their efforts in this endeavor.\n    Nonetheless, certain additional information, including the \nadequacy of agency corrective action plans and the results of \naudits of evaluations for national security systems, is needed \nby Congress to fully assess and oversee these efforts and \ndeliberate over agency budgets.\n    OMB has not authorized agencies to release some agency \nmaterial, such as agency corrective action plans, to the \nCongress or GAO. We plan to continue working with OMB in an \neffort to find workable solutions to obtain this information.\n    Agency reports to OMB show that agencies have not \nestablished information security programs consistent with the \nprovisions of the legislation and that significant weaknesses \nexist. Although agency actions are now underway to strengthen \ninformation security and implement these requirements, \nsignificant improvements will require sustained management \nattention, as well as OMB and congressional oversight.\n    The IG's independent evaluations of agency implementation \nefforts also played a key role in the implementation process. 
\nThe IG's first-year efforts were largely based on existing or \nongoing audit work that had been planned to evaluate agency \ninformation security, which in a number of instances consisted \nprimarily of audits of financial systems.\n    While their future efforts should expand to include more \nsystems, the IG's first-year evaluations helped to identify \nsignificant weaknesses in all 24 agencies, weaknesses that were \nnot always identified by agencies in their reports.\n    Given the recent events and reports that critical \noperations and assets are highly vulnerable to cyber-attack, it \nis essential that Congress have adequate information to oversee \nand fund the Federal information security efforts, and that \nthese efforts be guided by a comprehensive strategy for \nimprovement. In addition, there are a number of important steps \nthat the administration and the agencies should take, including \ndelineating the roles and responsibilities of the numerous \nentities involved in Federal information security and the \nrelated aspects of critical infrastructure protection, \nproviding more specific guidance to agencies on the security \ncontrols they need to implement, and allocating sufficient \nagency resources for information security.\n    Mr. Chairman, this concludes my statement. I would be \npleased to answer any questions that you or other members of \nthe subcommittee may have.\n    [The prepared statement of Mr. 
Dacey follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.010-82355.040\n    \n    Mr. Horn. Thank you very much for that succinct opening.\n    Mark A. Forman is the Associate Director, Office of \nInformation Technology and e-Government, Office of Management \nand Budget. Welcome.\n    Mr. Forman. Thank you, Mr. Chairman, and thank you, \nCongressman Davis, both for your leadership and your vision as \nit relates to e-government and computer security. Having your \nfocus and the oversight on this issue is critically important \nto the success of the initiatives that we are trying to \naccomplish for governmentwide security. 
We understand not only \nthe need for this, but we appreciate your having the hearing \nand the focus on this.\n    I would like to say good morning and thank you for inviting \nme here to discuss the lessons learned from the implementation \nof the Government Information Security Reform Act. I, too, have \nsubmitted the prepared testimony, and I will take a synopsis of \nthat in my oral presentation.\n    As you know, the President has given a high priority to \nsecurity of government assets, and this includes government \ninformation systems and protection of the Nation's critical \ninformation assets from cyber threats and physical attack. We \nbelieve that protecting the information and the information \nsystems on which the Federal Government depends requires \nagencies, first, to identify and resolve the current weaknesses \nand risks, as well as to then protect against the future \nvulnerabilities and threats.\n    Last October the President issued Executive Order 13231, \nthe Critical Infrastructure Protection in the Information Age. \nThat established the Critical Infrastructure Protection Board \nand created the chair as a special advisor to the President for \nCyberspace Security.\n    Now the President has made OMB a critical member of this \nboard. Our presence reflects our statutory role regarding \nsecurity of Federal information systems. In addition, there are \nseveral committees under the board, and we chair the Standing \nCommittee on Executive Branch Information Systems Security.\n    The administration has been proactive in implementation of \nthe Government Information Security Reform Act, and I will \nrefer to this from now on as the Security Act. 
This includes \nexpanding the reporting requirements to include the Chief \nInformation Officer and senior agency officials' input with \nthe Inspectors General.\n    We have moved beyond simply reporting security weaknesses \nand are focusing on agency work to remediate the security \nweaknesses. The basic push behind our continuing work is a \nstrong focus on management implementation of security.\n    We have recently taken the following two steps to help \nensure a strong focus on maintaining senior management \nattention to security: First, in January, OMB Director Mitch \nDaniels sent letters to the heads of agencies and departments \ncommunicating our concerns regarding their fiscal year 2001 \nsecurity performance. In general, agency heads responded back \nin writing with a commitment to resolve their past flaws. OMB \nwill soon meet with all of the 24 large agencies and \ndepartments to discuss the work in implementing their \ncorrective action plans.\n    Second, the President has charged Director Daniels with \noverseeing implementation of the management agenda through the \nuse of an executive branch management scorecard. This scorecard \ntracks agency improvement in five governmentwide areas and \nassigns a red, yellow, or green score.\n    One of these areas is expanding electronic government, and \nwe are incorporating IT as a core criterion within that. This \nmeans that if an agency does not meet IT security criteria, it \nwill not achieve a green score, regardless of the agency's \nperformance under the other e-government criteria.\n    I would now like to talk a little bit about our report to \nCongress, the findings, some of the next steps. As you know, \none of OMB's responsibilities under the Security Act is to \nsubmit each year a report to Congress that summarizes the \nresults of security evaluations conducted by agencies and \nreported to OMB. 
On February 13th of this year, Director \nDaniels transmitted this report to the Congress.\n    At this time I would like to recognize the tremendous \namount of work of agency program officials, CIOs, IGs, my \nstaff, and all of their staffs in conducting the reviews and \nevaluations upon which the report is based. This was a large \neffort for all involved, and the report illustrates this work, \nas well as the ongoing efforts of agencies to remediate their \nweaknesses.\n    Additionally, the National Institute of Standards and \nTechnology continues to play its critical role in promoting IT \nsecurity requirements among agencies. OMB policy requires that \neach agency's program implement policy standards and procedures \nconsistent with NIST guidance. NIST has developed a security \nquestionnaire, and most agencies use this document as the basis \nfor conducting their annual reviews under the Security Act.\n    The OMB report represents a first year of implementation. \nIt is a valuable baseline that has recorded the security agency \nperformance. Even though the Security Act only required us to \nsummarize the results, we expanded the report. We included the \nresults of CIO and program official reviews in the recent \nactivities we have undertaken in preparing the fiscal year 2003 \nbudget decisions, OMB findings, and next steps, as well as \nadditional efforts that we have undertaken and the agencies \nhave taken to improve Federal information technology security.\n    From our assessment of agency performance, we have both \nvalidated the earlier positions on what the problems were and \nidentified at a high-level important lessons learned. I would \nlike to briefly sum those up.\n    First, security is primarily a management problem, not a \ntechnical or funding problem. Are you willing to support us if \nwe push to get someone fired because they will not implement a \nsecurity plan? 
Second, increased spending does not necessarily \ntranslate into increased security performance. Third, high-\nquality IG audits are necessary. The IGs provide an important, \nindependent validation function. Fourth, agency employees with \nspecific security responsibilities must have the authority to \nfulfill their responsibilities and at the same time have to be \nheld accountable for their performance.\n    There are a number of additional actions I have described. \nA key part of the written testimony I would ask you to look at \nare the actions under the OMB Security Committee of the \nCritical Infrastructure Protection Board. Therein we have laid \nout a process to focus more rapidly on actions needing to be \naddressed, because this is an ever-changing issue both in terms \nof vulnerability and threats.\n    I would also ask you to take a look at the decisions that \nwe have made in the budget, and would ask your support in the \nappropriations decisions that ultimately will have to make \nthese into reality.\n    Finally, I would like to focus on the governmentwide \ninitiatives that we have underway leveraging the project matrix \nwork and the enterprise architecture work. The development of \nthe governmentwide enterprise architecture assessment is \ncritical and a central part of not only our e-government \nefforts, but our cyber-security efforts. Basically, to more \nclearly identify and prioritize the security needs for \ngovernment assets, OMB is going to direct all large agencies to \nundertake a project matrix review, and that was a key element \nof the 2003 budget.\n    Again, I would like to thank you for the opportunity to \ntestify. We have a summary in the testimony of the six \ngovernment problems that we identified in the report, and I \nwould be willing to answer any questions in that regard at the \nappropriate time.\n    [The prepared statement of Mr. 
