[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]


For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001
 
85-840 PDF

                                 ______

2003


 
    COORDINATED INFORMATION SHARING AND HOMELAND SECURITY TECHNOLOGY

=======================================================================

                                HEARING

                               before the

           SUBCOMMITTEE ON TECHNOLOGY AND PROCUREMENT POLICY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              JUNE 7, 2002

                               __________

                           Serial No. 107-182

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform
                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
JOHN SULLIVAN, Oklahoma                  (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

           Subcommittee on Technology and Procurement Policy

                  THOMAS M. DAVIS, Virginia, Chairman
JO ANN DAVIS, Virginia               JIM TURNER, Texas
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
DOUG OSE, California                 PATSY T. MINK, Hawaii
EDWARD L. SCHROCK, Virginia

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
                    Melissa Wojciak, Staff Director
              Victoria Proctor, Professional Staff Member
                           Teddy Kidd, Clerk
          Mark Stephenson, Minority Professional Staff Member
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 7, 2002.....................................     1
Statement of:
    Harman, Hon. Jane, a Representative in Congress from the 
      State of California........................................    85
    Sugar, Ronald D., Ph.D., president and chief operating 
      officer, Northrop Grumman Corp.; Leonard Pomata, president, 
      Federal Group, webMethods, Inc.; S. Daniel Johnson, 
      executive vice president, public services, KPMG Consulting, 
      Inc.; and Kevin J. Fitzgerald, senior vice president, 
      government, education & healthcare, Oracle Corp............   100
    Yim, Randall, Managing Director, National Preparedness Team, 
      General Accounting Office; Mark Forman, Associate Director, 
      Information Technology and E-Government, Office of 
      Management and Budget; Robert J. Jordan, Director, 
      Information Sharing Task Force, Federal Bureau of 
      Investigation; George H. Bohlinger III, Executive Associate 
      Commissioner for Management, Immigration and Naturalization 
      Service; and William F. Raub, Ph.D., Deputy Director, 
      Office of Public Health Preparedness, Department of Health 
      and Human Services.........................................    11
Letters, statements, etc., submitted for the record by:
    Bohlinger, George H., III, Executive Associate Commissioner 
      for Management, Immigration and Naturalization Service, 
      prepared statement of......................................    51
    Davis, Hon. Thomas M., a Representative in Congress from the 
      State of Virginia:
        Briefing memo............................................   135
        Prepared statement of....................................     4
    Fitzgerald, Kevin J., senior vice president, government, 
      education & healthcare, Oracle Corp., prepared statement of   109
    Forman, Mark, Associate Director, Information Technology and 
      E-Government, Office of Management and Budget, prepared 
      statement of...............................................    41
    Harman, Hon. Jane, a Representative in Congress from the 
      State of California, prepared statement of.................    88
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     8
    Johnson, S. Daniel, executive vice president, public 
      services, KPMG Consulting, Inc., prepared statement of.....   115
    Jordan, Robert J., Director, Information Sharing Task Force, 
      Federal Bureau of Investigation, prepared statement of.....    75
    Pomata, Leonard, president, Federal Group, webMethods, Inc., 
      prepared statement of......................................   124
    Raub, William F., Ph.D., Deputy Director, Office of Public 
      Health Preparedness, Department of Health and Human 
      Services, prepared statement of............................    61
    Sugar, Ronald D., Ph.D., president and chief operating 
      officer, Northrop Grumman Corp., prepared statement of.....   103
    Yim, Randall, Managing Director, National Preparedness Team, 
      General Accounting Office, prepared statement of...........    14

 
    COORDINATED INFORMATION SHARING AND HOMELAND SECURITY TECHNOLOGY

                              ----------                              


                          FRIDAY, JUNE 7, 2002

                  House of Representatives,
 Subcommittee on Technology and Procurement Policy,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Thomas M. Davis 
(chairman of the subcommittee) presiding.
    Present: Representatives Tom Davis of Virginia, Jo Ann 
Davis of Virginia, Horn and Turner.
    Also present: Representative Harman.
    Staff present: Melissa Wojciak, staff director; George 
Rogers, Uyen Dinh, and John Brosnan, counsels; Victoria 
Proctor, professional staff member; Teddy Kidd, clerk; Todd 
Greenwood and Nick Vaughan, interns; Mark Stephenson, minority 
professional staff member; and Jean Gosa, minority assistant 
clerk.
    Mr. Tom Davis of Virginia. We have Members moving to take 
their seats. We're going to start with Members' statements.
    Good morning. I want to welcome everybody to today's 
oversight hearing. After September 11th, there's been a sea 
change in the mission of government. The first priority of the 
Nation has become homeland security. To win this fight, the 
government must be able to detect and respond to terrorist 
activity. We also must be ready to manage the crisis and 
consequences of future attacks, to treat casualties, and to 
protect the functioning of critical infrastructures. Thus, 
defending America in the new war against terrorism will require 
every level of government to work together with citizens and 
the private sector.
    More than ever our success is dependent upon collecting, 
analyzing and appropriately sharing information that exists in 
data bases, transactions and other data points. Effective use 
of accurate information from divergent sources is critical to 
our success in this fight. Indeed as the President said last 
night in his speech to the Nation, ``Information must be fully 
shared so we can follow every lead to find the one that may 
prevent a tragedy.''
    The President spoke with vision about our Nation's titanic 
struggle against terrorism and the triumph of freedom over 
fear. I applaud his leadership in asking the Congress to create 
a Department of Homeland Security. I'll be working with our 
colleagues to enact legislation to meet his call. I believe the 
proposed Department of Homeland Security will greatly assist 
information sharing by reorganizing the government along the 
more rational strategic lines that will more efficiently pursue 
homeland security. The new Department will be a customer of the 
FBI and the CIA and will be able to analyze, diffuse and 
disseminate information to Federal, State and local agencies, 
the private sector and citizens.
    However, integration of the information systems and 
practices of the agencies to be consolidated into the new 
Department will be a prime concern, as will the new 
information-sharing relationships that will evolve between the 
Department of Homeland Security, the FBI, the CIA and other 
agencies.
    I'm also heartened to see that the plan for the new 
Department of Homeland Security includes flexible acquisition 
policies to encourage innovation and rapid development of 
critical technologies. This concept is at the core of H.R. 
3832, the Services Acquisition Reform Act that I recently 
introduced. I look forward to discussions with the 
administration to further redefine the legislation and move 
forward the new Department.
    Today's hearing continues the subcommittee's oversight of 
the barriers to robust information sharing, both within and 
between agencies. In February of this year, we reviewed some of 
the management initiatives and technology acquisitions needed 
to ensure that stovepipes of knowledge and a lack of 
coordination between agencies would not compromise homeland 
security. While new funding for procurement of products and 
services is certainly needed if the government is going to 
effectively modernize, share information and win the war 
against terrorism, we should also continually measure the 
results of the government's efforts. When it comes to the war 
on terrorism, Americans are not asking for more spending; they 
are asking for more spending that works.
    Unfortunately, as witnessed in the February hearing 
revealed, there has not been an organized, cohesive and 
comprehensive process within the government to evaluate private 
sector solutions to the problems of information sharing and 
homeland security. Many technology firms with expertise to 
address homeland security matters have indicated that they are 
having a hard time getting a real audience for their products.
    Addressing the acquisition challenges to achieve homeland 
security must be a priority so that we can begin to leverage 
America's competitive advantage in IT innovation for the 
benefit of all Americans. After the February hearing we 
introduced legislation to facilitate private sector innovation 
by establishing an interagency team of subject matter experts 
to issue major announcements seeking unique and innovative 
anti-terror solutions. These experts would also screen and 
evaluate innovative proposals for industry and send them to the 
proper Federal agencies for action. This legislation would also 
launch a program offering monetary awards to companies with the 
best and most cutting-edge terror-fighting solutions. In 
addition, it would establish an acquisition pilot program to 
encourage agency professionals to creatively use streamlined 
authorities and waivers to buy commercial, off-the-shelf 
solutions with immediate impact on homeland security.
    In this hearing I look forward to hearing from the agencies 
and leading companies represented for their insights into how 
programmatic changes, management initiatives and technology 
acquisitions can contribute to the better sharing of 
information and the achievement of the homeland security 
mission.
    [The prepared statement of Hon. Thomas M. Davis follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.001
    
    [GRAPHIC] [TIFF OMITTED] T5840.002
    
    Mr. Tom Davis of Virginia. I now yield to my ranking 
member, Mr. Turner from Texas, for his opening statement.
    Mr. Turner. Thank you, Mr. Chairman. I appreciate the good 
timing of the hearing that you called this morning, and I join 
with you in commending the President on his initiative to 
create a new Cabinet-level position for homeland security. As 
you know, there has been legislation pending in the Congress 
which I have supported to accomplish that, and I think that the 
President's initiative will be well received, and I look 
forward to the work that our committee will have the 
opportunity to do in refining that proposal.
    We all know that the attacks of September 11th have created 
the greatest challenge our Nation has faced in its history, and 
the sophistication and fanaticism of al Qaeda and similar 
organizations no doubt represent a challenge that all of us 
must work together to address.
    I appreciate all of our government agency witnesses here 
today, as well as the private sector witnesses who have come. 
One of the common complaints that I've heard from the private 
sector business folks during the last few months is that they 
go to the Office of Homeland Security, and they present their 
ideas and offer up various proposals, and yet they never hear 
anything, and obviously part of that problem exists because of 
the lack of authority in the Office of Homeland Security. The 
President's reorganization effort will, I think, resolve that, 
and we will be on our way toward utilizing the best that the 
private sector has to offer in the war on terrorism.
    I think the American people have been quite tolerant and 
forgiving of the intelligence failures that led to the tragic 
events of September 11th, but I have no doubt that we will be 
all held accountable in the event of another similar event. And 
so it is up to us to put our shoulder to the wheel, both in the 
government sector, as well as to bring in the best assistance 
we can find from the business community to be vigilant, 
prepared and to address the threats that we face.
    Responding to the challenge requires, I think, new 
thinking, thinking out of the box, new methods, new 
technologies. All of this can be provided if we build a good, 
strong working relationship with the powerful forces of the 
private sector in this country, and I look forward to working 
with the chairman to accomplish that. And, again, I thank our 
witnesses for being here today.
    Thank you, Mr. Chairman.
    Mr. Tom Davis of Virginia. Thank you, Mr. Turner.
    Mrs. Davis, any statement?
    Mr. Horn.
    The gentleman from California is recognized.
    Mr. Horn. Thank you, Mr. Chairman.
    This is a very important hearing. My Subcommittee on 
Government Efficiency, Financial Management and 
Intergovernmental Relations has been holding a series of field 
hearings on how effectively the Federal Government is helping 
State and local agencies prepare for another terrorist attack. 
We started in Nashville, and we've done a few more: Phoenix, 
Albuquerque, Los Angeles, San Francisco. Witnesses from local 
agencies in each of these cities have said that intelligence 
sharing and their ability to communicate with other local and 
Federal agencies are among the very leading concerns. These are 
the men and women who will be on the front lines should another 
attack occur.
    We must do everything possible to ensure that they're 
equipped with the best information possible so that they can 
effectively and efficiently protect and serve the American 
people, and I would like to, Mr. Chairman, put in the record a 
letter that Mr. Shays and myself sent to Mr. Sensenbrenner, the 
chairman of the Committee on the Judiciary, with the bill we 
put in, H.R. 3483, the Intergovernmental Law Enforcement 
Information Sharing Act of 2001. Mr. Burton is very supportive 
of this, and Mr. Shays and myself, Ms. Schakowsky, Mrs. 
Maloney, so forth, and if I might put that in and----
    Mr. Tom Davis of Virginia. Without objection, it will be 
put in the record.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.003
    
    [GRAPHIC] [TIFF OMITTED] T5840.004
    
    [GRAPHIC] [TIFF OMITTED] T5840.005
    
    Mr. Horn. Because whatever you'd like to put on language, 
we don't have a big ego about this, we just want to get the job 
done.
    Mr. Tom Davis of Virginia. Well, thank you very much, Mr. 
Horn.
    The subcommittee is now going to hear testimony from our 
first panel. We have Mr. Randall Yim, the Managing Director of 
the National Preparedness Team at GAO; Mr. Mark Forman, a 
frequent contributor to this subcommittee's work, the Associate 
Director of Information Technology and E-government at OMB; 
George Bohlinger, the Executive Associate Commissioner for 
Management at INS; Dr. William Raub, the Deputy Director, 
Office of Public Health Preparedness at HHS; and Mr. Robert 
Jordan, the Director of the Information Sharing Task Force at 
the FBI. I appreciate everyone being here.
    It's the policy of this subcommittee that all witnesses be 
sworn, so if you would stand with me and raise your right 
hands.
    [Witnesses sworn.]
    Mr. Tom Davis of Virginia. Thank you very much.
    Mr. Yim, why don't we start with you and move straight down 
the line. Your total testimony is going to be--is a part of the 
record, so it's in the record. What I'd like you to do is try 
to use 5 minutes to hit your key points. There's a light in 
front of you. When it turns orange, you have a minute to try to 
hit your 5 minutes and try to keep it moving along. Most of the 
Members have read the total testimony, so our questions are 
kind of ready, but we'd like you to hold it to 5 minutes.
    Mr. Yim, thank you for being with us.

