[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
H.R. 3844, THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
FINANCIAL MANAGEMENT AND
INTERGOVERNMENTAL RELATIONS
of the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
ON
H.R. 3844
TO STRENGTHEN FEDERAL GOVERNMENT INFORMATION SECURITY, INCLUDING
THROUGH THE REQUIREMENT FOR THE DEVELOPMENT OF MANDATORY INFORMATION
SECURITY RISK MANAGEMENT STANDARDS
__________
MAY 2, 2002
__________
Serial No. 107-190
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
86-343 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California PATSY T. MINK, Hawaii
JOHN L. MICA, Florida CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania THOMAS H. ALLEN, Maine
DAVE WELDON, Florida JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia ------
JOHN J. DUNCAN, Jr., Tennessee BERNARD SANDERS, Vermont
------ ------ (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations
STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida MAJOR R. OWENS, New York
DOUG OSE, California PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Earl Pierce, Professional Staff Member
Justin Paulhamus, Clerk
Mark Stephenson, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on May 2, 2002...................................... 1
Text of H.R. 3844............................................ 3
Statement of:
Dacey, Robert F., Director, Information Security, U.S.
General Accounting Office; Mark A. Forman, Associate
Director, Information Technology and E-Government, Office
of Management and Budget; Daniel G. Wolf, Director,
Information Assurance Directorate, National Security
Agency; Benjamin H. Wu, Deputy Under Secretary, Commerce
for Technology Administration, Department of Commerce;
Ronald E. Miller, Chief Information Officer, Federal
Emergency Management Agency; David C. Williams, Treasury
Inspector General, Tax Administration; and James X.
Dempsey, deputy director, Center for Democracy and
Technology................................................. 46
Letters, statements, etc., submitted for the record by:
Dacey, Robert F., Director, Information Security, U.S.
General Accounting Office, prepared statement of........... 48
Davis, Hon. Tom, a Representative in Congress from the State
of Virginia, prepared statement of......................... 44
Dempsey, James X., deputy director, Center for Democracy and
Technology, prepared statement of.......................... 124
Forman, Mark A., Associate Director, Information Technology
and E-Government, Office of Management and Budget, prepared
statement of............................................... 74
Miller, Ronald E., Chief Information Officer, Federal
Emergency Management Agency, prepared statement of......... 110
Schakowsky, Hon. Janice D., a Representative in Congress from
the State of Illinois, prepared statement of............... 143
Turner, Hon. Jim, a Representative in Congress from the State
of Texas, prepared statement of............................ 40
Williams, David C., Treasury Inspector General, Tax
Administration, prepared statement of...................... 118
Wolf, Daniel G., Director, Information Assurance Directorate,
National Security Agency, prepared statement of............ 87
Wu, Benjamin H., Deputy Under Secretary, Commerce for
Technology Administration, Department of Commerce, prepared
statement of............................................... 101
H.R. 3844, THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
----------
THURSDAY, MAY 2, 2002
House of Representatives,
Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:02 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn, Davis, Schakowsky, and
Turner.
Staff present: J. Russell George, staff director and chief
counsel; Bonnie Heald, deputy staff director and communications
director; Earl Pierce, professional staff member; Henry Wray,
senior counsel; Justin Paulhamus and Teddy Kidd, clerks; Chip
Nottingham, counsel; David McMillen and Mark Stephenson,
minority professional staff members; and Jean Gosa, minority
assistant clerk.
Mr. Horn. A quorum being present, the Subcommittee on
Government Efficiency, Financial Management and
Intergovernmental Relations will come to order.
I am very pleased that we are holding this joint hearing
with Chairman Davis and his Subcommittee on Technology and
Procurement Policy on H.R. 3844, the Federal Information
Security Management Act of 2002.
It is clear from recent hearings held by our subcommittee
that agency valuations that the work started in 2000 must be
continued. Agencies have not yet developed security plans that
balance protection and cost. Few agencies have implemented
security controls that are adequate to protect against
violations of privacy, data loss, corruption or cyber attacks.
The current reporting requirements imposed by the Government
Information Security Reform Act have brought the scope and
magnitude of security weaknesses into sharp focus in both
Congress and the executive branch. This focus is the first
crucial step in eliminating security weaknesses.
H.R. 3844 incorporates the key provisions of the Government
Information Security Reform Act, including the requirements for
risk-based security management, independent evaluations, and
reporting of agency security programs. The bill also clarifies
some of the language in the original act; it eliminates the
sunset provision of the act and adds new provisions to reflect
lessons learned during the implementation of the 2000 act.
The purpose of today's hearing is to consider the merits of
the legislation and any potential improvements to it. I welcome
today's witnesses and I look forward to working with each of
you to ensure the security of the Government's information
technology resources.
We are delighted to have the gentleman from Texas, Mr.
Turner. He comes from Mr. Davis' committee. We lost him out of
our committee and we miss you. Mr. Turner.
[The text of H.R. 3844 follows:]
[GRAPHIC] [TIFF OMITTED] T6343.083
[GRAPHIC] [TIFF OMITTED] T6343.084
[GRAPHIC] [TIFF OMITTED] T6343.085
[GRAPHIC] [TIFF OMITTED] T6343.086
[GRAPHIC] [TIFF OMITTED] T6343.087
[GRAPHIC] [TIFF OMITTED] T6343.088
[GRAPHIC] [TIFF OMITTED] T6343.089
[GRAPHIC] [TIFF OMITTED] T6343.090
[GRAPHIC] [TIFF OMITTED] T6343.091
[GRAPHIC] [TIFF OMITTED] T6343.092
[GRAPHIC] [TIFF OMITTED] T6343.093
[GRAPHIC] [TIFF OMITTED] T6343.094
[GRAPHIC] [TIFF OMITTED] T6343.095
[GRAPHIC] [TIFF OMITTED] T6343.096
[GRAPHIC] [TIFF OMITTED] T6343.097
[GRAPHIC] [TIFF OMITTED] T6343.098
[GRAPHIC] [TIFF OMITTED] T6343.099
[GRAPHIC] [TIFF OMITTED] T6343.100
[GRAPHIC] [TIFF OMITTED] T6343.101
[GRAPHIC] [TIFF OMITTED] T6343.102
[GRAPHIC] [TIFF OMITTED] T6343.103
[GRAPHIC] [TIFF OMITTED] T6343.104
[GRAPHIC] [TIFF OMITTED] T6343.105
[GRAPHIC] [TIFF OMITTED] T6343.106
[GRAPHIC] [TIFF OMITTED] T6343.107
[GRAPHIC] [TIFF OMITTED] T6343.108
[GRAPHIC] [TIFF OMITTED] T6343.109
[GRAPHIC] [TIFF OMITTED] T6343.110
[GRAPHIC] [TIFF OMITTED] T6343.111
[GRAPHIC] [TIFF OMITTED] T6343.112
[GRAPHIC] [TIFF OMITTED] T6343.113
[GRAPHIC] [TIFF OMITTED] T6343.114
[GRAPHIC] [TIFF OMITTED] T6343.115
[GRAPHIC] [TIFF OMITTED] T6343.116
[GRAPHIC] [TIFF OMITTED] T6343.117
[GRAPHIC] [TIFF OMITTED] T6343.118
Mr. Turner. Thank you, Mr. Chairman. It is good to be at a
hearing with you again because it was a pleasure to serve with
you on your committee during the last Congress.
I understand your committee has had a number of hearings on
the issue of computer security. You have done some very hard
work on the issue and I commend you for the attention you have
paid to this very important matter. I thank you for scheduling
a joint hearing with our committee.
This legislation, the Federal Information Security
Management Act was introduced by the chairman of our
subcommittee, Tom Davis. I want to thank Mr. Davis for his
efforts and his work with the minority in working on the
various provisions of the bill. This legislation, as we know,
will permanently authorize the information security program
evaluation and reporting requirements of the Government
Information Security Reform Act that became law about 18 months
ago and will expire at the end of November.
This law has proved to be very useful in focusing agencies'
attention to the critical issue of computer security by
requiring annual reports to the Office of Management and
Budget. The bill would make a number of changes designed to
strengthen information security across the Federal Government
including the development of minimum information security
standards by the National Institute of Standards and
Technology, creation of a Federal Information Security Incident
Center, and clarification of the definition of national
security systems. Most importantly, it would require that the
reports under this bill would go not only to OMB but to the
Comptroller General of the General Accounting Office to
facilitate better congressional oversight of computer security.
Again, Chairman Horn, I commend you on your leadership on
this issue and I commend Chairman Davis for his sponsorship of
the legislation.
I yield back. Thank you, Mr. Chairman.
[The prepared statement of Hon. Jim Turner follows:]
[GRAPHIC] [TIFF OMITTED] T6343.001
[GRAPHIC] [TIFF OMITTED] T6343.002
Mr. Horn. Thank you.
I am delighted now to greet our Co-Chairman, the gentleman
from Virginia.
Mr. Davis. Good morning.
I want to thank you for holding this hearing in a joint
format and for your many years of leadership on the issues of
information security and improved government management.
I would also like to thank the distinguished group of
witnesses who have joined us today to share their expertise on
the issue of government information security, as well as for
your specific comments on H.R. 3844.
Government information security is not a new issue to this
committee and it is certainly not a new issue to our witnesses
today. Billions of dollars have been spent over the years,
numerous legislative administrative initiatives have been
implemented and some of the best thinking and most respected
expertise on information security has been cultivated by our
Federal Government in an ongoing effort to protect our
information technology systems from intrusion and tampering.
Overall, I believe that our Federal workers and managers
deserve enormous credit for adopting to the complex and fast-
moving changes that have been thrust upon our government by the
information technology revolution. Similarly, I believe we are
on the right track in strengthening our management information
security. Clearly this administration, represented by several
talented leaders here today, is taking this issue seriously and
is working harder than ever to better secure our Federal
Government's information assets.
While today's discussion focuses on just one bill that will
extend and hopefully improve the existing information security
management process, it was first codified 2 years ago with the
enactment of GISRA. We should not lose sight of the big
picture, the fact that our Nation is facing a growing and very
real threat from those who seek to harm us by targeting our
information systems in an effort to disrupt and disable the
effective operation of our government. Every day we learn of
new attacks on our information systems and every day IT
experts, managers and procurement officers are working to stay
one step ahead of the threat.
That is why it is critically important for Congress to lend
a hand in providing direction that brings coordination,
increased management attention and real accountability to the
Federal information security sector. I believe it would be a
mistake for Congress to micromanage the executive branch's
efforts in this area and we need to avoid the temptation to
prescribe a rigid, one-size fits all standard that is likely to
become outdated quickly as technology and know-how evolve.
At the same time, I am not satisfied with our Federal
Government's overall performance in securing our information
infrastructure. The bottom line is, we are still too
vulnerable. Record IT security expenditures and unprecedented
attention to IT security, while important indicators of level
of effort, are not the benchmarks we should use to determine
success. Instead, we need to focus on developing strong, risk-
based, agency-wide security management programs that cover all
operations and assets of our Federal agencies.
