[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]




 
   H.R. 3844, THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                     COMMITTEE ON GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                                   ON

                               H.R. 3844

   TO STRENGTHEN FEDERAL GOVERNMENT INFORMATION SECURITY, INCLUDING 
 THROUGH THE REQUIREMENT FOR THE DEVELOPMENT OF MANDATORY INFORMATION 
                   SECURITY RISK MANAGEMENT STANDARDS

                               __________

                              MAY 2, 2002

                               __________

                           Serial No. 107-190

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

86-343              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512�091800  
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001

                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
------ ------                            (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                  MAJOR R. OWENS, New York
DOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                 Earl Pierce, Professional Staff Member
                        Justin Paulhamus, Clerk
          Mark Stephenson, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 2, 2002......................................     1
    Text of H.R. 3844............................................     3
Statement of:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office; Mark A. Forman, Associate 
      Director, Information Technology and E-Government, Office 
      of Management and Budget; Daniel G. Wolf, Director, 
      Information Assurance Directorate, National Security 
      Agency; Benjamin H. Wu, Deputy Under Secretary, Commerce 
      for Technology Administration, Department of Commerce; 
      Ronald E. Miller, Chief Information Officer, Federal 
      Emergency Management Agency; David C. Williams, Treasury 
      Inspector General, Tax Administration; and James X. 
      Dempsey, deputy director, Center for Democracy and 
      Technology.................................................    46
Letters, statements, etc., submitted for the record by:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office, prepared statement of...........    48
    Davis, Hon. Tom, a Representative in Congress from the State 
      of Virginia, prepared statement of.........................    44
    Dempsey, James X., deputy director, Center for Democracy and 
      Technology, prepared statement of..........................   124
    Forman, Mark A., Associate Director, Information Technology 
      and E-Government, Office of Management and Budget, prepared 
      statement of...............................................    74
    Miller, Ronald E., Chief Information Officer, Federal 
      Emergency Management Agency, prepared statement of.........   110
    Schakowsky, Hon. Janice D., a Representative in Congress from 
      the State of Illinois, prepared statement of...............   143
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of............................    40
    Williams, David C., Treasury Inspector General, Tax 
      Administration, prepared statement of......................   118
    Wolf, Daniel G., Director, Information Assurance Directorate, 
      National Security Agency, prepared statement of............    87
    Wu, Benjamin H., Deputy Under Secretary, Commerce for 
      Technology Administration, Department of Commerce, prepared 
      statement of...............................................   101


   H.R. 3844, THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

                              ----------                              


                         THURSDAY, MAY 2, 2002

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:02 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Davis, Schakowsky, and 
Turner.
    Staff present: J. Russell George, staff director and chief 
counsel; Bonnie Heald, deputy staff director and communications 
director; Earl Pierce, professional staff member; Henry Wray, 
senior counsel; Justin Paulhamus and Teddy Kidd, clerks; Chip 
Nottingham, counsel; David McMillen and Mark Stephenson, 
minority professional staff members; and Jean Gosa, minority 
assistant clerk.
    Mr. Horn. A quorum being present, the Subcommittee on 
Government Efficiency, Financial Management and 
Intergovernmental Relations will come to order.
    I am very pleased that we are holding this joint hearing 
with Chairman Davis and his Subcommittee on Technology and 
Procurement Policy on H.R. 3844, the Federal Information 
Security Management Act of 2002.
    It is clear from recent hearings held by our subcommittee 
that agency valuations that the work started in 2000 must be 
continued. Agencies have not yet developed security plans that 
balance protection and cost. Few agencies have implemented 
security controls that are adequate to protect against 
violations of privacy, data loss, corruption or cyber attacks. 
The current reporting requirements imposed by the Government 
Information Security Reform Act have brought the scope and 
magnitude of security weaknesses into sharp focus in both 
Congress and the executive branch. This focus is the first 
crucial step in eliminating security weaknesses.
    H.R. 3844 incorporates the key provisions of the Government 
Information Security Reform Act, including the requirements for 
risk-based security management, independent evaluations, and 
reporting of agency security programs. The bill also clarifies 
some of the language in the original act; it eliminates the 
sunset provision of the act and adds new provisions to reflect 
lessons learned during the implementation of the 2000 act.
    The purpose of today's hearing is to consider the merits of 
the legislation and any potential improvements to it. I welcome 
today's witnesses and I look forward to working with each of 
you to ensure the security of the Government's information 
technology resources.
    We are delighted to have the gentleman from Texas, Mr. 
Turner. He comes from Mr. Davis' committee. We lost him out of 
our committee and we miss you. Mr. Turner.
    [The text of H.R. 3844 follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.083
    
    [GRAPHIC] [TIFF OMITTED] T6343.084
    
    [GRAPHIC] [TIFF OMITTED] T6343.085
    
    [GRAPHIC] [TIFF OMITTED] T6343.086
    
    [GRAPHIC] [TIFF OMITTED] T6343.087
    
    [GRAPHIC] [TIFF OMITTED] T6343.088
    
    [GRAPHIC] [TIFF OMITTED] T6343.089
    
    [GRAPHIC] [TIFF OMITTED] T6343.090
    
    [GRAPHIC] [TIFF OMITTED] T6343.091
    
    [GRAPHIC] [TIFF OMITTED] T6343.092
    
    [GRAPHIC] [TIFF OMITTED] T6343.093
    
    [GRAPHIC] [TIFF OMITTED] T6343.094
    
    [GRAPHIC] [TIFF OMITTED] T6343.095
    
    [GRAPHIC] [TIFF OMITTED] T6343.096
    
    [GRAPHIC] [TIFF OMITTED] T6343.097
    
    [GRAPHIC] [TIFF OMITTED] T6343.098
    
    [GRAPHIC] [TIFF OMITTED] T6343.099
    
    [GRAPHIC] [TIFF OMITTED] T6343.100
    
    [GRAPHIC] [TIFF OMITTED] T6343.101
    
    [GRAPHIC] [TIFF OMITTED] T6343.102
    
    [GRAPHIC] [TIFF OMITTED] T6343.103
    
    [GRAPHIC] [TIFF OMITTED] T6343.104
    
    [GRAPHIC] [TIFF OMITTED] T6343.105
    
    [GRAPHIC] [TIFF OMITTED] T6343.106
    
    [GRAPHIC] [TIFF OMITTED] T6343.107
    
    [GRAPHIC] [TIFF OMITTED] T6343.108
    
    [GRAPHIC] [TIFF OMITTED] T6343.109
    
    [GRAPHIC] [TIFF OMITTED] T6343.110
    
    [GRAPHIC] [TIFF OMITTED] T6343.111
    
    [GRAPHIC] [TIFF OMITTED] T6343.112
    
    [GRAPHIC] [TIFF OMITTED] T6343.113
    
    [GRAPHIC] [TIFF OMITTED] T6343.114
    
    [GRAPHIC] [TIFF OMITTED] T6343.115
    
    [GRAPHIC] [TIFF OMITTED] T6343.116
    
    [GRAPHIC] [TIFF OMITTED] T6343.117
    
    [GRAPHIC] [TIFF OMITTED] T6343.118
    
    Mr. Turner. Thank you, Mr. Chairman. It is good to be at a 
hearing with you again because it was a pleasure to serve with 
you on your committee during the last Congress.
    I understand your committee has had a number of hearings on 
the issue of computer security. You have done some very hard 
work on the issue and I commend you for the attention you have 
paid to this very important matter. I thank you for scheduling 
a joint hearing with our committee.
    This legislation, the Federal Information Security 
Management Act was introduced by the chairman of our 
subcommittee, Tom Davis. I want to thank Mr. Davis for his 
efforts and his work with the minority in working on the 
various provisions of the bill. This legislation, as we know, 
will permanently authorize the information security program 
evaluation and reporting requirements of the Government 
Information Security Reform Act that became law about 18 months 
ago and will expire at the end of November.
    This law has proved to be very useful in focusing agencies' 
attention to the critical issue of computer security by 
requiring annual reports to the Office of Management and 
Budget. The bill would make a number of changes designed to 
strengthen information security across the Federal Government 
including the development of minimum information security 
standards by the National Institute of Standards and 
Technology, creation of a Federal Information Security Incident 
Center, and clarification of the definition of national 
security systems. Most importantly, it would require that the 
reports under this bill would go not only to OMB but to the 
Comptroller General of the General Accounting Office to 
facilitate better congressional oversight of computer security.
    Again, Chairman Horn, I commend you on your leadership on 
this issue and I commend Chairman Davis for his sponsorship of 
the legislation.
    I yield back. Thank you, Mr. Chairman.
    [The prepared statement of Hon. Jim Turner follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.001
    
    [GRAPHIC] [TIFF OMITTED] T6343.002
    
    Mr. Horn. Thank you.
    I am delighted now to greet our Co-Chairman, the gentleman 
from Virginia.
    Mr. Davis. Good morning.
    I want to thank you for holding this hearing in a joint 
format and for your many years of leadership on the issues of 
information security and improved government management.
    I would also like to thank the distinguished group of 
witnesses who have joined us today to share their expertise on 
the issue of government information security, as well as for 
your specific comments on H.R. 3844.
    Government information security is not a new issue to this 
committee and it is certainly not a new issue to our witnesses 
today. Billions of dollars have been spent over the years, 
numerous legislative administrative initiatives have been 
implemented and some of the best thinking and most respected 
expertise on information security has been cultivated by our 
Federal Government in an ongoing effort to protect our 
information technology systems from intrusion and tampering.
    Overall, I believe that our Federal workers and managers 
deserve enormous credit for adopting to the complex and fast-
moving changes that have been thrust upon our government by the 
information technology revolution. Similarly, I believe we are 
on the right track in strengthening our management information 
security. Clearly this administration, represented by several 
talented leaders here today, is taking this issue seriously and 
is working harder than ever to better secure our Federal 
Government's information assets.
    While today's discussion focuses on just one bill that will 
extend and hopefully improve the existing information security 
management process, it was first codified 2 years ago with the 
enactment of GISRA. We should not lose sight of the big 
picture, the fact that our Nation is facing a growing and very 
real threat from those who seek to harm us by targeting our 
information systems in an effort to disrupt and disable the 
effective operation of our government. Every day we learn of 
new attacks on our information systems and every day IT 
experts, managers and procurement officers are working to stay 
one step ahead of the threat.
    That is why it is critically important for Congress to lend 
a hand in providing direction that brings coordination, 
increased management attention and real accountability to the 
Federal information security sector. I believe it would be a 
mistake for Congress to micromanage the executive branch's 
efforts in this area and we need to avoid the temptation to 
prescribe a rigid, one-size fits all standard that is likely to 
become outdated quickly as technology and know-how evolve.
    At the same time, I am not satisfied with our Federal 
Government's overall performance in securing our information 
infrastructure. The bottom line is, we are still too 
vulnerable. Record IT security expenditures and unprecedented 
attention to IT security, while important indicators of level 
of effort, are not the benchmarks we should use to determine 
success. Instead, we need to focus on developing strong, risk-
based, agency-wide security management programs that cover all 
operations and assets of our Federal agencies.
    In addition, new legislative guidance is needed to require 
the development, promulgation and compliance with mandatory 
management controls for securing information systems and 
managing risks as determined by agencies.
    I think H.R. 3844 clarifies and strengthens the existing 
Government Information Security Reform Act of 2000 in four 
major ways. Under FISMA, we included a number of provisions 
that require the development, promulgation and compliance with 
minimum mandatory management controls for securing information. 
For example, NIST would be required to develop mandatory 
information security standards for all agencies. Second, 
agencies would be required to submit an annual report featuring 
the results of agency evaluations of information security to 
both OMB and the Comptroller General. Third, the treatment of 
national security systems would be clarified by removing the 
term ``mission critical system'' and replacing it with 
``national security system.'' This means that only truly 
national security and intelligence related information systems 
would be exempt from information security risk management 
requirements. Fourth, OMB would oversee the establishment of a 
central Federal Information Security Incident Center that would 
inform agencies about information security, threats and 
vulnerabilities and provide technical assistance to agencies.
    In future years, all of us involved with setting and 
implementing security policy during these challenging times 
will be faced with the question did we do enough to safeguard 
our critical information structure. I believe that FISMA will 
go a long way toward allowing us to honestly answer that 
question in the affirmative.
    I look forward to our hearing today, to improving this 
legislation if needed, and to ultimately bringing it forward to 
enactment.
    Thank you.
    [The prepared of Hon. Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.003
    
    [GRAPHIC] [TIFF OMITTED] T6343.004
    
    Mr. Horn. We will begin with panel one. Our first witness, 
and not a stranger to these committees, is Robert F. Dacey, 
Director, Information Security, U.S. General Accounting Office, 
headed by the Comptroller General of the United States. We 
appreciate all the work the GAO does. We will announce one of 
their books as we end this particular hearing.

STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, 
   U.S. GENERAL ACCOUNTING OFFICE; MARK A. FORMAN, ASSOCIATE 
 DIRECTOR, INFORMATION TECHNOLOGY AND E-GOVERNMENT, OFFICE OF 
 MANAGEMENT AND BUDGET; DANIEL G. WOLF, DIRECTOR, INFORMATION 
 ASSURANCE DIRECTORATE, NATIONAL SECURITY AGENCY; BENJAMIN H. 
      WU, DEPUTY UNDER SECRETARY, COMMERCE FOR TECHNOLOGY 
ADMINISTRATION, DEPARTMENT OF COMMERCE; RONALD E. MILLER, CHIEF 
INFORMATION OFFICER, FEDERAL EMERGENCY MANAGEMENT AGENCY; DAVID 
 C. WILLIAMS, TREASURY INSPECTOR GENERAL, TAX ADMINISTRATION; 
AND JAMES X. DEMPSEY, DEPUTY DIRECTOR, CENTER FOR DEMOCRACY AND 
                           TECHNOLOGY

    Mr. Dacey. I am pleased to be here today to discuss the 
proposed Federal Information Security Management Act of 2002, 
FISMA. As you requested, I will briefly summarize my written 
statement.
    Since September 1996, we have reported that poor 
information security is a widespread Federal problem with 
potentially devastating consequences. Although agencies have 
taken steps to redesign and strengthen their information 
security programs, our analyses of information security at 
major agencies have shown that Federal systems were not being 
adequately protected from computer-based threats, even though 
these systems process, store and transmit enormous amounts of 
sensitive data and are indispensable to many Federal 
operations.
    Concerned with these reports, Congress passed into law the 
Government Information Security Reform provisions commonly 
referred to as GISRA to reduce these risks and provide more 
effective oversight of Federal information security. First year 
implementation of GISRA represented a significant step in 
improving Federal agency information security programs and 
addressing longstanding weaknesses.
    For example, agencies have noted benefits from GISRA such 
as increased management attention to and accountability for 
information security and have stated that as a result of 
implementing GISRA, they are taking significant steps to 
improve their information security programs. Agency IGs also 
view GISRA as a positive step toward improving information 
security, also noting the increased management attention.
    In addition, the administration has taken important actions 
to address information security such as plans to integrate 
information security into the President's management agenda 
scorecard. Such benefits and planned actions demonstrate the 
importance of GISRA's requirements and the significant impact 
they have had on information security in the Federal 
Government.
    FISMA would permanently authorize and strengthen the 
information security program, evaluation and reporting 
requirements established by GISRA which is to expire in 
November of this year. We believe the continued authorization 
of such important information security legislation is essential 
to sustaining agency efforts to identify and correct 
significant weaknesses.
    Further, this authorization would reinforce the Federal 
Government's commitment to establishing information security as 
an integral part of its operations and help ensure that the 
administration and Congress continue to receive the information 
they need to effectively manage and oversee Federal information 
security.
    FISMA continues several important GISRA provisions, 
including requiring agency program managers and CIOs to 
implement a risk-based security management program covering all 
operations of the agency; second, requiring an independent 
annual evaluation of each agency's information security 
program; third, taking a governmentwide approach to information 
security by accommodating a wide range of information security 
needs and applying requirements to all agencies, including 
those involved in national security; and fourth, through annual 
reporting requirements, providing a means for both OMB and the 
Congress to oversee the effectiveness of agency and 
governmentwide information security, measure progress in 
improving information security, and consider information 
security in budget deliberations.
    FISMA also proposes a number of changes and clarifications 
to strengthen information security, some of which address 
issues noted in the first year implementation of GISRA. In 
particular, the bill requires the development, promulgation and 
compliance with minimum mandatory management controls for 
securing information and information systems, creates the 
requirement for annual agency reporting to both OMB and the 
Comptroller General, and clarifies the definition of and 
evaluation of responsibilities for national security systems. 
In addition, the bill proposes other changes that would require 
Federal agencies to strengthen their information security 
programs, update the information and security responsibilities 
missed, and clarify other otherwise streamline definitions and 
legislative language.
    In addition to reauthorizing information security 
legislation, there are a number of other important steps the 
administration and agencies should take to ensure information 
security receives appropriate attention and resources and that 
known deficiencies are addressed. These include delineating the 
roles and responsibilities of the numerous entities involved in 
Federal information security and related aspects of critical 
infrastructure protection; obtaining adequate technical 
expertise to select, implement, and maintain controls to 
protect information systems and allocating sufficient agency 
resources for information security.
    As the chairman noted, later today the committee will be 
releasing a report which summarizes our testimony on March 6 
and makes certain recommendations for improving GISRA and its 
implementation.
    Mr. Chairman, this concludes my statement. I would be 
pleased to answer any questions that you or the Members may 
have.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.005
    
    [GRAPHIC] [TIFF OMITTED] T6343.006
    
    [GRAPHIC] [TIFF OMITTED] T6343.007
    
    [GRAPHIC] [TIFF OMITTED] T6343.008
    
    [GRAPHIC] [TIFF OMITTED] T6343.009
    
    [GRAPHIC] [TIFF OMITTED] T6343.010
    
    [GRAPHIC] [TIFF OMITTED] T6343.011
    
    [GRAPHIC] [TIFF OMITTED] T6343.012
    
    [GRAPHIC] [TIFF OMITTED] T6343.013
    
    [GRAPHIC] [TIFF OMITTED] T6343.014
    
    [GRAPHIC] [TIFF OMITTED] T6343.015
    
    [GRAPHIC] [TIFF OMITTED] T6343.016
    
    [GRAPHIC] [TIFF OMITTED] T6343.017
    
    [GRAPHIC] [TIFF OMITTED] T6343.018
    
    [GRAPHIC] [TIFF OMITTED] T6343.019
    
    [GRAPHIC] [TIFF OMITTED] T6343.020
    
    [GRAPHIC] [TIFF OMITTED] T6343.021
    
    [GRAPHIC] [TIFF OMITTED] T6343.022
    
    [GRAPHIC] [TIFF OMITTED] T6343.023
    
    [GRAPHIC] [TIFF OMITTED] T6343.024
    
    [GRAPHIC] [TIFF OMITTED] T6343.025
    
    [GRAPHIC] [TIFF OMITTED] T6343.026
    
    [GRAPHIC] [TIFF OMITTED] T6343.027
    
    Mr. Horn. Thank you very much. As usual, the GAO comes 
through.
    Now we have a new person with a rich background, Mark A. 
Forman, Associate Director, Information and Technology and E-
Government, Office of Management and Budget. He knows more 
about any of these problems I think than all the rest of us put 
together. He created and lead the IBM Americas Public Sector E-
Business Consultant Services, was senior professional staff 
member of our Senate portion of the other body, Senate 
Governmental Affairs Committee. He has been deeply involved in 
both the Congress and the executive branch. We are glad to have 
you here.
    Mr. Forman. Thank you. I am glad to be here and I 
appreciate you inviting me to discuss the Federal Information 
Security Management Act and the administration's views.
    I also want to thank your committee and Chairman Davis' 
committee for the continued vigilance on government computer 
security. I have been in my job now for 10 months and we have 
had three hearings on this. It is becoming almost quarterly and 
I actually think that is good that we have that continued 
oversight.
    We at OMB and other administration officials have discussed 
components of the Federal Information Security Management Act 
with your staff and we are still developing an administration 
position on the bill. As you will hear from my agency 
colleagues today, there are many divergent views on various 
provisions. We look forward to working with you and Chairman 
Davis to make the bill successful as it moves through the 
legislative process.
    As you know, the President has given a high priority to the 
security of government assets as well as improving the overall 
management performance of Executive agencies. These priorities 
are interrelated. As I discussed this March before the 
committee, our review of agency security programs found that 
most security issues in the government are fundamentally 
management issues. We are tracking progress on both issues 
through use of the executive branch score card for the 
President's management agenda. If an agency does not meet the 
IT security criteria, it will not achieve a green score, 
regardless of their performance under the other e-government 
criteria.
    OMB reported in our February 13 Security Benchmark Report 
to Congress on Government Information Security that as is, the 
current state of security across the Federal enterprise is 
poor. We reported on six fundamental governmentwide weaknesses 
as well as agency-specific gaps. We find those weaknesses are 
pervasive and many exist across the Federal community, 
including the national security community. We found that 
agencies must greatly increase their degree of senior 
management attention, measure performance of officials charged 
with security responsibility and improve security education and 
awareness, fully integrate security into their capital planning 
investment and control process and enterprise architecture, 
ensure that contractor services are adequately secured, and 
improve the ability to detect, report and share information on 
incidents and vulnerabilities.
    As we look at the future or what we call the ``to be'' 
state of Federal security, we believe it is one of the active 
measures that will continue to anticipate and respond to future 
needs. The future vision of Federal security incorporates 
active measures and we have to be able to both prepare and 
defend against attacks where preemption is not possible so that 
we know how our own information systems survive attacks when 
defenses fail.
    Such a state is somewhere off in the future, however, and 
such a number of fundamental management and program reforms are 
needed to support it. Particularly, we need to complete the 
development of governmentwide and agency-specific architectures 
within which business processes have been unified and 
simplified, and get rid of unnecessary duplication so we not 
only promote common ways to conduct government business, it 
will permit common protection regimes and simplified security 
approaches.
    The ``to be'' state also requires much in the way of using 
automated security tools that reduce the need for human 
intervention and reduce human error and resource requirements. 
The ``to be'' state of anticipating threats will also require 
something that is woefully lacking today, rapid and in-depth 
threat analysis. Today's analysis products largely consist of 
consolidated reports of what is happening or what has already 
occurred. That is not good enough. We must improve the 
development, quality and wide distribution of effective threat 
analysis and response regimes.
    OMB is pursuing a five part approach to improved government 
security which includes items such as business cases, capital 
planning, project matrix analysis, which I have spoken about 
before, annual agency security reports and corrective action 
plans that reflect priorities. All efforts must come together 
to clear us clear audit trails that link the needs, corrective 
action plans and spending priorities including business cases. 
More detail on that is in my prepared statement.
    Through this five part approach, we are building toward a 
``to be'' state and believe within 18 months we will have 
demonstrably improved performance and results in agency 
security programs. We give some of the details of that in my 
prepared statement. That includes using security performance 
measures that identify the gaps and set priorities within each 
agency and form agency and OMB budget decisions and assist in 
preparing the President's budget.
    We are also identifying opportunities to reduce or 
eliminate unnecessary duplication of security effort among 
agencies making certain practices more uniform and 
consolidating programs and operations to increase performance 
while reducing costs. Among the candidates for consolidating 
greater uniformity are consolidating the security curriculum as 
well as the actual conduct of training and education and 
awareness for Federal employees; improving incident handling, 
information sharing, software patch identification and 
distribution; improving methods for grading or designating the 
level of risk, assigning core security requirements for 
operations, assets and the same risk level, unifying and 
simplifying requirements for and implementation of contingency 
planning and continuity of operations, improving security and 
the acquisition of products and services, very similar to some 
of the concepts outlined in Congressman Davis' bill.
    While many security requirements within the Government are 
similar, many are distinctly different. Therefore we must be 
careful and resist overly simplistic attempts to standardize 
management, operational and technical security controls. 
Security controls must be built to the specifications of the 
programs, not programs built to security initiatives.
    NIST continues to play a critical role in supporting OMB 
and assisting agencies in improving their security performance 
and there are details in my prepared testimony.
    I want to finish up by talking about the specific stats 
associated with the OMB chaired executive branch Information 
Systems Security Committee which is one of the components of 
the President's Critical Infrastructure Board. I mentioned this 
in my statement at the March hearing.
    Last month, we held our first meeting of the committee and 
have begun work on the following four issues, and details are 
in my prepared testimony: grading risks; uniform security 
practices, including acquisition of products and services; 
review of current policy standards and guidance.
    Future security reporting will drive the performance 
improvements not simply tallying numbers. As GAO, OMB and 
others recognize, today's information security world demands 
each agency employ a continuing process of risk-management that 
keeps pace with rapidly evolving threats and vulnerabilities. 
So too, OMB's oversight process must keep up with the changes 
in status. A conventional view is the comparison should show 
security weaknesses have been reduced and no new ones have 
cropped up. That, we believe, is the old way of thinking.
    Identifying more weaknesses is not necessarily a reflection 
of performance. Reaching the ``to be'' state I described 
earlier demands more deeply and more often into programs and 
systems to find problems as the vulnerabilities arise and 
before they can be exploited. The more you look, the more you 
find.
    In conclusion, we have developed a strategy to measure 
program performance and drive improvements by an order of 
magnitude. Some of what is needed involves technology, much 
more involves integrating security into project development and 
management decisionmaking. At this point in time, new standards 
and technology, while impacting little in improving security 
performance, must be first addressed and correct management 
weaknesses.
    We look forward to working with the committee and 
Congressman Davis as the bill moves forward through the 
process.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.028
    
