[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]




  OUT OF MANY, ONE: ASSESSING BARRIERS TO INFORMATION SHARING IN THE 
                    DEPARTMENT OF HOMELAND SECURITY

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 8, 2003

                               __________

                           Serial No. 108-31

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

88-194              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 8, 2003......................................     1
Statement of:
    Baroni, Greg, president, global public sector, Unisys Corp.; 
      Steven Perkins, senior vice president, public sector and 
      homeland security, Oracle Corp.; and Mark Bisnow, senior 
      vice president, webMethods, Inc............................   110
    Cooper, Steven, Chief Information Officer, Department of 
      Homeland Security; and Mark Forman, Associate Director, 
      Information Technology, and e-Government, Office of 
      Management and Budget......................................    15
    Dacey, Robert, Director, Information Security Issues and 
      Information Technology Team, General Accounting Office; 
      Randolph C. Hite, Director, Architecture and Systems Issues 
      and Information Technology Team, General Accounting Office; 
      and Charles Rossotti, senior advisor, the Carlyle Group, 
      formerly Commissioner, Internal Revenue Service............    49
Letters, statements, etc., submitted for the record by:
    Baroni, Greg, president, global public sector, Unisys Corp., 
      prepared statement of......................................   114
    Bisnow, Mark, senior vice president, webMethods, Inc., 
      prepared statement of......................................   133
    Cooper, Steven, Chief Information Officer, Department of 
      Homeland Security, prepared statement of...................    17
    Dacey, Robert, Director, Information Security Issues and 
      Information Technology Team, General Accounting Office, 
      prepared statement of......................................    51
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of...................     4
    Forman, Mark, Associate Director, Information Technology, and 
      e-Government, Office of Management and Budget, prepared 
      statement of...............................................    28
    Perkins, Steven, senior vice president, public sector and 
      homeland security, Oracle Corp., prepared statement of.....   125
    Towns, Hon. Edolphus, a Representative in Congress from the 
      State of New York, prepared statement of...................    13
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of.................     9