Forman follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.041-82355.053\n    \n    Mr. Horn. Well, thank you very much. I want to emphasize \nwhat you just did now, the President's Executive order, which \nwas Critical Infrastructure Protection in the Information Age, \nand he established a board, as you suggested. The chair, who \nserves as a special advisor to the President for Cyberspace \nSecurity, and that, of course, is Richard Clark, who serves as \nthe Board and he is the Special Advisor to the President for \nCyberspace Security. He reports both to Governor Ridge on \nissues that affect homeland security and to the National \nSecurity Advisor, Condoleezza Rice, on the issues that affect \nnational security.\n    The President has made OMB a member of the Critical \nInfrastructure Protection Board. Are you on that board as part \nof it?\n    Mr. Forman. Yes, I am.\n    Mr. Horn. I think it shows the President has taken some \nreal action with people that did have his ear.\n    I am going to have to recess now. When I come back, the \nranking member, Ms. Schakowsky, will have her statement in, and \nwe will then go down the line. We have a Journal vote before \nus.\n    Ms. Schakowsky. Is there an opportunity for me to do that \nnow?\n    Mr. Horn. Sure, sure. She will put it in now, and once she \nfinishes, we are in recess.\n    Ms. Schakowsky. Thank you, Mr. Chairman. 
I appreciate that.\n    I want to thank the chairman for holding this hearing and \nfor his leadership on computer security issues in the House. I \nlook forward to working with him to improve government \ninformation security reform language that was passed in the \nCongress.\n    It was passed in the last Congress as a part of the Defense \nAuthorization Act, and as such, really didn't get, in my view, \nadequate review in the House. No hearings were held, and we had \nvery little opportunity to affect the content.\n    Consequently, under Representative Waxman's leadership, we \nsought and received a 2-year sunset on this legislation. Our \nexperience over the past year has substantiated the wisdom of \nthat approach.\n    There are a number of problems in this legislation that \nhave already come to our attention. I am hopeful that today's \nhearing will help us put together a more complete picture of \nthe actions to make this legislation more effective.\n    One problem has already come to our attention. One of the \nproblems is the reports prepared by the agencies. We asked the \nGAO to use agency information security reports to develop the \nscorecards for our hearing last fall. It came as a surprise \nwhen the administration refused to allow access to those \nreports, claiming that they were predecisional and part of the \nbudget process. After much negotiation, we were finally given \naccess to executive summaries, hardly a satisfactory outcome.\n    A more serious shortcoming of this legislation is the \nabsence of any system to assure that all agency systems are \nchecked and protected. Today few, if any, agencies have a \ncomplete inventory of their computer systems, even though just \nsuch an inventory was required for Y2K compliance just 2 years \nago. Without a complete inventory, it is impossible to know if \nall systems have had the risks assessed and the protections \ntested. 
We must make sure that every agency maintains a current \ninventory of systems and has in place a systematic process to \nassess risk for those systems and to test the protections in \nplace.\n    I am sorry that I was late. I do look forward to hearing \ntoday's witnesses, if not reading the testimony, and hope that \neach of you will understand that we share the common goal of \nassuring the public that our systems have adequate protection. \nSo I thank you all for coming today.\n    We will be back.\n    [The prepared statement of Hon. Janice D. Schakowsky \nfollows:]\n[GRAPHIC] [TIFF OMITTED] 82355.054-82355.055\n\n    [Recess.]\n    Mr. Horn. Recess has ended, and we will begin next with Mr. \nBement, who is the Director of the National Institute of \nStandards and Technology [NIST]--not in the mist, but NIST. \n[Laughter.]\n    Dr. Bement. Right. Thank you, Mr. Chairman.\n    Mr. Horn. As a little kid, I remembered well the standards \nand your beautiful campus out there.\n    Dr. Bement. You are more than welcome anytime, Mr. \nChairman.\n    Thank you very much for giving me the opportunity to speak \nto you about NIST's role in cyber-security. NIST's Computer \nSecurity Program supports the vision of strong cyber-security \nand its critical role both in homeland security and e-\ngovernment. Our agency has specific statutory responsibilities \nunder both GISRA and the Computer Security Act of 1987 for \ndeveloping standards and guidance that help Federal agencies \nto protect sensitive, unclassified information.\n    Specifically, NIST has published guidance for firewalls, \nintrusion detection, cryptography, public Web servers, and risk \nmanagement. We also conduct computer security research in close \ncooperation with industry and academia. We work to find ways to \napply new technologies in a secure manner.\n    The solutions that we develop are made available to both \npublic and private users. 
This research helps us to find more \ncost-effective ways to implement and address security \nrequirements.\n    I would now like to highlight a few of our more important \nrecent contributions to improve cyber-security in Federal \nagencies. In December the Secretary of Commerce approved the \nAdvanced Encryption Standard [AES], as a Federal security \nstandard. Within days, commercial firms were announcing \nproducts that incorporated the AES. It is clear that AES soon \nwill be used extensively internationally and be available in a \nwide array of commercial products to protect sensitive Federal \ninformation. We expect AES will be used daily to secure \ntrillions of dollars in electronic transactions and to protect \nsensitive personal business and government information.\n    The Chief Information Officers' Council and NIST developed \na security assessment framework to assist agencies with a very \nhigh-level review of their security status. The framework \nestablished the groundwork for standardizing on five levels of \nsecurity and defined the criteria agencies could use to \ndetermine if the levels were adequately implemented. By using \nthe framework levels, an agency can prioritize agency efforts \nas well as to evaluate progress.\n    Building from the framework, NIST issued a more detailed \nsecurity questionnaire that most agencies use to conduct their \nprogrammed system reviews. This document provided guidance on \napplying the framework. In addition, the guide provides control \nobjectives and techniques that can be measured for each area. \nMany agencies use this to prepare their GISRA responses to OMB.\n    NIST also recently formed a team that specializes in \nhelping Federal agencies navigate through the dangers of \ncyberspace. 
The Computer Security Expert Assist Team [CSEAT], \nhelps agencies understand how to protect their computer \nsystems, how to identify and fix existing vulnerabilities, and \nhow to anticipate and prepare for future security threats.\n    The CSEAT reviews are also valuable to NIST. They give us a \nfirsthand look at how NIST guidance is implemented, helping us \nto improve our products and processes.\n    Our new information-sharing Web site for Federal agency \nsecurity practices covers a host of topics ranging from \ncontingency planning to network security. Computer security \nprofessionals from various Federal agencies have contributed \nmuch of the material on the site. The site also contains the \nbest practices for critical infrastructure protection and \ncomputer security identified by the Federal Chief Information \nOfficers' Council. The site is one of the latest additions to \nNIST's Computer Security Resource Center and is one of the \nbusiest and most popular spots on the entire NIST Web site.\n    Another aspect of our work involves security testing, which \ncomplements security standards by giving users confidence that \nthe security standards and specifications are implemented \ncorrectly in the products they buy. NIST and our Canadian \ncounterpart have set up a joint program to help ensure correct \nand secure implementation of unclassified cryptographic \nalgorithms and products. Statistics show that 48 percent of the \nmodules tested voluntarily under this program have security \nflaws that were corrected during testing. So, without our \nprogram, the Federal Government would have only a 50/50 chance \nof buying products that correctly implemented cryptography.\n    I would like to point out that in carrying out our \nresponsibilities under GISRA and the Computer Security Act, we \nconsult frequently with other agencies. In particular, we work \nvery closely with the Office of Management and Budget. 
We \nconsult with OMB representatives on the Federal Chief \nInformation Officers' Council, the Federal Computer Security \nProgram Managers' Forum, and the Committee on National Security \nSystems. We soon will serve on the newly formed Committee on \nExecutive Branch Information Systems Security. I would like to \ntake this opportunity to commend my OMB colleagues for their \nsteadfast support in promoting our security standards and \nguidelines with Federal agencies.\n    Let me close by emphasizing that our national commitment to \nimproved cyber-security must be increased in Federal agencies \nand elsewhere. NIST has a proven track record of success and \nstands ready to play key roles in this and other facets of \nhomeland security.\n    Thank you very much, Mr. Chairman. I will be pleased to \nanswer any of your questions.\n    [The prepared statement of Dr. Bement follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.056-82355.063\n    \n    Mr. Horn. Thank you, and we are delighted to have your \npaper in particular.\n    We now turn to the Honorable Roberta L. Gross, former \nInspector General, National Aeronautics and Space \nAdministration. I lost track of you. You have been a witness \nhere before. When did you leave the Inspector General's \nposition?\n    Ms. Gross. Saturday.\n    Mr. Horn. Saturday? OK.\n    Ms. Gross. But your staffer had asked me prior to the time, \nand I had told her that I would be leaving, but we talked about \nI would still come. So here I am.\n    Mr. Horn. Great. Well, welcome. So if we could summarize \nyour testimony?\n    Ms. Gross. Absolutely. 