In addition, new legislative guidance is needed to require
the development, promulgation and compliance with mandatory
management controls for securing information systems and
managing risks as determined by agencies.
I think H.R. 3844 clarifies and strengthens the existing
Government Information Security Reform Act of 2000 in four
major ways. Under FISMA, we included a number of provisions
that require the development, promulgation and compliance with
minimum mandatory management controls for securing information.
For example, NIST would be required to develop mandatory
information security standards for all agencies. Second,
agencies would be required to submit an annual report featuring
the results of agency evaluations of information security to
both OMB and the Comptroller General. Third, the treatment of
national security systems would be clarified by removing the
term ``mission critical system'' and replacing it with
``national security system.'' This means that only truly
national security and intelligence related information systems
would be exempt from information security risk management
requirements. Fourth, OMB would oversee the establishment of a
central Federal Information Security Incident Center that would
inform agencies about information security, threats and
vulnerabilities and provide technical assistance to agencies.
In future years, all of us involved with setting and
implementing security policy during these challenging times
will be faced with the question did we do enough to safeguard
our critical information structure. I believe that FISMA will
go a long way toward allowing us to honestly answer that
question in the affirmative.
I look forward to our hearing today, to improving this
legislation if needed, and to ultimately bringing it forward to
enactment.
Thank you.
[The prepared of Hon. Tom Davis follows:]
[GRAPHIC] [TIFF OMITTED] T6343.003
[GRAPHIC] [TIFF OMITTED] T6343.004
Mr. Horn. We will begin with panel one. Our first witness,
and not a stranger to these committees, is Robert F. Dacey,
Director, Information Security, U.S. General Accounting Office,
headed by the Comptroller General of the United States. We
appreciate all the work the GAO does. We will announce one of
their books as we end this particular hearing.
STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY,
U.S. GENERAL ACCOUNTING OFFICE; MARK A. FORMAN, ASSOCIATE
DIRECTOR, INFORMATION TECHNOLOGY AND E-GOVERNMENT, OFFICE OF
MANAGEMENT AND BUDGET; DANIEL G. WOLF, DIRECTOR, INFORMATION
ASSURANCE DIRECTORATE, NATIONAL SECURITY AGENCY; BENJAMIN H.
WU, DEPUTY UNDER SECRETARY, COMMERCE FOR TECHNOLOGY
ADMINISTRATION, DEPARTMENT OF COMMERCE; RONALD E. MILLER, CHIEF
INFORMATION OFFICER, FEDERAL EMERGENCY MANAGEMENT AGENCY; DAVID
C. WILLIAMS, TREASURY INSPECTOR GENERAL, TAX ADMINISTRATION;
AND JAMES X. DEMPSEY, DEPUTY DIRECTOR, CENTER FOR DEMOCRACY AND
TECHNOLOGY
Mr. Dacey. I am pleased to be here today to discuss the
proposed Federal Information Security Management Act of 2002,
FISMA. As you requested, I will briefly summarize my written
statement.
Since September 1996, we have reported that poor
information security is a widespread Federal problem with
potentially devastating consequences. Although agencies have
taken steps to redesign and strengthen their information
security programs, our analyses of information security at
major agencies have shown that Federal systems were not being
adequately protected from computer-based threats, even though
these systems process, store and transmit enormous amounts of
sensitive data and are indispensable to many Federal
operations.
Concerned with these reports, Congress passed into law the
Government Information Security Reform provisions commonly
referred to as GISRA to reduce these risks and provide more
effective oversight of Federal information security. First year
implementation of GISRA represented a significant step in
improving Federal agency information security programs and
addressing longstanding weaknesses.
For example, agencies have noted benefits from GISRA such
as increased management attention to and accountability for
information security and have stated that as a result of
implementing GISRA, they are taking significant steps to
improve their information security programs. Agency IGs also
view GISRA as a positive step toward improving information
security, also noting the increased management attention.
In addition, the administration has taken important actions
to address information security such as plans to integrate
information security into the President's management agenda
scorecard. Such benefits and planned actions demonstrate the
importance of GISRA's requirements and the significant impact
they have had on information security in the Federal
Government.
FISMA would permanently authorize and strengthen the
information security program, evaluation and reporting
requirements established by GISRA which is to expire in
November of this year. We believe the continued authorization
of such important information security legislation is essential
to sustaining agency efforts to identify and correct
significant weaknesses.
Further, this authorization would reinforce the Federal
Government's commitment to establishing information security as
an integral part of its operations and help ensure that the
administration and Congress continue to receive the information
they need to effectively manage and oversee Federal information
security.
FISMA continues several important GISRA provisions,
including requiring agency program managers and CIOs to
implement a risk-based security management program covering all
operations of the agency; second, requiring an independent
annual evaluation of each agency's information security
program; third, taking a governmentwide approach to information
security by accommodating a wide range of information security
needs and applying requirements to all agencies, including
those involved in national security; and fourth, through annual
reporting requirements, providing a means for both OMB and the
Congress to oversee the effectiveness of agency and
governmentwide information security, measure progress in
improving information security, and consider information
security in budget deliberations.
FISMA also proposes a number of changes and clarifications
to strengthen information security, some of which address
issues noted in the first year implementation of GISRA. In
particular, the bill requires the development, promulgation and
compliance with minimum mandatory management controls for
securing information and information systems, creates the
requirement for annual agency reporting to both OMB and the
Comptroller General, and clarifies the definition of and
evaluation of responsibilities for national security systems.
In addition, the bill proposes other changes that would require
Federal agencies to strengthen their information security
programs, update the information and security responsibilities
missed, and clarify other otherwise streamline definitions and
legislative language.
In addition to reauthorizing information security
legislation, there are a number of other important steps the
administration and agencies should take to ensure information
security receives appropriate attention and resources and that
known deficiencies are addressed. These include delineating the
roles and responsibilities of the numerous entities involved in
Federal information security and related aspects of critical
infrastructure protection; obtaining adequate technical
expertise to select, implement, and maintain controls to
protect information systems and allocating sufficient agency
resources for information security.
As the chairman noted, later today the committee will be
releasing a report which summarizes our testimony on March 6
and makes certain recommendations for improving GISRA and its
implementation.
Mr. Chairman, this concludes my statement. I would be
pleased to answer any questions that you or the Members may
have.
[The prepared statement of Mr. Dacey follows:]
[GRAPHIC] [TIFF OMITTED] T6343.005
[GRAPHIC] [TIFF OMITTED] T6343.006
[GRAPHIC] [TIFF OMITTED] T6343.007
[GRAPHIC] [TIFF OMITTED] T6343.008
[GRAPHIC] [TIFF OMITTED] T6343.009
[GRAPHIC] [TIFF OMITTED] T6343.010
[GRAPHIC] [TIFF OMITTED] T6343.011
[GRAPHIC] [TIFF OMITTED] T6343.012
[GRAPHIC] [TIFF OMITTED] T6343.013
[GRAPHIC] [TIFF OMITTED] T6343.014
[GRAPHIC] [TIFF OMITTED] T6343.015
[GRAPHIC] [TIFF OMITTED] T6343.016
[GRAPHIC] [TIFF OMITTED] T6343.017
[GRAPHIC] [TIFF OMITTED] T6343.018
[GRAPHIC] [TIFF OMITTED] T6343.019
[GRAPHIC] [TIFF OMITTED] T6343.020
[GRAPHIC] [TIFF OMITTED] T6343.021
[GRAPHIC] [TIFF OMITTED] T6343.022
[GRAPHIC] [TIFF OMITTED] T6343.023
[GRAPHIC] [TIFF OMITTED] T6343.024
[GRAPHIC] [TIFF OMITTED] T6343.025
[GRAPHIC] [TIFF OMITTED] T6343.026
[GRAPHIC] [TIFF OMITTED] T6343.027
Mr. Horn. Thank you very much. As usual, the GAO comes
through.
Now we have a new person with a rich background, Mark A.
Forman, Associate Director, Information and Technology and E-
Government, Office of Management and Budget. He knows more
about any of these problems I think than all the rest of us put
together. He created and lead the IBM Americas Public Sector E-
Business Consultant Services, was senior professional staff
member of our Senate portion of the other body, Senate
Governmental Affairs Committee. He has been deeply involved in
both the Congress and the executive branch. We are glad to have
you here.
Mr. Forman. Thank you. I am glad to be here and I
appreciate you inviting me to discuss the Federal Information
Security Management Act and the administration's views.
I also want to thank your committee and Chairman Davis'
committee for the continued vigilance on government computer
security. I have been in my job now for 10 months and we have
had three hearings on this. It is becoming almost quarterly and
I actually think that is good that we have that continued
oversight.
We at OMB and other administration officials have discussed
components of the Federal Information Security Management Act
with your staff and we are still developing an administration
position on the bill. As you will hear from my agency
colleagues today, there are many divergent views on various
provisions. We look forward to working with you and Chairman
Davis to make the bill successful as it moves through the
legislative process.
As you know, the President has given a high priority to the
security of government assets as well as improving the overall
management performance of Executive agencies. These priorities
are interrelated. As I discussed this March before the
committee, our review of agency security programs found that
most security issues in the government are fundamentally
management issues. We are tracking progress on both issues
through use of the executive branch score card for the
President's management agenda. If an agency does not meet the
IT security criteria, it will not achieve a green score,
regardless of their performance under the other e-government
criteria.
OMB reported in our February 13 Security Benchmark Report
to Congress on Government Information Security that as is, the
current state of security across the Federal enterprise is
poor. We reported on six fundamental governmentwide weaknesses
as well as agency-specific gaps. We find those weaknesses are
pervasive and many exist across the Federal community,
including the national security community. We found that
agencies must greatly increase their degree of senior
management attention, measure performance of officials charged
with security responsibility and improve security education and
awareness, fully integrate security into their capital planning
investment and control process and enterprise architecture,
ensure that contractor services are adequately secured, and
improve the ability to detect, report and share information on
incidents and vulnerabilities.
As we look at the future or what we call the ``to be''
state of Federal security, we believe it is one of the active
measures that will continue to anticipate and respond to future
needs. The future vision of Federal security incorporates
active measures and we have to be able to both prepare and
defend against attacks where preemption is not possible so that
we know how our own information systems survive attacks when
defenses fail.
Such a state is somewhere off in the future, however, and
such a number of fundamental management and program reforms are
needed to support it. Particularly, we need to complete the
development of governmentwide and agency-specific architectures
within which business processes have been unified and
simplified, and get rid of unnecessary duplication so we not
only promote common ways to conduct government business, it
will permit common protection regimes and simplified security
approaches.
The ``to be'' state also requires much in the way of using
automated security tools that reduce the need for human
intervention and reduce human error and resource requirements.
The ``to be'' state of anticipating threats will also require
something that is woefully lacking today, rapid and in-depth
threat analysis. Today's analysis products largely consist of
consolidated reports of what is happening or what has already
occurred. That is not good enough. We must improve the
development, quality and wide distribution of effective threat
analysis and response regimes.