    [GRAPHIC] [TIFF OMITTED] T6343.029
    
    [GRAPHIC] [TIFF OMITTED] T6343.030
    
    [GRAPHIC] [TIFF OMITTED] T6343.031
    
    [GRAPHIC] [TIFF OMITTED] T6343.032
    
    [GRAPHIC] [TIFF OMITTED] T6343.033
    
    [GRAPHIC] [TIFF OMITTED] T6343.034
    
    [GRAPHIC] [TIFF OMITTED] T6343.035
    
    [GRAPHIC] [TIFF OMITTED] T6343.036
    
    [GRAPHIC] [TIFF OMITTED] T6343.037
    
    [GRAPHIC] [TIFF OMITTED] T6343.038
    
    Mr. Horn. We thank you for that and we will have a number 
of questions when we finish the panel.
    We next have Daniel G. Wolf, Director, Information 
Assurance Directorate, National Security Agency. He has had 
responsibility for the various information situations and 
strategies to protect the defense information infrastructure 
and as appropriate, the national information infrastructure. He 
spent about 33 years in this type of analytic work and has 
received numerous awards for his many contributions in defense 
intelligence communities. We are delighted to have you here. We 
have had great cooperation from the National Security Agency 
and we appreciate the tough job he has and they have. We are 
glad to have you here. Mr. Wolf.
    Mr. Wolf. My name is Dan Wolf and I am NSA's Information 
Assurance Director. I appreciate the opportunity to be here 
today to talk about information technology security as your 
subcommittee considers H.R. 3844.
    My organization is responsible for providing IA 
technologies, services, processes and policies that protect 
national security information systems throughout DOD, the 
intelligence community and related law enforcement agencies. 
While some may suggest that NSA's perspective is too narrow 
because we focus on national security systems, I would like to 
note NSA has been in the business of protecting information 
systems from attack and exploitation since 1953.
    During NSA's nearly 50 years of producing not only policy 
but also in the hard work of developing security products and 
services to implement these policies, we have learned, and I 
believe we agree with many members of this committee that 
successful information security demands aggressive management 
oversight, extensive sharing of best practices and a bedrock 
foundation of proven security standards.
    While I am not in a position to express the 
administration's view of H.R. 3844, I thought it might be 
helpful if I shared NSA's technical experience in these matters 
with you. There are a number of areas in H.R. 3844 where we 
believe improvements can be made based on our experience. My 
written testimony goes into much more detail but I would like 
to briefly highlight four areas.
    The first area is defining and identifying national 
security and mission critical systems. We suggest that the 
proposed definition for identifying national security systems 
in H.R. 3844 might add more confusion to an already complex 
process. We have also learned by analysis of dependence between 
computer systems during the Y2K crisis, that there are many 
similarities found in identifying and protecting mission 
critical systems and national security systems. Therefore, we 
suggest that you consider keeping the original GISRA definition 
of national security systems.
    In a related matter, the provision that directs NIST to 
develop guidelines for identifying an information system as a 
national security system is unnecessary because the national 
security system is already defined in the existing laws.
    The second area is risk assessments and system engineer 
connection management processes. There are many references to a 
risk assessment process in H.R. 3844. It has been our 
experience that useful risk assessments are extremely difficult 
to complete and maintain. This problem gets especially 
dangerous when you consider that although these systems are 
assessed for risk independently, they soon become 
interconnected. We have consistently found one organization's 
risk calculations and assumptions will be very different from 
another unless the process of performing the risk assessment is 
exceptionally well specified and managed.
    We suggest that a standard method for performing risk 
assessments be developed for use throughout the Federal 
Government. It must describe not only the assessment process 
but also define standard methods for characterizing threats, 
defining potential mission failures and include a process for 
ensuring that these baseline risk assessments are periodically 
reevaluated, especially as changes are made in connectivity. 
The quality of risk assessments for our interconnected systems 
must not be left to chance or independent decisions. Otherwise, 
the weakest link in the chain will fail.
    Third, coordinating incident detection and consequence 
management, the defense of Federal and DOD networks against 
cyber attacks requires a robust and time sensitive defense in-
depth approach. NSA's National Security Incidence Response 
Center provides real-time reporting of cyber attack incidences. 
Through around the clock, 7-day-a-week operation, NSIRC 
provides DOD, the intelligence community and the Federal law 
offices with information valuable in identifying and 
encountering cyber attacks. NSA has established a trusted 
relationship with the Fed CIRC. Moreover, we have similar 
relations with the National Infrastructure Protection Center 
and the NIPC and the Department of Defense's Incidence Center, 
the DODCERT. We believe that adding a new Federal Incident 
Management Center as described in the proposed legislation 
would add unnecessary redundancy and decrease both the 
efficiency and effectiveness of our existing processes.
    Fourth, sharing vulnerability information, the technology 
we used today throughout the Government and the private sector 
is a veritable monoculture. For example, this means that 
knowledge of vulnerability discovered in a system at the Labor 
Department could be used by an adversary to attack the computer 
in the Defense Department. While we agree it is extremely 
important for all Federal departments to share vulnerability 
information, we also believe this information must be 
disseminated only through consideration regarding the 
consequences, not just to an organization's internal systems 
but the consequences to all Government systems is vulnerability 
becomes widely known.
    I would like to thank the members of both subcommittees for 
your consistently strong interest and attention to this vital 
area. Your leadership is providing a public service by raising 
the issue of the serious security challenges we are all facing 
in the age of interconnected and interdependent networks.
    This concludes my testimony. I would be happy to answer any 
questions.
    [The prepared statement of Mr. Wolf follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.039
    