I thank you for inviting me to \ntestify today on GISRA, and my testimony is obviously based on \nmy recent experience as NASA's Inspector General. I served in \nthat post from August 1995 through March 2, 2002. I am also \nbasing it on my experience as being the former Chair of the \nIGs' IT Roundtable, where we discuss cross-cutting issues \nacross the government.\n    Last year I, along with a representative of the GAO, \ntestified before the Senate Committee on Governmental Affairs \non a precursor of GISRA, Senate bill 1993. The then-chair of \nthe committee, the Honorable Senator Thompson, began his \nopening statement by recounting how time after time the GAO \nkept writing reports, Inspectors General kept writing reports, \nabout serious lapses in IT security, deficiencies in IT \ncapital, in human resources planning. He observed that over the \nyears law after law was passed, regulation after regulation, \nand the issues seemed to reoccur and nothing seemed to get \nbetter, and it was no wonder, with so many laws and \nregulations, that this Senator rhetorically asked, ``Why are we \nenacting GISRA?'' The answer is that GISRA was needed, GISRA \nhas had success, and it can be improved.\n    My remarks are going to be divided into three sections: bad \nnews--I couldn't be an Inspector General, or former Inspector \nGeneral, without that, right? Good news, next steps, and \nlessons learned.\n    During our GISRA reviews and audits at NASA, we found \nproblems in each of the six areas highlighted by OMB. 
I am only \ngoing to address three of them, using NASA as an illustration, \nand I incorporate by reference my written testimony.\n    The three that I would like to use as illustration are, \none, lack of senior management attention; two, limited programs \nfor security awareness and education, and, three, failure to \nexercise oversight of contractor security services.\n    While some of the agency's IT practices are more mature \nthan those at many agencies, and I notice that NASA got a ``C-\n,'' and they are above one of the yellow lines, NASA management \nhas historically been unwilling to recognize and/or fully \nacknowledge the significance of the IT weaknesses and deal with \nthem in a timely manner. There are various interrelated reasons \nfor that.\n    They were engaged, since I have been there, in downsizing, \nfunding problems, but also, seriously, an unwillingness of \nmiddle management or IT security officials to tell senior \nmanagement the extent of the problem, as well as lack of \nreception by senior management to hear about the extent of the \nproblem. So that is a good segue into the first problem: \nsenior management attention.\n    Leaderships of all the agencies occupy bully pulpits by \nvirtue of their positions. They can regularly remind staff of \ntheir IT responsibilities and obligations. No cost; talk is \ncheap. What should they be doing?\n    They should be addressing their employees in as many forums \nas possible and reinforce that IT security is everybody's \nresponsibility. For example, we saw that the former \nAdministrator used his office--this is at NASA again--used his \noffice as a bully pulpit for safety. Safety was NASA's No. 1 \ncore value. At senior staff meetings, leadership reiterated \nthis value, discussed lessons learned, and tracked programs \nrelated to safety.\n    However, no similar attention to ITS, other than during the \nY2K crisis. Y2K came and went, and senior management attention \ncame and went. 
I hope the new Administrator will use his office \nas a bully pulpit on IT issues.\n    Let's talk about the CIO. The CIO also did not utilize the \nbully pulpit to communicate IG findings, and we had the same \nfindings over and over again, and NASA agreed to implement our \nrecommendations over and over again. They didn't monitor these \nrecommendations that they agreed to implement.\n    Instead of using the bully pulpit and communicating to the \nstaff and saying, ``Don't wait for the IG. Why don't you look \nto see if your systems have similar problems? And here are some \nsuggestions that the agency IG recommended. Maybe these will be \nfixes for you.'' This really didn't happen.\n    But I do want to point out the good news. Since the GISRA \nreport, the CIO has shown improvement in communicating and \nsharing his communications with the OIG about IT \nvulnerabilities we identified in the IT reviews. I used lack of \ncommunication as one of the reasons why we found material \nweakness for purposes of the GISRA report; the CIO failed to \nuse a very low-cost/no-cost forum.\n    No. 2, another problem highlighted by OMB, as well as the \nIGs, is insufficient security awareness and training. Civil \nservants and contractors, they all need to have the training \nbefore being given access to systems. If personnel have more \nresponsibilities and higher-level sensitivities to systems, \nthey need to have a different kind of training.\n    But NASA did not establish 100 percent training \nparticipation for the targeted groups for all its measures, \ndespite the age-old adage: ``You're only as good as your \nweakest link.'' The point is not that you are going to make 100 \npercent of your goal, but shouldn't that be your goal? How \ncould you have less than 100 percent for people to be trained \nas your goal? 
Otherwise, you're going to allow and accept weak \nlinks.\n    Our biggest complaint on this training issue was that NASA \ndid not have all of its civil servant system administrators \ntrained, but even more significant is that they excluded, as \ntheir performance measure, contractor personnel. Guess what? \nSeventy-nine percent of NASA's systems administrators are \ncontractors. Their training is not even measured; they are not \neven tracked in terms of whether they have the appropriate \ntraining. This is an obvious risk for which NASA did not \nimplement compensating controls.\n    Oversight of contractor responsibility. Over and beyond \nincorporating IT clauses into contracts, which OMB addressed \nand we address, you still have to make sure that you know who \nthese contractors are with whom you are working. They have \nwide-ranging responsibilities. Think about it. They are your \nsystems administrators. They purchase and provide desktops. \nThey are the ones that safeguard sensitive information. They \nmaintain your systems. They put the patches in your system.\n    Who are these people? What are they doing? And are you \noversighting them? Contractor oversight is an area where the \ngovernment needs to be attentive, and certainly NASA does.\n    OK, good news. OMB focuses greater cooperation between OIGs \nand CIOs. I do want to say and give credit to two individuals \nwho are here. Never say IGs don't say good things about people. \nGlen Schlarman and Kamela White are both here. There's Glen, \nand Kamela, she's hiding over there.\n    Mr. Horn. Why don't you speak that back into the mike? They \ndidn't quite catch it.\n    Ms. Gross. OK. Both Kamela and Glen are here. 
In forwarding \ntheir summary report to Congress, they did not try to paint a \nrosy picture, but tried to present an accurate picture, and \nthis wasn't always easy because sometimes it looked like the \nIGs and the agencies were reporting on two different worlds.\n    I also want to commend them for their steadfast insistence \nthat management work with IGs in developing corrective action \nplans. This has been a welcome increase in cooperation between \nIGs and CIOs. IG after IG reports this.\n    Equally important, GISRA brought accountability to the \nheads of the agencies. They had to forward the report. They had \nto forward an IG report as well as the agency report and put \ntheir name on it. It was their report. No more plausible \ndeniability. They couldn't claim they didn't know what the IT \nissues were at their agencies. That was real good.\n    OK, next steps, and I'm going quickly--GISRA I think should \nbe extended in some form for 2 to 5 years, so that agencies \nwill implement agreed-upon changes. In subsequent legislation, \nCongress should consider allowing the IGs to have more \nflexibility in their reporting responsibilities. This year it \nwill still be the same, but if you still have to do this kind \nof level of intensity without having additional funding from \nthe agency and OMB, you are not going to be able to move into \nother high-risk areas. Unlike when Congress passed the CFO \naudit and most IGs got more resources, that didn't happen for \nGISRA.\n    Another suggestion is that there should be a sunset \nprovision maybe in the 3 to 5 years, so you can evaluate if it \nis what you want to do. Are the means overtaking the end? So I \nthink a sunset provision is good.\n    Another way to ensure greater uniformity is to eliminate \nthe act's bifurcation of responsibilities for national security \nprograms. Under the act, the agency head asks an outside \nevaluator to come in, look at national security systems, which \nthe IG later reviews. 