 
  OUT OF MANY, ONE: ASSESSING BARRIERS TO INFORMATION SHARING IN THE 
                    DEPARTMENT OF HOMELAND SECURITY

                              ----------                              


                         THURSDAY, MAY 8, 2003

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:05 a.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis of 
Virginia (chairman of the committee) presiding.
    Present: Representatives Tom Davis of Virginia, Shays, 
Duncan, Blackburn, Waxman, Maloney, Cummings, Tierney, Lynch, 
Ruppersberger, and Norton.
    Staff present: Melissa Wojciak, deputy staff director; 
Keith Ausbrook, chief counsel; Jennifer Safavian, chief counsel 
for oversight and investigations; John Hunter and David Young, 
counsels; Robert Borden, counsel/parliamentarian; David Marin, 
director of communications; Scott Kopple, deputy director of 
communications; Ken Feng, investigator/GAO detailee; Teresa 
Austin, chief clerk; Joshua E. Gillespie, deputy clerk; David 
Rapallo, minority counsel; Earley Green, minority chief clerk; 
Jean Gosa, minority assistant clerk; and Cecelia Morton, 
minority office manager.
    Chairman Tom Davis. Good morning. A quorum being present, 
the Committee on Government Reform will come to order.
    I would like to welcome everyone to today's hearing on the 
Department of Homeland Security's efforts to integrate 
information systems and enhance information-sharing. Earlier 
this year, with the establishment of the Department of Homeland 
Security, 22 agencies and more than 170,000 employees, by last 
count, were consolidated under one new department. It would be 
a monumental challenge under any circumstance to integrate the 
disparate information infrastructures of that many government 
agencies manned by that many employees, but given the critical 
mission of this new department to protect the Nation against 
terrorism, this task takes on an unparalleled urgency.
    DHS needs to develop and implement a strategic plan to 
carry out this vital mission, including the ability of the new 
department to obtain, analyze, and timely distribute essential 
and actionable information for Federal, State, and local 
government and private sector use. DHS must also develop and 
implement security and privacy safeguards, a capital planning 
and investment control process, programming, performance 
management, and risk management.
    If a strategic plan to integrate information systems is 
effectively and efficiently implemented, we not only will 
achieve economies of scale, but also be better prepared to 
protect the Nation's physical and cyber infrastructure, secure 
our borders, counteract chemical and biological attacks, and 
respond to terrorist and natural disaster incidents.
    But that is a considerable ``if'' that we are talking 
about. The obstacles facing DHS in effectively integrating 
information functions are formidable. As with the merger of any 
corporate or government entities, there are obvious challenges 
in integrating business functions such as payroll, human 
resources, and communications. But similar to the consolidation 
of the military service branches within the Department of 
Defense in 1947, DHS is faced with the need to integrate 
multiple agencies that have a common security mission, in 
addition to its many non-security functions.
    DHS is further confronted with the task of communicating 
effectively with other Federal, State, and local entities, as 
well as the public. It is particularly critical that 
information be related to our first-responders at the State and 
local level. They are the front lines of our war against 
terrorism, and they need to be adequately informed to protect 
the public.
    These challenges are not solely a factor of the new 
department's size or the magnitude of its mission. The fact is 
DHS inherited information-sharing problems that already existed 
within many of the agencies that now make up the new 
department.
    For example, the General Accounting Office identified 
problems pertaining to terrorist watch lists, which are an 
integral part of our Nation's ability to secure its borders. 
The GAO found that the current approach to developing and using 
watch lists is diffuse and non-standard, and has resulted in 
nine agencies creating 12 different lists, largely because the 
lists were developed and have evolved in response to individual 
agencies' unique mission needs and cultural development.
    The extent to which this information can be shared among 
Federal agencies and between the Federal Government and State 
and local entities is severely constrained by fundamental 
differences in the watch list items. These are by no means the 
only examples of opportunities to improve information-sharing, 
but they illustrate one of the primary reasons for integrating 
agencies that are vital to homeland protection under one 
department.
    The Chief Information Officer in DHS is responsible for 
coordinating information-sharing nationwide and is doing so by 
creating a national enterprise architecture. This common 
element in improving information systems integration, according 
to both GAO and the Office of Management and Budget, seeks to 
ensure that, as the agencies within DHS invest in information 
technology and new management strategies, those strategies and 
technologies serve the overall plan and mission of the 
department as well as the Federal Government.
    With a coordinated strategy for efficient information 
technology acquisition and implementation, mission-essential 
decisions can be based on more accurate information while 
requiring less time. Wise investment in interoperable 
information technology reduces unnecessary spending and 
redundant or stovepipe systems.
    It took almost 40 years for the military service branches 
to be integrated effectively under the Department of Defense. 
With DHS, we simply don't have that kind of time. We are 
talking about protecting our Nation against very real terrorist 
threats. Congress must be assured that information integration 
standards and goals are defined, timely implementation of these 
benchmarks is achieved, and accountability is maintained.
    Last week marked 100 days since the creation of the 
department. I guess they moved into the new headquarters. They 
just got the duct tape off the headquarters about 3 weeks ago, 
or whatever. We know it is a little late in starting. Part of 
that is our fault in the way of passing the bill and taking 
such a long time, but the need is urgent, the challenge 
monumental, and it may be later than we think.
    Today we have assembled an impressive group of witnesses to 
help us understand the current status of information-sharing at 
DHS and its plans for the future. On the first panel we will 
hear from Steven Cooper, the CIO; Mark Forman, the Assistant 
Director of Information Technology and E-Government at the 
Office of Management Budget, and they will focus on the 
department's efforts to integrate information systems at DHS 
and the coordination of those efforts with OMB's governmentwide 
enterprise architecture.
    The second panel will include Robert Dacey and Randolph 
Hite from the GAO, who will discuss GAO's analysis of the 
department's information-sharing integration. Also on that 
panel, the Honorable Charles Rossotti, the former Commissioner 
of the IRS, who will discuss his efforts to consolidate that 
agency's information technology functions.
    In the third panel we will hear from the private sector, 
which is directly involved in the department's development. We 
will hear from Steve Perkins, senior vice president for public 
sector and homeland security for Oracle Corp.; Greg Baroni, 
president of global public sector for Unisys, and Mark Bisnow, 
senior vice president of webMethods.
    I would like to thank all of our witnesses for appearing 
before the committee. I look forward to your testimony.
    [The prepared statement of Chairman Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.001
    