    STATEMENTS OF RANDALL YIM, MANAGING DIRECTOR, NATIONAL 
  PREPAREDNESS TEAM, GENERAL ACCOUNTING OFFICE; MARK FORMAN, 
 ASSOCIATE DIRECTOR, INFORMATION TECHNOLOGY AND E-GOVERNMENT, 
 OFFICE OF MANAGEMENT AND BUDGET; ROBERT J. JORDAN, DIRECTOR, 
       INFORMATION SHARING TASK FORCE, FEDERAL BUREAU OF 
  INVESTIGATION; GEORGE H. BOHLINGER III, EXECUTIVE ASSOCIATE 
  COMMISSIONER FOR MANAGEMENT, IMMIGRATION AND NATURALIZATION 
SERVICE; AND WILLIAM F. RAUB, Ph.D., DEPUTY DIRECTOR, OFFICE OF 
  PUBLIC HEALTH PREPAREDNESS, DEPARTMENT OF HEALTH AND HUMAN 
                            SERVICES

    Mr. Yim. Thank you very much, Mr. Chairman and members of 
this committee. Thank you for inviting me to share information 
with you about the critical need for information sharing, and 
integration of new and existing technologies, and to an 
effective strategy for homeland security.
    Although there are many players in this complex arena of 
homeland security, we all share the same goal, to make our 
great Nation more secure against terrorists and to prevent 
tragedies such as September 11th from ever occurring again. 
This will be a formidable task, since it will be very difficult 
to stop an enemy that is fluid, less structured and 
deliberately tries to blend into the background with our 
Federal, State and local governmental institutions that are 
more highly structured and less agile, making it all the more 
important that our governments adopt the innovative and 
creative tools of government that are flexible and have 
adaptable characteristics.
    We could never be 100 percent secure or 100 percent 
prepared, but we can be better prepared. Everyone cannot do 
everything, and everyone cannot and should not do the same 
things. Instead we must augment, foster, develop and maintain 
what particular governments do best, what the private sector 
and local communities do best and integrate these efforts 
through our national strategy.
    To fashion such a strategy, we'll need to identify those 
key enablers to the creation and implementation of the 
strategy. Clearly better information sharing and IT 
architectures are one of the most critical enablers, and 
expanding and adapting our sizable advantages in technology and 
research and development, using our positive asymmetries 
effectively against the asymmetric threats posed by terrorists 
will be a key enabler. We must overcome roadblocks that have 
been identified, such as protection of proprietary and 
sensitive information, including information that may adversely 
affect business value and financing, legal barriers such as 
antitrust and liability concerns, jurisdictional and turf 
issues such as those being highlighted in the current 
exploration of stovepiping in intelligence and law enforcement 
communities, and format and architecture mismatches to prevent 
sharing and interconnectivety even when people want to share.
    And we will need to identify an investment strategy that 
maximizes the use of our finite human and fiscal capital 
resources so our strategy is both affordable and sustainable, 
and we need to begin now since our threats are now. This means 
we cannot, unfortunately, wait to and only design new 
architectures from scratch, but we must assess what we 
currently have; assess what others have done and what they are 
doing when facing problems that share characteristics with our 
fight against terrorism; determine how we can adapt and refine 
existing or analogous mechanisms; and also consider good old-
fashioned low-tech and common-sense solutions and solutions 
that rely on the smarts of our citizens and government leaders. 
And finally, we have to acknowledge that any national strategy 
lacking measurable objectives, measurable performance 
indicators and accountability mechanisms will not be 
sustainable.
    There is no doubt that there is more than one way to 
accomplish these goals. The GAO has focused upon the factors 
relevant to the decisionmaking process and some of the emerging 
and best practices that may be adaptable to the homeland 
security mission. It is important not only to do things right, 
but also to do the right things. This means we have to get the 
right information to the right people at the right times, and 
we also have to do the right things with that information. So 
we will need an integrating strategy that makes sense of the 
information that separates the relevant few from the general 
noise, that helps us to find the relevant needles in the 
haystack that spur us to take further action to prevent, 
interdict and respond to terrorists; and we have to do this in 
ways that are already familiar to State and local and private 
sector first responders so that we don't start from scratch, 
and consider adaptive use of programs that are already 
integrated into State and local and private sector response 
mechanisms, that complement rather than become additional 
burdens, because we all know that we are asking these people to 
undertake significant homeland security tasks in addition to 
their other duties and responsibilities, all with finite human 
and fiscal resources.
    Some good examples of effective use of information in new 
technologies exist, and more are beginning to emerge. We've 
illustrated some of these for you in the one-page handout that 
we've distributed for you today. For example, computer 
intrusion detection systems constantly try to monitor 
deviations from, ``normal background,'' to detect potential 
threats.
    The same know-how can be applied to airline data bases, 
energy supply and infrastructure monitoring systems, cargo 
container tracking or manifest systems, all to try to detect 
anomalies from a, ``background that may be an indicator to spur 
further action.''
    Increasing use of digitized information, the power of 
digitization, integrating satellite-derived digital imagery 
with digitized maps of critical infrastructure and computer 
modeling to provide gaming simulations to guide preparedness or 
predict attacks or identify vulnerabilities. These models could 
even help us determine what types of data needs to be collected 
now, not only once, but consistently over time, to develop 
trends that would help us establish a background, and models 
could also be used to perhaps assign responsibilities to 
different jurisdictions or Federal agencies for detection and 
prevention.
    We will need not only, thus, to rely on new technologies, 
such as advancements in biometrics and devices to detect 
biological and radioactive agents in hidden locations, such as 
within cargo containers, but also adaptive use of existing 
technologies as well as common-sense and low-tech approaches. 
Above all, we will need to foster and augment and stimulate 
creative tools of government, combinations of high and low tech 
in ways we might not have imagined. Who would have thought that 
one of our most effective weapons in Afghanistan would have 
been 21st-century airplanes and smart weaponry guided to their 
targets by the cavalry on horseback?
    Mr. Chairman, this concludes my statement, and GAO is 
pleased to assist in whatever way we can.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Yim follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.006
    
    [GRAPHIC] [TIFF OMITTED] T5840.007
    
    [GRAPHIC] [TIFF OMITTED] T5840.008
    
    [GRAPHIC] [TIFF OMITTED] T5840.009
    
    [GRAPHIC] [TIFF OMITTED] T5840.010
    
    [GRAPHIC] [TIFF OMITTED] T5840.011
    
    [GRAPHIC] [TIFF OMITTED] T5840.012
    
    [GRAPHIC] [TIFF OMITTED] T5840.013
    
    [GRAPHIC] [TIFF OMITTED] T5840.014
    
    [GRAPHIC] [TIFF OMITTED] T5840.015
    
    [GRAPHIC] [TIFF OMITTED] T5840.016
    
    [GRAPHIC] [TIFF OMITTED] T5840.017
    
    [GRAPHIC] [TIFF OMITTED] T5840.018
    
    [GRAPHIC] [TIFF OMITTED] T5840.019
    
    [GRAPHIC] [TIFF OMITTED] T5840.020
    
    [GRAPHIC] [TIFF OMITTED] T5840.021
    
    [GRAPHIC] [TIFF OMITTED] T5840.022
    
    [GRAPHIC] [TIFF OMITTED] T5840.023
    
    [GRAPHIC] [TIFF OMITTED] T5840.024
    
    [GRAPHIC] [TIFF OMITTED] T5840.025
    
    [GRAPHIC] [TIFF OMITTED] T5840.026
    
    [GRAPHIC] [TIFF OMITTED] T5840.027
    
    [GRAPHIC] [TIFF OMITTED] T5840.028
    
    [GRAPHIC] [TIFF OMITTED] T5840.029
    
    [GRAPHIC] [TIFF OMITTED] T5840.030
    
    Mr. Davis of Virginia. Mr. Forman, thanks for being here.
    Mr. Forman. Good morning, Mr. Chairman, Congressman Turner 
and members of the subcommittee. I thank you for your 
leadership in holding hearings on information sharing and 
knowledge management issues for Federal agencies in the wake of 
the terrorism attacks. The President's announcement last night 
demonstrates that the administration considers homeland 
security to be a top priority. The enterprise architecture and 
e-government initiatives I'll discuss today will assist in 
accomplishing this mission.
    As you know, many Federal agencies are engaged in homeland 
security efforts that will require sharing information. 
Associated with that are many IT projects that are overlapping 
or redundant, when we need them to be integrated and unified. 
For example, there are eight law enforcement case management 
systems among our largest IT investments. To ensure investments 
improve operational performance across agencies, the President 
proposed in the fiscal year 2003 budget request the creation of 
an information integration program office known in the budget 
as the Homeland Security Information Technology and Evaluation 
Program within the Department of Commerce's Critical 
Infrastructure Assurance Office.
    I'll discuss five key barriers that need to be addressed 
for finding, tracking and responding to terrorist threats. 
Creating the Information Integration Program Office is critical 
to overcoming these barriers.
    The first impediment concerns agency culture. Agency 
cultures reflect long-standing roles and responsibilities. 
Homeland security activities affect roles and responsibilities 
that cut across jurisdictions of Federal, State and local 
government organizations. Barriers associated with insular 
agency cultures will be overcome by providing a sustained 
level, high level of leadership and commitment, establishing an 
interagency government structure and giving priority to cross-
agency work.
    Second, citizens must trust the security and privacy of the 
government. Achieving a secure homeland must be accomplished in 
a manner that builds trust, preserves liberty and strengthens 
our economy. Agencies are currently building strong controls 
into both e-government and homeland security systems. OMB will 
monitor agency security and privacy performance, as I've noted 
in previous statements before this subcommittee.
    Third, a major obstacle is a lack of funding for 
initiatives that cross agency boundaries. Funding is provided 
in a manner that matches long-standing departmental silos. We 
are seeing this issue as we've tried to obtain funding for 
cross-agency e-government initiatives and the Information 
Integration Program Office. We have recommended approaches such 
as greater Appropriations Committee attention to cross-agency 
issues.
    A fourth difficulty is stakeholder resistance. The Federal 
Government is not structured for undertaking cross-agency 
initiatives. These initiatives threaten traditional concepts of 
accountability and responsibility. Stakeholder resistance will 
be minimized by timing performance evaluations to cross-agency 
success and having members of the President's Management 
Council work collectively on initiatives. The Information 
Integration Program Office will also assist in this regard.
    Fifth and finally, the lack of a Federal enterprise 
architecture hampers efforts to communicate across business 
lines. Agencies generally buy systems that address internal 
needs, and rarely are those systems able to interoperate or 
communicate with people in other agencies. A common integrated 
business and technology architecture will help to organize 
these systems and the information they contain in order to 
retrieve, analyze and act upon information.
    The Federal Government requires business processes that 
allow for a comprehensive approach to prepare for, mitigate and 
respond to terrorist activities. It's critical to have the 
Information Integration Program Office design interagency 
business and information architectures that will support this 
interagency access to information.
    OMB and the Office of Homeland Security are currently 
defining a baseline of homeland security-related activities 
that serve as components in the Federal business reference 
model. The baseline lists those problems, constraints and gaps 
within the government's information and data base and 
recommends actions to address those gaps; additionally will 
identify modular and reusable IT capabilities and ways to 
configure it to support key homeland functions and the lines of 
business.
    As noted in the President's budget, e-government projects 
have significant impact on homeland security efforts, and today 
I'd like to discuss three of those projects.
    Project SAFECOM will identify and implement solutions that 
enable interoperability for public safety communication across 
all levels of government. Additionally, the administration's 
Geospatial One-Stop will build a distributed infrastructure 
that enables use of seamless, standardized geographic and 
geospatial data. Third, the administration's disaster 
management e-government initiative will be the authoritative 
one-stop shop for end-to-end information and services related 
to Federal disaster management activities.
    Improving our interoperability with State and local 
partners is a key piece of the President's management agenda 
for e-government and for homeland security.
    In conclusion, the administration is focused on 
identifying, locating and establishing mechanisms to share 
across government the information required to protect the 
Nation's border and to prepare for, mitigate and respond to 
terrorist activities. The President's budget noted that we need 
to focus these efforts on two measures of success: First, 
accelerating response time, and second, improving 
decisionmaking quality.
    I appreciate the opportunity to brief you today on how we 
are integrating the work and results of homeland security 
enterprise architecture and e-government initiatives.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Forman follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.031
    
    [GRAPHIC] [TIFF OMITTED] T5840.032
    
    [GRAPHIC] [TIFF OMITTED] T5840.033
    
    [GRAPHIC] [TIFF OMITTED] T5840.034
    
    [GRAPHIC] [TIFF OMITTED] T5840.035
    
    [GRAPHIC] [TIFF OMITTED] T5840.036
    
    [GRAPHIC] [TIFF OMITTED] T5840.037
    
    [GRAPHIC] [TIFF OMITTED] T5840.038
    
    Mr. Tom Davis of Virginia. Mr. Bohlinger.
    Mr. Bohlinger. Morning, Mr. Chairman and members of the 
committee. I appreciate the opportunity to participate in your 
continuing review of information sharing and knowledge 
management between and among Federal agencies in the war 
against terrorism.
    Since September 11th, we at the Immigration and 
Naturalization Service have seen the unprecedented sharing of 
data and knowledge among Federal agencies. Under the direction 
and leadership of the Attorney General, all components of the 
Department of Justice have stepped up efforts to coordinate 
information and improve data sharing in the common effort to 
prevent terrorism and disrupt its sources.
    The INS is clearly one of the core agencies that requires 
enhanced information-sharing capabilities. Just as we need to 
tap into additional external sources of data to support our 
enforcement and intelligence functions, so can the data we 
collect be crucial to other law enforcement and intelligence 
communities. Consequently, we are deeply involved in efforts to 
overcome the barriers to the appropriate and secure exchange of 
data and, just as importantly, the conversion of data to useful 
information that supports clear operational objectives.
    The INS has worked on important data-sharing initiatives in 
both the pre- and post-September 11th periods. As early as 
1985, INS was sharing vital information with the U.S. Customs 
Service. Other data-sharing programs have been under way for 
some time with the Department of State, the U.S. Marshals 
Service, the FBI and the Social Security Administration. INS 
also assists State and local law enforcement through its Law 
Enforcement Support Center.
    We also verify immigration status for State and local 
benefit-granting agencies, some employers and some State 
driver's license bureaus. However, in all of these data-sharing 
initiatives, we have to be sensitive to established regulatory, 
statutory and policy constraints in the routine and customary 
use of information by other agencies. While making information 
available to other entities, security, privacy considerations 
and appropriate user access are primary considerations.
    The management principle guiding INS's approach to 
development of information systems is to build a sound 
strategic foundation. INS has established important mechanisms 
to address this principle internally. Our initial contribution 
to a governmentwide effort is to assure that our own 
information environment is sound and interoperable. Our formal 
enterprise architecture and technical architectures are nearing 
completion. Additionally, our information technology investment 
management process ensures that IT investments are spent wisely 
and coordinated among INS components. In doing so, we are 
mindful of the relationships that we must support with our 
technical enhancements while integrating our business 
objectives and developing technical solutions.
    The development and prioritization of clear and integrated 
Federal law enforcement in intelligence mission requirements is 
an undertaking that must be completed quickly. Only when these 
are clearly articulated can industry assist us meaningfully in 
applying the best technical solutions.
    Some of the most compelling progress that I have seen in 
recent months has been the formalization of the planning and 
management processes that must occur if the wide array of 
Federal, State, local and private entities are to achieve the 
level of information sharing that we all desire. This will 
ensure that we first define what our operational objectives 
should be, identify the data and data sources needed to support 
those objectives, and then apply the appropriate technological 
solutions to deliver that information. This leads to the 
crucial task of examining the barriers that may inhibit or 
otherwise thwart full partnership between public and private 
sectors in coming together in the war against terrorism.
    Barriers come in two forms, human and technological, and 
they manifest themselves three ways, through cultural, 
organizational or resource approaches. Like many of my 
colleagues, I have met with representatives from the private 
sector who have proffered technologically based products and 
solutions to any number of counterterrorism-driven prevention, 
detection and mitigation scenarios. Their sincerity and 
commitment are of the highest order. Unfortunately, in many 
instances, they perceive the Federal Government as an 
unresponsive bureaucracy. Some have suggested that the Federal 
procurement process may be to blame. However, I believe it 
would be a mistake to look at the procurement process as the 
sole culprit. If clear requirements can be formulated, many 
procurement alternatives are available that can fulfill our 
needs while ensuring broad participation by industry.
    Without well-defined requirements, even the best solutions 
stand little chance of effective and timely application. 
Encouraging the private sector to participate in problem 
solution through the request for information as well as other 
processes prior to the initiation of a formal procurement makes 
good sense. This will preserve a fair and open procurement 
process enabling the government to make best use of America's 
technological superiority and the creative problem-solving 
resources in the private sector.
    In summary, we in the Federal Government must establish and 
employ standards for information sharing between and amongst 
ourselves and further fully define our mission requirements or 
needs. Then we can take advantage of the wealth of existing 
technology solutions that currently exist within Federal 
agencies and corporations. This will enable us to develop 
solutions that better balance our openness to new ideas with 
applications that directly address our needs.
    Thank you, Mr. Chairman, for this opportunity, and I 
appreciate the opportunity to appear with you--before you and 
the committee.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Bohlinger follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.039
    