NASA's IG's office never got that \nsecurity report in time to review it for the GISRA Act.\n    The IGs use, at the least, a uniform evaluation methodology. \nThey will either use government standards, PCIE-wide standards \nfor reviews, or GAGAS, government auditing standards for their \naudits. This is not always the case. Agency heads bring in \ndifferent people. Who knows what standards they are using? So \nthis should be eliminated, and it should be having the IGs do \n100 percent of that.\n    These next steps require a focus on agencies' \ninfrastructure for reporting intrusions, and also the agencies' \nfirst-responders. Are they training first-responders? When you \nhave a program manager they want to fix the problem. Often \ntheir fixes may increase the problem. Maybe the intruder is \nstill in the network trojanizing the systems. Program managers \ndon't always know what they are doing when they fix problems, \npartly because they are not coordinating with law enforcement. \nIGs must look at, and I think this should be an area Congress \ncould look at to see if they are actually, the agencies, are \nimplementing law enforcement coordination. The \nCongress passed the USA PATRIOT Act of 2001 to help law \nenforcement with the cyber war. One section allows victims of \ncomputer attacks to authorize persons acting in color of law to \nmonitor trespassers on their computer systems. This provides \nlaw enforcement with the same authority in the cyber world that \na police officer has in the normal world if there is a burglary \nin progress. This had to be amended so the monitoring wouldn't \nbe considered wiretapping. This is important. I want to commend \nHoward Schmidt, vice chair, President's Critical Infrastructure \nBoard. He is working with Richard Clark. He has initiated \ncontacts with NASA's Inspector General's office to help frame an \nOIG-wide response for the victim agencies. 
NASA, under my term, \nestablished the first Inspector General's Computer Crimes Unit, \nand Howard was turning to our unit in part because we were \nrecognized both nationally and internationally for our \nexpertise. It is crucial that OIGs help their victim agencies \nand those agencies look to this monitoring provision. Let's not \nwait for the cyber-attack; the law has already passed.\n    Nobody has procedures. I know, because I put a request for \nmonitoring into the agency, and it is under review. We need to \nhave more sense of urgency for something like this. The law was \npassed because there was an urgent situation. That urgency \ncannot wait for the next attack, and if that is a cyber \nattack----\n    Mr. Horn. Let me ask you a minute about this particular \naspect on the follow up and getting that. Did they use the \nCarnegie-Mellon operation in part or did they use the FBI one?\n    Ms. Gross. Carnegie-Mellon is not a law enforcement entity. \nThey get information from both the private sector and \ngovernment agencies. Part of the way Carnegie-Mellon works is \nsharing of information. Although it is not a law enforcement \nentity, they do have a member of the FBI on the CERT. They do \nshare information with law enforcement. It goes back and forth, \nbut it is not a law enforcement entity.\n    The FBI also wanted this Computer Security Act passed. \nThey, like any other law enforcement entity, needed that in \norder to do the monitoring; consensual monitoring by the owners \nof systems when you know there is a burglary, a cyber burglary \nin process, they can monitor. They needed that provision. \nThere are no nationwide or agencywide practices on how to use \nthat authority though.\n    But, again, remember with the FBI, the FBI has to look at \nthe private sector, universities and international entities. \nThe group that really looks for their victim agencies is the \nOIGs. 
Many of them know the agency people; they know the \nsystems; they know the programs. You might have a shot at \nfiguring out the intent and motive of intruders if IGs are \ninvolved.\n    They have fully qualified law enforcement special agents. \nThis is a way of ensuring those much needed protections.\n    Right now, you have a focus of the FBI looking at physical \nterrorism. The role of the IGs becomes even more paramount \nbecause of that. They need to step up to the plate. I would be \nglad to speak more on that. I can wax eloquent on that issue.\n    Mr. Horn. We will get to that again, but we will move on to \nMr. Gorrie.\n    Ms. Gross. Yes.\n    [The prepared statement of Ms. Gross follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.064\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.065\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.066\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.067\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.068\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.069\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.070\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.071\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.072\n    \n    Mr. Horn. Robert G. Gorrie is the Deputy Staff Director, \nDefense-wide Information Assurance Program Office, and \nAssistant Secretary of Defense for Command, Control, \nCommunications and Intelligence.\n    When did you fill that Assistant Secretaryship?\n    Mr. Gorrie. No, sir, I am Office of the Assistant \nSecretary. They have that a little backward there.\n    Mr. Horn. I see, OK.\n    Mr. Gorrie. I conspire to that, though, but----\n    Mr. Horn. Well, remind me, who is the Assistant Secretary \nin that area?\n    Mr. Gorrie. Mr. Stenbit is, sir.\n    Mr. Horn. Mr. Who?\n    Mr. Gorrie. John Stenbit.\n    Mr. Horn. How do you spell the last name?\n    Mr. Gorrie. S-T-E-N-B-I-T.\n    Mr. Horn. 
OK, yes, because I haven't really followed it, \nbut in the days of Y2K, until the General occupying the effort \nleft, I know there's been sort of up and down under the \nprevious administration. I assume Mr. Stenbit, then, is the \nBush administration?\n    Mr. Gorrie. Yes, sir, he followed Mr. Art Money, who was \nthe previous ASDC3I.\n    Mr. Horn. Well, go ahead.\n    Mr. Gorrie. Yes, sir, thank you, Mr. Chairman and members \nof the subcommittee. I am honored to be here and pleased to \nhave the opportunity to speak with your committee about lessons \nlearned by DOD from assessments we conducted in response to the \nGovernment Information Security Reform legislation.\n    Secretary Rumsfeld, in his testimony last month before the \nHouse Appropriations Defense Subcommittee, identified six key \ntransformational goals for the Department. Leveraging \ninformation technology to create seamless, interoperable \nnetwork-centric environments is one of those foundation \ntransformational goals.\n    However, as our dependence on information networks \nincreases, it creates new vulnerabilities, as adversaries \ndevelop new ways of attacking and disrupting U.S. forces. In \nrecognition of this dichotomy, the Secretary established the \nprotection of U.S. information networks from attack as another \nfoundation transformational goal.\n    Emphasizing that transformation is not an event, Secretary \nRumsfeld described it as an ongoing process or a journey that \nbegins with a transformed leading-edge force. Mr. Stenbit, the \nDOD CIO, is committed to support our transformation by \nproviding the power to that information leading edge. To do \nthat, he established three goals for his supporting efforts of \nMr. 
Rumsfeld, and one of those is making the exchange of \ninformation available on a network that people depend and \ntrust.\n    Now all of these goals in large measure are influenced by \nour ability to provide information assurance to the edge and \nthroughout the entire information enterprise. Our senior \nleadership's stated commitment to these goals is testament to \nthe importance placed on information assurance within DOD.\n    The Department initiated work on its 2001 assessment in \nJanuary 2001. The former DOD CIO, Mr. Art Money, established an \nIA Integrated Process Team to lead the assessments. In \naddition, the DOD IG ensured that independent audits were \nperformed to assess and test DOD programs and policies for \neffectiveness and compliance with the law and other policies, \nprocedures, standards, and guidelines.\n    The analysis of the system-specific data and the responses \nto the OMB questions indicate that DOD has good IA policies, \npractices, and procedures in place, but needs verification of \ncompliance. Without a capability to enforce and properly audit \nIA policy compliance, it is difficult to ensure that all \nsystems operate based on up-to-date procedures and proper \nconfigurations.\n    Based on the data analysis, however, it is evident that \neven for those systems lacking accreditation, most have robust \nIA measures in place and programs with high IA awareness. DOD \nhas a strong foundation in IA that will be expanded and more \nfully developed as that program matures.\n    Without question, though, the biggest single lesson learned \nduring the conduct of GISRA 2001 was the problems associated \nwith our Security Certification and Accreditation Program. \nCompliance is a major issue. However, stricter audit and \nenforcement of DITSCAP, which is our Defense Information \nTechnology Security, Certification, and Accreditation Program, \nstricter audit and enforcement of that will not necessarily \nrectify the problem. 
Non-compliance is more a symptom of the \ncomplexity of that process and the clarity of its implementing \npolicy. These problems were previously identified, but \ndefinitively confirmed in the GISRA 2001 assessment.\n    That certification and accreditation policy is undergoing \ndramatic modification in policy as well as in implementation. \nThe DOD policy governing DITSCAP will streamline the \ncertification and accreditation process and provide better \nclarity on definitions and responsibilities. DOD is also \npursuing the use of automated tools to ease the documentation \nburden on security and systems administrators. The combination \nof these two efforts should significantly improve our ability \nto conduct certification and accreditation and, as a result, \nimprove compliance.\n    DOD, through the Defense Information Systems Agency, has \nalso aggressively implemented comprehensive connection approval \nprograms for both our Non-Secure and Secret Internet Protocol \nRouter Networks, the SIPRNET and the NIPRNET. These programs \nhave initial and subsequent periodic validation of network \ncertification and accreditation as a precondition for \nconnection to the network, and this will serve as a valuable \ncompliance control mechanism to make sure that those programs \nare fully carried out.\n    The DOD IG identified oversight and review of IA policy \nimplementation and programming of funds and resources to \nsupport IA as areas requiring attention in the last GISRA \nassessment. Conduct of worthwhile oversight and review of IA \npolicy implementation requires not only an established process, \nbut also relevant and current IA policy. As mentioned in the IG \nreport, DOD Directive 5200.28 was, or still is, our current \nsecurity policy, but that happened to be written in 1992 and \nwas woefully out-of-date.\n    In its place, DOD is issuing a series of new IA directives \nand instructions to accommodate a more complex IA environment. 