    [GRAPHIC] [TIFF OMITTED] T6343.040
    
    [GRAPHIC] [TIFF OMITTED] T6343.041
    
    [GRAPHIC] [TIFF OMITTED] T6343.042
    
    [GRAPHIC] [TIFF OMITTED] T6343.043
    
    [GRAPHIC] [TIFF OMITTED] T6343.044
    
    [GRAPHIC] [TIFF OMITTED] T6343.045
    
    [GRAPHIC] [TIFF OMITTED] T6343.046
    
    [GRAPHIC] [TIFF OMITTED] T6343.047
    
    [GRAPHIC] [TIFF OMITTED] T6343.048
    
    [GRAPHIC] [TIFF OMITTED] T6343.049
    
    Mr. Horn. Thank you.
    Next is a person well known to this subcommittee and the 
Congress, Mr. Benjamin Wu, Deputy Under Secretary of Commerce 
for Technology Administration, Department of Commerce. He was 
very helpful to us in our Y2K computer problems and worked very 
closely with Representative Morella of Maryland in her role on 
the Science Committee as well as in Government Reform. Nice to 
see you again.
    Mr. Wu. Thank you, Chairman Horn, and good morning. Good 
morning to you, Mr. Davis and also Ranking Member Schakowsky.
    On behalf of the Department of Commerce's Technology 
Administration and its National Institute of Standards and 
Technology, I want to share with you our views on Congressman 
Davis' bill, H.R. 3844.
    Let me first commend you, Mr. Chairman, and the entire 
subcommittee for continuing to focus on the critical issue of 
cyber security in the Federal Government. Today's hearing will 
once again remind Federal agencies that cyber security must be 
addressed in a comprehensive manner and on a continuing basis.
    As you mentioned, I had the privilege and the pleasure of 
working with you, Chairman Horn, and also Chairman Davis, as we 
successfully battled the Y2K computer problem which some have 
drawn parallels to the issue of computer security. With Y2K as 
you well know, we knew who the enemy was, we knew how it was 
going to strike, we knew when it was going to attack. We don't 
have that luxury with computer security. That is why it is 
important that we continue to focus on Federal efforts on 
computer security and I am very proud that NIST plays an 
important cyber security role for our Nation.
    We have specific statutory responsibilities for Federal 
agencies under the Computer Security Act of 1987 and also its 
follow on legislation, including GISA. NIST has been tasked by 
Congress to develop standards and guidelines to assist the 
Federal Government in protection of sensitive, unclassified 
systems. These responsibilities supplement NIST's broader 
mission of strengthening the U.S. economy, including proving 
the competitiveness of America's information technology 
industry.
    In support of this mission, NIST conducts standards and 
technology work to help industry produce more secure, yet cost 
effective products which we believe will enhance 
competitiveness in the marketplace. Having more secure products 
available in the marketplace will also benefit Federal agencies 
because they principally use commercial products that construct 
and secure their systems.
    The Computer Security Division in our Information 
Technology Laboratory is the focal point of our cyber security 
program. The Computer Security Division focuses on a few key 
areas: photography standards and applications, security 
research, security management, and security testing. In 
previous testimony before this committee on March 6, the 
Director of NIST, Arden Bement, provided you with a broad 
review of current NIST activities undertaken to fulfill our 
important cyber security responsibilities, so it is not 
necessary to repeat to you what NIST is doing now but I do want 
to discuss with you what NIST would be asked to do if H.R. 3844 
was enacted, as introduced, and offer some comments.
    Under FISMA, NIST would be tasked with a number of 
responsibilities ranging from developing IT standards and 
guidelines, developing security standards and guidelines, 
consulting with other Federal agencies, providing assistance to 
agencies, submitting proposed standards and guidelines to OMB 
for promulgation, conducting security research, developing 
security performance indicators, evaluating private sector 
information, security policies and also reporting annually to 
OMB among others.
    Additionally germane to NIST's key security 
responsibilities, H.R. 3844 would establish an Office for 
Information Security Programs at NIST which the director would 
be responsible for administering. NIST information security 
responsibilities, under FISMA, authorize a $20 million level 
funding for NIST's security program, rename the computer 
security system and Privacy Advisory Board as the Information 
Security Board with new responsibilities, as well as 
eliminating the existing process under limited and specified 
circumstances for agencies to waive the use of mandatory and 
binding security standards.
    The Department believes that overall, the drafters of the 
bill are to be commended for taking a sound and practical 
approach to information security, one that will serve the 
Nation well in the years ahead. The bill appropriately 
maintains existing separation of responsibilities for security 
and sensitive systems, which is a major concern for the IT 
industry.
    Current NIST activities are well aligned with the majority 
of the bill's provisions and additional activities, specific 
assignments and also the envisioned growth of NIST in the cyber 
security program will further strengthen the security of all 
Federal security agency systems. Moreover, the bill will 
promote the consistencies in the protection accorded to similar 
systems and information across the entire Government.
    Let me respectfully offer, however, the Department's 
specific concerns on the bill for the committee's 
consideration. I am mindful of the time constraints I have so 
let me just run over them in general. I would be happy to 
respond to them at a later point in the questions.
    One is proposed transfer authority to issue standards and 
guidelines from the Secretary of Commerce to the Director of 
OMB. We believe that should be reconsidered because the 
Secretary represents industry and that is an inherent function 
of the Secretary.
    In the bill there are also a number of references to the 
standards development role of OMB. We believe that OMB develops 
and issues broad security policy and guidance and this should 
be clarified vis-a-vis what NIST does in collaboration with 
OMB.
    The third concern has to do with the agency's current 
limited ability to waive mandatory and binding standards.
    Finally, the bill would also require that NIST provide OMB 
with an annual report regarding major deficiencies in 
information security at Federal agencies and since NIST's 
responsibilities do not extend to providing day-to-day 
operational security for Federal systems and Federal agencies, 
any such report we believe would be woefully incomplete.
    I want to close by emphasizing that our national commitment 
to improving cyber security must be increased in Federal 
agencies and elsewhere. As Congressman Davis' bill 
reemphasizes, there is much more to be done as we address cyber 
security in the Federal Government. The NIST cyber security 
program has a proven track record of success and stands ready 
to work with you, the committee and other Federal agencies in 
the enhanced role envisioned in FISMA.
    Thank you very much.
    [The prepared statement of Mr. Wu follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.050
    
    [GRAPHIC] [TIFF OMITTED] T6343.051
    
    [GRAPHIC] [TIFF OMITTED] T6343.052
    
    [GRAPHIC] [TIFF OMITTED] T6343.053
    
    [GRAPHIC] [TIFF OMITTED] T6343.054
    
    [GRAPHIC] [TIFF OMITTED] T6343.055
    
    [GRAPHIC] [TIFF OMITTED] T6343.056
    
    Mr. Horn. We appreciate your testimony and we will get into 
that in the question period shortly.
    Our next witness is Ronald E. Miller, Chief Information 
Officer and Assistant Director, Information Technology Services 
Director, Federal Emergency Management Agency, FEMA. That is a 
very fine agency. Over the last 10 years, they have really put 
their act together and with all the problems that have come 
forth with tornadoes, floods, you name it, they have done great 
work with all of us in the Congress.
    Mr. Miller, you have a very fine record in the military. We 
are glad to see you here.
    Mr. Miller. Thank you, Chairman Horn, Chairman Davis and 
members of the committee.
    I would like to take the opportunity to thank you for 
addressing this very important issue and while I cannot present 
the administration's view, I would like to share both FEMA's 
position on information security and my perspective as the 
security liaison for the CIO Council.
    Very briefly I want to spend a few moments talking about 
FEMA's approach to IT security. It is fairly straightforward. 
As a Federal agency, we are required to deliver mandated 
products and services and we must do so in full compliance with 
laws of the land. That includes the security requirements put 
forth in public laws, executive branch directives, Federal 
standards and agency-specific policies. We view those 
requirements as being the minimum set of security standards 
that we must comply with in the development of our systems, so 
that in that regard we want to include a certain set of steps 
to take for every system we implement. Those steps include 
formally certified system security plan, formal accreditation 
and approval to operate by the appropriate management official, 
tested contingency plans, implemented incident handling 
capabilities, security education awareness program and a 
capital plan for funding security across the systems life 
cycle.
    Our approach is to use a well disciplined capital planning 
and investment process and ensure security costs are 
incorporated into the system development life cycle. Our 
capital planning process is strongly linked to the agency's 
performance plan and goals. Using this approach, we have 
created a framework whereby IT solutions are implemented to 
support prioritized agency mission requirements and security is 
made a part of the IT solution itself. In this manner, we are 
also able to determine that the resources we apply to our IT 
security activities are directly aligned with the agency's 
performance goals.
    With regard to GISRA, there are noticeable improvements in 
the area of IT security because of the enactment of that 
legislation because it helped put management focus on this 
important problem. We still have need for additional progress 
and believe that FISMA is sound and will help.
    The CIO community overall views GISRA as a very positive 
step forward because it codified many of the requirements put 
forth in OMB Circular 30. The codification of those 
requirements signaled a heightened awareness on the part of the 
legislative branch concerning the importance of implementing 
adequate IT security. It also helped to clarify the role of the 
Chief Information Officer as being responsible for implementing 
an adequate IT security program across the agencies. It 
required that a senior official be designated to head IT 
security and that official would report directly to the CIO.
    We find the annual report requirement to be particularly 
useful because it allows us to not only gain a full perspective 
on the state of our security programs, but it also ensures that 
the state of IT security is well documented and understood by 
senior agency managers. In general, we see FISMA as similar to 
GISRA in most regards and we are confident in our abilities to 
implement if enacted.
    There are areas where we believe the bill needs improvement 
and we would like to see it address the following. First, we 
would like to see a stronger link between IT security 
requirements and the capital planning process, stronger 
emphasis on resources for IT security training, the retention 
of IT security professionals, support for day to day security 
efforts and individual accountability for security.
    We need to ensure that capital planning investments include 
consideration for security which is a powerful incentive for 
program officials. We believe we need a work force that is well 
trained and prepared to address the complex issues found in IT 
security and an emphasis should be placed on providing 
resources that provide training to employees responsible for 
implementing these standards.
    We also believe we need to look to retaining the work force 
once we have recruited and trained folks that are skilled in IT 
security. We support the administration's Managerial 
Flexibility Act which would allow Federal agencies the 
flexibility to provide hiring and retention incentives to 
potential employees, including IT security professionals.
    There needs to be overarching support for the day to day 
security efforts across the Federal Government such as CERT, 
the FedCIRC, incident support, patch distribution service is 
just beginning at GSA, training and guidelines and soon. We 
need to hold Federal Government officials individually 
responsible in their performance plans for the implementation 
of security within their programs. OMB has certainly taken a 
step in the right direction with the balanced score card.
    The world has changed in many ways since September 11th and 
I believe that with the concept of electronic government, the 
security requirements are more prevalent now than ever before. 
I am looking forward to working with the committee and each one 
of you in helping the Federal Government address needed 
improvements in Federal IT security.
    Thank you for this opportunity. I look forward to questions 
at the end of the testimony.
    [The prepared statement of Mr. Miller follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.057
    
    [GRAPHIC] [TIFF OMITTED] T6343.058
    
    [GRAPHIC] [TIFF OMITTED] T6343.059
    
    [GRAPHIC] [TIFF OMITTED] T6343.060
    
    [GRAPHIC] [TIFF OMITTED] T6343.061
    
    [GRAPHIC] [TIFF OMITTED] T6343.062
    
    Mr. Horn. Thank you.
    Next is David C. Williams, Inspector General of quite a few 
agencies. He started out, I suspect, being a Special Agent in 
both the U.S. Secret Service but also in U.S. military 
intelligence. He is a recipient of a U.S. Bronze Star and the 
Vietnamese Medal of Honor. We are delighted to have you here.
    I had one question on the Inspector General role with the 
Tax Administration. Was that to deal with the 100,000 people 
that are in IRS or the clients they deal with?
    Mr. Williams. I believe we have a very strong commitment 
toward their clients, the taxpayers and certainly as 
represented through the House and Senate committees. Our 
coverage involves the activities of the Tax Administration, 
which is both the IRS and some policy units inside main 
Treasury.
    Mr. Horn. Great. Go ahead with your summary.
    Mr. Williams. I appreciate the opportunity to appear today 
to provide an Inspector General's perspective.
    Government agencies continue to struggle with the 
appropriate balance between IT security and computing capacity, 
too often with an overwhelming bias toward speed and ease of 
operations. The Government Information Security Reform Act has 
served as an essential beacon urging agencies toward a more 
balanced course. During fiscal year 2001, the GISRA assessments 
identified substantial vulnerabilities across government that 
could threaten the security of information systems. These 
included formal security training and awareness programs for 
all employees were frequently ineffective or nonexistent.
    In the IRS for instance, 70 of 100 employees were willing 
to compromise their passwords during pretext telephone calls by 
IG auditors. No matter how strong other controls may be, 
employees can often be the most vulnerable component of an 
agency's IT security program.
    Specific performance measures were often absent such as the 
effectiveness of efforts to reduce the impact of computer 
viruses. Oversight of contractors was not sufficient and many 
had not received the necessary background clearances. An 
unacceptable number of systems and applications critical to the 
agency missions were not security certified or accredited. 
System intrusion incidents were not consistently reported and 
shared throughout the Government to assist agencies to 
proactively identify and combat hacking. Security controls 
often seem to be an after thought in IT budget investment 
decisions and senior managers often assumed little 
responsibility for IT security within their programs, deferring 
entirely to small security offices.
    To increase the likelihood of success, agencies need to be 
held accountable for their security programs. Some agencies 
appear to view the GISRA annual reporting process as a pro 
forma exercise. To assure GISRA effectiveness funding requests 
for IT initiatives should be contingent on the integration of 
adequate security controls. To assist agencies in adhering to 
GISRA and H.R. 3844 provisions, we offer the following 
suggestions to improve the consistency in conducting and 
reporting information security assessments and investigations.
    Certain terminology should be clarified to avoid confusion 
in reporting. Terms such as programs, systems, networks, 
mission critical and mission essential are subject to varying 
interpretations. Agency officials should be required to use the 
NIST IT security assessment framework. Agency and IG reporting 
requirements should be integrated to reduce duplication of 
effort. The OMB should provide implementation and guidance at 
the beginning of each reporting year. Annual submissions should 
contain a conclusions section on agency compliance with the law 
and its overall information security posture.
    The IG should be required to evaluate whether agencies have 
a process that incorporates information security into their 
enterprise architectures. Reporting intrusion incidents to Fed 
CIRC should not be limited to national security incidents but 
should also include threats to critical infrastructure as was 
the case during the Y2K initiative.
    Importantly, agencies should identify the IG or another law 
enforcement agency that will investigate intrusions and refer 
them for prosecution.
    In conclusion, while it is still early in the GISRA 
implementation process, we are optimistic that if enforced, 
GISRA and its successor legislation will ultimately succeed in 
strengthening information security throughout the government.
    I would be happy to answer questions at the appropriate 
time.
    [The prepared statement of Mr. Williams follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.063
    