    [GRAPHIC] [TIFF OMITTED] T5840.040
    
    [GRAPHIC] [TIFF OMITTED] T5840.041
    
    [GRAPHIC] [TIFF OMITTED] T5840.042
    
    [GRAPHIC] [TIFF OMITTED] T5840.043
    
    [GRAPHIC] [TIFF OMITTED] T5840.044
    
    [GRAPHIC] [TIFF OMITTED] T5840.045
    
    [GRAPHIC] [TIFF OMITTED] T5840.046
    
    Mr. Tom Davis of Virginia. Dr. Raub.
    Mr. Raub. Morning, Mr. Chairman, Mr. Turner, members of the 
committee. I appreciate the opportunity to represent the 
Department----
    Mr. Tom Davis of Virginia. Push your button there.
    Mr. Raub. I appreciate the opportunity to represent the 
Department of Health and Human Services and describe our 
activities related to the theme of the hearing this morning.
    With your permission, Mr. Chairman, I'll submit my prepared 
statement for the record and make only a few comments now. 
First has to do with the item on our perception of barriers to 
achieving homeland security.
    With respect to bioterrorism and other aspects of public 
health emergencies, we believe we face formidable problems, but 
that none of them are intrinsically insurmountable. We don't 
believe that we can anticipate every threat scenario, but we do 
believe that with a strong, sustained and closely coordinated 
effort among public health, medical, scientific and 
technological communities, we can develop the basic 
capabilities we need to respond effectively.
    On pages 3 and 4 of my prepared statement, I summarize five 
fundamental functions that a local community must be able to do 
if it is able to respond effectively to bioterrorism or some 
other public health emergency. All five of those functions 
currently are doable with current knowledge and current 
technology. Doing any one of them is hard. Doing all five is 
very hard. Doing all five in every community in the country is 
daunting. But that's, in fact, what we're attempting to do.
    We have a vigorous effort under way and our State and our 
local partners are responding enthusiastically to this. The 
President and the Congress for this fiscal year have provided 
more than $1 billion for this purpose, and we have moved very 
quickly to mobilize it. Moreover, the President is requesting 
more than $1.5 billion for the similar purpose in fiscal year 
2003. We have in place cooperative agreements with every State 
and other eligible entities. We are well along with them in 
their work plans for use of these funds. These plans focus on 
particular targets, things we call critical benchmarks and 
critical capacities, and the watchwords for all of this are 
speed, flexibility and accountability; speed in getting the 
money out, flexibility in giving the State and others 
considerable discretion in how they address the benchmarks 
we've set out, but also accountability, because at the end of 
the day, unless we have measurable milestones and objective 
evidence of enhanced preparedness, we will not have met the 
charge of the President and the Congress.
    My second area of comment has to do with information 
technology and its applications in that in every one of those 
five fundamental functions and many other aspects of public 
health, information technology is absolutely central to public 
health preparedness. I'm talking about electronic 
communications, computer-manipulable data bases and about 
statistical and analytical software. The information technology 
community has presented us with a wealth of tools and, in fact, 
is way ahead of our ability to apply them right now.
    In some States in this Nation, the public health 
capabilities are already linked by high-speed Internet 
connections with substantial computer systems supporting them. 
In other public health departments in our Nation, there are no 
computers. There are no Internet connections. There are rotary 
telephones, and case reports arrive by postcard. We have a 
substantial effort in front of us to reduce the variance in 
this.
    Our immediate challenge is to choose judicially amongst the 
information technology options available to us as a community 
with respect to the effectiveness for our immediate and longer-
term purposes, the efficiency and the economy with which we can 
deploy them, and, most of all, achieving the interoperability. 
Unless these systems link at every level from the fundamental 
connections to the operating systems, to the applications 
programs, we will fail in achieving the kind of true public 
health system we must achieve.
    Our Centers for Disease Control and Prevention has 
promulgated a set of information technology standards. It's 
been adopted by our other agencies and is being used in our 
efforts with not only State and local health departments, but 
also hospitals throughout the United States.
    As this effort evolves with our State and local partners, 
we look forward to our and their collaborations with the 
information technology industry as we can catch up and make 
more effective use of what's available and as they proceed to 
offer us a still richer array of capabilities for us.
    Thank you, Mr. Chairman.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Raub follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.047
    
    [GRAPHIC] [TIFF OMITTED] T5840.048
    
    [GRAPHIC] [TIFF OMITTED] T5840.049
    
    [GRAPHIC] [TIFF OMITTED] T5840.050
    
    [GRAPHIC] [TIFF OMITTED] T5840.051
    
    [GRAPHIC] [TIFF OMITTED] T5840.052
    
    [GRAPHIC] [TIFF OMITTED] T5840.053
    
    [GRAPHIC] [TIFF OMITTED] T5840.054
    
    [GRAPHIC] [TIFF OMITTED] T5840.055
    
    [GRAPHIC] [TIFF OMITTED] T5840.056
    
    [GRAPHIC] [TIFF OMITTED] T5840.057
    
    [GRAPHIC] [TIFF OMITTED] T5840.058
    
    Mr. Tom Davis of Virginia. Mr. Jordan.
    Mr. Jordan. Good morning, Mr. Chairman and members of the 
subcommittee. My name is Bob Jordan, and I serve as the head of 
the FBI's Information Sharing Task Force. I welcome this 
opportunity to meet with you today about the status of the 
FBI's information-sharing initiatives within the Bureau and 
with other government agencies for homeland defense purposes.
    The FBI is an organization in change. Not only are we 
structurally different, but in very fundamental ways Director 
Mueller has revamped our approaches to counterterrorism and 
prevention. Since September 11th, we have seen massive shifts 
in our resource deployments. Our missions and priorities are 
being redefined to better reflect the post September 11th 
realities. As an agency we are committed to devoting whatever 
resources are necessary to meet our prevention mission and 
continue to sustain a dramatically enhanced worldwide 
counterterrorism effort. A substantial component of this 
approach is information sharing not only at the Federal level, 
but also within the entire law enforcement and intelligence 
communities. Over the last several years, much has improved, 
but this seemingly simple issue is actually a complex myriad of 
technology, legal policy and cultural issues.
    Since the tragic events of September 11th, this single 
issue critical to public safety is receiving the sustained 
high-level attention necessary to ensure that everything that 
can be done is being done. In that regard, I'm happy to say 
that the spirit of collaboration and willingness to exchange 
data has never been stronger or more pronounced than it is 
today. Many of the legal and policy impediments that kept us 
from more fully exchanging information in the past have been or 
are now being changed.
    The Patriot Act has greatly improved our ability to 
exchange data within the Intelligence Community and across law 
enforcement. In addition, the Attorney General's recent 
directive to increase coordination and sharing of information 
between DOJ, FBI, INS, Marshals Service and the Foreign 
Terrorist Tracking Task Force on terrorist matters and to 
establish secure means of working with State and local 
officials are major milestones in improving our information-
sharing and collaboration efforts.
    Equally important, the difficult technology challenges we 
all face are on top of everyone's list. This is especially so 
at the FBI. Under Director Mueller's leadership, the FBI on 
every front is hard at work carrying out the Attorney General's 
information-sharing directive.
    Within the FBI, Director Mueller has taken on the challenge 
of improving information sharing and has directed FBI executive 
management to develop every means necessary to share as much 
information as possible with other agencies, as well as State 
and local law enforcement. Years of experience have 
demonstrated that joint terrorism task forces, JTTFs, have 
proven to be one of the most effective methods of unifying 
Federal, State and local law enforcement efforts to prevent and 
investigate terrorist activity. There are currently 47 JTTFs. 
We are working expeditiously to establish JTTFs in each of our 
56 field offices. As recently as 1996, there were only 11 of 
these task forces.
    The creation of JTTFs this year is resulting in an expanded 
level of interaction and cooperation between the FBI and our 
Federal, State and local counterparts. Among the full-time 
participants in JTTFs are INS, Marshals Service, Secret 
Service, the FAA, Customs, ATF, State Department, Postal 
Inspection, IRS, Department of Defense and U.S. Park Police. 
State and local agencies are heavily represented. Information 
is also being shared with the Transportation Security 
Administration and the U.S. Coast Guard.
    The FBI has a long tradition of exchanging unclassified 
information with Federal, State and local law enforcement 
agencies on warrants, fingerprints, forensic information and 
watch lists. The last few years have seen dramatic increases in 
the exchange of specific case-related information, due in large 
part to the proliferation of JTTFs. Now we are improving our 
sharing of classified information again through such mechanisms 
as the JTTFs.
    Director Mueller has undertaken several initiatives that 
directly enhance the FBI's information-sharing capacities. All 
of these efforts are designed around the recognition that post-
September 11th, the FBI has adopted both a new focus and 
priorities that recognize that a substantial investment is 
being made in prevention. A few examples include Director 
Mueller has named Lewis Kay, who is currently chief of the High 
Point, North Carolina, Police, to be the FBI's Assistant 
Director for Law Enforcement Coordination. Our Office of 
Intelligence is now part of the FBI's organizational structure. 
The FBI has undertaken major recruiting and hiring initiatives 
to bring into the FBI private sector IT experts who can greatly 
assist our sizable IT projects. We have a new Records 
Management Division that has been established, and the FBI is 
detailing personnel to other agencies and vice versa to ensure 
that information is shared and understood within our agencies. 
These efforts are particularly critical to programs like our 
National Infrastructure Protection Center, the Counterterrorism 
Center at CIA and others.
    Information security is a significant issue in these 
initiatives. We must balance our desire to share information as 
freely as possible with the need for the security of 
information.
    I'm going to go to the last part of my comments here. The 
FBI's future ability to deter and prevent crimes requires the 
use of current and relevant IT. We have several critical 
initiatives under way to upgrade the FBI's IT infrastructure 
and investigative applications. Funding for these programs is 
essential to provide our investigators and analysts with IT 
resources and tools.
    That concludes my prepared remarks, Mr. Chairman. I'll be 
happy to answer any questions.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Jordan follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.059
    
    [GRAPHIC] [TIFF OMITTED] T5840.060
    
    [GRAPHIC] [TIFF OMITTED] T5840.061
    
    [GRAPHIC] [TIFF OMITTED] T5840.062
    
    [GRAPHIC] [TIFF OMITTED] T5840.063
    
    [GRAPHIC] [TIFF OMITTED] T5840.064
    
    [GRAPHIC] [TIFF OMITTED] T5840.065
    
    [GRAPHIC] [TIFF OMITTED] T5840.066
    
    [GRAPHIC] [TIFF OMITTED] T5840.067
    
    [GRAPHIC] [TIFF OMITTED] T5840.068
    
    Mr. Tom Davis of Virginia. The subcommittee is pleased to 
have Representative Jane Harman from California sit in with us 
today, and I would ask unanimous consent to allow her to give a 
statement and participate in a hearing.
    Hearing no objection, the gentlelady from California is 
recognized.