    [GRAPHIC] [TIFF OMITTED] T8194.002
    
    [GRAPHIC] [TIFF OMITTED] T8194.003
    
    Chairman Tom Davis. I am going to yield to my ranking 
member, Mr. Waxman, for his opening statement.
    Mr. Waxman. Thank you very much, Mr. Chairman. Thank you 
for calling this hearing, and I appreciate all the witnesses 
being present.
    The General Accounting Office recently issued a report 
concluding that, 20 months after the attacks of September 11, 
the administration has yet to remedy one of the single most 
significant problems that led to those attacks, the failure to 
share critical terrorist information among Federal, State, 
local, and private entities.
    As we now know, we were unable to prevent the attacks on 
the World Trade Center and the Pentagon in part, because the 
Federal agencies could not or would not share information. Not 
only did the Federal Government as a whole fail to connect the 
dots, but certain agencies wanted to maintain exclusive control 
over those dots.
    One highly publicized example involved was the failure of 
the FBI and the CIA to share terrorist information about two 
suspects living in San Diego in 2001. Although several agencies 
possessed relevant information about the suspects, their 
locations and their contacts, they did not share it with other 
agencies that could have acted on it. To our great dismay, 
these terrorists went on to take part in the September 11 
hijackings.
    Today, however, despite repeated direction by Congress to 
consolidate these watch lists and despite promises by President 
Bush to do so, GAO's report concludes that the administration 
has failed to address this problem. Nine Federal agencies still 
maintain 12 different terrorist watch lists. While seven 
agencies have at least some sort of procedure for sharing 
information, two agencies have no procedure at all. Only half 
of these agencies share information with States, and only one-
fourth share information with private entities.
    According to GAO's investigation, Federal agencies received 
no direction from the White House on this issue. As a result, 
GAO reports that Federal agencies continue to develop their own 
watch lists in isolation from each other, and that information-
sharing remains inconsistent and limited.
    The administration's failure is magnified by the ping-pong 
approach it has taken to addressing this problem. First, the 
President's October 2001 Executive order initially assigned 
responsibility for ensuring the dissemination of terrorist 
information to the White House. Then, in the July 2002 National 
Strategy for Homeland Security, the President directed the FBI 
to take on this job. Then the White House apparently took back 
this function. Now, in the latest volley, officials from the 
new Department of Homeland Security claim they are working on 
it. This is not a recipe for success.
    Perhaps most troubling, Mr. Chairman, is the White House's 
refusal to cooperate with GAO's investigation. When GAO tried 
to contact White House officials about their efforts to 
consolidate watch list information, they did not respond to 
GAO's inquiries.
    As you know, this committee has had difficulties in the 
past with the White House Office of Homeland Security, even 
after Governor Ridge finally agreed to testify before us. This 
latest refusal by the White House continues to impede Congress' 
oversight abilities.
    As a result of the White House's actions, GAO reported that 
it could not determine the substance, status, and schedule of 
any watch list consolidation activities. Mr. Chairman, how are 
we to do our job if the White House refuses to provide any 
information about the substance, the status, or the schedule of 
the administration's actions? I hope this hearing will be able 
to shed some light on these very important issues.
    Mr. Chairman, I want to point out to the witnesses as well, 
we will be reviewing the testimony, and we have had a chance to 
review some of it in advance. I, unfortunately, because of 
scheduling conflicts, won't be here for most of the testimony 
that is given at the hearing.
    Thank you.
    [The prepared statement of Hon. Henry A. Waxman follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.004
    
    [GRAPHIC] [TIFF OMITTED] T8194.005
    
    [GRAPHIC] [TIFF OMITTED] T8194.006
    
    Chairman Tom Davis. Thank you very much, Mr. Waxman.
    Any other members wish to make statements? Mr. Lynch.
    Mr. Lynch. I will pass, Mr. Chairman. Thank you, though.
    [The prepared statement of Hon. Edolphus Towns follows:]
    [GRAPHIC] [TIFF OMITTED] T8194.007
    
    [GRAPHIC] [TIFF OMITTED] T8194.008
    
    Chairman Tom Davis. Well, let's move right on to our first 
panel. As you know, it is the policy of the committee, we swear 
in all witnesses. Will you please rise with me and raise your 
right hands?
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you very much. I think we have 
your total testimony. We have already looked at it. We finished 
a markup at about 11 p.m., and then we went into your testimony 
and we are ready to grill you. So 5 minutes apiece.
    You know the rules. The lights are here, and then we will 
get right into questions.
    Thank you. Mr. Cooper, thanks for being here. We will start 
with you, and then I will go to Mr. Forman.