    [GRAPHIC] [TIFF OMITTED] T6343.064
    
    [GRAPHIC] [TIFF OMITTED] T6343.065
    
    [GRAPHIC] [TIFF OMITTED] T6343.066
    
    Mr. Horn. Thank you.
    Our last presenter before the questioning is James Dempsey, 
Deputy Director, Center for Democracy and Technology. You have 
a very rich background and I note here that with a Professor 
David Cole. What university was he with?
    Mr. Dempsey. Georgetown University.
    Mr. Horn. You did this book on ``Terrorism and the 
Constitution, Sacrificing Civil Liberties in the Name of 
National Security.'' The second edition is out, so you are a 
well designed author with a second edition in 2002 as well as 
journal articles, and a background of Yale and Harvard Law 
School.
    When I was at Harvard, we used to say there was a great 
operation at Yale but they would come to Harvard for an 
education. So you covered both, you and the Bush family have 
covered all of them.
    You are a member of the District of Columbia Bar. Tell us a 
bit about the Center for Democracy and Technology.
    Mr. Dempsey. Good morning, Mr. Chairman, Chairman Davis and 
Congresswoman. Thank you very much for inviting us to testify 
this morning on the important issue of the security of Federal 
Government computer systems.
    The Center for Democracy and Technology is a non-profit, 
public interest organization. Our goals include enhancing 
privacy protections for individuals and preserving and 
promoting the democratic potential of the Internet. We work 
closely with industry and with policymakers to develop balanced 
policy solutions to the information technology issues that face 
both the Government and the private sector. We focus much of 
our attention on the Internet because we believe that, more 
than any other medium, it has characteristics that are uniquely 
supportive of democratic values. The Internet has the power to 
enhance the delivery of Government services, to provide cost 
efficiencies for government, businesses and individuals, and to 
facilitate interaction between the Government and its citizens.
    Hanging over that and potentially threatening that 
potential is the vulnerability of computer networks, which also 
affects fundamental government operations and the private 
sector, and the economy as well.
    Unlike the gentlemen who testified before me who are very 
much in the trenches dealing with this issue, I am going to 
take, if I could, a somewhat broader perspective, looking at 
the issue of government information system security in a 
somewhat broader context.
    I want to congratulate you, Chairman Horn, and Chairman 
Davis, for your leadership in addressing this issue in a 
comprehensive and serious way. I commend you for bringing 
forward H.R. 3844 to build on the important progress of GISRA.
    My basic message today is that, in developing and 
implementing policy solutions for the security deficiencies 
that exist in government computer systems, it is imperative to 
recognize and preserve the open, innovative, and interactive 
nature of the medium and to use that to promote the government 
objectives that all of these agencies are so nobly trying to 
advance.
    In creating a standard, setting policy for government 
computer systems, we urge you to draw upon the expertise of the 
private sector. Chairman Davis referred to the importance of 
having flexibility and to recognize the speed with which this 
technology is developing, and to buildupon developments within 
the private sector where systems designers and managers are 
grappling with these same issues of balancing security, 
efficiency, privacy and openness.
    On the point of privacy particularly,k we believe that it 
needs to be a part of the equation of computer security. If you 
look at any of the legislation and the fair information 
principles going back to the 1970's, privacy and security 
always went hand in hand.
    I have four basic suggestions or comments on the 
legislation today. One is to focus on government computer 
systems not information per se. The question of management of 
government information generally, its security, disclosure, 
privacy, is a very complicated subject. With lots of 
legislation, while clearly what we are talking about today is 
the unique challenges, threats and difficulties posed by 
networked computer systems. Yet if you look at the legislation, 
it refers to information and information systems. I think all 
of the focus here at the table is on information systems which 
pose these unique, documented vulnerabilities and the need for 
some top down leadership within the Government to get the 
Government's security house in order. That should be the focus 
and I think unintentionally perhaps the legislation is a little 
misleading in that regard.
    Second, is to recognize and promote a balanced approach. 
Security needs to be dealt with in tandem with privacy, 
openness and efficiency, which are the four interests I think 
the goal is to balance. In looking at the legislation as it is 
drafted, I don't think that balancing point comes through 
clearly enough.
    Third, it is necessary, particularly at this time, to 
preserve and enhance within the executive branch a privacy 
advisory function. The bill would amend the charter of the 
Computer Systems Security and Privacy Advisory Board as I read 
it to remove privacy from the jurisdiction of that body and at 
this time, I think it is very important to have within and 
available to the Federal Government an advisory function that 
looks at the privacy implications of computer system design and 
other information issues facing the Government.
    Fourth, just to repeat the point about working with, and 
consulting with a broad range of interests within the private 
sector where there is obviously a tremendous amount of energy 
and attention being given to these computer security issues. 
These are the people designing the systems. Some of the same 
problems and vulnerabilities that the Government is grappling 
with are recognized in the private sector as well.
    We would look forward to working with you. I look forward 
to answering your questions. Thank you again for inviting COT 
to testify today.
    [The prepared statement of Mr. Dempsey follows:]