  STATEMENT OF HON. JANE HARMAN, A REPRESENTATIVE IN CONGRESS 
                  FROM THE STATE OF CALIFORNIA

    Ms. Harman. Thank you, Mr. Chairman, and Mr. Turner and 
members of the subcommittee. I'm delighted to be here, and I 
want to commend you on your perfect timing. So far as I can 
tell, this is the first hearing on a critical piece of the 
homeland security subject to be held following the President's 
dramatic, bold and courageous announcement of last night. Good 
work.
    Mr. Tom Davis of Virginia. Thank you. We saw it coming.
    Ms. Harman. I also want to say about you, Mr. Chairman, 
that we go way back. You know, the Smith-Amherst Axis is pretty 
powerful, but also we represent communities that have some of 
the fastest growing tech communities on the planet. In my case, 
my district in southern California has a very large aerospace 
base. I know yours does, too, but I think mine is bigger. No 
competition here. It's diversified, and a lot of the aerospace 
companies--in fact, we're going to hear from one later--have 
large IT businesses.
    I would like to, if you don't mind, welcome one of my 
constituents who will testify on your second panel, Ron Sugar, 
who is the president and chief executive officer of a tiny 
little firm called Northrop Grumman, and that is an example of 
the diversification that I'm talking about.
    I just wanted to make a few points. First, I am late and I 
apologize, because I was one of 10 Members of the House and 
Senate who was at the White House meeting with the President 
and Governor Ridge today to talk about next steps in the turf 
and other battles related to unfolding this new Department of 
Homeland Security. I thought it was a very constructive 
meeting, and I think that this topic that you are exploring 
today is absolutely central to an effective homeland security 
effort, and the effort to put more functions into one 
department is related, does have a relationship to the need to 
improve information sharing.
    It's not that it's a magic answer. It's not that all the 
information sharing we need will happen inside the borders of 
the Department of Homeland Security. Obviously other 
departments are represented here, and they need to share, too. 
But it is that this is a critical piece of the reason why we 
need to do this Department of Homeland Security.
    Let me just touch on three issues, and I'll just summarize 
my testimony. First is procurement. As I mentioned, I represent 
a huge IT base in the South Bay of Los Angeles. Lots of the 
firms there, both aerospace and nonaerospace, have developed 
critical technologies that we need for a successful homeland 
security effort, and they don't really know how to access the 
Federal Government, how to learn about what's needed, and how 
to conform whatever products they make and services they render 
to what's needed. And we have tried hard to find places in the 
Federal Government that should be the right places to access, 
like the Technical Support Working Group, TSWG, at DOD, and 
that effort, for example, has a very capable leader, John 
Reingrubber, who came to Los Angeles to meet with members of 
these firms. But his group has been overwhelmed by requests, 
and there's no possible way that one place in the Defense 
Department can handle all of the needs.
    I want to commend you for H.R. 4629, of which I am a 
cosponsor, and I know that legislation would create a body 
responsible for receiving and routing technology proposals to 
the right government agencies. I think that's a good start. I 
think we need that regardless of the need to create the 
Department of Homeland Security. But as you know, none of this 
is easy. The new organization would have many bureaucratic 
challenges, need to recruit staff and so forth. Nonetheless, I 
think it is an important thing that we consider your 
legislation, and I strongly support it.
    The second issue is data integration. I think, again, both 
the government and private witnesses understand this. Example: 
The Intelligence Community needs to be able to access 
information in any agency and to search multiple data bases for 
common themes. Looking backward in hindsight is always better. 
Wouldn't it have been great if we could punch in ``flight 
training'' and ``Moussaoui,'' just two random ideas, and have 
multiple hits in FBI reports, the CIA watch list, FAA rosters?
    When you talk about connecting the dots, you talk about 
data integration, and we need work on our data integration 
processes, and in that regard I think this new analytical 
capability that the President is proposing for the Office of 
Homeland Security is a terrific idea. Even this morning the 
press was asking about, well, what about the CIA and the FBI 
and all of the other agencies? Isn't this duplication? Or 
shouldn't they be pulled into all of this? And my answer is, 
yes and no. Yes, it's duplication. Another set of eyes, an 
analytical capability focused on homeland security to make sure 
that we do connect the dots and that our threat condition 
warnings are as accurate and informational as possible is a 
great idea. The no is that, no, we don't need to move the FBI 
and the CIA someplace else. They have important functions which 
they should still continue to perform. But at any rate, data 
integration is a big deal.
    Final comment is on public-private partnerships, and, 
again, Mr. Chairman, I want to commend you and Mr. Turner and 
the others for all of the work that you do. It was true 
sometime back that we had and could afford separate industrial 
bases, a defense industrial base and a commercial industrial 
base. We invested huge amounts of money in government R&D. A 
lot of the most critical technologies that we employ across the 
board now, like GPS, were invented by the government, and with 
all affection for Al Gore, the Internet was invented by the 
government. But nonetheless, it is now true that we can no 
longer afford separate industrial bases. We need one industrial 
base with both commercial and government application, and most 
of that base does presently reside and should reside in the 
private sector, and that is why it is so critically important 
that we leverage private sector technologies for government 
uses.
    In many cases the government can serve as an information 
clearinghouse, sharing best practices and reports. The Cyber 
Security Information Act, H.R. 2435, is a good example of this. 
But it is also true that the government has to find better 
mechanisms to leverage technologies. The future of homeland 
security will depend on whether we do this well, and I have no 
doubt that our second panel will talk about how best to do 
that.
    I just want to commend you one more time, and it's the last 
time I'm planning to flatter you this week, no matter what, for 
your enormous leadership and your partnership on a bipartisan 
basis with those of us in this House who have focused on this 
issue for a long time. I think that this is the future, and I'm 
very happy that you let me participate in your hearing. Thank 
you.
    Mr. Tom Davis of Virginia. Well, thank you, and you keep 
talking that way, you can come to any of our hearings.
    [The prepared statement of Hon. Jane Harmon follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.069
    