\nThe capstone directive is in formal coordination now within the \nDepartment and will be released soon. Other supporting \ndirectives have recently been released or will be released \nlater this year. The responsibilities established in these \ndirectives are clear and concise, as are the management \ncontrols associated with the policies.\n    Oversight of budgets and programming to support IA is one \nof the functions of my office, the Defense-wide Information \nAssurance Program Office. We are now reviewing, with all the \nDOD components, the services, and the agencies, IA budgets and \nprograms during their development to coordinate efforts across \nthe Department and to check for policy implementation. \nSubsequent to that, we conduct reviews to match the resource \nallocations and expenditures with the original plans to make \nsure that they match.\n    Now, those were the things we noticed during regular GISRA. \nHowever, there were some procedural lessons learned that we \nalso developed. One, as was mentioned previously, was to work \nclosely with the DOD IG in the conduct of GISRA. Unfortunately, \nduring last year's GISRA, we weren't able to do that because of \ntime constraints and previous scheduling problems with the DOD \nIG. They looked at one small population of DOD systems, and we \nlooked at another population. Optimally, we would have looked, \nboth we would have done an assessment of DOD systems and then \nthe IG would have come behind us and audited the same systems \nto verify the veracity of the information that we were getting.\n    Because of that, DOD's Fiscal Year 2002 GISRA assessment \nefforts will focus on three particular areas. One is review of \nselected systems from 2001, and then we will go in and take a \nlook at the major DOD networks, and also the third part of that \nis the departmental response to OMB IA management process \nquestions.\n    Approximately 168 systems from the 2001 assessment will be \nreviewed. 
The second area of this year's effort will focus on a \nrandom sample of major local, wide, and metropolitan DOD area \nnetworks.\n    Then the final area in 2001 will be the response to the OMB \nIA management questions. OMB has indicated that the questions \nwill be similar to those in the 2001 assessment, and will \nencompass all aspects of IA throughout the Department, from \ntraining and awareness to response capability. As DOD \ncomponents conduct their assessments, the DOD IG will audit the \nsubset of the 168 systems from last year, again, as I said \nbefore, to verify compliance and the veracity of the \ninformation that we collected.\n    We in DOD find the GISRA assessments as a valuable tool. \nCombined with other assessment tools we have--for instance, the \nJoint Chiefs of Staff Joint Monthly Readiness Reviews, the \nCommanders-in-Chief's Integrated Priority Lists, Mission Need \nStatements, and other requirements documents--we are better \nable to discern what actions and direction are needed to be \ntaken to sustain our IA posture and to transition to a more \nrobust posture. Having identified these necessary actions and \ndirections, we were able to better coordinate more effectively \nour oversight and coordination of the Department's IA budgets \nand the entire enterprise-wide program.\n    That's it, sir.\n    [The prepared statement of Mr. Gorrie follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.073\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.074\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.075\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.076\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.077\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.078\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.079\n    \n    Mr. Horn. Thank you very much. I want to ask you about the \nrole of Mr. Stenbit. Now he is Assistant Secretary for the \nthree C's--Command, Communications, and what else is it?\n    Mr. Gorrie. Command, Communications, and Control and \nIntelligence.\n    Mr. Horn. 
Control and Intelligence?\n    Mr. Gorrie. Yes, sir, and he is also the DOD CIO.\n    Mr. Horn. Yes. Now is that too much for one person to \nhandle?\n    Mr. Gorrie. No, sir. Actually, it is probably a pretty good \ncombination because not only does he see or oversee the policy \nand the budgetary parts of IT within the Department, but then, \nagain, as the CIO of DOD, that gives him a more pervasive view \nnot only of the programming and budgeting aspect and bringing \nnew systems on board, but getting into the daily operational \nthings that go on within the Department.\n    Is it too big of a job to handle? No. I mean, he obviously \nhas staff to deal with his CIO functions and also with his \nAssistant Secretary functions, but to have that all brought \ntogether in one person is valuable, because you get to see not \nonly the policy development and also the procurement side of \nit, but also the operational side of it.\n    Now there are people who would disagree with that and say \nthat we should split this function and have a separate DOD CIO \nand a separate Assistant Secretary for Command, Control, \nCommunications and Intelligence. The jury is still out on that. \nI don't personally subscribe to splitting those \nresponsibilities, but until I become the Secretary, I won't be \nable to make that decision, sir. [Laughter.]\n    Mr. Horn. Well, I would like a little table with little \nboxes as to how many people we have for those various \nfunctions. I have gone through this with another agency 5 or 6 \nyears ago. They piled everything onto what Congress had said \nabout Chief Financial Officers, Chief Information Officers, and \nthe thrust of that was to get somebody of high-rank that we \ncould get in the private sector or in the executive branch out \nof the Senior Service. We just looked at it, and not much was \nhappening because the poor soul was overloaded.\n    So I would like a chart at this point in the record. 
\nWithout objection, it will be put there. So if you and \neverybody else can give us one, just so we can see the picture \nof who's helping and how many are helping and addressed to \nthis?\n    Mr. Gorrie. Yes, sir.\n    And if I might add one other reason why I don't think you \nnecessarily want to separate those functions is because the \nlevel--if you split those functions, I don't know that \nnecessarily the level of importance of the person holding that \njob would carry enough sway within the Department to have \ninfluence. At the Assistant Secretary level--and, actually, I \nthink it should be at the Under Secretary level, but, again, I \nam not in a position to make that call--there is enough \nleverage there, and they have enough influence and the ear of \nthe Secretary of Defense to make things happen. If you split it \nand diluted it, that might not necessarily be the case.\n    Mr. Horn. I have great admiration for the Secretary of \nDefense. I remember, going back about seven administrations, \none person had about 12 of the functions we now have Assistant \nSecretaries hold. As you know, he did a very fine job. But when \nwe have troubles in this area, where we haven't had it yet up \nwhere they can get a C, B, or A in looking at the computing \noperation, it just means we have got to focus on that and not \nbe waylaid by all the other things that are very important.\n    Mr. Gorrie. Yes, sir.\n    Mr. Horn. OK, so we now have our last presenter, Chief \nInformation Officer Karen S. Evans of the U.S. Department of \nEnergy.\n    Glad to have you here. When were you appointed? I see \nJanuary 28th.\n    Ms. Evans. Yes, sir, just 6 weeks ago.\n    Good morning, and thank you for this opportunity to appear \ntoday to address the very important issue of improving the \nsecurity of our Federal information systems. I was named the \nDepartment of Energy's Chief Information Officer 6 weeks ago, \non January 28, 2002. 
As the CIO, I believe that effective cyber \nsecurity is a balance of managed policies, procedures, \ntechnology, training, and people. It is also a major enabler of \nour Department's information technology initiatives, especially \nour e-government initiatives.\n    My remarks today focus on the implementation of the \nGovernment Information Security Reform Act, improvements in the \nDepartment's cyber security infrastructure, and our plans for \nfurther strengthening our cyber security posture.\n    GISRA provides a comprehensive framework for establishing \nand ensuring effectiveness of security controls over \ninformation resources that support Federal operations and \nassets. Secretary Abraham submitted the Department's first \nannual security review last September. This committee \nestablished grading criteria, and the Department received an \n``F.''\n    The scoring acknowledged that we were either complete or in \nthe process of implementing 9 of 10 areas. Our raw score was \n71. The score was weighed against weaknesses identified by our \nprevious Department Inspector General and the Office of \nIndependent Oversight and Performance Assurance audits and \nassessments. Our final scoring was lowered to 51.\n    Since the passage of GISRA, the Department has taken an \nactive leadership role to further strengthen its cyber security \nposture. First, we developed and incorporated an enterprise-\nwide perimeter defense strategy to reduce the number and the \nseverity of successful attacks. Analysis reveals that while the \noverall threat from virus and malicious code increased, the \nnumber of successful intrusions diminished. Virus and malicious \ncode incidents dropped from 60 in fiscal year 2000 to 39 in \nfiscal year 2001, a 35 percent reduction. 