    [GRAPHIC] [TIFF OMITTED] T6343.067
    
    [GRAPHIC] [TIFF OMITTED] T6343.068
    
    [GRAPHIC] [TIFF OMITTED] T6343.069
    
    Mr. Horn. Thank you.
    We now yield 10 minutes to the gentleman from Virginia to 
begin the questioning.
    Mr. Davis. My intent for the Incident Center was not to 
create multiple centers or to duplicate existing centers, but 
to ensure that there be at least one governmentwide center and 
that it have a strong statutory mandate to provide effective 
instant response and assistance to all agencies.
    The bill makes it very clear that it is up to OMB to ensure 
that such a center is established. Does anyone have a problem 
with the Federal Government having a strong central information 
security incident response?
    Mr. Williams. Not only do I not have a problem, I think it 
is a very good idea. At this point, we don't have a very mature 
process for identifying the kinds of incidents to be forwarded, 
we are still feeling our way through dissemination and with 
regard to dissemination of the information once we gather and 
analyze it. There is not necessarily a strong, consistent way 
of dealing with the incidents once we identify them. We don't 
want them just to pass, we want to aggressively move against 
them where the intrusion has been illegal.
    We need something like this. This is pointed in the right 
direction, it is a void and I am for it.
    Mr. Forman. I think clearly as indicated in my testimony, 
that is the direction we have been moving within the executive 
branch in how we have been using FedCIRC and the capabilities 
they have been building. The corollary to creating the 
organization is the process and that is what is really lacking. 
We need to not just think about the annual reporting and risk 
management process. When you deal at the incident level, you 
deal basically within 24 hours as a cycle of time. That means 
we have to have a very streamlined, fast and responsive process 
to the vulnerabilities and the threats. It is a 3 x 3 matrix of 
potential risks, vulnerabilities, and responses the agencies 
have to look at.
    This is clearly one of the areas where we definitely agree. 
Things need to be done and I would go so far as to say, not 
just in the organization itself, but in the type of 
streamlining process, reporting response requirements. There 
should be some guidance.
    Mr. Wolf. In my testimony, I stated that we have several 
centers set up and we interact with them on a routine basis. I 
think it is important that you emphasize in terms of what gets 
reported and the processes of how all that gets put together.
    Mr. Dempsey. Just one comment. I think the prior 
administration stubbed its toe on this issue to some extent 
when it talked about the FIDNET intrusion detection monitoring 
system and put that forward without adequately considering the 
privacy issues that posed. I think that is a classic example of 
how privacy should be built into decisionmaking and development 
processes because I think while there is tremendous merit to a 
centralized information security incident center, some of the 
issues of intrusion detection do raise obvious privacy issues 
that need to be addressed or otherwise the thing is going to 
run into criticism and potential problems again.
    Mr. Miller. From the perspective of an agency, my hope is 
that we have a center of excellence to support what we are 
trying to do in the area of IT security. It may be more of a 
process issue than an organizational issue, but the bottom line 
for us is that we need help in getting that kind of support. If 
we can bring the resources of the Federal Government together 
in such a way that they can provide us with that center of 
excellence we can report to, that we can get advice and counsel 
from in security matters, and that we can get some form of 
assistance when we have a critical incident, then that is 
always helpful for us. We don't have enough resources to do it 
on our own.
    Mr. Davis. Mr. Wu, will NIST be able to quickly develop the 
standards and guidelines called for in the bill? Some skeptics 
have shared concern that NIST is just not up to the task. What 
do you think?
    Mr. Wu. NIST is prepared and willing to take on any 
responsibilities that would be delineated if H.R. 3844 were to 
be enacted. We would be working in conjunction with OMB but 
also we would be working with industry.
    One concern, however, is the NIST resources. I think you 
are correct in stating that the current NIST resources may be 
overtaxed with some of the responsibilities under FISMA, but 
given the importance of the computer security issue, we would 
hope that Congress would be kind and look forward to an 
appropriation that would be a sufficient amount for NIST to 
take on other responsibilities. But the technical expertise, 
the energy, and the enthusiasm to take on these 
responsibilities is there at NIST.
    Mr. Davis. You understand we are not looking for a specific 
technical standard that could be quickly outdated and obsolete. 
We are looking for more specific guidelines and benchmarks to 
take some of the subjectivity and guesswork out of the process 
of determining whether an agency has truly done a good job 
addressing these information security risks.
    Mr. Wu. NIST is very engaged in the voluntary consensus 
standards organization process. NIST has worked very closely 
with industry to make sure that industry concerns are 
represented and NIST also works with the general public as well 
and will continue to work with those stakeholders, OMB, and the 
other Federal agencies.
    Mr. Davis. Mr. Dacey, one of the significant differences 
between FISMA and GISRA can be found in the way that FISMA 
proposes to define national security systems. As you know, 
GISRA added a third category to the traditional two-part 
formulation of national security systems and called it 
debilitating impact systems. GISRA then includes this third 
category in an exemption in allowing these systems to be 
excluded from GISRA's information security risk management 
requirements. Could you expand on this and discuss some of the 
history and policies involved?
    Mr. Dacey. The issues related to, that have to do with 
that, require you look at the FISMA bill in its entirety. One 
of the provisions in there is the requirement for establishment 
of risk levels and minimum standards at those various risk 
levels. FISMA would include all non-national security systems 
in the consideration of that area. So those would be considered 
at various risk levels and appropriate minimum standards.
    One of the concerns that had been expressed during the 
GISRA implementation was how do you define debilitating impact 
systems and how will they be treated in the process. They were 
excluded, as you said, from some of the other areas of GISRA 
and the provisions of GISRA. This would basically put into 
place the requirements over those systems that were formerly 
debilitating impact but also would allow those to be considered 
in terms of risk assessment and various specified levels of 
risk.
    Mr. Davis. I am also interested in the distinctions between 
national security and non-national security systems. In his 
prepared statement, Mr. Wolf said there is very little 
diversity in the underlying technology and therefore, the 
security vulnerabilities found in national security systems as 
compared with other Federal systems. It sounds to me like the 
steps needed to protect national security systems are the same 
as for non-national security systems. Would you agree with 
that?
    Mr. Dacey. I would agree with the observations that the 
technologies that are used in both systems have converged and 
are essentially the same types of technologies. Certainly in 
the national security systems, they are fairly hardened and 
strengthened in terms of the level of security placed on them. 
However, we have a lot of sensitive information, too, in the 
Federal Government that may require similar levels of 
protection in the system.
    I think in terms of standards, ideally, there would be a 
coordination between national security and non-national 
security systems. I think some of the same types of 
technologies and controls would be relevant to both and in 
considering the different risk levels for non-national security 
systems, particularly at the top end with the more secure 
needs, those could be very consistent with national security 
requirements.
    Mr. Wolf. If I could add one comment, the technologies are 
very similar. The one thing I would add is that with national 
security systems, you do have a higher level encryption, 
stronger encryption than you are dealing with in some of the 
diplomatic and military activities. So there is a difference 
there.
    Mr. Davis. Mr. Dempsey, let me ask you a question. I think 
we are all concerned with protecting privacy, trying to strike 
the right balance between national security, critical 
information security and privacy interests of citizens. Would 
you agree one of the biggest threats to privacy interest today 
is the fact that hackers and other unauthorized individuals can 
break into government information systems and access this 
personal, sensitive information?
    Mr. Dempsey. I think that is an important piece of the 
privacy problem. I think that goes to the complementarity 
between privacy and security.
    Mr. Davis. We put walls around a lot of that information so 
that no one should see it who shouldn't get it and yet a hacker 
breaks in.
    Mr. Dempsey. Exactly, and I agree with that. I think some 
of the interests at stake also in terms of privacy involve the 
right of individuals under the Privacy Act to access personally 
identifiable information that is in the hands of the 
Government. On the one hand, the goal of privacy is to preserve 
confidentiality but also under the rubric of privacy we have a 
broader set of fair information principles, which include the 
concept of access. That is part of the balance that I was 
talking about.
    I agree with you entirely that one of the goals here is not 
only to protect government operations but also to protect the 
huge amount of personal information the government has.
    Mr. Davis. Mr. Williams, with your extensive experience in 
law enforcement and IRS, can you share some of your concerns 
about the seriousness and the threat our Government is facing 
in the information security area without disclosing too much, 
the types of problems? That is what we are trying to get at 
with this.
    Mr. Williams. The threat is serious. We also have the 
difficulty of this emerging area being one in which we are 
constantly sort of preparing for the last war, the last attack, 
rather than being able to look at a completely mature industry 
and begin to do some dynamic forward looking things. The things 
that concern us and things we have encountered involve the 
destruction of information.
    We recently caught a contractor who was being discharged 
who planted a logic bomb inside three of our servers. We were 
able to halt that but had that gone through, an enormous amount 
of information would have been lost.
    Mr. Davis. Does the contractor get debarred for that, are 
they being appropriately sanctioned?
    Mr. Williams. The person received 3 years in prison.
    Mr. Davis. How about the contractor?
    Mr. Williams. The contractor was unaware of the incident. 
We did an extensive lessons learned with the contractor but 
they appeared to have been as much victimized.
    Mr. Davis. Can you explain what a logic bomb is?
    Mr. Williams. It was a device triggered when the computer 
reached a certain capacity which would allow the person time to 
escape and distance himself from the event. At that point 
through a system of algorithms, shutdowns and destruction would 
automatically begin in a remote fashion while the person was 
separated. I am sure there are some other people who are really 
good at it but I think that is about how it works.
    In addition to the destruction of material, which is more 
visible, is the theft of material. I am not sure without our 
shields being up, we really even know how many times we are 
being raided and sensitive information is being taken. Just at 
the IRS, and there is the full spectrum of agencies, we have 
the private financial data of 128 million Americans, there is 
market sensitive data on there, proprietary data. Those are 
things of value.
    Another type of crime is altering the data in order to gain 
something of value, in order to have benefits brought to 
someone that either doesn't exist or doesn't deserve it, or 
forgiveness of an IRS obligation, manipulating it to wipe out 
the debt.
    Those are some of the different flavors of vulnerability 
that we have.
    Mr. Davis. Mr. Chairman, I think my time is up.
    Mr. Horn. We are glad to extend the time. It is your bill, 
we are just trying to get it moving.
    Mr. Davis. I am satisfied for now.
    Mr. Horn. Let us ask the whole panel then, what do you see 
as the primary challenges to developing and implementing the 
minimum security standards required by the bill? When we 
discussed this in the last few days with the staff, I was 
particularly interested in the Commerce and NIST bit on various 
standards. I would like Mr. Wu to give me an idea of typical 
standards we ought to be thinking about.
    Mr. Wu. There are a number of standards, encryption 
standards, interoperability standards, all very critical to 
maintaining an effective computer security infrastructure.
    Mr. Horn. What else?
    Mr. Wu. Our NIST technical and cyber security team have 
been working with those in industry to identify the remaining 
standards and other standards that exist and other issues, 
trying to be forward thinking to try to be able to find out or 
figure out what vulnerabilities there may be in advance and 
what we should be looking forward to.
    Mr. Horn. And you have a role in that and we need to know 
what are the levels of the standards, what is the impact in 
terms of security? Or is it just reacting to some particular 
case.
    Mr. Wu. No, it seems clear that when we have major 
information technology glitches, such as Love Bug and other 
viruses, that impact not just our Nation but the world, that we 
need to be much more forward thinking and that we are too 
reactive. It is important for NIST, as well as the industry, to 
work together to try to be as responsive, to look at the 
vulnerabilities, to intercept them in advance. We work with the 
other Federal agencies to do that as well.
    Mr. Davis. Mr. Wolf, what is your thinking on this, on the 
standards and are they needed and in what direction should they 
be developed?
    Mr. Wolf. I think standards are very, very important. We 
need to make sure we cover the waterfront in terms of all the 
areas that need the standards and I think my partner on the 
committee here mentioned some of those. We need to make sure 
they get implemented. I think that is probably one of the 
toughest things in terms of standards out there, do people 
actually make use of it? And it goes along with the assessment 
that you have in your bill where you talk about the 
assessments, where you are actually doing security assessment. 
If you have a set of standards, how do you make sure people are 
actually implementing them? How do you do an assessment to see 
that is happening? And how do you do the reporting to make sure 
that happens?
    We look at various hacking incidents we see in FedCIRC and 
in many cases, it is because people haven't implemented 
standards, haven't implemented patches, things like that.
    Mr. Horn. It was mentioned earlier that the encryption 
would require greater standards than others. What would be the 
difference between a domestic agency and an intelligence 
foreign affairs agency, would it make much difference in terms 
of what NIST is going to undertake which is various types of 
standards, could that be used to cross areas? How many simple 
standards are there that go across the whole executive branch?
    Mr. Wolf. I would say there are certainly things NIST is 
doing that apply across the Government. There are probably some 
additional things you would want to do in the national security 
arena that are probably a little stricter, because of the 
nature of the data being handled, the Internet connections, the 
internetting, things like that.
    Mr. Horn. That makes some common sense. Do you believe we 
should continue to manage national security systems separately 
from the Federal information systems?
    Mr. Wolf. I think you need to set a set of standards, I 
think they need to be comprehensive but in some cases, when you 
are talking national security, there may be reasons why they 
cannot be implemented because of the national security 
environment in terms of what we are doing. So I think there are 
some distinctions there. Standards are important, they need to 
be comprehensive but not necessarily dictating they are always 