    [GRAPHIC] [TIFF OMITTED] T5840.070
    
    [GRAPHIC] [TIFF OMITTED] T5840.071
    
    Mr. Tom Davis of Virginia. Thank you very much, Ms. Harman. 
Let me just say your leadership on a number of these issues has 
been very, very important to our coalition in the House, and 
I'll continue to value your advice, expertise and leadership as 
we move through this. So thank you very much for being here.
    I'm going to start the questioning with Mrs. Davis. We'll 
do 5 minutes around the first time. Then we'll move to Mr. 
Turner and back and forth.
    Mrs. Jo Ann Davis of Virginia. Thank you, Mr. Chairman, and 
thank you, gentlemen, for being here to testify this morning.
    Sort of in conjunction with what my colleague from 
California said, I believe she stated that she has a lot of 
private IT companies that don't know how to access what the 
Federal Government needs, and in that regard are your agencies 
or your departments, are they inundated with private sector 
security technology proposals, No. 1? And two, do you believe 
you have the staff qualified to sort out what would be useful 
and what would not be useful? And do you have the procedures in 
place to accomplish your goals? Any of you? Do you want to 
start, Mr. Yim?
    Mr. Yim. Yes. I think one of the concerns that the GAO has 
is how will the variety of technical solutions be evaluated. I 
think a lot of agencies would be deluged with proposals, and do 
we have effective mechanisms to assess the viability efficacies 
of that? The GAO has undertaken a pilot project working with 
the National Academy of Sciences to evaluate, for example, 
emerging biometric techniques. So even though we may not have 
the expertise in-house, although we have substantial expertise 
in-house, we wish to augment that with the significant 
scientific base provided by the National Academy, and that is 
one model I think that we could pursue.
    Mr. Tom Davis of Virginia. Anyone else?
    Mr. Forman. I'd like to speak a little bit about the 
framework that was laid out in the Clinger-Cohen Act. I really 
don't think the problem at this point is with the procurement 
work force in terms of staffing requirements. I think the 
problem, as was indicated, is in the requirements definition.
    You know, the issue of how we bring technology in the 
government has been going on for several decades and is--just 
as the Congresswoman stated, a shift from the government being 
at the leading edge of technology to being significantly behind 
commercial industry technology led to several rounds of 
legislation. Most of that legislation said we're trying to 
choose technology through the procurement process, but we don't 
have the requirements well enough defined to make any use of 
the technology. So we tend to buy it as commercial best 
practices, and we hear terms like ``governmentizing the 
technology.'' If we risked that with some of this leading-edge 
technology, we're not going to get the benefit out of it. We're 
going to expend too much out of it.
    So the issue is if we've got 50 proposals for different 
aspects of security technology, can the government today become 
the systems integrator? Do we want it to become a systems 
integrator? Right now we don't have the talent, and we don't 
have the technical skills. I know this has been a subject of 
another hearing in another very fine piece of legislation from 
this subcommittee. We have to focus on clearly understanding 
our requirements, and we also, I think, have to focus on 
getting good teamwork in industry.
    You know, when a company goes out to buy security 
technology, it's not quite the same as they announce that 
they've been hit by some cybervandals, and then people start 
showing up. They generally look for a security architecture, a 
comprehensive solution approach. That's what we are trying to 
do in the Federal Government as well, and I think that may be 
tough to understand for a lot of industry, that the government 
works not by being our own integrator oftentimes. So when they 
come to--many companies that have just pieces of the technology 
puzzle come to talk to us, they expect us to know how to 
integrate it together and to buy the pieces. That's very 
difficult right now for the Federal Government.
    Mr. Bohlinger. I'd like to assure you that the three of us 
did not get together before we were making these comments, 
but--and not to sound like just reiterating----
    Mrs. Jo Ann Davis of Virginia. It's OK.
    Mr. Bohlinger. The issue is requirements. There's no 
question about it. We are significantly engaged in meeting with 
people from the private sector and have been going to their 
forums, talking with them individually, meeting with the senior 
people from these corporations, and there are many wonderful 
ideas out there, but can you imagine ideas just being thrown 
over the transom, all of which are good? How do you sort them 
out?
    And what I said in my testimony I think I'd like to 
emphasize again is that we need to be able to tell the people 
in the private sector exactly what our needs are and allow them 
to----
    Mrs. Jo Ann Davis of Virginia. Let me interrupt you there, 
because my time is about running out. Where do you get what 
your needs are? Who gives them to you? All three of you have 
said requirements. Where do you get them from?
    Mr. Forman. I--especially in this area of security, there 
are two areas. One is in the Government Information Security 
Reform Act requirements that were laid out. The baseline set of 
best practices identified by the National Institute for 
Standards and Technology gave us the ability to do a gap 
analysis. It's a very comprehensive gap analysis. That's led to 
a listing, a plan of actions and milestones, that in some 
agencies are 2 or 3 inches thick, and those are the 
requirements. So we're first year into the process, several 
months into the process. We now--the requirements are there, 
and we can make sense and go buy the technology.
    Mr. Bohlinger. If I might just continue for a second on the 
requirements issue, I think it's both on a macro and a micro 
scale. On the macro scale, it's something that has also been 
discussed here in talking about enterprise architectures. 
Federal agencies must have robust and thoroughly vetted 
enterprise architectures, and this is exactly how we are doing 
our business. On the micro area of requirements, it's as you go 
out with specific requests, and that might be a particular 
system having to do with something that just is local, it may 
be a nationwide system, but being able to clearly lay out in 
the request for information--and I'm a great proponent of that, 
of allowing corporations that come in and suggesting solutions 
to well-defined requirements, then allow you to go out with 
RFPs that people can apply their best technology to.
    Mrs. Jo Ann Davis of Virginia. Mr. Chairman, can they all 
have the time to answer?
    Mr. Tom Davis of Virginia. Go ahead.
    Mr. Raub. I can just comment briefly. With respect to 
Health and Human Services, we won't claim perfection in our 
interface with the private sector, but we believe we're doing 
well and are getting better.
    Secretary Thompson is taking two major structural steps 
that have helped us along. One is the creation of the office I 
represent, the Office of Public Health Preparedness, last 
November. He's given us a focal point within the Secretary's 
office for all $3 billion worth of it related to bioterrorism 
across our 11 agencies in the Department. And representatives 
of the technology community have not been bashful in seeking us 
out, nor have we in our interactions with them, either for 
activities of our own office or steering them to the Centers 
for Disease Control and Prevention, the National Institutes of 
Health, the drug administration or other elements of our 
Department.
    Even before that, last summer the Secretary created his 
Council on Private Sector Initiatives. The idea was to bring 
together a team of representatives from every agency in the 
Department that would meet on a regular basis and be a one-stop 
shop for members of the community to bring ideas that might 
have some pertinence to programs of Health and Human Services. 
This is not limited to terrorism. It's much more broadly 
including the hospital sector. At a most recent meeting of that 
team, no fewer than nine company representatives were present 
describing their activities, how they might relate to Health 
and Human Services, and seeking some requirements and general 
guidance of how best to relate to the Department.
    Mrs. Jo Ann Davis of Virginia. Thank you.
    Mr. Jordan.
    Mr. Jordan. As I mentioned in my direct testimony, the FBI 
has begun to hire outside IT experts who are helping us sift 
through the various suggestions made to us, and we are well 
along in that process. And we have an established process for 
interfacing with the private sector.
    Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman.
    Mr. Tom Davis of Virginia. Thank you very much.
    Mr. Turner.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Forman, talk to us a little bit about how far along we 
are in developing the enter prise architecture that is 
necessary for homeland security and how the new Homeland 
Security Department or office will function with regard to the 
work that, apparently, currently you are responsible for.
    Mr. Forman. I can't at this point discuss any of the issues 
related to the President's announcement last night. It is just 
too early in the process. But as you point out, there are many 
issues that need to be addressed. So let me go through what 
issues you raise.
    We are taking a two-tiered approach with respect to 
homeland security that there very clearly has to be progress 
made in homeland security lines of business, is the way we 
refer to them. A line of business could be disaster management 
preparedness. Within that, people have to make architecture 
decisions. They have got to look at which agencies, which 
organizations within those agencies have what roles and 
responsibilities, and what performance results or outcomes 
those organizations are supposed to achieve. Within that, there 
is an awful lot of overlap, so we have to have some clear way 
to identify those. We call those business functions.
    And so you could have, for example, within disaster 
management, emergency planning, and you would find out that 
there are many bureaus involved in that planning. You would 
also find out that there is a core business process, a way of 
doing disaster planning that cuts across those department--
departments, and is probably replicated multiple times. They 
probably have redundant information systems. And the 
unfortunate thing about this is, when you pull in the focus of 
this, the citizen voice, the customer, if you will, which tends 
to be State and local emergency management officials, they have 
told us consistently, it is too confusing to deal with all 
these different activities, these different processes run by 
these different entities of the Federal Government.
    So identifying that, consolidate it, that's what I call 
simplified business process. To interoperate with State and 
local government requires pulling people together and 
identifying, depicting, laying out the way we are going to work 
together, and we call that process design or process 
integration.
    So, indeed, you have these in the multiple: homeland 
security functions. Steve Cooper, who is doing terrific work as 
essentially the CIO for the Office of Homeland Security, has 
laid out a concept as referred to as Foundation Projects; and, 
within those types of projects are essentially these kind of 
more detailed architecture projects. At a high level, we are 
making sure that all the different departments and agencies 
that play in that line of business are working together with 
him.
    The actual work that needs to be done has to be done under 
some cross-agency organization. We have laid that out as the 
Information Integration Program Office, and we have requested 
accelerating that fund--that funding into the supplemental, and 
then that would be managed under the CIAO, the Critical 
Infrastructure Assurance Office.
    So, at the high level, my office is making sure we are 
moving forward on the architecture, those business components 
that we have measures of effectiveness.
    At the next tier down this Information Integration Program 
Office, working with the Office of Homeland Security, making 
sure that people are coming together to actually lay that out 
and go through the thought work, which can then define 
requirements. That work is due to be completed at the end of 
this fiscal year, so the end of September.
    Mr. Turner. It has been suggested by the GAO that we can't 
wait for this architecture to be developed, we have got to move 
faster. How do you respond to that?
    Mr. Forman. We are moving faster, and the tradeoff I have 
is between roughly 2,900 major and significant IT projects in 
the budget. At the same time, we do not have 2,900 solutions 
architects. We don't have 2,900 world-class program managers.
    So the trick is to allow enough good things to move forward 
without tying up resources that we need to focus. We are 
focusing our efforts on the strategic priorities that were in 
the budget: the war on terrorism, homeland security, 
revitalizing the economy. So we are not trying to boil the 
ocean, per se, but focus our resources.
    Mr. Turner. Do you have any comments on that from the GAO's 
perspective?
    Mr. Yim. Well, I think that is actually the right strategy, 
but we also need to look and see what we currently have, what 
capabilities are currently already integrated into State and 
locals and the private sector which would be feeding the 
information up into the integrating strategy that would be 
included in the Office of Homeland Security and the national 
strategy. There is existing architecture that already is there 
that could be adapted, and one of the reasons why we may want 
to look at that is not only because it is familiar to State and 
local governments, and this would not be viewed as an 
additional burden upon them, but much of the information being 
collected there is being collected for other purposes, which, 
frankly, would help assure the reliability and validity of some 
of that data, rather than specialized data calls related to the 
Office of Homeland Security or any Federal agency asking for 
specific information.
    For example, if highway information was being collected for 
highway improvement or Federal funding of highway projects, for 
example, but that was also relevant to evacuation proposals or 
the ability to bring law enforcement or first responders into 
an area of concern quickly, we would hate to see a specialized 
data call that, frankly, could be skewed or perhaps being done 
on too quick of a basis. We would like to have the ability to 
draw from existing data sets that were generated for other 
purposes. So the key would be integrating those data sets, 
being able to define some set of format or to focus on 
middleware that could integrate diverging formats so that there 
could be some central model in which these disparate data 
pieces could be sent and something made of the information in a 
timely manner.
    Mr. Forman. I concur 100 percent with that.
    Mr. Turner. Do we have the staffing and expertise to 
accomplish this?
    Mr. Forman. We do. We have to supplement it with the 
wonders of the IT industry. There is no question about it. Part 
of the emerging technologies, especially in the middleware 
arena in what's referred to as objectory architectures, where 
things--you hear terms like plug and play--now give you the 
ability to quickly leverage that data base or that work flow 
that was built for a different purpose, but fits this new 
mission. That's new technology. That's come out over the last 9 
months to 12 months. And so we have to operate with the 
contractors helping us in this arena, consultants helping us 
who have already thought through this. We are not the first 
industry to grapple with this issue.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Tom Davis of Virginia. Thank you very much.
    Let me ask a general question. First I will start with Mr. 
Bohlinger.
    I understand that the development of requirements is a key 
challenge, but are those requirements not the result of agency 
and government interaction? Would that process not be enhanced 
by a single portal type of process that we envision in our 
legislation? What I'm trying to say is, I am not sure you even 
know all your requirements sometimes until you have gone out to 
the private sector and seen what they have available and some 
of the issues they are tackling. There is an awareness gap 
sometimes between what government is doing and working on and 
what the private sector is out there doing.
    Mr. Bohlinger. I certainly concur with that, and as I said 
the request for information process and also more informal 
process working with the various private sector associations. 
Heaven knows, we don't know what the universe is out there, and 
it's a continuing education process, an education process for 
us in the Federal Government, and an education process for 
those in the private sector, on not only how you access the 
Federal Government, but how you assist. There are ways to 
assist that make a great deal of sense in helping refine 
requirements, in helping us understand, on the Federal side, 
the best way to apply technologies.
    So I certainly do agree with you that these avenues have to 
be explored just because of the volume and complexity of the 
data.
    Mr. Tom Davis of Virginia. OK. Dr. Raub, let me ask you; 
you refer to Secretary Thompson's Council on Private Sector 
Initiatives to improve the security, safety, and quality of 
health care. The Council was established in part to provide the 
private sector with a single point of contact for innovative 
ideas that cut across HHS's agencies and departments. Now, H.R. 
4629, which I've introduced, would, among other things, 
establish a similar mechanism in the Office of Federal 
Procurement Policy, would apply to all agencies for innovative 
homeland security solutions. What do you think about extending 
the concept you use at HHS government-wide?
    Mr. Raub. Well, the concept has proved quite efficacious 
for HHS, and, in principle, I see no reason why it couldn't 
work on a broader basis across other agencies. Were that to be 
established, we would certainly work cooperatively and hard to 
ensure its success.
    Mr. Tom Davis of Virginia. OK. Some allege that there was a 
communications breakdown between the CDC and the FBI and others 
when the anthrax letters came to Capitol Hill, New York and 
Philadelphia. Do you have any thoughts on that?
    Mr. Raub. Yes, sir, I do. I think both agencies have worked 
hard at that communication issue, and we believe will continue 
to improve. Some of the issues are the fundamental differences 
in our missions and our cultures that I think both agencies are 
doing better to recognize and understand one another. For 
example, when a matter involves a potential crime scene or a 
subject under surveillance from the FBI's perspective, which we 
appreciate significantly, a close hold of that kind of 
information and a very deliberate process is critical to be 
able to bring an ultimate successful prosecution. At the same 
time, the public health community needs to ensure that it has 
the information early enough to be able to mount various kinds 
of protective initiatives in the community.
    So I think in general our view is the more time we spend 
interacting with one another, understanding the missions, the 
restraints, the better those communication systems can be.
    Mr. Tom Davis of Virginia. Thank you.
    Mr. Jordan, let me ask you a couple questions. FBI Agent 
Rowley testified yesterday at the Senate hearing that field 
agents have less access to information than the press because 
there are too many layers within the organization that clog 
information sharing. Do you have any comments on the 
reorganization efforts that have been announced by the FBI and 
how they might contribute to better information sharing?
    Mr. Jordan. Well, the reorganization efforts plan that the 
Director has submitted focus on having the FBI recognize that 
terrorism is our No. 1 mission, and that we are going to put 
more resources on terrorism, not just the investigation, but 
the prevention of it. And as we respond to that challenge, we 
are going to have new information needs and challenges to share 
our information outside the FBI with other intelligence and law 
enforcement agencies as well as make sure that information gets 
out to our field, which Special Agent Rowley is a 
representative.
    So we recognize the need to--we need to share our 
information outside, but internally first, and we are making 
efforts in that regard.
    Mr. Tom Davis of Virginia. Well, one of the reasons we 
called the hearing today was to determine the progress that 
Federal agencies involved in the homeland security were making 
in assessing the respective knowledge needs and information-
sharing requirements.
    There has been a lot of Monday-morning quarterbacking on 
this. Where are we in the process, in your opinion, over at the 
FBI?
    Mr. Jordan. We have made great strides. Our--outside of the 
Intelligence Community, our single largest group of partners in 
the prevention of terrorism are 650,000 State and local police 
officers who are the largest single available force to help us 
in a war against terrorism. We have met with them through their 
major city chiefs, through the ,IACP, International Association 
of Chiefs of Police, their representatives. We have attended 
their recent information-sharing summit. Director Mueller was 
the keynote speaker.
    As I mentioned in my direct testimony, the directors 
brought in a high-profile chief to basically ensure that we 
recognize that State and local law enforcement are our partners 
in this effort, and that we get them the information they need, 
and that they share with us the--exactly what it is that they 
need. There are some obstacles, and, for example, some of the 
information that would be valuable to them is classified. It's 
probably not feasible to get Secret or Top Secret security 
clearances for 650,000 police officers. Maybe there is 
something in the middle that we can do, maybe some middle--or 
maybe there is a way to create a classification level below 
Secret where we can take information and change some of its 
attributes so that it could be disseminated at a below Secret 
level.
    I mean, these are all the things we are working on. We are 
working on them with State and local law enforcement, and our 
Joint Terrorism Task Forces are probably one of the best and 
most successful and, historically, best efforts in this regard.
    Mr. Tom Davis of Virginia. Some of the Secret stuff always 
gets in the hands of the press. So, you know, you want to get 
it in the hands of the agents as well.
    Mr. Jordan. Yeah.
    Mr. Tom Davis of Virginia. All right. Thanks.
    Let me ask Mr. Forman. Your statement stresses the 
important role that standards play in ensuring that the 
different systems can work together in furthering the homeland 
security mission. Where does the responsibility rest for 
developing and enforcing these standards?
    Mr. Forman. There are two types of standards. One is at the 
technology level, and that resides with the Secretary of 
Commerce, and largely standards being defined at the National 
Institute for Standards and Technology. The other is a common 
component or standard of functionality, if you will. That's 
what we have undertaken via the CIO Council, and with the 
Federal Enterprise Architecture Program Office work that my 
office is overseeing. So I have kind of taken on that 
responsibility in my role at OMB on those functional standards. 
But we are doing it and the enforcement of it via the CIO 
Council's architecture committee. And, in that manner, as you 
know, probably the fastest way to get a standard is to get 
everybody who has to buy the technology to agree that this is 
what they are going to buy, this type of functional capability, 
and therefore ensuring not just the agreement on the standard, 
but the enforcement of that standard.
    Mr. Tom Davis of Virginia. Thank you. I'm just going to 
make a final comment, and then I think Ms. Davis has a couple 
more questions.
    Do you have a couple more questions for this panel? I think 
Jo Ann wants to get a question cleared up.
    You know, we have gone through some of these security 
briefings on the House floor, and I get more out of CNN and Fox 
News than I do from our security briefings. And, of course, 
they are so nervous that somebody is going to leak something I 
assume they have the same kind of problems in the FBI and other 
agencies with getting word down to members on the street, to 
employees on the street who could use information, but are just 
so afraid that the classification, whether it's Secret or Top 
Secret or classified doesn't fit. And we have got to find a way 
to cut through this and get the information to the people on 
the street appropriately.
    That has been one of the problems; as we look back and try 
to Monday-morning-quarterback this we get so hung up on all 
these classification systems that the word is not getting out 
in an appropriate fashion to the people who could benefit from 
it. The press has no problem getting ahold of a lot of this 
stuff and so we are basically victims of our own overregulation 
and inability to classify. And it's something we have got to 
continue to wrestle with. And also in our conversations with 
the private sector, some of this stuff I think we are overly 
protective of. That's just an observation, stepping back.
    But I see a lot of progress being made, and I appreciate 
everybody taking the time to share with us and answer our 
questions today.
    Ms. Davis.
    Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. And 
I don't mean to beat a dead horse, but I'm sort of just a 
straight-talking person, and I've got to say, I didn't 
understand your answers. The best I could understand is that 
the resources aren't the problem; the problem is the 
requirements and defining the requirements. But aren't you all 
supposed to define the requirements?
    Mr. Forman. Well, we have new major IT investments in this 
year's budget, roughly $30 billion, and so the requirements 
have to come, we know best practices, from the people who are 
actually doing the work. When we bring in modern tools and 
techniques for essentially e-business in the private sector, 
that has tremendous applicability in virtually all the homeland 
security areas.
    Ms. Jo Ann Davis of Virginia. So are you supposed to, sir, 
define the requirements?
    Mr. Forman. No. It's got to be at the level of the people 
actually who will use it in doing the work, married together 
with the CIOs or people within the CIO organization who are 
responsible for identifying.
    Ms. Jo Ann Davis of Virginia. How long does it take to do 
that and then to get the--I mean, by the time you do all that 
and get the technology in place, isn't it outdated?
    Mr. Forman. No. Unfortunately, we tend to hide behind that 
in resisting change in many of the Federal agencies. It 
shouldn't take more than a couple weeks or a month to do this.
    Ms. Jo Ann Davis of Virginia. So, then, the problem more is 
in the culture and not requirements?
    Mr. Forman. And resistance to change.
    Ms. Jo Ann Davis of Virginia. Which is the culture.
    Mr. Forman. I tend to focus on, both dealing with the 
industry and with the agencies, these two simple measures of 
outcome that I mentioned before. How do we increase their 
response time, cycle time, the decisionmaking time? How do we 
improve the quality of the decisions that you are responsible 
for?
    And I give the same test to the industry folks that come 
in, and I found from industry, some of the folks will come back 
to us with a very low-cost, very modern solution just because 
of the technologies that are out there. And when I look at low 
cost, I mean 40-, 50-, $60,000 for a program that had been 
budgeted for $30 million. To me, that's the pay off of bringing 
these modern technologies in; but what it means is people in 
the line of business do their work differently. If they don't 
sign up to doing their work that way, then we won't get that 
acceleration in decisionmaking, we won't get the results. What 
we will get is a 50-, $60,000 effort that turns into a $30 
million effort and doesn't give us the results.
    This is a chronic problem. It's been around for about 10 
years now in government. It's part of change management, and, 
at the end of the day, a big part of the puzzle that we are 
using here is the management scorecard. We are literally 
tracking whether the agencies are adopting these modern 
business approaches and scoring them on that on a quarterly 
basis.
    Ms. Jo Ann Davis of Virginia. Well, maybe I just did things 
a little different in the private sector, but when I had people 
that worked for me, if they didn't do the changes the way I 
wanted them, they weren't there anymore.
    Thank you, Mr. Chairman.
    Mr. Tom Davis of Virginia. Thank you very much.
    Anything anyone on the panel want to add additionally?
    Well, thank you all very much for your testimony today and 
in your answering our questions. If you want to supplement 
anything over the next couple of weeks, feel free to. I'll put 
it in the record.
    I'm going to declare about a 2-minute recess as we switch 
panels. We have an outstanding panel coming up: Dr. Sugar of 
Northrop Grumman, who has already been introduced by Ms. 
Harman; Mr. Johnson, KPMG; Mr. Fitzgerald from Oracle, I see in 
the audience; and Mr. Pomata from webMethods. We will just take 
a couple minutes to exchange, and we will be back in 2 minutes. 
Thank you.
    [Recess.]
    Mr. Tom Davis of Virginia. I think we can resume the 
hearing. If everyone could just remain standing here, I want to 
swear our next distinguished panel in.
    [Witnesses sworn.]
    Mr. Tom Davis of Virginia. Let me just explain. This isn't 
the major investigative committee in Congress; so, by our 
rules, we swear every witness in. We are not trying to catch 
you on everything, but those are just the rules we operate 
under.
    And so let me start with Dr. Sugar and work our way down. 
Try to keep it to 5 minutes. Again, we have the lights on 
there, and we will give some time for questions and then 
submit. And thank you for being with us today, Dr. Sugar.