OMB is pursuing a five part approach to improved government
security which includes items such as business cases, capital
planning, project matrix analysis, which I have spoken about
before, annual agency security reports and corrective action
plans that reflect priorities. All efforts must come together
to clear us clear audit trails that link the needs, corrective
action plans and spending priorities including business cases.
More detail on that is in my prepared statement.
Through this five part approach, we are building toward a
``to be'' state and believe within 18 months we will have
demonstrably improved performance and results in agency
security programs. We give some of the details of that in my
prepared statement. That includes using security performance
measures that identify the gaps and set priorities within each
agency and form agency and OMB budget decisions and assist in
preparing the President's budget.
We are also identifying opportunities to reduce or
eliminate unnecessary duplication of security effort among
agencies making certain practices more uniform and
consolidating programs and operations to increase performance
while reducing costs. Among the candidates for consolidating
greater uniformity are consolidating the security curriculum as
well as the actual conduct of training and education and
awareness for Federal employees; improving incident handling,
information sharing, software patch identification and
distribution; improving methods for grading or designating the
level of risk, assigning core security requirements for
operations, assets and the same risk level, unifying and
simplifying requirements for and implementation of contingency
planning and continuity of operations, improving security and
the acquisition of products and services, very similar to some
of the concepts outlined in Congressman Davis' bill.
While many security requirements within the Government are
similar, many are distinctly different. Therefore we must be
careful and resist overly simplistic attempts to standardize
management, operational and technical security controls.
Security controls must be built to the specifications of the
programs, not programs built to security initiatives.
NIST continues to play a critical role in supporting OMB
and assisting agencies in improving their security performance
and there are details in my prepared testimony.
I want to finish up by talking about the specific stats
associated with the OMB chaired executive branch Information
Systems Security Committee which is one of the components of
the President's Critical Infrastructure Board. I mentioned this
in my statement at the March hearing.
Last month, we held our first meeting of the committee and
have begun work on the following four issues, and details are
in my prepared testimony: grading risks; uniform security
practices, including acquisition of products and services;
review of current policy standards and guidance.
Future security reporting will drive the performance
improvements not simply tallying numbers. As GAO, OMB and
others recognize, today's information security world demands
each agency employ a continuing process of risk-management that
keeps pace with rapidly evolving threats and vulnerabilities.
So too, OMB's oversight process must keep up with the changes
in status. A conventional view is the comparison should show
security weaknesses have been reduced and no new ones have
cropped up. That, we believe, is the old way of thinking.
Identifying more weaknesses is not necessarily a reflection
of performance. Reaching the ``to be'' state I described
earlier demands more deeply and more often into programs and
systems to find problems as the vulnerabilities arise and
before they can be exploited. The more you look, the more you
find.
In conclusion, we have developed a strategy to measure
program performance and drive improvements by an order of
magnitude. Some of what is needed involves technology, much
more involves integrating security into project development and
management decisionmaking. At this point in time, new standards
and technology, while impacting little in improving security
performance, must be first addressed and correct management
weaknesses.
We look forward to working with the committee and
Congressman Davis as the bill moves forward through the
process.
[The prepared statement of Mr. Forman follows:]
[GRAPHIC] [TIFF OMITTED] T6343.028
[GRAPHIC] [TIFF OMITTED] T6343.029
[GRAPHIC] [TIFF OMITTED] T6343.030
[GRAPHIC] [TIFF OMITTED] T6343.031
[GRAPHIC] [TIFF OMITTED] T6343.032
[GRAPHIC] [TIFF OMITTED] T6343.033
[GRAPHIC] [TIFF OMITTED] T6343.034
[GRAPHIC] [TIFF OMITTED] T6343.035
[GRAPHIC] [TIFF OMITTED] T6343.036
[GRAPHIC] [TIFF OMITTED] T6343.037
[GRAPHIC] [TIFF OMITTED] T6343.038
Mr. Horn. We thank you for that and we will have a number
of questions when we finish the panel.
We next have Daniel G. Wolf, Director, Information
Assurance Directorate, National Security Agency. He has had
responsibility for the various information situations and
strategies to protect the defense information infrastructure
and as appropriate, the national information infrastructure. He
spent about 33 years in this type of analytic work and has
received numerous awards for his many contributions in defense
intelligence communities. We are delighted to have you here. We
have had great cooperation from the National Security Agency
and we appreciate the tough job he has and they have. We are
glad to have you here. Mr. Wolf.
Mr. Wolf. My name is Dan Wolf and I am NSA's Information
Assurance Director. I appreciate the opportunity to be here
today to talk about information technology security as your
subcommittee considers H.R. 3844.
My organization is responsible for providing IA
technologies, services, processes and policies that protect
national security information systems throughout DOD, the
intelligence community and related law enforcement agencies.
While some may suggest that NSA's perspective is too narrow
because we focus on national security systems, I would like to
note NSA has been in the business of protecting information
systems from attack and exploitation since 1953.
During NSA's nearly 50 years of producing not only policy
but also in the hard work of developing security products and
services to implement these policies, we have learned, and I
believe we agree with many members of this committee that
successful information security demands aggressive management
oversight, extensive sharing of best practices and a bedrock
foundation of proven security standards.
While I am not in a position to express the
administration's view of H.R. 3844, I thought it might be
helpful if I shared NSA's technical experience in these matters
with you. There are a number of areas in H.R. 3844 where we
believe improvements can be made based on our experience. My
written testimony goes into much more detail but I would like
to briefly highlight four areas.
The first area is defining and identifying national
security and mission critical systems. We suggest that the
proposed definition for identifying national security systems
in H.R. 3844 might add more confusion to an already complex
process. We have also learned by analysis of dependence between
computer systems during the Y2K crisis, that there are many
similarities found in identifying and protecting mission
critical systems and national security systems. Therefore, we
suggest that you consider keeping the original GISRA definition
of national security systems.
In a related matter, the provision that directs NIST to
develop guidelines for identifying an information system as a
national security system is unnecessary because the national
security system is already defined in the existing laws.
The second area is risk assessments and system engineer
connection management processes. There are many references to a
risk assessment process in H.R. 3844. It has been our
experience that useful risk assessments are extremely difficult
to complete and maintain. This problem gets especially
dangerous when you consider that although these systems are
assessed for risk independently, they soon become
interconnected. We have consistently found one organization's
risk calculations and assumptions will be very different from
another unless the process of performing the risk assessment is
exceptionally well specified and managed.
We suggest that a standard method for performing risk
assessments be developed for use throughout the Federal
Government. It must describe not only the assessment process
but also define standard methods for characterizing threats,
defining potential mission failures and include a process for
ensuring that these baseline risk assessments are periodically
reevaluated, especially as changes are made in connectivity.
The quality of risk assessments for our interconnected systems
must not be left to chance or independent decisions. Otherwise,
the weakest link in the chain will fail.
Third, coordinating incident detection and consequence
management, the defense of Federal and DOD networks against
cyber attacks requires a robust and time sensitive defense in-
depth approach. NSA's National Security Incidence Response
Center provides real-time reporting of cyber attack incidences.
Through around the clock, 7-day-a-week operation, NSIRC
provides DOD, the intelligence community and the Federal law
offices with information valuable in identifying and
encountering cyber attacks. NSA has established a trusted
relationship with the Fed CIRC. Moreover, we have similar
relations with the National Infrastructure Protection Center
and the NIPC and the Department of Defense's Incidence Center,
the DODCERT. We believe that adding a new Federal Incident
Management Center as described in the proposed legislation
would add unnecessary redundancy and decrease both the
efficiency and effectiveness of our existing processes.
Fourth, sharing vulnerability information, the technology
we used today throughout the Government and the private sector
is a veritable monoculture. For example, this means that
knowledge of vulnerability discovered in a system at the Labor
Department could be used by an adversary to attack the computer
in the Defense Department. While we agree it is extremely
important for all Federal departments to share vulnerability
information, we also believe this information must be
disseminated only through consideration regarding the
consequences, not just to an organization's internal systems
but the consequences to all Government systems is vulnerability
becomes widely known.
I would like to thank the members of both subcommittees for
your consistently strong interest and attention to this vital
area. Your leadership is providing a public service by raising
the issue of the serious security challenges we are all facing
in the age of interconnected and interdependent networks.
This concludes my testimony. I would be happy to answer any
questions.
[The prepared statement of Mr. Wolf follows:]
[GRAPHIC] [TIFF OMITTED] T6343.039
[GRAPHIC] [TIFF OMITTED] T6343.040
[GRAPHIC] [TIFF OMITTED] T6343.041
[GRAPHIC] [TIFF OMITTED] T6343.042
[GRAPHIC] [TIFF OMITTED] T6343.043
[GRAPHIC] [TIFF OMITTED] T6343.044
[GRAPHIC] [TIFF OMITTED] T6343.045
[GRAPHIC] [TIFF OMITTED] T6343.046
[GRAPHIC] [TIFF OMITTED] T6343.047
[GRAPHIC] [TIFF OMITTED] T6343.048
[GRAPHIC] [TIFF OMITTED] T6343.049
Mr. Horn. Thank you.
Next is a person well known to this subcommittee and the
Congress, Mr. Benjamin Wu, Deputy Under Secretary of Commerce
for Technology Administration, Department of Commerce. He was
very helpful to us in our Y2K computer problems and worked very
closely with Representative Morella of Maryland in her role on
the Science Committee as well as in Government Reform. Nice to
see you again.
Mr. Wu. Thank you, Chairman Horn, and good morning. Good
morning to you, Mr. Davis and also Ranking Member Schakowsky.
On behalf of the Department of Commerce's Technology
Administration and its National Institute of Standards and
Technology, I want to share with you our views on Congressman
Davis' bill, H.R. 3844.
Let me first commend you, Mr. Chairman, and the entire
subcommittee for continuing to focus on the critical issue of
cyber security in the Federal Government. Today's hearing will
once again remind Federal agencies that cyber security must be
addressed in a comprehensive manner and on a continuing basis.
As you mentioned, I had the privilege and the pleasure of
working with you, Chairman Horn, and also Chairman Davis, as we
successfully battled the Y2K computer problem which some have
drawn parallels to the issue of computer security. With Y2K as
you well know, we knew who the enemy was, we knew how it was
going to strike, we knew when it was going to attack. We don't
have that luxury with computer security. That is why it is
important that we continue to focus on Federal efforts on
computer security and I am very proud that NIST plays an
important cyber security role for our Nation.
We have specific statutory responsibilities for Federal
agencies under the Computer Security Act of 1987 and also its
follow on legislation, including GISA. NIST has been tasked by
Congress to develop standards and guidelines to assist the
Federal Government in protection of sensitive, unclassified
systems. These responsibilities supplement NIST's broader
mission of strengthening the U.S. economy, including proving
the competitiveness of America's information technology
industry.
In support of this mission, NIST conducts standards and
technology work to help industry produce more secure, yet cost
effective products which we believe will enhance
competitiveness in the marketplace. Having more secure products
available in the marketplace will also benefit Federal agencies
because they principally use commercial products that construct
and secure their systems.