    STATEMENTS OF STEVEN COOPER, CHIEF INFORMATION OFFICER, 
  DEPARTMENT OF HOMELAND SECURITY; AND MARK FORMAN, ASSOCIATE 
 DIRECTOR, INFORMATION TECHNOLOGY, AND E-GOVERNMENT, OFFICE OF 
                     MANAGEMENT AND BUDGET

    Mr. Cooper. OK, thank you very much and good morning, Mr. 
Chairman and members of the committee. I would like to submit 
my written testimony for the record.
    Chairman Tom Davis. It is all in the record. Thank you.
    Mr. Cooper. OK. Now I would like to offer a brief oral 
statement and share with the committee a little bit of what we 
have been doing since January 24 of this year, when the 
legislation enacted the Department of Homeland Security. I am 
very pleased to appear before the committee to discuss activity 
from that date and to discuss an overview of the role and 
responsibilities that I have as the Chief Information Officer 
of the new Department of Homeland Security.
    Since January, we have been very focused for January, 
February, and most of March, on day one, what we call ``day one 
activities,'' to actually establish the new Department of 
Homeland Security. The new department, actually, the 
headquarters personnel had no facilities. They weren't actually 
employees of the department, and from an information technology 
enablement standpoint, there was an awful lot of work that had 
to be done.
    We actually have done some very major work and accomplished 
some very major things, the first of which and foremost is that 
we had no infrastructure, we had no network, we had no 
capability to communicate among ourselves and with the rest of 
the world. So we did, in time and very short notice, implement 
our wide area network to connect our multiple locations and to 
connect us to the outside world, our sister Federal agencies, 
State and local and tribal governments and, as appropriate, 
enable communications with the critical infrastructure owned by 
the private sector.
    We also implemented our dhs.gov Web site, so that we had a 
way for the public to actually access a little bit of what we 
were doing and understand some of our goals and objectives. 
That is up; that is operational.
    Internally, we implemented a portal to enable our 
headquarters personnel initially, and now the 170,000 employees 
that comprise the new department, to actually be able to 
communicate via an online, DHS online, intranet portal with 
collaboration capability. We implemented desktop capability, 
local area network capability across the multiple facilities 
that we now occupy as a headquarters entity.
    Then, finally, but not least, we actually have enabled e-
mail connectivity across our 170,000 employees, including the 
new agencies that have become part of the department. It is not 
something that is necessarily visible, but it is something that 
took a lot of work and a lot of time.
    Once we accomplished that, our focus reshifted to our 
enterprise architectural activity. We actually had begun an 
awful lot of enterprise architectural activity for homeland 
security when I was in the White House Office of Homeland 
Security, working very closely with the Federal Enterprise 
Architecture Program Office and team, headed by Norm Lorentz 
and Bob Haycock, and working closely with Mark Forman.
    What we have done is to continue to map out the enterprise 
architecture targets, framework, deliverables. Those are 
outlined in my written testimony. I would be happy to respond 
to questions if there are questions related to the detail about 
those things.
    But the enterprise architecture, quite simply, for those 
who may not be as familiar with it, is an architectural 
framework; it is a decisionmaking framework at its highest or 
starting component. It is first and foremost about the business 
strategy.
    From the business strategy, we began with the National 
Strategy for Homeland Security, released by the President last 
summer, to then drive down into the business processes that the 
new department has responsibility for, the functional 
responsibilities like prevention, detection, protection, alerts 
and warnings, incident management, crisis management, 
communication, response, and recovery.
    We identified, and continue to identify, the information 
necessary to carry out these processes and functions. Those 
three components--the strategy, the business layer, and the 
information layer--comprise what we call the business 
architecture. Then behind that or supporting that we have the 
information technology architecture, which automates and 
enables the achievement of business goals, objectives, and 
metrics.
    That information technology architecture is comprised 
primarily of a couple of layers, the first being applications 
and/or decision support systems. These are the various 
automated applications, programs, initiatives that support all 
of the mission capability, enterprise activity.
    Then, last, we have the information technology 
infrastructure upon which all of this rides. The infrastructure 
is pretty much like the electric lights in a building: You flip 
the switch; the lights come on; you're happy. You never see it 
unless it doesn't work. Then we jump in and we fix it.
    I will stop there. Thank you, and I will be responding to 
any questions that you might have.
    [The prepared statement of Mr. Cooper follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.009
    