used. There needs to be that case, where because of national 
security, there is a reason you are not going to implement them 
and maybe you propose an alternate set of standards for the 
national security which may be stricter or may have some 
differences because of national security environment.
    Mr. Horn. What interests me is can we keep this going with 
OMB having the responsibility on behalf of the President and we 
are not looking for jobs up here on Capitol Hill, we have 
plenty to do. The question will be how do we know and how do 
inspectors general, in particular, know when they are being 
sandbagged within a particular agency because nobody can talk 
to them?
    Mr. Wolf. I am afraid I am not qualified to answer that 
question. In terms of the role NSA has in terms of defining 
what are good security practices across the board, we are very 
active with NIST in those. In terms of enforcing those in 
various government agencies, we are not able to do that. We 
certainly can define what they should be.
    Mr. Horn. Mr. Forman, is the best way to see if the CIA is 
going along with the type of security situation and to take a 
look at it of either leaving it to the Inspector General at CIA 
or you are going to do it? Or do you just turn NSA loose on 
them to see they really have done what OMB would want so you 
don't have another Ames or whatever? There ought to have been a 
lot of things that they haven't done.
    Mr. Forman. While I am always loathe to recommend more 
bureaucracy, I think this is an area where we want to make sure 
we are taking a good, cost-effective approach, but we ought to 
err on the side of risk-diversity. We are forever hearing terms 
about standards in areas where, technically, they don't mean 
the same thing as a standard.
    We recently produced, last November, the advanced 
encryption standard, which is a product of NIST but really a 
product as much as any of the standards we have, leading edge, 
a function of where industry is going, the national security 
community, and civilian agencies. It is a fine standard, a 
technology standard.
    I differentiate that from saying what is our standard for 
middle ware or what is our standard for a Web applications 
server. Those are more what I would consider to be components. 
The nexus that we have there, the process that we are rolling 
out, combines the CIO Architecture Committee, which I think you 
will see, have an increasingly important role in terms of 
understanding and agreeing to the architecture components, and 
there is now in circulation a framework for doing that.
    I think Ron's role as the CIO Council Security Liaison, 
integrating within the Cyber Board executive branch committee 
which NSA also sits as a member, is another critical part of 
that puzzle, pulling together the key issues to focus.
    So we know we will have that focusing, we will get that 
more rapid approach to different types of standards as well as 
the architecture components. The next step then is how do you 
police that? We will do some by the budget process, and I think 
that is key, but there is a set of analytical capabilities as 
Ron mentioned, that center for excellence, that also has to 
focus the audit work, inform and accelerate that standard 
setting process.
    I think as you heard before, there is some good language in 
FISMA, and I think the suggestions in the testimony and answers 
to the questions will focus that a bit more. At the end of the 
day, I think you are looking at a couple of key elements here, 
how fast can we make this process work and some end results. 
Not only are we seeing increased vulnerabilities because those 
are going to increase just because we are detecting more, but 
are you seeing people taking advantage or hackers taking 
advantage of those both within, the internal threat, and the 
external threat in a way that causes mission critical problems, 
loss of privacy.
    I think the bill should lay out very clearly what are the 
criteria, what are the results that will measure? Is it loss of 
privacy? I think that is a fine one, it is in some of the 
legislation already and it would be good to focus it in FISMA. 
Is there loss of mission critical capability or downtime? If 
you lay out the guidance and the measures I think that will 
help us in focusing the oversight and the standard setting 
process through components.
    Mr. Horn. Mr. Dacey, what does the General Accounting 
Office think about the various standards that might be put 
forth under this bill? The question is, does it help with doing 
it or if it isn't, why even have it?
    Mr. Dacey. We think standards are important. I think one of 
the challenges to your original question is to provide some 
level of standardization but yet build in sufficient 
flexibility to make sure we don't make bad decisions and put in 
things we don't really need. I think that will be the challenge 
in implementing it.
    I think there are a couple of things I would like to focus 
on here. In FISMA, it sets up a requirement which is general 
good practice, that you should assess your risk and develop 
security controls commensurate with that risk. As part of that 
process, FISMA then goes on to establish a requirement for risk 
levels and standards for those various risk levels. Let me talk 
briefly about risk levels and standards.
    In terms of the risk levels, it is clear and it has been 
said on the panel here, we really need to have an effective and 
efficient process for assessing risk. It is a very important 
aspect because if we don't do that properly, we are not going 
to have the right controls in place to protect our systems.
    It is also important to consider how you go about doing 
that. FISMA comes up with levels of risk. That could be a very 
feasible approach I think to categorizing the types of risks 
and systems and the various ways you could build that around. I 
think that would be part of the deliberative process to 
consider how those would best be established.
    I think they are important too when we talk about 
connectivity because we are talking about right now pretty 
broad spread connectivity within agencies, between agencies, 
between the Federal Government and State and local and with the 
private sector. I think ultimately we need to be considering 
what is the level of risk in those systems and do we want to 
have them connected together. That would be one way which this 
could go through the process.
    You wouldn't want to be connecting openly a high risk 
system with a low risk system because a low risk system would 
have less safeguards and those safeguards could potentially be 
breached and gain access to the more sensitive system and that 
is typically what we do when we do our work in trying to get 
into Federal systems with the agency's knowledge. We get into 
systems that are simple to get into and use that ability to 
advance our privileges and gain access to some very sensitive 
information.
    In terms of standards, I think there may be some 
definitional issues. One of the concerns is the word standard 
oftentimes evokes a certain amount of rigidity or 
inflexibility. I don't think that should be the intent of 
standards under FISMA. I have been doing auditing for about 25 
years and we use auditing standards. I audited small shops, I 
have audited the Federal Government with its $2 trillion of 
revenue. We use the same standards, not the same procedures but 
the same standards nonetheless and it has worked pretty well 
and it is generally applicable. That is the kind of standard I 
think I would refer to.
    I think they are important for several reasons. I think 
they clarify expectations. I think they are a good criteria to 
measure how effective security is, as well as to manage 
performance or measure performance over time. I think it 
provides a certain consistency if we have standard levels of 
risk, that we have some nomenclature to share within the 
Federal Government as well as those we choose to hook up to our 
systems as to what level of risk we want them to respond to. In 
fact, in some of our more secure systems, there are 
requirements before you hook up to the systems. You have to 
meet certain minimum security requirements or you don't play 
the game. I think there are some examples already where that is 
being used to say we need certain standards to deal with that.
    GAO's approach has to address all these. When we do our 
audits, there aren't universal, governmentwide standards 
necessarily and that is a challenge to us. But what we find 
oftentimes is that there is a core set of standards or 
requirements that are pretty universally agreed upon. I don't 
think we have found anyone who said if you are going to have 
passwords, you probably ought to say fault passwords should be 
removed because everybody knows what they are and if they get 
in the system, they can break right in.
    Also, you could argue that maybe you shouldn't have 
passwords if you are going to use passwords to say ``Redskins'' 
or ``password'' as the password. Those are the types of things 
in which I think there is a lot of agreement. There are 
probably some other standards that there is some reasonable 
difference between knowledgeable people as to whether it should 
be a requirement or not. I think that could be considered again 
in the structure of a standard-setting process.
    I think there are some other side-benefits to standards. I 
think if we are going to have some consistent training across 
the Federal Government, which I think is one of the goals of 
the administration, I think it is a very important goal to the 
extent you have some standards to build that around. To be 
training people on the same thing would be very important.
    We also have a lot of people running these systems that 
have worked very hard and to the extent you can provide them 
some information rather than have them independently try to 
determine what level of security they should employ would be 
beneficial.
    Last, in terms of tools, I think that is another important 
area, we need better automated tools. Many of those tools 
currently look for certain things in the systems. I think if 
you agree upon what those things are you want to look at, tools 
can be built rather readily to test for those types of 
conditions in those systems.
    Mr. Horn. We look on the General Accounting Office to be 
the sort of umpire on behalf of Congress. What are the benefits 
and disadvantages of shifting responsibility for promulgating 
standards and moving it from the Secretary of Commerce to the 
Director of Office of Management and Budget? How do you feel 
about that one?
    Mr. Dacey. If you go back in terms of prior legislation, 
there certainly has been the involvement of both NIST and OMB 
in development of standards and oversight of responsibilities 
for those standards' I think starting with the Computer 
Security Act and going on. What FISMA would do would be to 
align those responsibilities with OMB, who is directly 
responsible for the oversight and coordination of the agency 
information security. That is where it would place that. I 
think that is a good matter for discussion. Obviously we have 
some differing views and I think that ought to be considered in 
any final legislation.
    Mr. Wu. As I mentioned in my opening statement, we believe 
that should be a matter for reconsideration. The Director of 
OMB issues broad information security policy and guidelines to 
agencies complemented by detailed security standards and 
guidelines which NIST develops.
    The proposed process presents an opportunity for delay as 
additional senior managerial approvals are going to be required 
up the bureaucracy. As we fight the war on terrorism, we 
believe we should be thinking about how to streamline the 
development and issuance of new security standards while still 
maintaining the important process of public review and comment. 
Since NIST activities are more directly linked to industry and 
the Secretary of Commerce represents business and industry and 
commerce, we believe it is more appropriate for that role to 
remain with the Secretary and not with OMB.
    Mr. Horn. What criteria would you use to determine if a 
standard is mandatory or non-mandatory? How would you go about 
that?
    Mr. Wu. Quite frankly, I am not sure how we are going to 
make that determination but we would have a plan in place. I 
don't think it is necessarily going to be a uniform 
determination but done more on an ad hoc basis, in consultation 
with the experts and our cyber security team.
    Mr. Forman. Mr. Chairman, the process we have laid out in 
my prepared statement with the cyber boards, executive branch 
committee, lays it out, a cost-benefit, risk-based approach, 
very similar to how one might say you should insure yourself 
because that is in essence what we are trying to achieve here. 
So cost-benefits, risks, specifics of that situation, I think 
is what is going to drive that determination, certainly the 
guidance that cyber board will provide to NIST and NIST 
supporting us on that board.
    Mr. Horn. Can you provide, Mr. Wu, an example of a minimum 
standard the National Institute of Standards and Technology 
would make mandatory?
    Mr. Wu. As I said, I am not clear as to the determination 
on what would be defined as mandatory. We can get back to you 
on that in consultation with our cyber security team.
    Mr. Horn. One would be the password to get at the basic 
machine or the software or whatever. Then the question, what 
kind of watching does the control authority, OMB and you, 
partially in that, and that would be it seems to me one of the 
obvious.
    Mr. Wu. That would be one but I don't have a definitive 
list for you. We can try to provide that for you if you like 
and to the committee.
    Mr. Horn. I understand that NIST has developed mandatory 
standards in the area of cryptography. What has been your 
experience in implementing those standards within the Federal 
agency? Have you developed mandatory standards in other areas 
or just in the ones with encryption?
    Mr. Wu. Right now, my understanding is that it is only with 
encryption. We have had a lot of success working with OMB and 
the other agencies with AES, advanced encryption standard. We 
look forward to continuing with that collaboration under that 
framework and structure.
    Mr. Horn. Is the 1988 Secretary of Commerce delegation of 
authority to waive Federal information processing standards to 
the agency still in effect?
    Mr. Wu. I personally don't know that answer but we can get 
back to you.
    Mr. Horn. We will put it in the record at this point.
    Mr. Wu. I have been told the answer is yes.
    Mr. Horn. That it has waived Federal information processing 
standards to the agency heads and that is still in effect. OK.
    The problem often comes up over time, like 100 years, that 
it is very difficult for a member of the Cabinet to work with 
his other members of the Cabinet and they will listen to OMB 
and might not listen to good old Joe or Susie who are doing 
something. That is one of the things we look at and wonder who 
will do what.
    Mr. Forman, what type of standards and guidelines has the 
CIO Council developed?
    Mr. Forman. Let me differentiate standards versus 
guidelines. The CIO Council was established by Executive Order, 
it is not created in statute. The Executive Order has OMB as 
the Chair of the council and directs the council to provide 
recommendations and advice to OMB on IT issues and that the 
members share best practices across the agencies. It really has 
had no policy guidance or standard setting authority.
    In that regard, one of the changes I put in place being the 
Director of the Council is to actually get them focused on some 
standardized processes or procedures or approaches. Let me give 
you some examples and then I will talk about security. Let us 
refer to these as guidelines to make it clear.
    One is the Enterprise Architecture Management System, a 
tool that was developed for tracking and leveraging the 
component based framework we have been deploying.
    The second is the Federal Enterprise Architecture 
Framework. Basically, this is the way now that we back up with 
a scorecard and the budgeting process to get agencies to 
clearly identify the linkage between their IT investment and 
the mission of the agencies driving through to business cases.
    There is a corollary tool to that, ITIPS, the IT Investment 
Portfolio System. Now each agency is supposed to use and put in 
place a capital planning process. This is a tool and between 
those two tools that are the guidelines laid out by the CIO 
Council, we are now able to get the information in and start to 
analyze the architecture we have built in the Federal 
Government. We are not to the point where we can define it yet.
    The Federal Enterprise Architecture Framework document is 
getting to that point. We have laid in terms of a governance 