The Computer Security Division in our Information
Technology Laboratory is the focal point of our cyber security
program. The Computer Security Division focuses on a few key
areas: photography standards and applications, security
research, security management, and security testing. In
previous testimony before this committee on March 6, the
Director of NIST, Arden Bement, provided you with a broad
review of current NIST activities undertaken to fulfill our
important cyber security responsibilities, so it is not
necessary to repeat to you what NIST is doing now but I do want
to discuss with you what NIST would be asked to do if H.R. 3844
was enacted, as introduced, and offer some comments.
Under FISMA, NIST would be tasked with a number of
responsibilities ranging from developing IT standards and
guidelines, developing security standards and guidelines,
consulting with other Federal agencies, providing assistance to
agencies, submitting proposed standards and guidelines to OMB
for promulgation, conducting security research, developing
security performance indicators, evaluating private sector
information, security policies and also reporting annually to
OMB among others.
Additionally germane to NIST's key security
responsibilities, H.R. 3844 would establish an Office for
Information Security Programs at NIST which the director would
be responsible for administering. NIST information security
responsibilities, under FISMA, authorize a $20 million level
funding for NIST's security program, rename the computer
security system and Privacy Advisory Board as the Information
Security Board with new responsibilities, as well as
eliminating the existing process under limited and specified
circumstances for agencies to waive the use of mandatory and
binding security standards.
The Department believes that overall, the drafters of the
bill are to be commended for taking a sound and practical
approach to information security, one that will serve the
Nation well in the years ahead. The bill appropriately
maintains existing separation of responsibilities for security
and sensitive systems, which is a major concern for the IT
industry.
Current NIST activities are well aligned with the majority
of the bill's provisions and additional activities, specific
assignments and also the envisioned growth of NIST in the cyber
security program will further strengthen the security of all
Federal security agency systems. Moreover, the bill will
promote the consistencies in the protection accorded to similar
systems and information across the entire Government.
Let me respectfully offer, however, the Department's
specific concerns on the bill for the committee's
consideration. I am mindful of the time constraints I have so
let me just run over them in general. I would be happy to
respond to them at a later point in the questions.
One is proposed transfer authority to issue standards and
guidelines from the Secretary of Commerce to the Director of
OMB. We believe that should be reconsidered because the
Secretary represents industry and that is an inherent function
of the Secretary.
In the bill there are also a number of references to the
standards development role of OMB. We believe that OMB develops
and issues broad security policy and guidance and this should
be clarified vis-a-vis what NIST does in collaboration with
OMB.
The third concern has to do with the agency's current
limited ability to waive mandatory and binding standards.
Finally, the bill would also require that NIST provide OMB
with an annual report regarding major deficiencies in
information security at Federal agencies and since NIST's
responsibilities do not extend to providing day-to-day
operational security for Federal systems and Federal agencies,
any such report we believe would be woefully incomplete.
I want to close by emphasizing that our national commitment
to improving cyber security must be increased in Federal
agencies and elsewhere. As Congressman Davis' bill
reemphasizes, there is much more to be done as we address cyber
security in the Federal Government. The NIST cyber security
program has a proven track record of success and stands ready
to work with you, the committee and other Federal agencies in
the enhanced role envisioned in FISMA.
Thank you very much.
[The prepared statement of Mr. Wu follows:]
[GRAPHIC] [TIFF OMITTED] T6343.050
[GRAPHIC] [TIFF OMITTED] T6343.051
[GRAPHIC] [TIFF OMITTED] T6343.052
[GRAPHIC] [TIFF OMITTED] T6343.053
[GRAPHIC] [TIFF OMITTED] T6343.054
[GRAPHIC] [TIFF OMITTED] T6343.055
[GRAPHIC] [TIFF OMITTED] T6343.056
Mr. Horn. We appreciate your testimony and we will get into
that in the question period shortly.
Our next witness is Ronald E. Miller, Chief Information
Officer and Assistant Director, Information Technology Services
Director, Federal Emergency Management Agency, FEMA. That is a
very fine agency. Over the last 10 years, they have really put
their act together and with all the problems that have come
forth with tornadoes, floods, you name it, they have done great
work with all of us in the Congress.
Mr. Miller, you have a very fine record in the military. We
are glad to see you here.
Mr. Miller. Thank you, Chairman Horn, Chairman Davis and
members of the committee.
I would like to take the opportunity to thank you for
addressing this very important issue and while I cannot present
the administration's view, I would like to share both FEMA's
position on information security and my perspective as the
security liaison for the CIO Council.
Very briefly I want to spend a few moments talking about
FEMA's approach to IT security. It is fairly straightforward.
As a Federal agency, we are required to deliver mandated
products and services and we must do so in full compliance with
laws of the land. That includes the security requirements put
forth in public laws, executive branch directives, Federal
standards and agency-specific policies. We view those
requirements as being the minimum set of security standards
that we must comply with in the development of our systems, so
that in that regard we want to include a certain set of steps
to take for every system we implement. Those steps include
formally certified system security plan, formal accreditation
and approval to operate by the appropriate management official,
tested contingency plans, implemented incident handling
capabilities, security education awareness program and a
capital plan for funding security across the systems life
cycle.
Our approach is to use a well disciplined capital planning
and investment process and ensure security costs are
incorporated into the system development life cycle. Our
capital planning process is strongly linked to the agency's
performance plan and goals. Using this approach, we have
created a framework whereby IT solutions are implemented to
support prioritized agency mission requirements and security is
made a part of the IT solution itself. In this manner, we are
also able to determine that the resources we apply to our IT
security activities are directly aligned with the agency's
performance goals.
With regard to GISRA, there are noticeable improvements in
the area of IT security because of the enactment of that
legislation because it helped put management focus on this
important problem. We still have need for additional progress
and believe that FISMA is sound and will help.
The CIO community overall views GISRA as a very positive
step forward because it codified many of the requirements put
forth in OMB Circular 30. The codification of those
requirements signaled a heightened awareness on the part of the
legislative branch concerning the importance of implementing
adequate IT security. It also helped to clarify the role of the
Chief Information Officer as being responsible for implementing
an adequate IT security program across the agencies. It
required that a senior official be designated to head IT
security and that official would report directly to the CIO.
We find the annual report requirement to be particularly
useful because it allows us to not only gain a full perspective
on the state of our security programs, but it also ensures that
the state of IT security is well documented and understood by
senior agency managers. In general, we see FISMA as similar to
GISRA in most regards and we are confident in our abilities to
implement if enacted.
There are areas where we believe the bill needs improvement
and we would like to see it address the following. First, we
would like to see a stronger link between IT security
requirements and the capital planning process, stronger
emphasis on resources for IT security training, the retention
of IT security professionals, support for day to day security
efforts and individual accountability for security.
We need to ensure that capital planning investments include
consideration for security which is a powerful incentive for
program officials. We believe we need a work force that is well
trained and prepared to address the complex issues found in IT
security and an emphasis should be placed on providing
resources that provide training to employees responsible for
implementing these standards.
We also believe we need to look to retaining the work force
once we have recruited and trained folks that are skilled in IT
security. We support the administration's Managerial
Flexibility Act which would allow Federal agencies the
flexibility to provide hiring and retention incentives to
potential employees, including IT security professionals.
There needs to be overarching support for the day to day
security efforts across the Federal Government such as CERT,
the FedCIRC, incident support, patch distribution service is
just beginning at GSA, training and guidelines and soon. We
need to hold Federal Government officials individually
responsible in their performance plans for the implementation
of security within their programs. OMB has certainly taken a
step in the right direction with the balanced score card.
The world has changed in many ways since September 11th and
I believe that with the concept of electronic government, the
security requirements are more prevalent now than ever before.
I am looking forward to working with the committee and each one
of you in helping the Federal Government address needed
improvements in Federal IT security.
Thank you for this opportunity. I look forward to questions
at the end of the testimony.
[The prepared statement of Mr. Miller follows:]
[GRAPHIC] [TIFF OMITTED] T6343.057
[GRAPHIC] [TIFF OMITTED] T6343.058
[GRAPHIC] [TIFF OMITTED] T6343.059
[GRAPHIC] [TIFF OMITTED] T6343.060
[GRAPHIC] [TIFF OMITTED] T6343.061
[GRAPHIC] [TIFF OMITTED] T6343.062
Mr. Horn. Thank you.
Next is David C. Williams, Inspector General of quite a few
agencies. He started out, I suspect, being a Special Agent in
both the U.S. Secret Service but also in U.S. military
intelligence. He is a recipient of a U.S. Bronze Star and the
Vietnamese Medal of Honor. We are delighted to have you here.
I had one question on the Inspector General role with the
Tax Administration. Was that to deal with the 100,000 people
that are in IRS or the clients they deal with?
Mr. Williams. I believe we have a very strong commitment
toward their clients, the taxpayers and certainly as
represented through the House and Senate committees. Our
coverage involves the activities of the Tax Administration,
which is both the IRS and some policy units inside main
Treasury.
Mr. Horn. Great. Go ahead with your summary.
Mr. Williams. I appreciate the opportunity to appear today
to provide an Inspector General's perspective.
Government agencies continue to struggle with the
appropriate balance between IT security and computing capacity,
too often with an overwhelming bias toward speed and ease of
operations. The Government Information Security Reform Act has
served as an essential beacon urging agencies toward a more
balanced course. During fiscal year 2001, the GISRA assessments
identified substantial vulnerabilities across government that
could threaten the security of information systems. These
included formal security training and awareness programs for
all employees were frequently ineffective or nonexistent.
In the IRS for instance, 70 of 100 employees were willing
to compromise their passwords during pretext telephone calls by
IG auditors. No matter how strong other controls may be,
employees can often be the most vulnerable component of an
agency's IT security program.
Specific performance measures were often absent such as the
effectiveness of efforts to reduce the impact of computer
viruses. Oversight of contractors was not sufficient and many
had not received the necessary background clearances. An
unacceptable number of systems and applications critical to the
agency missions were not security certified or accredited.
System intrusion incidents were not consistently reported and
shared throughout the Government to assist agencies to
proactively identify and combat hacking. Security controls
often seem to be an after thought in IT budget investment
decisions and senior managers often assumed little
responsibility for IT security within their programs, deferring
entirely to small security offices.
To increase the likelihood of success, agencies need to be
held accountable for their security programs. Some agencies
appear to view the GISRA annual reporting process as a pro
forma exercise. To assure GISRA effectiveness funding requests
for IT initiatives should be contingent on the integration of
adequate security controls. To assist agencies in adhering to
GISRA and H.R. 3844 provisions, we offer the following
suggestions to improve the consistency in conducting and
reporting information security assessments and investigations.
Certain terminology should be clarified to avoid confusion
in reporting. Terms such as programs, systems, networks,
mission critical and mission essential are subject to varying
interpretations. Agency officials should be required to use the
NIST IT security assessment framework. Agency and IG reporting
requirements should be integrated to reduce duplication of
effort. The OMB should provide implementation and guidance at
the beginning of each reporting year. Annual submissions should
contain a conclusions section on agency compliance with the law
and its overall information security posture.