   STATEMENTS OF RONALD D. SUGAR, Ph.D., PRESIDENT AND CHIEF 
  OPERATING OFFICER, NORTHROP GRUMMAN CORP.; LEONARD POMATA, 
PRESIDENT, FEDERAL GROUP, WEBMETHODS, INC.; S. DANIEL JOHNSON, 
  EXECUTIVE VICE PRESIDENT, PUBLIC SERVICES, KPMG CONSULTING, 
     INC.; AND KEVIN J. FITZGERALD, SENIOR VICE PRESIDENT, 
        GOVERNMENT, EDUCATION & HEALTHCARE, ORACLE CORP.

    Mr. Sugar. Can you hear me?
    Thank you, Mr. Chairman, Ms. Davis, Mr. Turner. It's always 
a pleasure to meet with you. My name is Ron Sugar, president 
and chief operating officer of Northrop Grumman, Incorporated, 
one of our Nation's major defense industrial firms. Northrop 
Grumman has a dedicated work force of over 100,000 engineers, 
scientists, and other professionals applying advanced 
technology in support of our military services and other 
governmental agencies. It's a great privilege to appear before 
you today and to talk about some of my observations on the 
important issue of providing technology solutions to the 
serious homeland security challenges facing our Nation today.
    As a senior executive of a major defense firm, I cannot 
advise you on national policy or how to organize the government 
to approach this daunting task of homeland security. I can, 
however, provide a perspective on how those of us in the world 
of technology can help address this major challenge, and I can 
suggest certain steps the government can take to create a 
favorable environment where the innovative thinking, the 
manufacturing skills, and the procedural discipline of the 
defense industry could be applied to this pressing national 
need.
    One should not underestimate the power of American 
industry, working with government, to provide good solutions to 
major challenges. We do rise to the occasion. The record of the 
past speaks for itself. The Manhattan Project of World War II, 
the development of strategic weapons and ICBMs during the cold 
war, and the placing of a man on the moon in the 1960's 
demonstrate what can be accomplished in a relatively short 
period of time when efforts are focused, resources are 
provided, and there is a national will to do it. As with these 
past examples, of course, urgency must now prevail.
    I would like to identify for you three concerns that I 
believe may be inhibiting our ability to bring the power of 
American technological capability into this effort, and I will 
call them the three Rs, for lack of a better term: 
requirements, resources, and release from unreasonable 
liabilities. Requirements, resources, and release from 
unreasonable liabilities. Addressing these three Rs will 
greatly improve the requirement for industry to innovate and 
create effective technology solutions for this problem.
    Now, let me briefly address what I mean by these three 
items. First, requirements. Despite the passage of 9 months, 
there are still very few specific requirements that have been 
identified by the many numerous agencies at all levels of 
government on what they need to meet the challenges that they 
face. We typically in industry provide technological solutions 
in response to governmental requests for proposals or requests 
for information, and their companion statements of requirements 
or specifications. Because there is great uncertainty among 
many agencies about their exact roles and missions in homeland 
security, there have been to date very few RFPs as a result of 
September 11th, and I would strongly second the testimony of 
Mr. Bohlinger from the INS on this matter. Requirements are 
very, very important here.
    Second, resources. Now, certainly much money has been 
appropriated to date for this effort. With the original 
emergency funding, the current supplemental under 
consideration, and the fiscal 2003 proposal, there has been 
over $100 billion identified for homeland security, but the 
large percentage of these funds is for response and recovery. 
Very little to date has translated into requests for specific 
technology solutions. Neither Northrop Grumman Corp., nor any 
other major corporation that I know of at the moment, is yet 
able to determine from a business standpoint the additional 
business or revenue potential of this important emerging 
homeland security market. We know something is there, but we 
are not quite sure what it is and how we are going to address 
it.
    And, finally, there is the third R: release from 
unreasonable liability, or indemnification. Many companies, 
including our own, now have technologies available to assist 
all levels of government in detecting and preventing future 
terrorist attacks. Paradoxically, our tort system has the 
capability of shifting the economic loss due to a terrorist 
criminal act onto those providing the tools to detect and 
prevent such acts.
    Despite our best efforts, no technical system is 
infallible. The unintended consequence of even a single failure 
in a well-intended system or device that we might provide could 
result in a significant legal exposure that could financially 
ruin a company. Prudent companies may find themselves unwilling 
to provide their critical technologies to the government and 
its agencies that need them because of the great financial risk 
involved. At Northrop Grumman, for example, we find ourselves 
face to face with this very issue now in our efforts to provide 
the Postal Service with a biological detection system to 
counter the anthrax threat. Clearly, containing liability 
exposure for those in industry who are trying to do good is a 
major policy issue that must be addressed by both Congress and 
the executive branch.
    Now, if we can successfully deal with these three Rs, we 
can do a lot of good things. We have, for example, at Northrop 
Grumman sophisticated airborne surveillance platforms, such as 
the Global Hawk, that can be adapted for use in improving 
border and coastline security. We have Fire Scout, a smaller 
unmanned helicopter that can provide point surveillance around 
ports or other vulnerable national assets such as nuclear power 
stations. We have modern command, control, communications 
systems that can be adapted for domestic use by State and local 
organizations. We have increasingly effective systems for 
detecting and tracking chemical and biological agents. We have 
sophisticated information technology systems capable of 
managing and integrating large amounts of data, making it 
rapidly available. This can assist security officials, 
immigration officers, Customs agents, and the Border Patrol in 
greatly complicating any terrorist efforts to launch 
coordinated and deadly attacks against American facilities and 
citizens. We can do a lot right now.
    Now, from a classical business perspective, however, 
homeland security would be viewed as an emerging market. But to 
be vibrant and viable, any market needs customers with clearly 
defined needs who have funds they are willing to spend to 
secure goods and services. Presently, with a handful of 
exceptions, the homeland security market is still somewhat 
clouded.
    Mr. Chairman, your legislation, H.R. 4629, aimed at 
promoting innovative solutions for homeland security is a very 
appropriate first step. Its recommendation establishing an 
office to rapidly review technology proposals while providing 
procurement point of entry will be most helpful. I would urge 
you to move this legislation forward as quickly as possible. 
Combined with the President's announcement last evening about 
an establishing a Department of Homeland Security, this should 
provide increased momentum to allow us to bring the full power 
of our industry to bear.
    Finally, let me be frank. I am concerned about the rate of 
progress we are making in protecting the Nation. This is a 
serious issue. Many good ideas are flowing from both the 
government and from industry. What we need now are the firm, 
specific requirements, immediately available funding resources, 
and protection from the risks of unreasonable liability. Give 
us these and we in industry will provide our Nation the tools 
to do this job.
    Mr. Chairman, I applaud the efforts of the committee. I 
wish you well in your important endeavors, and thank you very 
much for having me here today.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Sugar follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.072
    
    [GRAPHIC] [TIFF OMITTED] T5840.073
    
    [GRAPHIC] [TIFF OMITTED] T5840.074
    
    Mr. Tom Davis of Virginia. Mr. Fitzgerald.
    Mr. Fitzgerald. Mr. Chairman, Ranking Member Turner, 
Congressman Davis, my name is Kevin Fitzgerald. I am the senior 
vice president of Oracle Corp., and on behalf of Oracle, I 
would like to thank you for inviting me to share experiences 
and perspective on information sharing and homeland security 
technology.
    Mr. Chairman, since September 11th, we have been engaged in 
a battle on two fronts. First, we have been fighting to protect 
the lives of Americans from the threat of terrorism, and at the 
same time we have been struggling to protect the single most 
important asset needed to promote and preserve liberty and 
prosperity: the U.S. economy. If the investments made today to 
improve our homeland security prove ineffective, we will have 
missed a seminal opportunity to shape our future for the 
better, an opportunity that we are unlikely to see again.
    If we step back and look at the goal of strengthening 
homeland security, the over whelming obstacle will be the 
effective partnering of the organizations, public and private, 
involved in the process. There are national, State, and local 
organizations geared toward law enforcement and intelligence, 
first responders, health care, Border Patrol, transportation, 
agriculture, and countless others. It is difficult to know 
where to start, and spending our Nation's tax dollars 
effectively will be challenging.
    In order to protect the United States, we need an 
integrated national strategy and information infrastructure; 
yet implementing a national strategy with countless independent 
organizations will be like building a plane with at least 50 
totally independent contractors. One builds the wings, another 
builds a navigation system, and yet another builds the fuselage 
and so on. Even if each organization excels at his or her given 
task, it will still work in a vacuum without any guidance on 
how and whether these separate parts work together in an 
effective whole, the combined concoction could never fly.
    Imagine building our homeland security information systems 
airplane--like this airplane, not having any way to ensure they 
fit into a broader national strategy. The result will be a 
waste.
    Fortunately, the President took a step in the right 
direction yesterday with his proposal to create a Department of 
Homeland Security, which would provide for a clearinghouse for 
terrorism intelligence. This is a significant and positive 
development, and I hope Congress will act on the President's 
proposal before you adjourn later this year.
    For this new Department to succeed, Congress will have to 
target a significant amount of investments toward information 
technology. No doubt information is one of the most powerful 
weapons that we have in the fight against terrorism. The fact 
is that we have an extraordinary amount of information, but we 
lack sufficient capability to establish relationships between 
various information sources. Even today we see there are lots 
of facts we had about the individual terrorists responsible for 
the attacks on September 11th. Since we were unable to bring 
these facts together, intelligence agencies and law enforcement 
were not able to see the whole picture.
    It would not be possible, prudent, or politically expedient 
to try and build a single national system for homeland security 
information; we can, however, make it possible for the relevant 
organizations to build their systems in such a way that, 
although they are different, they can work in concert to 
support a national homeland security strategy, or, in more 
practical terms, a Department of Homeland Security.
    Accomplishing this requires a commitment to standards. If 
Congress provides homeland security resources to 50 States, 
absent any kind of systematic direction, it will be used in at 
least 50 different ways, and certainly far more if these 
resources flow to localities. The system that would be built 
under this scenario may have local needs, but they will almost 
certainly not talk to one another unless there is an effort on 
a national level to require a few standards for information 
sharing and security. For information systems, those standards 
fall into three categories: data, integration, and security.
    Data standards provide guidelines for how data is collected 
and stored, making data possible--sharing possible. For 
example, in law enforcement, the Department of Justice has 
defined a standard called the National Incident-Based Reporting 
System, or NIBRS. This standard defines guidelines for 
collecting and reporting information related to criminal 
incidents. So if my system is NIBRS-compliant, and your system 
is NIBRS-compliant, then we can compare data with one another 
because we both use and understand the codes that represent 
that type of criminal incident. Data standards like NIBRS are 
critically important for ensuring that once we establish 
connectivity between systems, we will know how to compare and 
interpret the results.
    Integration standards define how a system exposes its data 
to other systems. For example, Web Services standards like 
WSDL, UDDI, and SOAP, define how a system wraps its data and 
publishes it to other systems. So a system can use these 
standards to say, in effect, I know all about pilot licenses in 
the State of Florida. If you give me a Social Security number, 
I will check your credentials and then give you XML in the 
following format that includes that person's license 
information. This approach means that I don't care what a 
system does or how it was built, I only care that it can accept 
and answer my question.
    Perhaps the most important form of information standard is 
geared toward security. The most significant barrier to 
information sharing will not be technical issues, but concerns 
raised by organizations about exposing their data to 
potentially insecure systems. There are well-established 
standards in existence, and they have matured around the world, 
and they are now accepted globally. In the United States their 
use is managed by NIAP, the National Information Assurance 
Partnership. This is a collaboration between the National 
Security Agency and the National Institute of Standards and 
Technology.
    Consistent government enforcement of security standards has 
been a source of frustration for Oracle. Despite its importance 
to national security, what we too often see is that the 
requirements for independent security evaluations are waived in 
procurement. This summer, a National Information Assurance 
Acquisition policy called NSTISSP No. 11 is scheduled to go 
into effect for systems that contain information relating to 
national security and requires these systems to use products 
that have undergone an independent security evaluation. After 
September 11th, it is fair to say more and more Federal systems 
have a direct link to national security. Thus, policies like 
this one need to be strengthened and enforced through the 
procurement policy.
    What can the Federal Government do to better ensure the use 
of these standards? First, national agencies need to take 
responsibility for defining more data standards as the Justice 
Department has done in the defining of NIBRS. Second, we urge 
Congress not to try and create integration standards. Industry 
and the Internet are defining and refining these standards 
faster than the government possibly could. Exploit what they 
develop. Third, Congress should encourage relevant agencies to 
enforce NSTISSP No. 11. These standards and processes are 
already in place.
    We all know there will be an accounting for how Congress 
has targeted Federal spending on homeland security, and, with 
the President's announcement yesterday, this new Department, 
should Congress create it, will likely be held accountable as 
well for the administrative success of homeland security. If 
the result is 1,000 little systems with no improved national 
capacity to deal with the threat of terrorism, the American 
people will recognize this failure of planning and protection. 
Let's work together to make sure that doesn't happen. Congress, 
in its role as policy leader, can include appropriate standards 
to guide Federal, State, and local organizations down a common 
path of information sharing. The information technology 
industry can devise the systems to make sure these policies can 
work to accomplish our national goals.
    Thank you again, Mr. Chairman, for the opportunity to be 
heard today. I look forward to answering any questions you 
have.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Fitzgerald follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.075
    