In addition, while \nprobes and scans escalated over 2,000 percent from fiscal year \n1999 to 2001, unauthorized access and Web defacements \ndiminished by over 50 percent.\n    In addition, we have trained 6,200 managers and cyber \nsecurity staff in the last year alone, and are continuing an \naggressive training and awareness program, so that every \nDepartment member is aware that cyber security is an integral \npart of his or her job.\n    Like many other government agencies, we still have a long \nway to go, but we have an excellent foundation on which to \nbuild. We recognize the importance of cyber security as a \nmanagement issue. Our goal is to give line management the \nauthority to determine how to implement policy, because it is \nin the best position to assess the appropriate levels of \nprotection.\n    Our Performance Improvement Plan and Performance Report \nCard provide a clean remediation road map for those program \noffices with GISRA-identified deficiencies, and our sites have \nmade significant progress toward their elimination.\n    Today I am pleased to announce additional cyber security \ninitiatives. First, I will focus initially on developing and \nimplementing a Department-wide certification and accreditation \nprocess to ensure that our unclassified information systems \ncomply with departmental cyber security policies. Our \nCertification and Accreditation Program will establish a \nDepartment-wide process to certify that an information system \nor a site complies with documented security requirements, and \nthat the program will continue to maintain an accredited \nsecurity posture throughout the system life cycle.\n    Processes such as certification and accreditation are \ninsufficient without adequate risk-management and configuration \nmanagement directives. 
The Department has identified some \nshortcomings in its approach in both areas, and I am committed \nto developing directives in these areas.\n    The Department is also committed to protecting our national \ncritical and mission-critical assets. As one of the first five \nagencies to complete the Critical Infrastructure Assurance \nOffice Project Matrix Step One, we now have a comprehensive \nlist of our most critical assets, which we used to focus our \nenhanced protection efforts.\n    In addition, I am committed to implementing a robust, \nindependent validation and verification process to provide an \nadditional objective level of assurance regarding the \ncontinuity of operations for all of Department of Energy's \nmission-critical cyber assets.\n    The Department has also initiated a renewed IT capital \nplanning process to manage the cost of acquiring and \nmaintaining IT assets. We are improving that process to ensure \nthe seamless integration of security into each system's \nlifecycle costs. Although each of these efforts is only a part \nof our cyber security program, together they are effective \ntools to protect the Department's critical information assets. \nThey will also serve as enablers for our electronic government \nefforts.\n    I am intent on making the Department a national center of \nexcellence for safeguarding classified and unclassified \ninformation on electronic systems. This will be accomplished \nthrough three objectives: strengthening the Department's cyber \nsecurity community, ensuring a Department-wide risk-based \napproach to cyber security implementation, and enhancing \nprotection of our internal cyber assets, especially our \nnationally critical and mission-critical assets.\n    As CIO, I have been given programmatic authority to provide \nmanagement oversight of the Department's cyber security program \nthrough the use of information technology capital planning and \ninvestment process. 
Our Performance Improvement Plan and \nPerformance Report Card clearly communicate the status of \nidentified issues of concern. This plan builds upon the \nfoundation provided by GISRA and fosters solution-sharing \nwithin the enterprise.\n    Our performance metric program provides us feedback on key \nelements for a healthy cyber security program. I am moving \nforward to strengthen our approach to risk and configuration \nmanagement; implement a comprehensive certification and \naccreditation process, and an independent validation and \nverification process. With these initiatives, I am confident \nthat the Department will continue to strengthen its cyber \nsecurity posture.\n    Success in this area takes continued and focused efforts \ndue to the increasing complexity of threats and the rapid \nevolution of technology. We at the Department are committed to \nmeeting this challenge.\n    Mr. Chairman, this concludes my statement, and I would be \nhappy to answer any questions.\n    [The prepared statement of Ms. Evans follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.080\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.081\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.082\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.083\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.084\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.085\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.086\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.087\n    \n    Mr. Horn. Thank you very much. We appreciate your \npresentation.\n    We are now going to go down the line for a few questions. I \nwould like all of you to give us some information on them.\n    The question basically is, are there adequate standards and \nknown best practices to implement an effective information \ntechnology security program, especially for the CIOs, as to \nwhere that source is. Is it OMB? Is it GAO, so forth?\n    Mr. Dacey.\n    Mr. Dacey. Let me answer that question at two levels. 
I \nthink we have some guidance at GAO with respect to overall \nsecurity management programs. I have included that as best \npractices from leading organizations for security management \nprograms and for risk-assessment.\n    With respect to more detailed controls, I think there isn't \nconsistent information out there. There is a lot of good \ninformation in industry, and there is a lot more being \ndeveloped. I would say that NIST, a combination of NIST and the \nNSA, through the NIAP, another organization, and some others, \nare starting to develop more detailed policies. These have been \nreceived fairly well for those who are trying to implement \nsecurity in their systems. So it is, again, at two levels: one \nat the management level and one at the detailed standards \nlevel.\n    Mr. Horn. Mr. Forman.\n    Mr. Forman. I think the focus is wrong there. I think there \nare a plethora of standards, best practices tools. I think you \nhave got to go beyond the United States and look at what the \nU.K. has done and other countries.\n    The reality that we are working in, the environment that I \nam trying to bring about here, has to operate as fast as the \nInternet. Traditional bureaucratic processes simply will not \ngive us the security we are looking for. We have--and I will \nlay out some of the elements of the puzzle--threat data \naggregation, NIPC at the FBI, FedCirc for the Federal \nGovernment, CERT at Carnegie-Mellon, the SANS Institute, the \nNational Security Agency, organizations within the Defense \nDepartment.\n    So if there is a threat on the Internet and it moves at \nInternet speed, by the time any one of these organizations \nfinds out about it and puts out an alert, you or I may hear \nabout it on WTOP coming into the office in the morning. That is \na day.\n    We are talking about, on the other hand, an annual process \nwith GISRA. 
We are moving to a quarterly process to oversee the \nmanagement by the President's Management Council for Security \nManagement. At once I feel, yea, finally, after for me 12 years \nof trying to get management attention, we've got the management \nattention; we've got a terrific set at both the policy levels \nand the technology levels of standards from NIST, from NSA, \nfrom DOD, and others. Those standards are adequate to do what \nwe need to do for the management policy, but they are \ninadequate to address some of the major issues within the \nInternet in regards to vulnerabilities.\n    We need to look at how we put in place a process, not \nstandards. If, in the end, we want fast identification of \nthreats, fast remediation of vulnerabilities, we need to make \nsure that we are providing for that infrastructure. I fear the \npath we are going on right now is identifying people who are \naccountable, identifying visible sets of metrics and are they \nfollowing them? If so, the potential exists to ignore the fact \nthis stuff is moving in hours or days, not months, quarters or \nyears.\n    In essence, this is what we are trying to bring about with \nthe Critical Infrastructure Protection Board. The process needs \nthreat data aggregation. It needs vulnerability assessment. We \nhave to make some decisions as a country about the remediation \nand deployment of remediation. In other words, is that going to \nbe industry-driven or government-driven? I fear that the type \nof structures we put in place for Y2K, from a bureaucratic \nstandpoint, won't work now.\n    So, clearly, all of that is evolving, and we are working \nthrough that. But, by the same time, there is this issue of \nenterprise security issue, and that has been the focus of \nGISRA. That has been the focus of many people at this table as \nwell as many of our staff in the back for well over a decade. 