    [GRAPHIC] [TIFF OMITTED] T8194.010
    
    [GRAPHIC] [TIFF OMITTED] T8194.011
    
    [GRAPHIC] [TIFF OMITTED] T8194.012
    
    [GRAPHIC] [TIFF OMITTED] T8194.013
    
    [GRAPHIC] [TIFF OMITTED] T8194.014
    
    [GRAPHIC] [TIFF OMITTED] T8194.015
    
    [GRAPHIC] [TIFF OMITTED] T8194.016
    
    [GRAPHIC] [TIFF OMITTED] T8194.017
    
    Chairman Tom Davis. Thank you very much.
    Mark, welcome back.
    Mr. Forman. Thank you, Mr. Chairman and members of the 
committee. This is my first hearing as Administrator for E-
Government and Information Technology, under legislation that 
the chairman sponsored. So it is good to be here in that role.
    Chairman Tom Davis. Did you get a pay raise with that?
    Mr. Forman. No.
    Chairman Tom Davis. OK. You got a fancy, new title anyway. 
[Laughter.]
    Mr. Forman. And some additional responsibilities and 
accountabilities.
    Thank you for inviting me to discuss the administration's 
work in homeland security. Mr. Chairman, making organizations 
share information is like trying to glue together thousands of 
puzzle pieces. If the pieces are put together correctly, you 
get a pretty picture. If you just apply the glue without an 
orderly approach to building the puzzle, you could end up with 
something quite messy.
    Bringing together 22 previously separate agencies and 
offices under one department requires more architecting than 
merely gluing together all of their IT. The administration uses 
best practices in e-business and IT management to assist in 
setting priorities and defining an action plan.
    Last June, the President stated, ``Development of a single 
enterprise architecture for the Homeland Security Department 
will result in elimination of the suboptimized, duplicative, 
and poorly coordinated systems and processes that are prevalent 
in government today.''
    Indeed, the administration believes that DHS leadership 
should use enterprise architecture analysis to integrate 
homeland security business processes and organizations, with IT 
being the key enabler. As identified in the National Strategy 
for Homeland Security, Federal homeland security IT investment 
should first improve response time, the time to detect and 
respond to potential threats, and, second, improve 
decisionmaking: making sure that we get the right decisions at 
the right time.
    Achieving significant improvement requires significant 
change in longstanding organizations, their processes, 
information flows, and IT investments. OMB provides guidance 
and works with Federal agencies to ensure that the Federal 
Government applies best practices in IT management. Through 
traditional budget and management processes, we hold all 
agencies accountable for meeting statutory and policy 
requirements.
    Four key elements are: first, enterprise architectures. An 
enterprise architecture describes how an organization performs 
its work using its people, its business processes, data, and 
technology. By aligning organizations, business processes, 
information flows, and technology, enterprise architecture 
tools are used to build a blueprint for improving efficiency 
and effectiveness of an organization. We are actively working 
with the department to ensure that they develop a comprehensive 
enterprise architecture that optimizes existing investments 
inherited from the legacy agencies.
    Second, managing and budgeting IT investments. OMB IT 
management, OMB Circular A-130, and the budget, OMB Circular A-
11, provide guidance on information-sharing on a system-by-
system basis through the agency budget request or business case 
for each IT investment. We are working with all agencies to 
ensure that they appropriately leverage and consolidate their 
IT investments: infrastructure, business management systems, 
and mission-related IT within and across their directorates.
    In particular, the merging of 22 previously separate 
agencies has resulted in the Department of Homeland Security 
inheriting a number of redundant and overlapping IT systems and 
processes. The Director of OMB, in Memoranda M02-12 and M02-13, 
issued guidance under the Clinger/Cohen Act on consolidating 
and integrating IT investments across agencies performing 
homeland security missions. Through the fiscal year 2005 budget 
process, OMB will work with the department to eliminate 
redundant and non-integrated operations, systems, and processes 
for business and mission areas.
    Third, e-government initiatives. As you know, the 
administration has been aggressively working over the past year 
and a half in the development and implementation of 24 
governmentwide Presidential e-government initiatives. 
Implementation of the President's e-government initiatives 
related to homeland security will overcome information-sharing 
difficulties between Federal, State, and local organizations 
and first-responders.
    In addition, many of the other Presidential e-government 
initiatives provide solutions that must be adopted by all 
departments, including the Department of Homeland Security. 
These initiatives include e-authentication as well as new, 
line-of-business consolidation initiatives on public health 
information.
    Two of the President's initiatives I would like to point to 
in particular: Project SAFECOM and Disaster Management, which 
directly support and promote improving information-sharing 
between Federal, State, and local first-responders. I go in 
more detail in my written testimony on the content of those 
specific initiatives.
    As managing partner, DHS is responsible for ensuring the 
accuracy of the business case for these initiatives, submitting 
the business cases to OMB, and ensuring management of the 
project to achieve cost, schedule, and performance goals for 
the implementation of the operations phase.
    The fourth area is the President's Management Agenda. OMB 
monitors agency IT and e-government progress on a regular basis 
through the President's Management Scorecard under the 
expanding e-government score. Because the Department of 
Homeland Security is new, its status is scored as red. Again, I 
discuss that more in my written testimony.
    Let me conclude by saying that achieving true homeland 
security will require IT investments to significantly improve 
response time and decisionmaking. While we recognize the 
department is currently grappling with cultural legacies of 22 
component agencies, we fully expect that DHS leadership will 
continue to build an integrated and interoperable structure, 
resulting in a business-driven enterprise architecture that 
reflects the President's vision of eliminating suboptimized, 
duplicative, and poorly coordinated systems.
    Thank you.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.018
    