The IG should be required to evaluate whether agencies have
a process that incorporates information security into their
enterprise architectures. Reporting intrusion incidents to Fed
CIRC should not be limited to national security incidents but
should also include threats to critical infrastructure as was
the case during the Y2K initiative.
Importantly, agencies should identify the IG or another law
enforcement agency that will investigate intrusions and refer
them for prosecution.
In conclusion, while it is still early in the GISRA
implementation process, we are optimistic that if enforced,
GISRA and its successor legislation will ultimately succeed in
strengthening information security throughout the government.
I would be happy to answer questions at the appropriate
time.
[The prepared statement of Mr. Williams follows:]
[GRAPHIC] [TIFF OMITTED] T6343.063
[GRAPHIC] [TIFF OMITTED] T6343.064
[GRAPHIC] [TIFF OMITTED] T6343.065
[GRAPHIC] [TIFF OMITTED] T6343.066
Mr. Horn. Thank you.
Our last presenter before the questioning is James Dempsey,
Deputy Director, Center for Democracy and Technology. You have
a very rich background and I note here that with a Professor
David Cole. What university was he with?
Mr. Dempsey. Georgetown University.
Mr. Horn. You did this book on ``Terrorism and the
Constitution, Sacrificing Civil Liberties in the Name of
National Security.'' The second edition is out, so you are a
well designed author with a second edition in 2002 as well as
journal articles, and a background of Yale and Harvard Law
School.
When I was at Harvard, we used to say there was a great
operation at Yale but they would come to Harvard for an
education. So you covered both, you and the Bush family have
covered all of them.
You are a member of the District of Columbia Bar. Tell us a
bit about the Center for Democracy and Technology.
Mr. Dempsey. Good morning, Mr. Chairman, Chairman Davis and
Congresswoman. Thank you very much for inviting us to testify
this morning on the important issue of the security of Federal
Government computer systems.
The Center for Democracy and Technology is a non-profit,
public interest organization. Our goals include enhancing
privacy protections for individuals and preserving and
promoting the democratic potential of the Internet. We work
closely with industry and with policymakers to develop balanced
policy solutions to the information technology issues that face
both the Government and the private sector. We focus much of
our attention on the Internet because we believe that, more
than any other medium, it has characteristics that are uniquely
supportive of democratic values. The Internet has the power to
enhance the delivery of Government services, to provide cost
efficiencies for government, businesses and individuals, and to
facilitate interaction between the Government and its citizens.
Hanging over that and potentially threatening that
potential is the vulnerability of computer networks, which also
affects fundamental government operations and the private
sector, and the economy as well.
Unlike the gentlemen who testified before me who are very
much in the trenches dealing with this issue, I am going to
take, if I could, a somewhat broader perspective, looking at
the issue of government information system security in a
somewhat broader context.
I want to congratulate you, Chairman Horn, and Chairman
Davis, for your leadership in addressing this issue in a
comprehensive and serious way. I commend you for bringing
forward H.R. 3844 to build on the important progress of GISRA.
My basic message today is that, in developing and
implementing policy solutions for the security deficiencies
that exist in government computer systems, it is imperative to
recognize and preserve the open, innovative, and interactive
nature of the medium and to use that to promote the government
objectives that all of these agencies are so nobly trying to
advance.
In creating a standard, setting policy for government
computer systems, we urge you to draw upon the expertise of the
private sector. Chairman Davis referred to the importance of
having flexibility and to recognize the speed with which this
technology is developing, and to buildupon developments within
the private sector where systems designers and managers are
grappling with these same issues of balancing security,
efficiency, privacy and openness.
On the point of privacy particularly,k we believe that it
needs to be a part of the equation of computer security. If you
look at any of the legislation and the fair information
principles going back to the 1970's, privacy and security
always went hand in hand.
I have four basic suggestions or comments on the
legislation today. One is to focus on government computer
systems not information per se. The question of management of
government information generally, its security, disclosure,
privacy, is a very complicated subject. With lots of
legislation, while clearly what we are talking about today is
the unique challenges, threats and difficulties posed by
networked computer systems. Yet if you look at the legislation,
it refers to information and information systems. I think all
of the focus here at the table is on information systems which
pose these unique, documented vulnerabilities and the need for
some top down leadership within the Government to get the
Government's security house in order. That should be the focus
and I think unintentionally perhaps the legislation is a little
misleading in that regard.
Second, is to recognize and promote a balanced approach.
Security needs to be dealt with in tandem with privacy,
openness and efficiency, which are the four interests I think
the goal is to balance. In looking at the legislation as it is
drafted, I don't think that balancing point comes through
clearly enough.
Third, it is necessary, particularly at this time, to
preserve and enhance within the executive branch a privacy
advisory function. The bill would amend the charter of the
Computer Systems Security and Privacy Advisory Board as I read
it to remove privacy from the jurisdiction of that body and at
this time, I think it is very important to have within and
available to the Federal Government an advisory function that
looks at the privacy implications of computer system design and
other information issues facing the Government.
Fourth, just to repeat the point about working with, and
consulting with a broad range of interests within the private
sector where there is obviously a tremendous amount of energy
and attention being given to these computer security issues.
These are the people designing the systems. Some of the same
problems and vulnerabilities that the Government is grappling
with are recognized in the private sector as well.
We would look forward to working with you. I look forward
to answering your questions. Thank you again for inviting COT
to testify today.
[The prepared statement of Mr. Dempsey follows:]
[GRAPHIC] [TIFF OMITTED] T6343.067
[GRAPHIC] [TIFF OMITTED] T6343.068
[GRAPHIC] [TIFF OMITTED] T6343.069
Mr. Horn. Thank you.
We now yield 10 minutes to the gentleman from Virginia to
begin the questioning.
Mr. Davis. My intent for the Incident Center was not to
create multiple centers or to duplicate existing centers, but
to ensure that there be at least one governmentwide center and
that it have a strong statutory mandate to provide effective
instant response and assistance to all agencies.
The bill makes it very clear that it is up to OMB to ensure
that such a center is established. Does anyone have a problem
with the Federal Government having a strong central information
security incident response?
Mr. Williams. Not only do I not have a problem, I think it
is a very good idea. At this point, we don't have a very mature
process for identifying the kinds of incidents to be forwarded,
we are still feeling our way through dissemination and with
regard to dissemination of the information once we gather and
analyze it. There is not necessarily a strong, consistent way
of dealing with the incidents once we identify them. We don't
want them just to pass, we want to aggressively move against
them where the intrusion has been illegal.
We need something like this. This is pointed in the right
direction, it is a void and I am for it.
Mr. Forman. I think clearly as indicated in my testimony,
that is the direction we have been moving within the executive
branch in how we have been using FedCIRC and the capabilities
they have been building. The corollary to creating the
organization is the process and that is what is really lacking.
We need to not just think about the annual reporting and risk
management process. When you deal at the incident level, you
deal basically within 24 hours as a cycle of time. That means
we have to have a very streamlined, fast and responsive process
to the vulnerabilities and the threats. It is a 3 x 3 matrix of
potential risks, vulnerabilities, and responses the agencies
have to look at.
This is clearly one of the areas where we definitely agree.
Things need to be done and I would go so far as to say, not
just in the organization itself, but in the type of
streamlining process, reporting response requirements. There
should be some guidance.
Mr. Wolf. In my testimony, I stated that we have several
centers set up and we interact with them on a routine basis. I
think it is important that you emphasize in terms of what gets
reported and the processes of how all that gets put together.
Mr. Dempsey. Just one comment. I think the prior
administration stubbed its toe on this issue to some extent
when it talked about the FIDNET intrusion detection monitoring
system and put that forward without adequately considering the
privacy issues that posed. I think that is a classic example of
how privacy should be built into decisionmaking and development
processes because I think while there is tremendous merit to a
centralized information security incident center, some of the
issues of intrusion detection do raise obvious privacy issues
that need to be addressed or otherwise the thing is going to
run into criticism and potential problems again.
Mr. Miller. From the perspective of an agency, my hope is
that we have a center of excellence to support what we are
trying to do in the area of IT security. It may be more of a
process issue than an organizational issue, but the bottom line
for us is that we need help in getting that kind of support. If
we can bring the resources of the Federal Government together
in such a way that they can provide us with that center of
excellence we can report to, that we can get advice and counsel
from in security matters, and that we can get some form of
assistance when we have a critical incident, then that is
always helpful for us. We don't have enough resources to do it
on our own.
Mr. Davis. Mr. Wu, will NIST be able to quickly develop the
standards and guidelines called for in the bill? Some skeptics
have shared concern that NIST is just not up to the task. What
do you think?
Mr. Wu. NIST is prepared and willing to take on any
responsibilities that would be delineated if H.R. 3844 were to
be enacted. We would be working in conjunction with OMB but
also we would be working with industry.
One concern, however, is the NIST resources. I think you
are correct in stating that the current NIST resources may be
overtaxed with some of the responsibilities under FISMA, but
given the importance of the computer security issue, we would
hope that Congress would be kind and look forward to an
appropriation that would be a sufficient amount for NIST to
take on other responsibilities. But the technical expertise,
the energy, and the enthusiasm to take on these
responsibilities is there at NIST.
Mr. Davis. You understand we are not looking for a specific
technical standard that could be quickly outdated and obsolete.
We are looking for more specific guidelines and benchmarks to
take some of the subjectivity and guesswork out of the process
of determining whether an agency has truly done a good job
addressing these information security risks.
Mr. Wu. NIST is very engaged in the voluntary consensus
standards organization process. NIST has worked very closely
with industry to make sure that industry concerns are
represented and NIST also works with the general public as well
and will continue to work with those stakeholders, OMB, and the
other Federal agencies.
Mr. Davis. Mr. Dacey, one of the significant differences
between FISMA and GISRA can be found in the way that FISMA
proposes to define national security systems. As you know,
GISRA added a third category to the traditional two-part
formulation of national security systems and called it
debilitating impact systems. GISRA then includes this third
category in an exemption in allowing these systems to be
excluded from GISRA's information security risk management
requirements. Could you expand on this and discuss some of the
history and policies involved?
Mr. Dacey. The issues related to, that have to do with
that, require you look at the FISMA bill in its entirety. One
of the provisions in there is the requirement for establishment
of risk levels and minimum standards at those various risk
levels. FISMA would include all non-national security systems
in the consideration of that area. So those would be considered
at various risk levels and appropriate minimum standards.
One of the concerns that had been expressed during the
GISRA implementation was how do you define debilitating impact
systems and how will they be treated in the process. They were
excluded, as you said, from some of the other areas of GISRA
and the provisions of GISRA. This would basically put into
place the requirements over those systems that were formerly
debilitating impact but also would allow those to be considered
in terms of risk assessment and various specified levels of
risk.