\nThere we have made the progress.\n    I would rather see the focus being on, ``What do we need to \nbe successful at Internet time'' than, ``How do we continue \ndown this path of enterprise security management in a \nbureaucratic process?''\n    Mr. Horn. You mentioned that there were certain nations \nthat would seem to be ahead of us in some of these areas. Could \nyou give us a feeling for that?\n    Mr. Forman. I wouldn't say necessarily ahead of us in the \nsense that they have done a better job, but had some perhaps \nmore complete or some accepted standards. I think the U.K. was \none of those. I know when I was at IBM, we used the U.K. \nstandard for our security audits that we did in a number of \nindustries. Since then, of course, NIST has, I believe, widely \nrecognized, has put together a much broader set of standards \nfrom the technology level to the management level, which now \nmany of the CIOs adopted. We didn't have that 2 years ago.\n    Mr. Horn. Dr. Bement, how do you feel about what's \nhappening abroad that we might use in our own administration?\n    Dr. Bement. Well, in this area I think our current \nstandards and accepted best practices are current and will put \nus in good standing, but it's very dynamic. The technology is \nchanging rapidly. So we have to continually review these \nstandards. Also, our risk models need to be changed as we get \nnew threat information. So we have to keep on top of that.\n    But we have cross-cutting alliances with Canada, with the \nU.K., and many other countries in the work that we do.\n    Mr. Horn. How about Australia?\n    Dr. Bement. Pardon me?\n    Mr. Horn. How about Australia? Or New Zealand? I mean, \nthey've got a particularly different government.\n    Dr. Bement. I think all the members of the Coordinating \nCommittee are very closely coupled with the work that we do, \nand Australia, New Zealand, Canada, the U.K. 
would be included \nin that.\n    I feel that, apart from the standards and the best \npractices, and again we're going to come right back again to \ntraining, awareness, high-level oversight and compliance, there \nhas to be enforcement of compliance. There has to be critical \nmonitoring, and, of course, people really have to continually \nkeep on top of the changes, as Mr. Forman mentioned. I think \nthose are the critical issues.\n    Mr. Horn. Moving to another country before we finish that \npart of the question, India produces a tremendous number of \nvery talented people that relate to computing.\n    Dr. Bement. Yes, that is correct.\n    Mr. Horn. What do we know about India's Government. Many or \nmost of the people probably come to the United States. I don't \nknow if they are within the Government of India, but do you \nhave any thoughts on that?\n    Dr. Bement. I don't know that NIST has strong interactions \nwith India and I don't know that we have a number of citizens \nfrom India working at NIST. We may have some. But I am \ncertainly aware of the fact that industry looks to the talent \nand the capabilities in India and draws on that very actively. \nOf course, we also interact very much with industry. So \nindirectly we probably do have some connections.\n    Mr. Horn. Ms. Gross----\n    Dr. Bement. Oh, Mr. Chairman, may I ask a privilege?\n    Mr. Horn. Sure.\n    Dr. Bement. I have another hearing in 15 minutes, and if I \nmay, I would like to be excused.\n    Mr. Horn. Fine, and if we have a couple of questions, we \nwill send them to you, and we will put them in the record at \nthis point.\n    Dr. Bement. I would be pleased to respond to those. Thank \nyou.\n    Mr. Horn. Fine. Thank you.\n    [The information referred to follows:]\n    [GRAPHIC] [TIFF OMITTED] 82355.088\n    \n    [GRAPHIC] [TIFF OMITTED] 82355.089\n    \n    Mr. Horn. Ms. 
Gross, how do you feel about, are there \nadequate standards and known best practices to implement an \neffective information technology security program?\n    Ms. Gross. I think there are a number of standards that are \ndeveloping and, if implemented, would make our systems safer. I \nthink you have to talk about human capital. You can have all \nthe policies and all the procedures, but, ultimately, security \nis a matter of layers. It is policies; it is procedures; it is \nhaving the right people. If you don't have the right person as \nthe CIO, you don't have the right people in law enforcement. It \ndoesn't matter that you have an NIPC if the people there are \nnot technical agents or they don't have technicians that know \nwhat they are doing.\n    You can't have this vision of reacting to Internet speed \nunless you make sure that, in fact, you have the human capital \nin place. We need to start reacting with Internet speed; about \nmaking sure we have the right people in the right places. I \nthink you can get your layers of policies and procedures, but I \nam not sure we have been good about sharing best practices. You \nhave organizations like SANS to give out some and so does OMB.\n    I think this focus needs to be done. What are those best \npractices? You can't have that many ``F's'' and say that we \nhave people that know what best practices are or know what the \nright procedures are, or don't have the right people in place.\n    Mr. Horn. How about your thoughts, Mr. Gorrie?\n    Mr. Gorrie. Standards and best practices, yes, sir, there \nare standards and best practices out there, and we use them, \nbut they have to be tailored to specific environments. You just \ncan't run out willy-nilly and pull them out of the blue. 
The \nNIST guidance for evaluating systems, NASA, NIST, security \nconfiguration, guidance for operating systems, they're all \ngood, but you have to bring them in and build them into your \nown system and then evolve your own system along the way.\n    To just elaborate a little bit on what we heard about human \ncapital, the training of people and the problems we have \nassociated with that, people turning over and leaving the \nservice and things like that, that is really more symptomatic \nof a deeper problem. That is again what was alluded to before, \nwhich is the velocity of the technology.\n    In order for us to be able to track that velocity or track \nthat technology as it moves forward, you are constantly having \nto retrain people, constantly having to modify operational \ntechniques and procedures to keep up with that. However, as we \nlook at that technology as it progresses along, we find that, \nin the terms of my boss, it isn't born secure, that security \nisn't built in from the beginning. That is what needs to be \ndone, not only the technological security, the crypto-\nalgorithms, the built-in entries and detection and things of \nthat nature, but also a systemic view where you have to have \nsecurity management built into it, too. It can be a very, very \nsecure box, but if you can't put it in the system and be able \nto manage all these disparate security devices, then you're \nsort of barking up the wrong tree.\n    I think Mike Vatis, when he testified before your committee \nlast September, sort of alluded to that problem, that it is not \nnecessarily the training of the people; it is not necessarily \nthe operational techniques that you employ, is looking ahead to \nwhere technology is going and to try to track it. Now that is \nonly part of the problem. 
You can track technology and try to \nbuild in security later, but the better part would be to \nengineer in security at the front, and not only the security \ntechnology, but to enable it to be managed effectively.\n    Because today we have applications that are point-click, \nand before you used to have to sit down forever and a day to \nprogram these things out. What we need is security and security \nmanagement that is also point and click, which would remediate \nsome of our training problems, would remediate some of our \noperational problems, and go a long way to making this big bear \nof information security a little bit easier to tame.\n    Mr. Horn. Two weeks ago I was talking about various things \nwith members of the NATO Assembly. Of course, you have a lot of \nproblems in terms of the various countries in the Eastern part \nof Europe. I wonder, is the CIO role of Mr. Stenbit, do they \nrelate to NATO and different things, where we do a lot of \ncomputing?\n    Mr. Gorrie. Yes, sir. As a matter of fact, one of the \nreasons I am here today, and not my boss, is that he is in \nfirst--not China, somewhere in the Far East, and then going \ndown to Australia and New Zealand. But there is a very large \ninternational play in the ASDC3I and in the CIO, too.\n    One, interface with the five I's, which are the five \nEnglish-speaking nations, the United States, the U.K., Canada, \nNew Zealand, and Australia. But then even further than that, in \nthrough all the NATO subcommittees that we sit on, and then the \nPartnership for Peace People, and all the other people that it \nis expanding to, and then actually to even third-party \ncountries to make sure that, when we need to go somewhere, that \nwe have not only infrastructure support, but infrastructure \nsupport that has high availability, security, and some \nconfidence that there isn't anybody prowling around in that \ninfrastructure.\n    Mr. Horn. 
On Y2K, and now on this, where computing is a \nmajor factor, it comes up under Department of Defense, and they \ndidn't do too well overall. When they have a lot of other \nthings there besides the services. My instinct was that the Air \nForce was way ahead of the father, namely, the DOD, and we \nwould have been giving them an ``A'' and still giving a ``D'' \nto the other groups, like Logistics and Procurement.\n    I just wonder, is there a way to get the pressure so that \nthe services that are doing well with CIOs--and maybe my \ninstinct is wrong; you're on top of it, but I just think \nsometimes we ought to put the ``A's'' there if they are doing \n``A'' work.\n    Mr. Gorrie. I don't know if I can address that, sir. I \nmean, I work with not necessarily the CIOs, but their IA \nunderlings. I don't know if I am qualified to answer that \nquestion.\n    Mr. Horn. Well, if you could get me an answer, I would like \nto know that----\n    Mr. Gorrie. Yes, sir, I will.\n    Mr. Horn [continuing]. Because we ought to see the \nbreakdown by the services and make sure that they are moving \nalong on a path, and they aren't just off in a corner.\n    Mr. Gorrie. From that particular perspective, sir, at least \nas far as IA goes, and that is my area of responsibility, so \nthe only thing that I can talk to, you have each of the \nservices--at least about 3 years ago, when I was on the Joint \nStaff, there were certain services that excelled in particular \nareas. For instance, the Air Force was far ahead of the Navy \nand the Army in terms of its ability to do intrusion detection, \nconsolidated intrusion detection, across the enterprise. Such \nis not the case now. 