    [GRAPHIC] [TIFF OMITTED] T8194.019
    
    [GRAPHIC] [TIFF OMITTED] T8194.020
    
    [GRAPHIC] [TIFF OMITTED] T8194.021
    
    [GRAPHIC] [TIFF OMITTED] T8194.022
    
    [GRAPHIC] [TIFF OMITTED] T8194.023
    
    [GRAPHIC] [TIFF OMITTED] T8194.024
    
    Chairman Tom Davis. Thank you. Let me just start the 
questioning.
    I mean you are trying to integrate 22 component agencies, 
but some of these agencies are miserable failures stand alone. 
INS is just a mess. I think we saw some of that in September 
11. I have looked at it, talked with contractors. What is our 
strategy there? I know it is now different agencies. How long 
is that going to take and how much will it cost, do you think? 
Do you have a figure on that yet or is it a little premature?
    Mr. Cooper. Chairman Davis, I don't have a figure yet. What 
we have begun are formal program reviews. My focus is very 
heavy on the information technology component.
    We are working through these as rapidly as we can. We are 
running them in priority order, meaning the priority dictated 
by the business community, our business leadership, the Under 
Secretaries, Deputy Secretary; and then, as guided by Secretary 
Ridge.
    We have about 20 or 25 of the highest priority initiatives 
over the next several weeks, and as rapidly as we can we will 
come back and offer additional information, additional insight 
gleaned from these program reviews.
    Chairman Tom Davis. One thing that has impressed me about 
the way we've handled this is initially, when you get different 
agencies like this and you're trying to solve problems, 
traditionally Government has just sent a lot of money out the 
door, contractors working without really taking a look at the 
requirements that we have, taking a look at how it is going to 
integrate. We have been a little slow to start. I don't think 
there is any question about that.
    I don't think it is too early to give a grade, and people 
get impatient, you know, but it is a smarter way to go. At the 
end of the day, I think our moneys would be spent smarter and 
we will get a better system. At least that is my impression 
from the way things are being handled. Is that fair, do you 
think?
    Mr. Cooper. Yes, I agree. One of my concerns is that I 
think if we simply begin to, if you will forgive the 
expression, kind of throw money at the problem before we 
clearly understand where are the highest priorities, where are 
the best opportunities for integration, where are the greatest 
opportunities for us to realize value, I think we run the 
possibility of wasting some of that money and some of that 
effort.
    Chairman Tom Davis. Absolutely. Absolutely. I know a lot of 
companies out in my district that are a little impatient. They 
have geared up for this. A lot of them have some very 
innovative solutions they want to offer. But I think you are 
smart to sit back and make sure we have an integrated plan on 
how it is all going to fit together, that you have set your 
priorities.
    You stated in your testimony that the ``as-is'' 
architecture is about 70 percent complete at this time, and the 
inventory of your ``as-is'' applications is also about 70 
percent complete. You expect to have both the ``as-in'' 
architecture and inventory completed by next month? Is that 
roughly----
    Mr. Cooper. The end of June----
    Chairman Tom Davis. The end of June?
    Mr. Cooper [continuing]. Is our target date now.
    Chairman Tom Davis. Now? Are you completing the process? As 
you go through this, can you tell us what you found in any 
redundant systems and give us any examples?
    Mr. Cooper. We have already begun to identify some 
opportunities. For example, in our infrastructure component, we 
have certainly identified that we have multiple physical 
networks, for example. The question is, how many of those do we 
actually need? What is the optimal number?
    We would like to actually move toward one unclassified 
network. Now that is going to take a little bit of time, but 
over the next probably 18 to 24 months that should be something 
that I think we can address.
    So an example is to begin to consolidate the number of 
unclassified networks that we have. Another example: In our 
management types and administrative types of applications, 
human resources, financial management, some of the 
administrative and management applications, we certainly don't 
need the 20-plus human resources applications that existed 
legitimately, not because anybody did anything wrong, but 
because each agency required a human resource capability. Then 
that was, indeed, automated.
    But, as a new, single department, we have an opportunity to 
consolidate it. We are working closely with OMB and under their 
guidance. So those are some examples of opportunities.
    Another example is actually in what we call the mission-
critical space. There are a number of organizations and 
agencies that had, for example, alert and warning types of 
applications. So one legitimate opportunity is to evaluate, 
might there be some advantage and some value and, admittedly, 
some cost savings if we move from a dozen alert and warning 
types of applications to perhaps a smaller number? It might not 
be one, but it certainly might be two or three, as opposed to a 
dozen.
    Chairman Tom Davis. Well, the next phase, then, would be 
the ``to-be'' architecture?
    Mr. Cooper. Yes.
    Chairman Tom Davis. And you state the initial plan will be 