Mr. Davis. I am also interested in the distinctions between
national security and non-national security systems. In his
prepared statement, Mr. Wolf said there is very little
diversity in the underlying technology and therefore, the
security vulnerabilities found in national security systems as
compared with other Federal systems. It sounds to me like the
steps needed to protect national security systems are the same
as for non-national security systems. Would you agree with
that?
Mr. Dacey. I would agree with the observations that the
technologies that are used in both systems have converged and
are essentially the same types of technologies. Certainly in
the national security systems, they are fairly hardened and
strengthened in terms of the level of security placed on them.
However, we have a lot of sensitive information, too, in the
Federal Government that may require similar levels of
protection in the system.
I think in terms of standards, ideally, there would be a
coordination between national security and non-national
security systems. I think some of the same types of
technologies and controls would be relevant to both and in
considering the different risk levels for non-national security
systems, particularly at the top end with the more secure
needs, those could be very consistent with national security
requirements.
Mr. Wolf. If I could add one comment, the technologies are
very similar. The one thing I would add is that with national
security systems, you do have a higher level encryption,
stronger encryption than you are dealing with in some of the
diplomatic and military activities. So there is a difference
there.
Mr. Davis. Mr. Dempsey, let me ask you a question. I think
we are all concerned with protecting privacy, trying to strike
the right balance between national security, critical
information security and privacy interests of citizens. Would
you agree one of the biggest threats to privacy interest today
is the fact that hackers and other unauthorized individuals can
break into government information systems and access this
personal, sensitive information?
Mr. Dempsey. I think that is an important piece of the
privacy problem. I think that goes to the complementarity
between privacy and security.
Mr. Davis. We put walls around a lot of that information so
that no one should see it who shouldn't get it and yet a hacker
breaks in.
Mr. Dempsey. Exactly, and I agree with that. I think some
of the interests at stake also in terms of privacy involve the
right of individuals under the Privacy Act to access personally
identifiable information that is in the hands of the
Government. On the one hand, the goal of privacy is to preserve
confidentiality but also under the rubric of privacy we have a
broader set of fair information principles, which include the
concept of access. That is part of the balance that I was
talking about.
I agree with you entirely that one of the goals here is not
only to protect government operations but also to protect the
huge amount of personal information the government has.
Mr. Davis. Mr. Williams, with your extensive experience in
law enforcement and IRS, can you share some of your concerns
about the seriousness and the threat our Government is facing
in the information security area without disclosing too much,
the types of problems? That is what we are trying to get at
with this.
Mr. Williams. The threat is serious. We also have the
difficulty of this emerging area being one in which we are
constantly sort of preparing for the last war, the last attack,
rather than being able to look at a completely mature industry
and begin to do some dynamic forward looking things. The things
that concern us and things we have encountered involve the
destruction of information.
We recently caught a contractor who was being discharged
who planted a logic bomb inside three of our servers. We were
able to halt that but had that gone through, an enormous amount
of information would have been lost.
Mr. Davis. Does the contractor get debarred for that, are
they being appropriately sanctioned?
Mr. Williams. The person received 3 years in prison.
Mr. Davis. How about the contractor?
Mr. Williams. The contractor was unaware of the incident.
We did an extensive lessons learned with the contractor but
they appeared to have been as much victimized.
Mr. Davis. Can you explain what a logic bomb is?
Mr. Williams. It was a device triggered when the computer
reached a certain capacity which would allow the person time to
escape and distance himself from the event. At that point
through a system of algorithms, shutdowns and destruction would
automatically begin in a remote fashion while the person was
separated. I am sure there are some other people who are really
good at it but I think that is about how it works.
In addition to the destruction of material, which is more
visible, is the theft of material. I am not sure without our
shields being up, we really even know how many times we are
being raided and sensitive information is being taken. Just at
the IRS, and there is the full spectrum of agencies, we have
the private financial data of 128 million Americans, there is
market sensitive data on there, proprietary data. Those are
things of value.
Another type of crime is altering the data in order to gain
something of value, in order to have benefits brought to
someone that either doesn't exist or doesn't deserve it, or
forgiveness of an IRS obligation, manipulating it to wipe out
the debt.
Those are some of the different flavors of vulnerability
that we have.
Mr. Davis. Mr. Chairman, I think my time is up.
Mr. Horn. We are glad to extend the time. It is your bill,
we are just trying to get it moving.
Mr. Davis. I am satisfied for now.
Mr. Horn. Let us ask the whole panel then, what do you see
as the primary challenges to developing and implementing the
minimum security standards required by the bill? When we
discussed this in the last few days with the staff, I was
particularly interested in the Commerce and NIST bit on various
standards. I would like Mr. Wu to give me an idea of typical
standards we ought to be thinking about.
Mr. Wu. There are a number of standards, encryption
standards, interoperability standards, all very critical to
maintaining an effective computer security infrastructure.
Mr. Horn. What else?
Mr. Wu. Our NIST technical and cyber security team have
been working with those in industry to identify the remaining
standards and other standards that exist and other issues,
trying to be forward thinking to try to be able to find out or
figure out what vulnerabilities there may be in advance and
what we should be looking forward to.
Mr. Horn. And you have a role in that and we need to know
what are the levels of the standards, what is the impact in
terms of security? Or is it just reacting to some particular
case.
Mr. Wu. No, it seems clear that when we have major
information technology glitches, such as Love Bug and other
viruses, that impact not just our Nation but the world, that we
need to be much more forward thinking and that we are too
reactive. It is important for NIST, as well as the industry, to
work together to try to be as responsive, to look at the
vulnerabilities, to intercept them in advance. We work with the
other Federal agencies to do that as well.
Mr. Davis. Mr. Wolf, what is your thinking on this, on the
standards and are they needed and in what direction should they
be developed?
Mr. Wolf. I think standards are very, very important. We
need to make sure we cover the waterfront in terms of all the
areas that need the standards and I think my partner on the
committee here mentioned some of those. We need to make sure
they get implemented. I think that is probably one of the
toughest things in terms of standards out there, do people
actually make use of it? And it goes along with the assessment
that you have in your bill where you talk about the
assessments, where you are actually doing security assessment.
If you have a set of standards, how do you make sure people are
actually implementing them? How do you do an assessment to see
that is happening? And how do you do the reporting to make sure
that happens?
We look at various hacking incidents we see in FedCIRC and
in many cases, it is because people haven't implemented
standards, haven't implemented patches, things like that.
Mr. Horn. It was mentioned earlier that the encryption
would require greater standards than others. What would be the
difference between a domestic agency and an intelligence
foreign affairs agency, would it make much difference in terms
of what NIST is going to undertake which is various types of
standards, could that be used to cross areas? How many simple
standards are there that go across the whole executive branch?
Mr. Wolf. I would say there are certainly things NIST is
doing that apply across the Government. There are probably some
additional things you would want to do in the national security
arena that are probably a little stricter, because of the
nature of the data being handled, the Internet connections, the
internetting, things like that.
Mr. Horn. That makes some common sense. Do you believe we
should continue to manage national security systems separately
from the Federal information systems?
Mr. Wolf. I think you need to set a set of standards, I
think they need to be comprehensive but in some cases, when you
are talking national security, there may be reasons why they
cannot be implemented because of the national security
environment in terms of what we are doing. So I think there are
some distinctions there. Standards are important, they need to
be comprehensive but not necessarily dictating they are always
used. There needs to be that case, where because of national
security, there is a reason you are not going to implement them
and maybe you propose an alternate set of standards for the
national security which may be stricter or may have some
differences because of national security environment.
Mr. Horn. What interests me is can we keep this going with
OMB having the responsibility on behalf of the President and we
are not looking for jobs up here on Capitol Hill, we have
plenty to do. The question will be how do we know and how do
inspectors general, in particular, know when they are being
sandbagged within a particular agency because nobody can talk
to them?
Mr. Wolf. I am afraid I am not qualified to answer that
question. In terms of the role NSA has in terms of defining
what are good security practices across the board, we are very
active with NIST in those. In terms of enforcing those in
various government agencies, we are not able to do that. We
certainly can define what they should be.
Mr. Horn. Mr. Forman, is the best way to see if the CIA is
going along with the type of security situation and to take a
look at it of either leaving it to the Inspector General at CIA
or you are going to do it? Or do you just turn NSA loose on
them to see they really have done what OMB would want so you
don't have another Ames or whatever? There ought to have been a
lot of things that they haven't done.
Mr. Forman. While I am always loathe to recommend more
bureaucracy, I think this is an area where we want to make sure
we are taking a good, cost-effective approach, but we ought to
err on the side of risk-diversity. We are forever hearing terms
about standards in areas where, technically, they don't mean
the same thing as a standard.
We recently produced, last November, the advanced
encryption standard, which is a product of NIST but really a
product as much as any of the standards we have, leading edge,
a function of where industry is going, the national security
community, and civilian agencies. It is a fine standard, a
technology standard.
I differentiate that from saying what is our standard for
middle ware or what is our standard for a Web applications
server. Those are more what I would consider to be components.
The nexus that we have there, the process that we are rolling
out, combines the CIO Architecture Committee, which I think you
will see, have an increasingly important role in terms of
understanding and agreeing to the architecture components, and
there is now in circulation a framework for doing that.
I think Ron's role as the CIO Council Security Liaison,
integrating within the Cyber Board executive branch committee
which NSA also sits as a member, is another critical part of
that puzzle, pulling together the key issues to focus.
So we know we will have that focusing, we will get that
more rapid approach to different types of standards as well as
the architecture components. The next step then is how do you
police that? We will do some by the budget process, and I think
that is key, but there is a set of analytical capabilities as
Ron mentioned, that center for excellence, that also has to
focus the audit work, inform and accelerate that standard
setting process.
I think as you heard before, there is some good language in
FISMA, and I think the suggestions in the testimony and answers
to the questions will focus that a bit more. At the end of the
day, I think you are looking at a couple of key elements here,
how fast can we make this process work and some end results.
Not only are we seeing increased vulnerabilities because those
are going to increase just because we are detecting more, but
are you seeing people taking advantage or hackers taking
advantage of those both within, the internal threat, and the
external threat in a way that causes mission critical problems,
loss of privacy.
I think the bill should lay out very clearly what are the
criteria, what are the results that will measure? Is it loss of
privacy? I think that is a fine one, it is in some of the
legislation already and it would be good to focus it in FISMA.
Is there loss of mission critical capability or downtime? If
you lay out the guidance and the measures I think that will
help us in focusing the oversight and the standard setting
process through components.
Mr. Horn. Mr. Dacey, what does the General Accounting
Office think about the various standards that might be put
forth under this bill? The question is, does it help with doing
it or if it isn't, why even have it?
Mr. Dacey. We think standards are important. I think one of
the challenges to your original question is to provide some
level of standardization but yet build in sufficient
flexibility to make sure we don't make bad decisions and put in
things we don't really need. I think that will be the challenge
in implementing it.
I think there are a couple of things I would like to focus
on here. In FISMA, it sets up a requirement which is general
good practice, that you should assess your risk and develop
security controls commensurate with that risk. As part of that
process, FISMA then goes on to establish a requirement for risk
levels and standards for those various risk levels. Let me talk
briefly about risk levels and standards.