They have pretty much become even-keeled, \nbecause of the sharing of best practices and being able to go \nin and audit the capabilities for the individual services to do \nthose things and then to apply resources for those services and \nactually prod them along to come about a little bit better.\n    Things like information assurance vulnerability alerts, \nwhere we find out that there is a particular vulnerability in a \npiece of equipment or piece of software, those things are \nstarting to become enterprise-wide endeavors, and not strictly \nlimited to the services. The services have realized that in \norder to be successful in this world, that they have to \nexercise enterprise-wide solutions and not just limit them \nstrictly to services, because they are all vulnerable. They all \nride the basic backbone network. They all, both security and \nnon-secure, know that if they are going to succeed, that they \nhave to cooperate, and by and large they are cooperating.\n    So from that perspective, the IA perspective, I do not see \na great disparity in the capability of either the Air Force, \nthe Army, or the Navy, or, as a matter of fact, across any of \nthe agencies. We have endeavored, like I said before, to try to \nenforce enterprise-wide solutions rather than stovepipe \nsolutions within the services.\n    Mr. Horn. If you would, just for the record, on IA, could \nyou spell it out?\n    Mr. Gorrie. Information Assurance. I'm sorry, sir.\n    Mr. Horn. OK, and that's your office basically?\n    Mr. Gorrie. The Defense-wide Information Assurance Program \nOffice, yes, sir.\n    Mr. Horn. Yes. Is that the way most of the agencies have----\n    Mr. Gorrie. Federal agencies or?\n    Mr. Horn. Yes, Federal.\n    Mr. Gorrie. I don't know that. 
The DIAP, or Defense-wide \nInformation Assurance Program Office, was mandated in \nlegislation, and I can't think off-the-top-of-my-head what that \nwas, but it was in 1998, where the Secretary was told, ``You \nwill have a defense-wide information assurance program,'' and a \nyear after that's when the office that I belong to was formed. \nNow whether or not that is as pervasive across all of the other \nFederal agencies, I can't speak to that, sir.\n    Mr. Horn. OK, thank you. That was Secretary Cohen that put \nthat mandate in.\n    Mr. Gorrie. Yes, sir.\n    Mr. Horn. Yes, well, he was very knowledgeable in that \narea, as a Member of the Senate.\n    Ms. Evans, any thoughts on best practices? Because you have \nput a lot of emphasis on it.\n    Ms. Evans. Yes, I did. It is my opinion that we do have \nadequate standards and that there are best practices available \ntoday for a good security program. In many cases a lot of the \nbest practices are obtained currently from our National \nLaboratories, and they are being used by other Federal \ndepartments and agencies.\n    The Department itself does use the NIST standards best \npractices for our own classified systems, and we use the \nCommittee on the National Security Systems for best practices \nfor our classified systems. But I believe to have an effective \nsecurity program, it is a discipline that needs to be practiced \nevery day, and it has to be incorporated into the daily \noperations.\n    So a lot of the comments that have been made by my esteemed \ncolleagues here I support all the way down the line, in that as \na CIO I need to incorporate that for the Department as a whole, \nso that it is practiced on a daily basis, so that we can effect \nremediation in Internet time, when a vulnerability is \nidentified.\n    Mr. Horn. Well, thank you. That is very helpful.\n    Let me ask just a few more questions, and then we will call \nit a day.\n    Ms. Gross----\n    Ms. Gross. Yes?\n    Mr. 
Horn [continuing]. You've got a very active record, \nthrough the President's Council on Integrity and Efficiency, in \nhelping both the agencies and Inspectors General implement \nthe--excuse us. [Bells are ringing.] How many minutes? Ten? It \nis 9 minutes to go.\n    You can see you are about to be released by the votes. This \nwould be a great place if it wasn't for all the votes, you \nknow. [Laughter.]\n    You have given us some very good testimony. So, Ms. Gross, \nhelping both the agencies and the Inspectors General implement \nthe government information security reform provisions, I was \njust interested; you have been active in this. You have helped \nin that. What challenges do you see for Inspectors General \nexpanding their annual evaluations to encompass all agency \nsystems?\n    Ms. Gross. I think the challenges for the Inspectors \nGeneral are to make sure that there is implementation with \nagreed-upon recommendations, but I think a wider perspective \nthan just the narrow, let's do the next GISRA report, which is \nvery time-consuming and very resource-intensive, is to make \nsure that they are focusing on issues governmentwide. I think \nthat it is very important that the individual Inspectors \nGeneral go back into the PCIE, which is the IGs' group, and \nlook to see both best practices and also look to see about how \ncan they help. Since the President is going to have an \ninitiative with e-government, IGs need to make sure that \ninformation will be available, that it will be secure, and that \nit will have integrity. Unless the IGs move out governmentwide \nand look past their own agencies, I think we are going to have \na problem. So that would have been my thrust.\n    Mr. Horn. Well, thank you.\n    Mr. Forman, has your office considered imposing mandatory \nsecurity standards and requirements on Federal agencies?\n    Mr. Forman. Requirements we have; we will continue to do \nthat, and we will tighten that up. 
Standards we rely on NIST, \nunder the Computer Security Act for Federal information \nprocessing standards.\n    There is another area where some people would call them \nstandards, but they are architecture elements that are agreed \nupon. They are not technology standards at the NIST or FIPS \nlevel. For that, we have orchestrated--and I have actually done \nsome changes in my role as directing the CIO Council. We have \nthe Architecture Committee, which focuses on this. Lee Holcomb, \nthe CIO at NASA, chairs it. John Gilligan, who had been \nchairing or co-chair of the Security Committee is now co-chair \nof the Architecture Committee. It is through that I believe we \ncan be most successful.\n    There is a final element, which is, how do we get patches \nout rapidly when major threats are identified? That is an area \nwhere we need to rapidly get in touch with at least 40,000 \npeople. So I am making increasing use of FedCirc for that.\n    Mr. Horn. Well, I want to thank the following people that \nprepared this hearing: J. Russell George, staff director and \nchief counsel, standing-up back there; and Bonnie Heald, deputy \nstaff director; Claire Buckles, on my left, a very fine \nprofessional staff member on loan to us. And thank you.\n    Earl Pierce, professional staff, isn't here today, and then \nJustin Paulhamus, majority clerk, is with us doing a great job. \nHe just came in with us. And Michael Sazonov, subcommittee \nintern, and our court reporter, Joan Trumps. Thank you very \nmuch, and thanks to all of you.\n    If we might, I think we will send you a few questions, and \nput them at this point in the record.\n    So, unfortunately, I have got to get over there and vote. 
\nWe are adjourned.\n    [Whereupon, at 12:01 p.m., the subcommittee was adjourned, \nto reconvene at the call of the Chair.]\n    [Additional information submitted for the hearing record \nfollows:]\n[GRAPHIC] [TIFF OMITTED] 82355.090\n\n[GRAPHIC] [TIFF OMITTED] 82355.091\n\n[GRAPHIC] [TIFF OMITTED] 82355.092\n\n[GRAPHIC] [TIFF OMITTED] 82355.093\n\n[GRAPHIC] [TIFF OMITTED] 82355.094\n\n[GRAPHIC] [TIFF OMITTED] 82355.095\n\n[GRAPHIC] [TIFF OMITTED] 82355.096\n\n[GRAPHIC] [TIFF OMITTED] 82355.097\n\n[GRAPHIC] [TIFF OMITTED] 82355.098\n\n[GRAPHIC] [TIFF OMITTED] 82355.099\n\n[GRAPHIC] [TIFF OMITTED] 82355.100\n\n[GRAPHIC] [TIFF OMITTED] 82355.101\n\n[GRAPHIC] [TIFF OMITTED] 82355.102\n\n[GRAPHIC] [TIFF OMITTED] 82355.103\n\n[GRAPHIC] [TIFF OMITTED] 82355.104\n\n[GRAPHIC] [TIFF OMITTED] 82355.105\n\n[GRAPHIC] [TIFF OMITTED] 82355.106\n\n[GRAPHIC] [TIFF OMITTED] 82355.107\n\n[GRAPHIC] [TIFF OMITTED] 82355.108\n\n[GRAPHIC] [TIFF OMITTED] 82355.109\n\n[GRAPHIC] [TIFF OMITTED] 82355.110\n\n[GRAPHIC] [TIFF OMITTED] 82355.111\n\n[GRAPHIC] [TIFF OMITTED] 82355.112\n\n[GRAPHIC] [TIFF OMITTED] 82355.113\n\n[GRAPHIC] [TIFF OMITTED] 82355.114\n\n[GRAPHIC] [TIFF OMITTED] 82355.115\n\n</pre></body></html>\n"