completed in August 2003. Can you elaborate on what the ``to-
be'' architecture, what it will encompass, and what do you mean 
by the ``initial plan?''
    Mr. Cooper. OK.
    Chairman Tom Davis. It would be, I mean, when will it be 
finally complete, examples of that?
    Mr. Cooper. When we say a ``to-be'' architecture, what we 
are really talking about is the desired state or the target 
state for how we do business; what are our objectives; what are 
our goals; what are our measurements, our metrics. Let me use 
an example out of Border and Transportation Security.
    As we look across the business processes that comprise how 
people and cargo enter the United States and then leave the 
United States, one of the opportunities is to re-engineer that 
business process, take a holistic look across all of the 
separate agencies that came into the department, each with its 
own process, look at them kind of side by side, and look for a 
seamless, end-to-end, horizontal process that really addresses 
the movement of people, beginning with a visa application 
process and continuing all the way through when they actually 
enter the United States, travel in the United States, and then 
leave the United States.
    Our desired-state architecture would actually re-engineer 
that process. At a macro level, it would now repaint a picture. 
The desired state differs from the existing state. We then can 
take the gap and make determinations about, how do we move from 
where we are to where we want to be? That is what we then call 
our migration strategy or our road map, and we expect to have 
the first release of our road map by the end of the fiscal 
year, by the end of September 2003.
    Chairman Tom Davis. Thank you. Thank you very much.
    Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman.
    Mr. Cooper and Mr. Forman, I want to thank you for coming 
before the committee and helping us with our work. In another 
configuration, this committee is responsible with an ongoing 
investigation of the FBI, and Chairman Davis is doing a 
wonderful job on that, along with our ranking member, Mr. 
Waxman.
    Now what we have learned in that investigation of the FBI--
and I don't mean to single them out, but that is the agency we 
are investigating--we have found a couple of things. No. 1, 
when an agency's task and directive is to operate in secrecy, 
and when an agency is encouraged and directed under law and 
regulation to operate in secrecy, it is against the culture, 
No. 1, to share information. So we are working against a very 
strong culture of--I mean, obviously, if you want things to be 
secret, you don't share information.
    Second, the thing we have also seen at the FBI, and it 
exists at other agencies, is that so much of the culture there 
is based on career advancement, that if you are an FBI agent, a 
supervisor, and you are undertaking an investigation, a very 
important one, whether it involves organized crime or terrorist 
activity, you want to advance your career. The last thing you 
want to do is share that information that you have that might 
be important to your success with another competing agency.
    So we have a culture here that is directly opposed to the 
free sharing of information, and I worry for the American 
people, not only because of the flat-out atrocities that I have 
seen within the FBI, but also because our national security, 
especially after September 11, requires the sharing of this 
information.
    Now I appreciate all the work you are doing on technology, 
but this is a human fault in our system. I have two questions.
    My first question to either of you gentlemen would be: What 
are we doing to encourage information-sharing and a change in 
that culture of secrecy and obsessive control of information 
within these agencies? Anytime you are ready.
    Mr. Cooper. Let me begin. One of the things that we are 
doing that we have actually found has helped, and is helping, 
break down some of the cultural biases against sharing, we have 
created a couple of, what we call, integrated teams. We have 
pulled people together from across the various intelligence 
communities, intelligence members, including the FBI, to first 
agree upon a shared vision, and with the shared vision, we can 
then set kind of goals and objectives around, if we have this 
shared vision and if it does require the sharing of information 
held within each member of the community, how then might we be 
able to share that information in order to support that common 
goal or objective.
    We have had some good dialog. We have been able to actually 
reach agreement, and that agreement has actually now taken the 
form of Memorandums of Understanding and Memorandums of 
Agreement signed between and among the FBI and other Federal 
departments and Federal agencies at the business level, the 
leadership level, that set this forth in writing and do commit 
those agencies to working together to share information, in 
compliance with that shared vision.
    Mr. Lynch. Let me ask you, do the memoranda, do they 
include any specific incentive for agents to share information 
or any specific penalties if they do not share information that 
should be shared?
    Mr. Cooper. The memoranda that I have seen do not contain 
that specific information.
    Mr. Lynch. OK. Well, until we get to that root problem, I 
think that all this other stuff is just window-dressing. That 
is the core of our problem right there, is the secrecy and the 