In terms of the risk levels, it is clear and it has been
said on the panel here, we really need to have an effective and
efficient process for assessing risk. It is a very important
aspect because if we don't do that properly, we are not going
to have the right controls in place to protect our systems.
It is also important to consider how you go about doing
that. FISMA comes up with levels of risk. That could be a very
feasible approach I think to categorizing the types of risks
and systems and the various ways you could build that around. I
think that would be part of the deliberative process to
consider how those would best be established.
I think they are important too when we talk about
connectivity because we are talking about right now pretty
broad spread connectivity within agencies, between agencies,
between the Federal Government and State and local and with the
private sector. I think ultimately we need to be considering
what is the level of risk in those systems and do we want to
have them connected together. That would be one way which this
could go through the process.
You wouldn't want to be connecting openly a high risk
system with a low risk system because a low risk system would
have less safeguards and those safeguards could potentially be
breached and gain access to the more sensitive system and that
is typically what we do when we do our work in trying to get
into Federal systems with the agency's knowledge. We get into
systems that are simple to get into and use that ability to
advance our privileges and gain access to some very sensitive
information.
In terms of standards, I think there may be some
definitional issues. One of the concerns is the word standard
oftentimes evokes a certain amount of rigidity or
inflexibility. I don't think that should be the intent of
standards under FISMA. I have been doing auditing for about 25
years and we use auditing standards. I audited small shops, I
have audited the Federal Government with its $2 trillion of
revenue. We use the same standards, not the same procedures but
the same standards nonetheless and it has worked pretty well
and it is generally applicable. That is the kind of standard I
think I would refer to.
I think they are important for several reasons. I think
they clarify expectations. I think they are a good criteria to
measure how effective security is, as well as to manage
performance or measure performance over time. I think it
provides a certain consistency if we have standard levels of
risk, that we have some nomenclature to share within the
Federal Government as well as those we choose to hook up to our
systems as to what level of risk we want them to respond to. In
fact, in some of our more secure systems, there are
requirements before you hook up to the systems. You have to
meet certain minimum security requirements or you don't play
the game. I think there are some examples already where that is
being used to say we need certain standards to deal with that.
GAO's approach has to address all these. When we do our
audits, there aren't universal, governmentwide standards
necessarily and that is a challenge to us. But what we find
oftentimes is that there is a core set of standards or
requirements that are pretty universally agreed upon. I don't
think we have found anyone who said if you are going to have
passwords, you probably ought to say fault passwords should be
removed because everybody knows what they are and if they get
in the system, they can break right in.
Also, you could argue that maybe you shouldn't have
passwords if you are going to use passwords to say ``Redskins''
or ``password'' as the password. Those are the types of things
in which I think there is a lot of agreement. There are
probably some other standards that there is some reasonable
difference between knowledgeable people as to whether it should
be a requirement or not. I think that could be considered again
in the structure of a standard-setting process.
I think there are some other side-benefits to standards. I
think if we are going to have some consistent training across
the Federal Government, which I think is one of the goals of
the administration, I think it is a very important goal to the
extent you have some standards to build that around. To be
training people on the same thing would be very important.
We also have a lot of people running these systems that
have worked very hard and to the extent you can provide them
some information rather than have them independently try to
determine what level of security they should employ would be
beneficial.
Last, in terms of tools, I think that is another important
area, we need better automated tools. Many of those tools
currently look for certain things in the systems. I think if
you agree upon what those things are you want to look at, tools
can be built rather readily to test for those types of
conditions in those systems.
Mr. Horn. We look on the General Accounting Office to be
the sort of umpire on behalf of Congress. What are the benefits
and disadvantages of shifting responsibility for promulgating
standards and moving it from the Secretary of Commerce to the
Director of Office of Management and Budget? How do you feel
about that one?
Mr. Dacey. If you go back in terms of prior legislation,
there certainly has been the involvement of both NIST and OMB
in development of standards and oversight of responsibilities
for those standards' I think starting with the Computer
Security Act and going on. What FISMA would do would be to
align those responsibilities with OMB, who is directly
responsible for the oversight and coordination of the agency
information security. That is where it would place that. I
think that is a good matter for discussion. Obviously we have
some differing views and I think that ought to be considered in
any final legislation.
Mr. Wu. As I mentioned in my opening statement, we believe
that should be a matter for reconsideration. The Director of
OMB issues broad information security policy and guidelines to
agencies complemented by detailed security standards and
guidelines which NIST develops.
The proposed process presents an opportunity for delay as
additional senior managerial approvals are going to be required
up the bureaucracy. As we fight the war on terrorism, we
believe we should be thinking about how to streamline the
development and issuance of new security standards while still
maintaining the important process of public review and comment.
Since NIST activities are more directly linked to industry and
the Secretary of Commerce represents business and industry and
commerce, we believe it is more appropriate for that role to
remain with the Secretary and not with OMB.
Mr. Horn. What criteria would you use to determine if a
standard is mandatory or non-mandatory? How would you go about
that?
Mr. Wu. Quite frankly, I am not sure how we are going to
make that determination but we would have a plan in place. I
don't think it is necessarily going to be a uniform
determination but done more on an ad hoc basis, in consultation
with the experts and our cyber security team.
Mr. Forman. Mr. Chairman, the process we have laid out in
my prepared statement with the cyber boards, executive branch
committee, lays it out, a cost-benefit, risk-based approach,
very similar to how one might say you should insure yourself
because that is in essence what we are trying to achieve here.
So cost-benefits, risks, specifics of that situation, I think
is what is going to drive that determination, certainly the
guidance that cyber board will provide to NIST and NIST
supporting us on that board.
Mr. Horn. Can you provide, Mr. Wu, an example of a minimum
standard the National Institute of Standards and Technology
would make mandatory?
Mr. Wu. As I said, I am not clear as to the determination
on what would be defined as mandatory. We can get back to you
on that in consultation with our cyber security team.
Mr. Horn. One would be the password to get at the basic
machine or the software or whatever. Then the question, what
kind of watching does the control authority, OMB and you,
partially in that, and that would be it seems to me one of the
obvious.
Mr. Wu. That would be one but I don't have a definitive
list for you. We can try to provide that for you if you like
and to the committee.
Mr. Horn. I understand that NIST has developed mandatory
standards in the area of cryptography. What has been your
experience in implementing those standards within the Federal
agency? Have you developed mandatory standards in other areas
or just in the ones with encryption?
Mr. Wu. Right now, my understanding is that it is only with
encryption. We have had a lot of success working with OMB and
the other agencies with AES, advanced encryption standard. We
look forward to continuing with that collaboration under that
framework and structure.
Mr. Horn. Is the 1988 Secretary of Commerce delegation of
authority to waive Federal information processing standards to
the agency still in effect?
Mr. Wu. I personally don't know that answer but we can get
back to you.
Mr. Horn. We will put it in the record at this point.
Mr. Wu. I have been told the answer is yes.
Mr. Horn. That it has waived Federal information processing
standards to the agency heads and that is still in effect. OK.
The problem often comes up over time, like 100 years, that
it is very difficult for a member of the Cabinet to work with
his other members of the Cabinet and they will listen to OMB
and might not listen to good old Joe or Susie who are doing
something. That is one of the things we look at and wonder who
will do what.
Mr. Forman, what type of standards and guidelines has the
CIO Council developed?
Mr. Forman. Let me differentiate standards versus
guidelines. The CIO Council was established by Executive Order,
it is not created in statute. The Executive Order has OMB as
the Chair of the council and directs the council to provide
recommendations and advice to OMB on IT issues and that the
members share best practices across the agencies. It really has
had no policy guidance or standard setting authority.
In that regard, one of the changes I put in place being the
Director of the Council is to actually get them focused on some
standardized processes or procedures or approaches. Let me give
you some examples and then I will talk about security. Let us
refer to these as guidelines to make it clear.
One is the Enterprise Architecture Management System, a
tool that was developed for tracking and leveraging the
component based framework we have been deploying.
The second is the Federal Enterprise Architecture
Framework. Basically, this is the way now that we back up with
a scorecard and the budgeting process to get agencies to
clearly identify the linkage between their IT investment and
the mission of the agencies driving through to business cases.
There is a corollary tool to that, ITIPS, the IT Investment
Portfolio System. Now each agency is supposed to use and put in
place a capital planning process. This is a tool and between
those two tools that are the guidelines laid out by the CIO
Council, we are now able to get the information in and start to
analyze the architecture we have built in the Federal
Government. We are not to the point where we can define it yet.
The Federal Enterprise Architecture Framework document is
getting to that point. We have laid in terms of a governance
structure with that is a role for the Architecture Committee.
They will come to agreement on components, this approach is
essentially the CIO's all coming agreement and they are doing
it for a number of reasons, not the least of which is money,
leveraging their investments to get more out of industry by
moving those component points, to be able to take advantage of
Web services and some of those are emerging in the security
arena.
The fourth area I would say we have a decent example of a
guideline is in the work force training arena. Security is a
key component of that. I think the CIO Council training
components and the framework laid out for CIO University Center
is widely regarded even in industry. We see more industry take
up of that agenda than government employees.
Those are the types of things that are appropriate. We are
leveraging NIST very highly in the security arena. For example,
taking the benchmarking or the analytical guidelines, I
wouldn't quite call those standards that were developed over
the last year, and that serves--and everybody has agreed to use
that--as the basis for the GISRA work. It allows us a
standardized approach if you will, but not the same as the
Federal information processing standards which are technical
standards.
Mr. Horn. What types of standards and guidelines has the
Chief Information Officer Council developed and if so, do they
go through OMB primarily to get those functions across or do
they have any authority to spread the guidelines, if you will?
Mr. Forman. They do refer them to OMB and we work, like in
those four examples, by incorporating those into two basic OMB
circulars. We can obviously issue other guidance, but the
predominant way you will see this is through the A-11 Circular
and the A-130 Circular. Again, that is what I would consider
guidance or guidelines as opposed to standards.
I think you will see this get integrated much quicker by
the CIOs agreeing to those architecture components and going
back and putting that into their architecture. We will see that
through their IT investments and the architecture results they
have to submit to OMB but at the end of the day, this is about
managing change. What we are seeing, I believe, is formalizing
the Clinger-Cohen approach on the roles and responsibility of
the CIOs.
I will give you an example of what I am talking about. As
you know, we have an issue in the Justice Department on
leveraging the technology to make the management changes.
Recently they hired a very well qualified CIO and made that
person a direct report to the Attorney General with the full
fledged authorities, architecture included, laid out under the
Clinger-Cohen Act.
So coming to agreement using the technology insight from
both NSA and NIST, the results coming out of the Cyber Board
Executive Committee, firming up those agreements by that
Architecture Committee, and then we provide the oversight to
make sure when we review the architecture and the business
cases that indeed they are complying to those guidelines.
Mr. Horn. The current bill removes OMB specific authority
to approve agency security plans. Do you believe that authority
should be restored?