    [GRAPHIC] [TIFF OMITTED] T5840.076
    
    [GRAPHIC] [TIFF OMITTED] T5840.077
    
    [GRAPHIC] [TIFF OMITTED] T5840.078
    
    Mr. Tom Davis of Virginia. Mr. Johnson.
    Mr. Johnson. Mr. Chairman and members of the subcommittee, 
thank you for this opportunity to share KPMG Consulting's views 
on the topic of homeland security. My name is Dan Johnson, and 
I lead our public services business unit, which is comprised of 
over 3,000----
    Mr. Tom Davis of Virginia. Mr. Johnson, you don't need to 
keep it a secret; you need to turn on your microphone.
    Mr. Johnson. Got it now?
    Mr. Tom Davis of Virginia. Got it.
    Mr. Johnson. Sorry. I'll start over again.
    Mr. Chairman and members of the subcommittee, thank you for 
this opportunity to share KPMG Consulting's views on the topic 
of homeland security. My name is Dan Johnson, and I lead our 
public services business unit, which is comprised of over 3,000 
professionals serving Federal, State, and local government 
clients.
    KPMG Consulting supports large-scale information technology 
modernization programs at many of the Federal agencies that are 
critical to our homeland security efforts, including the 
Immigration and Naturalization Service, the Customs Service, 
the Department of State, the Internal Revenue Service, the 
Federal Aviation Administration, Coast Guard, and the military 
departments, as well as many public safety agencies in key 
States such as Pennsylvania, New York, Texas, California, South 
Carolina, and the District of Columbia. Most recently we have 
been engaged to help stand up the Transportation Security 
Agency in defining its mission activities in business processes 
as well as supporting development of an entry/exit system at 
Immigration and Naturalization Service which would document the 
arrival and departure of aliens at U.S. ports of entry.
    Mr. Chairman, we feel that our 40 years of experience in 
serving government entities such as these and the knowledge of 
their organizations, systems, processes, and protocols that 
experience brings uniquely qualifies KPMG Consulting to discuss 
change management issues and technology acquisition measures as 
they relate to homeland security. In the aftermath of September 
11th, when KPMG Consulting mobilized to provide recovery 
assistance to our New York Port Authority and New York 
Department of Finance clients at the World Trade Center, as 
well as our DOD Office of the Comptroller clients at the 
Pentagon, the requirements for a higher level of cooperation 
and collaboration between Federal, State, and local 
governments, as well as the private sector, has reached a new 
level of urgency. We would like to address several areas which 
will impact and challenge attaining that higher level of 
integration.
    The first is leveraging existing capabilities. We must get 
a firm grasp of the information available today, the 
technologies that are being employed, and match that data and 
those technologies to identifiable programs. An example we are 
most familiar with is the Pennsylvania Criminal Justice 
Network, commonly referred to as JNET. Following the crash of 
United Airlines Flight 93 in Western Pennsylvania, a JNET 
terminal was set up for the FBI. Running the Flight 93 
passenger list through JNET and searching multiple Commonwealth 
justice system data bases simultaneously, the FBI was able to 
identify one of the suspected terrorists on board, and 
confirmed that another suspected terrorist was, in fact, 
already incarcerated.
    The JNET story is a microcosm of the challenges that 
homeland security faces. Initiated in 1998, it overcame the 
stovepipe territorial issues of sharing sensitive information 
across 17 different State agencies, 2 cities, and 20 counties, 
now totaling over 5,000 users this year. It did so with an 
architecture which lent itself to gradual and interactive 
development showing incremental benefit and promoting comfort 
among its stakeholders as it evolved. It did so through strong 
executive sponsorship and a centralized independent budget for 
it alone. It did so through protecting the integrity of the 
individual stakeholder data bases by implementing rigid access 
controls, and it did so by establishing a government structure 
in which all the key stakeholders were represented.
    The second area, as agencies look across their investments 
with an eye toward addressing homeland security missions, they 
must first determine what information is needed before looking 
for new technology solutions. They must match this with their 
understanding of what their problems are, what technologies 
exist today to address those problems, and how can they best 
leverage those technology solutions and improve upon them. 
Then, and only then, can agencies take the next step of 
determining what else needs to be done, what other technologies 
must be acquired.
    Last, Mr. Chairman, we commend you for introducing H.R. 
4629, which would establish a program to encourage and support 
carrying out innovative proposals to enhance homeland security. 
Its provisions for the streamlined acquisition of innovative 
solutions certainly is needed.
    In our experience, application of IT investment and 
portfolio management disciplines is essential to the success of 
a technology program of the magnitude of homeland security. A 
set of standard criteria should be established to streamline 
and focus the screening of these technology proposals and to 
normalize the evaluation of their potential. Using this type of 
approach, each proposal is viewed as a component of an overall 
homeland security technology portfolio. The portfolio would be 
continuously monitored and adjusted as new proposals were 
presented and technologies were tested and implemented, and 
would ensure that all components of homeland security are 
considered against an integrated framework.
    Mr. Chairman, again, thank you for holding this important 
hearing today. We look forward to working closely with you and 
the rest of the subcommittee in any way you deem appropriate.
    Mr. Tom Davis of Virginia. Thank you very much.
    [The prepared statement of Mr. Johnson follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.079
    
    [GRAPHIC] [TIFF OMITTED] T5840.080
    
    [GRAPHIC] [TIFF OMITTED] T5840.081
    
    [GRAPHIC] [TIFF OMITTED] T5840.082
    
    [GRAPHIC] [TIFF OMITTED] T5840.083
    
    [GRAPHIC] [TIFF OMITTED] T5840.084
    
    Mr. Tom Davis of Virginia. Mr. Pomata, you are our cleanup 
speaker here.
    Mr. Pomata. Thank you. Mr. Chairman, thank you for the 
opportunity to testify today. My name is Len Pomata, and I 
serve as the president of webMethods' Federal business unit, 
part of webMethods, Incorporated, a Fairfax, Virginia, company.
    WebMethods manufactures integration software, a technology 
that enables the government agencies and companies of all sizes 
to connect their computers and data systems together. The 
technology is straightforward, cost-effective, reliable, 
secure, and readily available. It facilitates the right 
information getting to the right people at the right time.
    It is interesting that much of America's investment to date 
in homeland security has been spent on the last line of 
defense, guards, gates, and guns. That's a natural and critical 
part of the response, but there is a part of the September 11th 
answer that has still received too little public attention, and 
that is the use of information technology as a proactive first 
line of defense. It is ironic, because it is information 
technology and those capabilities that give America one of the 
greatest competitive advantages in combating terrorism and 
securing the homeland.
    The INS and the FBI are currently highly visible examples 
of the need for integration software and the sharing of 
information across agencies. Like most Americans, I applaud 
these agencies for their dedicated employees and their 
leadership, but there are lessons we have learned and can learn 
from the events of September and the importance of sharing 
critical information. In some instances agencies had identified 
important information, but the information was not effectively 
coordinated into a common view or given to relevant officials.
    I realize that in many instances substantial policy and 
political issues may argue against sharing, but there is no 
technological reason. My point, Mr. Chairman, is that sharing 
of critical information, both inside and outside the 
government, is straightforward and relatively easy. Linking 
systems has become secure and affordable. At webMethods, we 
know this because we do this every day in our business.
    Public and private sector organizations alike face the 
cultural policy issues, but I would like to mention a few 
lessons that we have learned in addressing this with our 
customers.
    First, organizations don't have to share or integrate 
entire systems, only that which is important, only that which 
is defined as part of their critical mission. Defining those as 
precisely as possible can make the cultural and political 
boundaries and barriers seem much lower than they may first 
appear.
    Second, simply connecting data bases and applications does 
not produce the right information to the right people. It is 
necessary to define the mission and particular information to 
be shared in a logical process, and not an artificial 
organization. That is what determines what--and you need to 
determine who is providing and who is receiving information. 
Those are the critical parts.
    Third, it should be remembered the purpose of integrating 
information is not just to distribute it, but to be able to 
push it or give it to those--that right information to the 
high-level officials as well as down to the field agents that 
may need it in a push technology.
    Fourth, as customers like Covisint, an e-business exchange 
for major automakers, we have discovered the utility of 
building an online hub, for instance, that has competitive 
organizations plugging in, and without disclosing proprietary 
information works very well in the commercial sector, and this 
is a model that I think the government may use for sharing 
information in the public sector.
    You know, there is a temptation to think that with so much 
money already spent on information systems, surely we can be 
much better at coordinating information; but these systems have 
become increasingly more complex, and have been dedicated to 
very specific tasks, and have become individual silos and 
islands of information, which actually can sometimes hamper the 
facilitation of information coordination. These systems contain 
mountains of information, and, as a result, helping them simply 
to communicate with each other has the potential to tap 
tremendous new value from existing resources.
    Traditionally this integration of disparate systems, 
applications, and data bases has taken place through costly, 
time-consuming customization efforts. Until recently, it would 
require deploying scores of programmers and software writers to 
go into a company or agency and manually write code to create 
custom connections among these systems. In recent years, 
particularly in the last 12 to 17 months, this has become 
virtually unnecessary. It can now be done far more quickly, 
cheaply, and reliably, largely through off-the-shelf software. 
As a result, companies and agencies can now modernize and 
extend the life of old systems and avoid the huge expense of 
replacing them, much like the Navy might view in extending the 
life with modernization of one of their ships.
    Integration software can make this happen now amongst the 
vast--and makes this happen now amongst the vast majority of 
the top 2,000 global companies. Government, too, is now 
appreciating the power and the potential of this latest IT 
revolution.
    Integration software depends on language protocols. One of 
those is XML. Recently the GAO emphasized the importance of XML 
and the need for government to focus on it in terms of 
standards and utilization. As the GAO pointed out, XML offers 
the greatest potential for agencies to share information with 
each other and across the government. XML is here now and is 
the language that can be used to integrate complex technology 
systems, built over time, multiple platforms, and they can work 
together.
    Mr. Chairman and members of the committee, every American 
recognizes the importance of homeland security, and for obvious 
reasons. My message to you is that government, recognizing the 
importance of information technology, information sharing, and 
new integration technologies, can contribute to this effort. 
This subcommittee in particular, and the committee in general, 
has been the voice of ensuring the effective use of different 
technology gets distributed across the government. Mr. 
Chairman, I applaud this hearing and encourage you to continue 
this program.
    Finally, Mr. Chairman, I, as well as some of the other 
panelists, would like to take this opportunity to express my 
strong support for H.R. 4629, your bill. As any business 
executive can tell you, even the brightest and best ideas would 
not advance unless there was a process and organization that 
could properly review them and advance them. Especially in 
times that call for urgent action, there must be an effective 
and efficient clearinghouse within the government to consider 
leading-edge technology. Your idea was well thought out and 
responded to concerns of your February hearing. I know that the 
committee considers the testimony of its witnesses, and I 
appreciate the opportunity for the private sector to be at this 
hearing. I stand ready to answer any questions.
    Mr. Tom Davis of Virginia. Thank you.
    [The prepared statement of Mr. Pomata follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.085
    