structure with that is a role for the Architecture Committee. 
They will come to agreement on components, this approach is 
essentially the CIO's all coming agreement and they are doing 
it for a number of reasons, not the least of which is money, 
leveraging their investments to get more out of industry by 
moving those component points, to be able to take advantage of 
Web services and some of those are emerging in the security 
arena.
    The fourth area I would say we have a decent example of a 
guideline is in the work force training arena. Security is a 
key component of that. I think the CIO Council training 
components and the framework laid out for CIO University Center 
is widely regarded even in industry. We see more industry take 
up of that agenda than government employees.
    Those are the types of things that are appropriate. We are 
leveraging NIST very highly in the security arena. For example, 
taking the benchmarking or the analytical guidelines, I 
wouldn't quite call those standards that were developed over 
the last year, and that serves--and everybody has agreed to use 
that--as the basis for the GISRA work. It allows us a 
standardized approach if you will, but not the same as the 
Federal information processing standards which are technical 
standards.
    Mr. Horn. What types of standards and guidelines has the 
Chief Information Officer Council developed and if so, do they 
go through OMB primarily to get those functions across or do 
they have any authority to spread the guidelines, if you will?
    Mr. Forman. They do refer them to OMB and we work, like in 
those four examples, by incorporating those into two basic OMB 
circulars. We can obviously issue other guidance, but the 
predominant way you will see this is through the A-11 Circular 
and the A-130 Circular. Again, that is what I would consider 
guidance or guidelines as opposed to standards.
    I think you will see this get integrated much quicker by 
the CIOs agreeing to those architecture components and going 
back and putting that into their architecture. We will see that 
through their IT investments and the architecture results they 
have to submit to OMB but at the end of the day, this is about 
managing change. What we are seeing, I believe, is formalizing 
the Clinger-Cohen approach on the roles and responsibility of 
the CIOs.
    I will give you an example of what I am talking about. As 
you know, we have an issue in the Justice Department on 
leveraging the technology to make the management changes. 
Recently they hired a very well qualified CIO and made that 
person a direct report to the Attorney General with the full 
fledged authorities, architecture included, laid out under the 
Clinger-Cohen Act.
    So coming to agreement using the technology insight from 
both NSA and NIST, the results coming out of the Cyber Board 
Executive Committee, firming up those agreements by that 
Architecture Committee, and then we provide the oversight to 
make sure when we review the architecture and the business 
cases that indeed they are complying to those guidelines.
    Mr. Horn. The current bill removes OMB specific authority 
to approve agency security plans. Do you believe that authority 
should be restored?
    Mr. Forman. I think, as I understand the bill and what is 
currently in GISRA, is the approval of the security programs 
and we have to differentiate between the security programs and 
the plan of actions and milestones. There, I think, is actually 
where the Director of OMB should focus. We know and are getting 
terrific insight from the IGs, from the reviews GAO is doing 
and our strong relationship there, and indeed from some of the 
CIOs' risk assessments.
    To have us prove the fact that there was a problem, I don't 
think gets us anywhere. The focus on approving the plans of 
action and milestones is the appropriate approach and I think 
that is what is laid out in the bill.
    Mr. Horn. With GISRA, with expiring in November of this 
year, and the OMB estimating that the fiscal year 2003 funding 
for the information security will be $4.2 billion, is it 
reasonable to expect the Congress to wait until September or 
later to learn whether agencies are taking the appropriate 
corrective actions to address their information security 
weaknesses?
    Mr. Forman. I think it is really a question of the 
oversight and governance structure you have. I think what we 
are moving to with your subcommittee is a quarterly review of 
our progress. That is certainly the approach we have moved to 
in OMB. The approach I am going to adhere to is a quarterly 
review of agency progress.
    Mr. Horn. That is when we went through the Y2K bit, that is 
exactly where we got and went to. It started out with almost 
once a year and then to two times a year and then Dr. Raines in 
particular understood all this and we got to quarterly. I think 
that makes sense so everybody knows we want to look in that 
quarterly operation because Congress might look at it.
    How does the committee, Mr. Wolf, the Committee on National 
Security Systems which has set minimum standards for the 
protection of national security systems and if so, what is your 
experience in implementing these requirements?
    Mr. Wolf. I think the committee has been very active since 
it was formed. It replaces one of the earlier committees that 
started in 1990. There are over about 100 policies that have 
been issued; some of those include some standards. The 
standards I think are fairly rigorously enforced in the 
national security environment, so I think it has been very 
effective. I think it has addressed many areas where standards 
are needed, been very active. So I think it has been very 
successful.
    In terms of looking at some of the policies, the rest of 
the Federal Government might look at some of those policies as 
at least a start in terms of policies in some areas where they 
might not have been addressed so far.
    Mr. Horn. Has the National Security Agency developed a 
standard for risk assessments and management that is used for 
national security systems?
    Mr. Wolf. We have some templates. I am not sure to the 
detail that we have those developed but we have some templates 
that we use. There is I believe a DOD standard also.
    Mr. Horn. How did NSA approach the evaluations of national 
security systems under the Government Information Security 
Reform Act? How has it gone?
    Mr. Wolf. I am not sure I can answer that question. We will 
have to get back to you on that one. Again, our role is sort of 
an advisor in the agency. We are not the actual agency that 
does that evaluation.
    Mr. Horn. OK. What guidance did NSA provide to agencies 
with national security systems? Did NSA work with the Director 
of Central Intelligence to coordinate evaluations or guidance 
for the evaluation of intelligence systems?
    Mr. Wolf. We certainly are given input, yet, again, as an 
advisor.
    Mr. Horn. It is the Director of CIO that has that 
authority?
    Mr. Wolf. Yes.
    Mr. Horn. Let me ask you, Mr. Miller, about FEMA. You 
recommend that the bill be revised to strengthen the link 
between IT security requirements and the capital planning 
process. What specific revisions to the bill would you 
recommend to strengthen the link between them?
    Mr. Miller. First of all, OMB has taken some steps to 
ensure that when we do our funding documents, our 300-Bs, that 
there is a security tie to it. I think tying the approval of IT 
spending to a demonstrable security plan, not just saying we 
are going to spend money on security but actually having a plan 
you can demonstrate you have processes and procedures in place, 
would be a powerful incentive because from the CIO perspective, 
we have to persuade our program officials, the folks actually 
benefiting from these systems, that there is a reason why 
security should be factored into their equations.
    Within FEMA, we are trying to implement a process by which 
we don't spend a dime or allocate a person or time to a project 
until they have addressed the security issue among others. That 
process has caused a lot of interesting responses but we 
believe it is the right thing to do.
    The key there is to make sure that people just don't pay 
lip service to security and the 300-Bs, that they can actually 
demonstrate there is someone thing behind it when they say they 
are addressing security.
    Mr. Horn. Mr. Williams, in your role as an Inspector 
General, what challenges do the IGs face in integrating an 
annual independent evaluation into their audit workload?
    Mr. Williams. As with anything, the prototype consumed 
about three or four times the amount it will on an annual 
basis. I don't know that it was a great difficulty for the IGs. 
It was certainly something that we were pleased to see come and 
we appreciated the role that we played.
    It is very important that we stay in touch with the 
advances and challenges on the security side. This is a role 
that allows us to do that without being overly intrusive. It is 
an important part of the entire process in GISRA. I think it is 
one we embrace. Where there is need for advanced or temporary 
skills, we can get that through contractors as the department 
does as well.
    Beyond that, I don't know that it represents any sort of 
formidable challenge. I think it has been something we have 
appreciated.
    Mr. Horn. Mr. Dempsey, you suggest as an interim measure 
that agencies should adopt a widely accepted set of standards 
developed by the private sector. Can you provide some examples 
of those?
    Mr. Dempsey. It takes me a little bit outside my direct 
area of expertise, I have to admit. I know that there is the 
so-called common criteria standards which have been developed 
that address computer security issues. I think that there are 
others in industry who are much more familiar with those than 
I. I can certainly flesh that out for you and give you some 
examples of work that has been done in the private sector that 
would contribute to the Government's efforts.
    Mr. Horn. We would welcome those.
    Mr. Dempsey. We have to do so.
    Mr. Horn. I want to put in the statement of the ranking 
member, Ms. Schakowsky at the opening and we will put that 
after Mr. Davis' opening.
    She has two points here that I think are very important. 
She says, ``There does seem to be one significant hole in this 
legislation. As we learned in confronting the Y2K problem, we 
cannot be sure all of the systems are fixed until we know where 
they all are. The first thing most agencies had to do to 
prepare for the turn of the millennium was to create an 
inventory of all computer systems and then assess the risk 
posed by the failure of each of those systems. It is a 
commentary on computer security that no such inventory 
existed.'' Is that correct?
    Mr. Forman. That is the corollary on why the CIO Council 
was adopted the enterprise architecture management system to 
build that inventory.
    Mr. Horn. She says, ``When we mark up the bill''--Mr. Davis 
might want to listen to this--``I intend to offer an amendment 
that would first require all agencies to maintain a current 
inventory of systems. Second, I will require that agencies 
develop and include in the security report a plan that 
establishes a system whereby every system will be tested over a 
5-year period. With a current inventory and scheduled testing, 
we will be closer to security being a routine and not a unique 
government function.'' I think those are pretty good comments.
    Let us go right down the line with your thinking about 
that.
    Mr. Wolf. I would add one comment. It is not only the 
inventory of all those systems, but it is how they are 
interconnected and whether or not they have implemented the 
standards and what standards they have implemented so you know 
what you are really talking to.
    We have a very active red team and you rattle the windows 
of a house and you only have to find one window that is open 
and that is the one place where they haven't implemented the 
standard or put in the patch. It is not only an inventory of 
all systems, but how they are interconnected and what they have 
done in terms of standards.
    Mr. Williams. Probably an emerging area that ought to also 
be considered is a corollary, the establishment of new 
gateways. We are discovering that some of the gateways are not 
to expand the e-government and other kinds of good initiatives. 
They are not always apprising the CIO of the existence of the 
gateway and the gateways aren't always being tested for 
intrusions and vulnerabilities.
    I think the point the Congresswoman makes is a good one but 
I would add that to it as well. That is probably the one where 
we have seen most recent vulnerabilities emerging.
    Mr. Miller. I want to second what he said because I think 
it is very important. Awareness is where we begin in the area 
of security and just as an example, in our agency we discovered 
during a vulnerability assessment that we had over 500 servers 
in an agency of 2,500 people. We weren't aware of them, so 
right away we have all these potential entry points to our 
network that we didn't know about.
    We have initiated an audit of all FEMAs IT assets and that 
starts this month and goes until we find everything. Key to 
that is having our Director's full support which he has given 
us, so we won't have people trying to hide things under their 
desks. We will find them and once we know where they are, we 
can start the process of holding people accountable for them in 
the area of security.
    Mr. Wu. As you alluded, the success of Y2K wasn't just that 
we battled back the Millennium Bug but also that we were able 
to engage in the first ever exercise in which we had a Federal 
inventory of our IT infrastructure. This was also being 
replicated in the private sector as well.
    The inventory is only the first step of trying to assess 
what our critical needs are and what the demands are. I think 
the inventory could prove to be very useful.
    Mr. Horn. I agree with you completely. The fact was we 
asked that the hardware and the software be inventoried if you 
are going to come up to the Congress for money and you deserve 
to have it in a lot of those agencies. I would think that would 
be worth doing. We did have a list that was put together by a 
lot of the CIOs and when Mr. Gingrich was here as Speaker, he 
was quite interested in this sort of thing, so we were able to 
give the appropriators the ``go'' signal which is green up here 
as opposed to some systems I have seen where the Xerox just 
doesn't give a nice color to it. I think that is what we need 
if we are going to solve some of this problem. It is going to 
take money and hopefully we will get that going.
    I now yield to the gentleman from northern Virginia and the 
world across the Potomac. He has a great bill here. Any 
questions you to ask?
    Mr. Davis. No, I think I am OK. I really appreciate the 
panel coming today and sharing your observations. I hope we can 
make it a better bill and I think between Chairman Horn, myself 
and the leadership, we intend to move this pretty quickly. We 
would look forward to any additional input you can offer.
    Mr. Horn. I want to thank the subcommittees involved in 
this. In back of me is J. Russell George, staff director and 
chief counsel for our subcommittee. He is a nominee of the 
President of the United States to be a fellow IG, you might see 
him, but first we have to get him confirmed. He has been a 
great leader in this for years now.
    Also, Bonnie Heald, deputy staff director and 
communications director. On my left is a very able person, 
Claire, who is our professional staff on loan from the American 
Political Science Association, and has done a wonderful job. 
Henry Wray, I think most of you know, our senior counsel, 
worked with the Senate and we tied him up, got him across the 
Rotunda and he now works for us, and he is doing a great job. 
Then Earl Pierce, professional staff, and Justin Paulhamus is 
the majority clerk.
    We thank today the court reporters, Mary Ross, and with Mr. 
Davis, you have Chip Nottingham and Teddy Kidd from the 
Subcommittee on Technology and Procurement Policy.
    We thank them all.
    Gentlemen, I appreciate what you put on the record today. 
Keep at it.
    [Whereupon, at 12 p.m., the subcommittee was adjourned, to 
reconvene at the call of the Chair.]
    [The prepared statement of Hon. Janice D. Schakowsky and 
additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T6343.070

[GRAPHIC] [TIFF OMITTED] T6343.071

[GRAPHIC] [TIFF OMITTED] T6343.072

[GRAPHIC] [TIFF OMITTED] T6343.073

[GRAPHIC] [TIFF OMITTED] T6343.074

[GRAPHIC] [TIFF OMITTED] T6343.075

[GRAPHIC] [TIFF OMITTED] T6343.076

[GRAPHIC] [TIFF OMITTED] T6343.077

[GRAPHIC] [TIFF OMITTED] T6343.078

[GRAPHIC] [TIFF OMITTED] T6343.079

[GRAPHIC] [TIFF OMITTED] T6343.080

[GRAPHIC] [TIFF OMITTED] T6343.081

[GRAPHIC] [TIFF OMITTED] T6343.082