Mr. Forman. I think, as I understand the bill and what is
currently in GISRA, is the approval of the security programs
and we have to differentiate between the security programs and
the plan of actions and milestones. There, I think, is actually
where the Director of OMB should focus. We know and are getting
terrific insight from the IGs, from the reviews GAO is doing
and our strong relationship there, and indeed from some of the
CIOs' risk assessments.
To have us prove the fact that there was a problem, I don't
think gets us anywhere. The focus on approving the plans of
action and milestones is the appropriate approach and I think
that is what is laid out in the bill.
Mr. Horn. With GISRA, with expiring in November of this
year, and the OMB estimating that the fiscal year 2003 funding
for the information security will be $4.2 billion, is it
reasonable to expect the Congress to wait until September or
later to learn whether agencies are taking the appropriate
corrective actions to address their information security
weaknesses?
Mr. Forman. I think it is really a question of the
oversight and governance structure you have. I think what we
are moving to with your subcommittee is a quarterly review of
our progress. That is certainly the approach we have moved to
in OMB. The approach I am going to adhere to is a quarterly
review of agency progress.
Mr. Horn. That is when we went through the Y2K bit, that is
exactly where we got and went to. It started out with almost
once a year and then to two times a year and then Dr. Raines in
particular understood all this and we got to quarterly. I think
that makes sense so everybody knows we want to look in that
quarterly operation because Congress might look at it.
How does the committee, Mr. Wolf, the Committee on National
Security Systems which has set minimum standards for the
protection of national security systems and if so, what is your
experience in implementing these requirements?
Mr. Wolf. I think the committee has been very active since
it was formed. It replaces one of the earlier committees that
started in 1990. There are over about 100 policies that have
been issued; some of those include some standards. The
standards I think are fairly rigorously enforced in the
national security environment, so I think it has been very
effective. I think it has addressed many areas where standards
are needed, been very active. So I think it has been very
successful.
In terms of looking at some of the policies, the rest of
the Federal Government might look at some of those policies as
at least a start in terms of policies in some areas where they
might not have been addressed so far.
Mr. Horn. Has the National Security Agency developed a
standard for risk assessments and management that is used for
national security systems?
Mr. Wolf. We have some templates. I am not sure to the
detail that we have those developed but we have some templates
that we use. There is I believe a DOD standard also.
Mr. Horn. How did NSA approach the evaluations of national
security systems under the Government Information Security
Reform Act? How has it gone?
Mr. Wolf. I am not sure I can answer that question. We will
have to get back to you on that one. Again, our role is sort of
an advisor in the agency. We are not the actual agency that
does that evaluation.
Mr. Horn. OK. What guidance did NSA provide to agencies
with national security systems? Did NSA work with the Director
of Central Intelligence to coordinate evaluations or guidance
for the evaluation of intelligence systems?
Mr. Wolf. We certainly are given input, yet, again, as an
advisor.
Mr. Horn. It is the Director of CIO that has that
authority?
Mr. Wolf. Yes.
Mr. Horn. Let me ask you, Mr. Miller, about FEMA. You
recommend that the bill be revised to strengthen the link
between IT security requirements and the capital planning
process. What specific revisions to the bill would you
recommend to strengthen the link between them?
Mr. Miller. First of all, OMB has taken some steps to
ensure that when we do our funding documents, our 300-Bs, that
there is a security tie to it. I think tying the approval of IT
spending to a demonstrable security plan, not just saying we
are going to spend money on security but actually having a plan
you can demonstrate you have processes and procedures in place,
would be a powerful incentive because from the CIO perspective,
we have to persuade our program officials, the folks actually
benefiting from these systems, that there is a reason why
security should be factored into their equations.
Within FEMA, we are trying to implement a process by which
we don't spend a dime or allocate a person or time to a project
until they have addressed the security issue among others. That
process has caused a lot of interesting responses but we
believe it is the right thing to do.
The key there is to make sure that people just don't pay
lip service to security and the 300-Bs, that they can actually
demonstrate there is someone thing behind it when they say they
are addressing security.
Mr. Horn. Mr. Williams, in your role as an Inspector
General, what challenges do the IGs face in integrating an
annual independent evaluation into their audit workload?
Mr. Williams. As with anything, the prototype consumed
about three or four times the amount it will on an annual
basis. I don't know that it was a great difficulty for the IGs.
It was certainly something that we were pleased to see come and
we appreciated the role that we played.
It is very important that we stay in touch with the
advances and challenges on the security side. This is a role
that allows us to do that without being overly intrusive. It is
an important part of the entire process in GISRA. I think it is
one we embrace. Where there is need for advanced or temporary
skills, we can get that through contractors as the department
does as well.
Beyond that, I don't know that it represents any sort of
formidable challenge. I think it has been something we have
appreciated.
Mr. Horn. Mr. Dempsey, you suggest as an interim measure
that agencies should adopt a widely accepted set of standards
developed by the private sector. Can you provide some examples
of those?
Mr. Dempsey. It takes me a little bit outside my direct
area of expertise, I have to admit. I know that there is the
so-called common criteria standards which have been developed
that address computer security issues. I think that there are
others in industry who are much more familiar with those than
I. I can certainly flesh that out for you and give you some
examples of work that has been done in the private sector that
would contribute to the Government's efforts.
Mr. Horn. We would welcome those.
Mr. Dempsey. We have to do so.
Mr. Horn. I want to put in the statement of the ranking
member, Ms. Schakowsky at the opening and we will put that
after Mr. Davis' opening.
She has two points here that I think are very important.
She says, ``There does seem to be one significant hole in this
legislation. As we learned in confronting the Y2K problem, we
cannot be sure all of the systems are fixed until we know where
they all are. The first thing most agencies had to do to
prepare for the turn of the millennium was to create an
inventory of all computer systems and then assess the risk
posed by the failure of each of those systems. It is a
commentary on computer security that no such inventory
existed.'' Is that correct?
Mr. Forman. That is the corollary on why the CIO Council
was adopted the enterprise architecture management system to
build that inventory.
Mr. Horn. She says, ``When we mark up the bill''--Mr. Davis
might want to listen to this--``I intend to offer an amendment
that would first require all agencies to maintain a current
inventory of systems. Second, I will require that agencies
develop and include in the security report a plan that
establishes a system whereby every system will be tested over a
5-year period. With a current inventory and scheduled testing,
we will be closer to security being a routine and not a unique
government function.'' I think those are pretty good comments.
Let us go right down the line with your thinking about
that.
Mr. Wolf. I would add one comment. It is not only the
inventory of all those systems, but it is how they are
interconnected and whether or not they have implemented the
standards and what standards they have implemented so you know
what you are really talking to.
We have a very active red team and you rattle the windows
of a house and you only have to find one window that is open
and that is the one place where they haven't implemented the
standard or put in the patch. It is not only an inventory of
all systems, but how they are interconnected and what they have
done in terms of standards.
Mr. Williams. Probably an emerging area that ought to also
be considered is a corollary, the establishment of new
gateways. We are discovering that some of the gateways are not
to expand the e-government and other kinds of good initiatives.
They are not always apprising the CIO of the existence of the
gateway and the gateways aren't always being tested for
intrusions and vulnerabilities.
I think the point the Congresswoman makes is a good one but
I would add that to it as well. That is probably the one where
we have seen most recent vulnerabilities emerging.
Mr. Miller. I want to second what he said because I think
it is very important. Awareness is where we begin in the area
of security and just as an example, in our agency we discovered
during a vulnerability assessment that we had over 500 servers
in an agency of 2,500 people. We weren't aware of them, so
right away we have all these potential entry points to our
network that we didn't know about.
We have initiated an audit of all FEMAs IT assets and that
starts this month and goes until we find everything. Key to
that is having our Director's full support which he has given
us, so we won't have people trying to hide things under their
desks. We will find them and once we know where they are, we
can start the process of holding people accountable for them in
the area of security.
Mr. Wu. As you alluded, the success of Y2K wasn't just that
we battled back the Millennium Bug but also that we were able
to engage in the first ever exercise in which we had a Federal
inventory of our IT infrastructure. This was also being
replicated in the private sector as well.
The inventory is only the first step of trying to assess
what our critical needs are and what the demands are. I think
the inventory could prove to be very useful.
Mr. Horn. I agree with you completely. The fact was we
asked that the hardware and the software be inventoried if you
are going to come up to the Congress for money and you deserve
to have it in a lot of those agencies. I would think that would
be worth doing. We did have a list that was put together by a
lot of the CIOs and when Mr. Gingrich was here as Speaker, he
was quite interested in this sort of thing, so we were able to
give the appropriators the ``go'' signal which is green up here
as opposed to some systems I have seen where the Xerox just
doesn't give a nice color to it. I think that is what we need
if we are going to solve some of this problem. It is going to
take money and hopefully we will get that going.
I now yield to the gentleman from northern Virginia and the
world across the Potomac. He has a great bill here. Any
questions you to ask?
Mr. Davis. No, I think I am OK. I really appreciate the
panel coming today and sharing your observations. I hope we can
make it a better bill and I think between Chairman Horn, myself
and the leadership, we intend to move this pretty quickly. We
would look forward to any additional input you can offer.
Mr. Horn. I want to thank the subcommittees involved in
this. In back of me is J. Russell George, staff director and
chief counsel for our subcommittee. He is a nominee of the
President of the United States to be a fellow IG, you might see
him, but first we have to get him confirmed. He has been a
great leader in this for years now.
Also, Bonnie Heald, deputy staff director and
communications director. On my left is a very able person,
Claire, who is our professional staff on loan from the American
Political Science Association, and has done a wonderful job.
Henry Wray, I think most of you know, our senior counsel,
worked with the Senate and we tied him up, got him across the
Rotunda and he now works for us, and he is doing a great job.
Then Earl Pierce, professional staff, and Justin Paulhamus is
the majority clerk.
We thank today the court reporters, Mary Ross, and with Mr.
Davis, you have Chip Nottingham and Teddy Kidd from the
Subcommittee on Technology and Procurement Policy.
We thank them all.
Gentlemen, I appreciate what you put on the record today.
Keep at it.
[Whereupon, at 12 p.m., the subcommittee was adjourned, to
reconvene at the call of the Chair.]
[The prepared statement of Hon. Janice D. Schakowsky and
additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] T6343.070
[GRAPHIC] [TIFF OMITTED] T6343.071
[GRAPHIC] [TIFF OMITTED] T6343.072
[GRAPHIC] [TIFF OMITTED] T6343.073
[GRAPHIC] [TIFF OMITTED] T6343.074
[GRAPHIC] [TIFF OMITTED] T6343.075
[GRAPHIC] [TIFF OMITTED] T6343.076
[GRAPHIC] [TIFF OMITTED] T6343.077
[GRAPHIC] [TIFF OMITTED] T6343.078
[GRAPHIC] [TIFF OMITTED] T6343.079
[GRAPHIC] [TIFF OMITTED] T6343.080
[GRAPHIC] [TIFF OMITTED] T6343.081
[GRAPHIC] [TIFF OMITTED] T6343.082