    [GRAPHIC] [TIFF OMITTED] T5840.086
    
    [GRAPHIC] [TIFF OMITTED] T5840.087
    
    [GRAPHIC] [TIFF OMITTED] T5840.088
    
    Mr. Tom Davis of Virginia. I am going to recognize.
    Ms. Davis to start the questions, but I've got to ask this 
question: This XML, this is new to me. Is this kind of a 
universal language that everybody can tap into?
    Mr. Fitzgerald. Central markup language.
    Mr. Pomata. And it is used within the Internet. It's an 
Internet technology language. It allows many different types of 
systems over many different platforms to communicate through 
the Internet and share information.
    Mr. Tom Davis of Virginia. How widely used is that in the 
private sector?
    Mr. Pomata. Very, very extensively.
    Mr. Fitzgerald. Pervasively.
    Mr. Tom Davis of Virginia. You have got to remember, I left 
PRC in, what, 1994.
    Mr. Pomata. A few years ago.
    Mr. Tom Davis of Virginia. I'm just trying to get it.
    OK. Ms. Davis.
    Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman.
    And thank you, gentlemen, for being here.
    And, Dr. Sugar, it is a pleasure to see you again.
    You know, I sit on the House Armed Services Committee, and 
you talk about turf wars, you have got the Army, Navy, Air 
Force, Marines, and there is a little turf war there sometimes. 
But in this war in Afghanistan, I was able to watch how, when 
there was a requirement, we had an Army fellow on a horse, and 
we had a Navy pilot in the sky, and within a 2-week period they 
developed technology on a Palm Pilot for that Army fellow, the 
soldier on the horse, to let the Navy pilot know exactly where 
to drop the bomb. So in a 2-week period, we can get the 
technology.
    And, Mr. Johnson, I want to go to you.
    Well, Dr. Sugar, I heard you say that requirements were--
you were still waiting on the requirements. And you heard me in 
the former panel ask those why we don't have them; and, if I 
heard you correct, Mr. Johnson, you said that relatively, you 
know, in a short period of time, you could get those 
requirements. Those weren't your words, but that's what I 
gleaned out of it. But we are 9 months since September 11th, 
and we don't have requirements. We are nowhere close in many of 
these agencies to seeing what we need to help us with homeland 
security, and we are getting ready here to vote on the proposed 
new Department of Homeland Security.
    Should we be having a struggle getting those requirements 
from these agencies? I know you are contracted with some of 
them, but not all of them. Can you help us out, help me out, 
there to understand why we don't have them?
    Mr. Johnson. Well, I think the driver here is the sense of 
urgency. When we were prosecuting the war in Afghanistan, the 
sense of urgency was very, very high in terms of being able to 
get things done on short notice. The example I used in 
Pennsylvania, again, was a situation where it is a somewhat 
smaller group of people, a little narrowly focused effort to go 
forward with. But the driver is--this country can do amazing 
things in short order when there is a sense of urgency to drive 
it to that, and I think many of us see that we don't see that 
sense of urgency as being pushed down through the organization 
to execute those things in a rapid fashion.
    Ms. Jo Ann Davis of Virginia. Well, I would certainly hope 
we don't have a another disaster for that sense of urgency.
    Dr. Sugar, do you want to add something?
    Mr. Sugar. Could I add to that? I certainly agree on the 
urgency sense. There is no question about that necessity is the 
mother of invention. When lives are on the line, people do 
remarkable things and put aside partisan and parochial 
boundaries.
    There is also an issue of skills, and skills and the 
ability to know how to define requirements, how to transform a 
nebulous set of needs or vague sense of wants into very 
specific actionable statements and quantitative measures that 
can be used, and then put in place the technology that solves 
the problem. That's a skills set which doesn't generally 
reside, quite frankly, in most of the agencies in the U.S. 
Government, and generally does not reside in great abundance in 
the State and local government agencies around the country. 
That is not an indictment of them, it is just simply a fact 
that it is just not something that has been done. It has been 
developed in the Intelligence Community, it has been developed 
in the Department of Defense. Certainly the ballistic missile 
program and all these things have enforced that discipline.
    So, there is an issue of not just urgency and a desire, but 
there is an issue of skills and capability.
    One thought could be that, for the Office of Homeland 
Security and perhaps even for this agency that might be created 
by such a bill as proposed here, you could have either a DARPA-
like or a systems-engineering-like organization, a seat-like 
organization whose job it is to look at being sort of a central 
clearinghouse of requirements and standards so that you don't 
have to replicate the creation of something every police 
department in the Nation is going to need, you know, at every 
police department. So the thought of skills and methodology 
would be very helpful here as well.
    Ms. Jo Ann Davis of Virginia. Well, let me ask, on the 
Department of Homeland Security that is proposed, as I 
understand it, there is going to be one element that would 
analyze all the information. So if I am hearing you correct--
all the information from, I guess, the FBI, everyone, I guess. 
If I'm hearing you all correctly, that wouldn't even be--I 
mean, it's not possible because we can't get the information to 
them; is that correct?
    Mr. Fitzgerald. That's----
    Ms. Jo Ann Davis of Virginia. Is that what I'm hearing?
    Mr. Fitzgerald [continuing]. Pretty much correct. Grants 
will be given by the Justice Department to local police 
departments to build systems, and then we will have necessary 
standards associated with those, so when the information that 
they gather is requested, it may not be able to be understood 
by the Office of Homeland Defense.
    Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. I 
think that is all I have.
    Mr. Tom Davis of Virginia. Thank you very much.
    Mr. Turner.
    Mr. Turner. Thank you, Mr. Chairman.
    Dr. Sugar, talk to us a little bit about the problem that 
you mentioned briefly in your testimony that you had with the 
Postal Service on the liability issue for the anthrax, the 
detection equipment purchase.
    Mr. Sugar. Yeah. And, again, this is not the forum to talk 
about a very specific issue and a specific contract, but it 
does, I think, represent a problem we are all facing.
    We have a system which we think can solve a problem. We had 
a certain quantity of these things planned to be ordered. We 
had to cut back that quantity because we were unwilling to take 
it past the stage of prototype demonstration until we were 
certain that putting it in the field, and if there were any 
unintended consequences, it would not come back and materially 
impact or financially destroy our company. That's really the 
situation.
    Now, there is an indemnification, I guess the 85804, which 
is in place for--which is public law, which helps; it's nuclear 
and other identification, and that is very helpful. It is used 
certainly in all of our defense work.
    What's not as clear is when we migrate the products to 
other civilian agencies, the State and local agencies or, 
frankly, even the private sector, for example, a private 
company that owns and operates a nuclear power plant and wants 
to utilize one of our great devices that one of our companies 
comes up with, how do you ensure that we're not going to end 
up, you know, having a situation where no good deed ever goes 
unpunished? We do something good, and we have something happen 
bad. It's a serious issue.
    I'm not a lawyer, but I know that this is now becoming--
emerging as a stumbling block on even the very few RFPs and 
programs we're seeing. I think you're going to see this become 
a very broad issue. It's going to become a policy issue for the 
Nation.
    On the other hand, I would say that no Federal agency wants 
to take on unlimited liability that may be created by a 
contractor who provides a device which then reflects back on 
the government.
    So we're going to have to find some way as a Nation to 
figure out how to share this so we can get on with applying 
technology correctly.
    Mr. Turner. So you're saying there's no statutory authority 
now for an agency to negotiate this issue of liability with a 
private sector vendor?
    Mr. Sugar. I think there is in some cases. I know, for 
example, with the U.S. Navy we can receive, because we build 
nuclear aircraft carriers, a nuclear indemnification as part of 
85804. I'm not sure how widely that is allowed with other 
agencies or whether it, in fact, becomes a local decision of 
the contracting officer on any given procurement.
    Mr. Fitzgerald. Capping liabilities would clearly be a step 
in the right direction.
    Mr. Turner. Thank you.
    Mr. Tom Davis of Virginia. Thank you. I appreciate you 
raising the liability issue, because we don't think about that.
    Many times as we go out to contracting and--government 
lawyers are trained to protect the government. If something 
goes wrong, it's the other guy's fault; and, of course, it has 
the end result of sometimes discouraging some of those 
innovative ideas, innovative companies, from doing business 
with the government. You get higher markups in the private 
sector, you know, why do you have to come here?
    So I appreciate you raising that. I think we will take a 
closer look at that.
    Any more specific examples that you can give to the 
subcommittee in terms of where that has been a deterrent or 
where maybe a company has in good faith provided a service and 
it went awry and they ended up losing their shirt? I know some 
State and local government instances of that, but at the 
Federal level that would be helpful to get it into the record 
so the members could understand why they're waiving something 
that otherwise it seems we wouldn't do. So I appreciate you 
raising that factor, and we'll take a closer look at that.
    You know, virtually all of the private-sector witnesses 
here today have, in one way or another, expressed a concern 
about our ability to take advantage of the technology that the 
private sector has to offer. I think there's a great 
frustration at this point among companies who have invested in 
new ideas and think they can be of service, maybe make a profit 
along the way. But you have ideas that we're just not 
utilizing. What are the specific problems you face in getting 
that to market at this point?
    Maybe this homeland security agency will be more of a 
clearinghouse. Maybe our legislation, if it is enacted, can at 
least give you some kind of organized route where you can 
pursue some of these. But do you have particular concerns 
regarding attacks on computer systems and infrastructure and 
intellectual property piracy issues?
    Let me just try to hit those two offhand. Does anybody want 
to go----
    Mr. Fitzgerald. Yeah, sure.
    For Oracle Corp., I think our frustration comes in--we 
built systems specifically for the government for intelligence 
and defense purposes to share classified data, various 
classifications to audit all data to make sure we know who sees 
what. Once we spent the millions and tens of millions of 
dollars to build these systems, the government tends not to 
include them as part of the procurement process; and we sit 
there and scratch our heads at that. We've built a solution 
specifically to attack a problem like this, and then when it's 
waived or it's--agencies are given waivers around the policies 
associated with security and the sharing of classified data, we 
wonder why we spent the money to do it.
    So I guess our situation is slightly different, Congressman 
Davis, in the sense that we stepped up the ante and put the 
money to do the development. Then we find that many agencies 
won't use what we've developed, and it's been developed for 
that purpose.
    Mr. Tom Davis of Virginia. Let me ask--Mr. Pomata, let me 
ask you. You've been in the business a long time.
    The Federal Government has a history of failed system 
development efforts. A lot of times we've spent a lot of money 
and we don't get what we want. It used to be that it was driven 
by the procurements itself, that we were so afraid of--once 
you'd go out with an RFP, you were so afraid of changing it 
even as your needs changed, because you'd have to go back out 
to the street. You're afraid of protests.
    We've tried to loosen that up a little bit. I don't know 
how it's actually working, but we're trying to loosen it up a 
little bit so that the government buyers who know what they 
want can go off and they have GWACS and schedules and areas 
where they can go out and say, here's what we want, how do you 
provide it? And not have to go out the route we used to have to 
have.
    Can you think of other steps that the government can take 
to ensure that systems that we get work properly? You've sat on 
the other side of this for years.
    Mr. Pomata. I think a couple things. I think----
    Mr. Tom Davis of Virginia. Go ahead.
    Mr. Pomata. Did you----
    Mr. Tom Davis of Virginia. No. I was going to go with you 
first.
    Mr. Pomata. Sorry. One of the things I think of is that 
requirements need to be well defined. We know that. But as 
procurements progress, there are typically requirement changes. 
So there needs to be some flexibility on both sides to be able 
to understand as changes come up how to handle them.
    The other thing we found is that a lot of the requirements 
in the IT world and a lot of the way procurements were proposed 
and executed was that, rather than utilize commercial 
standards, rather than utilize commercial off-the-shelf 
software, the government always insisted that they had unique 
requirements and that they had to be custom tailored to what 
they needed to do, as opposed to try to change some of the 
processes to conform and to use off-the-shelf software, a lower 
risk approach. So, typically, the risk is higher when you try 
to customize things.
    Mr. Tom Davis of Virginia. And more expensive, too.
    Mr. Pomata. And more expensive. And I think part of the 
solution there is for--even in homeland defense certainly there 
are mission-critical things that are going to be very specific 
and very important to the way the government needs to look at 
data and needs to do business, but I would suggest there are 
robust off-the-shelf technologies available that can be 
implemented quicker, faster and more--and cheaper into the 
systems at lower risks to solve the government's problem. I 
think we should look at that.
    Mr. Tom Davis of Virginia. OK. Does anyone else want to add 
anything to that?
    Mr. Johnson. Yes, I'd like to add a few things.
    There are a couple of aspects that are common to many of 
the failures that we've seen. One is in some cases a lack of 
top leadership which can push down activity requirements and 
implementation across multiple stovepipes. In other words, 
without top management, emphasis on a major program of that 
size is typically doomed to failure.
    A second one is there has to be a very strong government 
project manager and project team involved going forward, and 
oftentimes there's a shortage of those within government 
agencies.
    A third one is that these large-scale systems and 
implementation efforts are certainly team approaches. They 
cannot be executed from an arm's-length arrangement between 
contractor and government agency. The team going forward needs 
to be effectively transparent and committed to the success of 
the program, rather than operating in an impeding communication 
kind of atmosphere.
    Mr. Tom Davis of Virginia. OK. Anyone else on that?
    Let me address the culture issues. Improving information 
sharing for homeland security is one of the largest changes to 
management initiatives I think that's ever been attempted. Many 
view the culture gap between the public and the private sectors 
as just a significant impediment to leveraging private sector 
management expertise to private and the information sharing 
that we need to get to. Any suggestions for bridging the gap?
    Mr. Fitzgerald. Well, I think it's somewhat hard, because 
there's an arm's-length relationship between the government and 
the contractors on many of these projects. We all have to 
remember, at the same time, we all have the best interests of 
the country involved. We want to bring our skills to bear on 
these innovative solutions, as the bill you're sponsoring 
points out, and there has to be a little bit of a trust factor. 
I know trust is a difficult commodity to have between 
government and industry, but the stakes are very high.
    Mr. Tom Davis of Virginia. Now, you all hire people who 
worked for the government to come work for you.
    Mr. Fitzgerald. Yes.
    Mr. Tom Davis of Virginia. They could have some knowledge 
to try to at least do translations and speak the language.
    Mr. Fitzgerald. Yeah. And that does help, Congressman. But, 
again, there is still an insular attitude toward the private 
sector. So I think there just has to--and I'm not sure what the 
answer to that is. We really don't. We've all struggled with 
that. But I know from speaking with the other members with me 
today, I mean, we're all sitting here with one purpose. We are 
interested, we are capable, and we all believe in what we have 
ahead of us is a very important project.
    Mr. Tom Davis of Virginia. Dr. Sugar, let me ask you a 
question. In your testimony, you talked about much of what 
Northrop Grumman has done for years and that the defense 
program area can be adopted for use domestically by State and 
even local organizations. In your experience, do the State and 
local organizations have the human resources needed to 
implement these programs?
    Mr. Sugar. Well, the fact is it varies, but generally not 
at the levels that you'd want. I think that the challenge here 
is to create standard solutions that we can replicate, that are 
easy to use, that we can also assist with training and to 
conduct exercises in standard ways so that you're not 
reinventing the wheel.
    You know, if you think about it, we have 40 or 50 Federal 
agencies, 50 States and probably 200 cities of more than 
100,000 or 200,000 people. So you can imagine that if everybody 
is trying to solve a problem like this, you might have 10,000, 
50,000 solutions, and that is total chaos. And the irony is 
it's basically the same problem. It's the same problem being 
replicated.
    So one value we could have here from your bill and from a 
central department is that a certain class of problems which 
are going to clearly be what you might call killer apps in the 
software business, where you have a standard need for a baggage 
detection or a standard need for a sniffer for biochem or 
something, can be identified. Requirements can be quickly 
finalized for it. RFPs can go out. The best ideas from industry 
can be brought together, and that can become a standard 
solution.
    It doesn't even necessarily have to be the same guy. It can 
be a standard set of specifications that apply; and as long as 
you comply with that you've got a qualified device that is 
homeland security, department-qualified, and that becomes the 
standard.
    By the way, if that is used in some way which creates an 
unintended consequence but you did comply with this in good 
faith, you have some limitations around your liability. I think 
that is the way to address the issue of the training and 
viability for the people around----
    Mr. Tom Davis of Virginia. We don't even have to legislate 
this. We're such a huge purchaser in the market that if we 
could keep our procurement needs consistent we would be able to 
define the marketplace. But we're not consistent. That's one of 
the problems.
    Mr. Fitzgerald. In the granting process as well, too, 
because many of these systems will be purchased through grants 
from various agencies.
    Mr. Tom Davis of Virginia. That's where Mr. Forman and the 
previous panel just need to step up. Still so often within 
agencies we're finding disparate ways to get there, and it's 
just not consistent. That really rings true.
    Well, I want to thank you all. Those are all the questions 
I have.
    Any other questions for the panelists?
    I said I'd get us out at 12, and we're a few minutes late, 
but actually the questions took a little longer.
    I think this has been a good panel and a very timely panel, 
and I appreciate the thoughtfulness and reflection that each of 
you have brought to this today.
    Let me sum up. I'm going to enter into the record the 
briefing memo distributed to the subcommittee members.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] T5840.089
    
    [GRAPHIC] [TIFF OMITTED] T5840.090
    
    [GRAPHIC] [TIFF OMITTED] T5840.091
    
    [GRAPHIC] [TIFF OMITTED] T5840.092
    
    [GRAPHIC] [TIFF OMITTED] T5840.093
    
    Mr. Tom Davis of Virginia. We'll hold the record open for 2 
weeks from today for those who want to forward submissions for 
possible inclusion. I suggest, with the delay of regular mail 
going in and out of the Capitol campus, that you e-mail these 
submissions to the attention of my counsel, George Rogers, and 
we'll get them in.
    All right. Thank you very much. These proceedings are 
closed.
    [Whereupon, at 12:12 p.m., the subcommittee was adjourned.]

                                   -