unwillingness of people to share information. If you are not 
getting at that problem, all the new computers and all the 
networks in the world, they are not going to help us. We are 
going to be before this committee again someday asking how come 
we didn't all know about, you know, some type of threat.
    OK. That being the case, I want to point out just to the 
GAO report which was----
    Chairman Tom Davis. The gentleman's time has expired, but I 
will let him finish up here. I will let you make this final 
comment here.
    Mr. Lynch. Thank you, Mr. Chairman. Thank you.
    One question, and you can do with it what you will. The GAO 
report talks about these terrorist lists, and it seems like 
every agency has one. We have very little coordination in terms 
of consolidating or agreeing on these terrorist/criminal watch 
lists. The GAO report, at page 28, has a very dismal assessment 
on how these agencies are actually coordinating on this 
specific point, and this is a good example; in spite of 
congressional direction and executive direction to get their 
act together and coordinate their lists and decide a concerted 
approach, it has not happened.
    It has been 20 months since September 11, and I know that 
you work with the White House and related offices. I was 
wondering why, after 20 months, we don't have an effective 
response to this particular situation.
    Mr. Cooper. I believe that the current state is much, much 
better than it was 20 months ago. There is a working group. 
That working group is now guided by the TTIC, T-T-I-C, 
Terrorist Threat Integration Center. We are a member of that 
working group. The members of the intelligence community are 
members of that working group. The FBI is a member of that 
working group. It is an example of a working group that I just 
referred to.
    I think, literally for the first time in history, there are 
documents that are being circulated for signature that do 
contain some very specific examples and requirements around the 
sharing of information. Let me actually pull one paragraph out 
of the Memorandum of Understanding that is being shaped that 
speaks to data bases and the integration of these data bases, 
``The parties agree to establish procedures and mechanisms to 
provide the Department of Homeland Security, as appropriate and 
practicable, other covered entities with access to data bases 
containing covered information. To this end, parties shall 
establish a working group within 30 days of the date of this 
agreement.'' That is kind of what is underway now.
    So we are actually spelling out in writing that everyone 
will kind of sign up to the mechanisms that I think will get us 
to the integration that we are talking about.
    Mr. Lynch. I want to thank you again, Mr. Cooper and Mr. 
Forman, for your good work. Could I ask you, might we get a 
copy of that memorandum, not on the record but for our review?
    Mr. Cooper. Certainly, I think this is under the guidance 
of the TTIC. So, if I may respond, check with them and then 
respond?
    Mr. Lynch. That would be great. Thank you very much. Thank 
you, Mr. Chairman.
    Chairman Tom Davis. I thank the gentleman. The vice 
chairman of the committee, Mr. Shays.
    Mr. Shays. I thank the gentleman. I really have to work to 
get into this issue, but I think it is hugely important. 
Probably my biggest disappointment with the Department of 
Defense is most of our IT stuff has turned out not to work out 
as well as we wanted. We spent a fortune.
    I am interested to know, how is the Department of Homeland 
Security incorporating data and systems architectures for 
external entities like DOD, CIA, FBI in the design of DHS 
objective systems. I mean, what are we doing? I would like both 
of you to be able to answer that for me.
    Mr. Forman. Let me start out, if I may, because one of my 
not only initiatives, but now accountable responsibilities to 
this committee is to put in place the governance process and 
that enterprise architecture framework for the Federal 
Government.
    There is no question that we are living through a change in 
technology that ties directly to the way we manage the Federal 
Government. We can't, as you pointed out, rely on hooking 
together a lot of data bases or computers to fix what is 
fundamentally a broken business architecture.
    In fact, I would have to say most of the work done over the 
last 2 years has been on that architecture in this area, 
leading to the Department of Homeland Security Act that was 
signed, and now the department has begun, up and running. Now 
it takes a lot of work.
    There are decisions that are going to be made, not just by 
this department, the Department of Homeland Security, but by 
the Justice Department, the Department of Health and Human 
Services. Here, again, I refer to my testimony. In our gusto to 
respond to initiatives, take public health information networks 
as a perfect example, we now have 18 new systems in the 
President's budget that was requested in response to 
congressional action on bioterrorism networks. I view it as my 
job to make sure that we now don't invest in the 19th system 
because we have this fragmented structure that turns into 
multiple computers on people's desks in the health information 
centers at the county level and hospitals.
    This architecting issue is real and relates to roles and 
responsibilities of multiple organizations. So we have to get 
the business model right, and that ties to processes.
    There are responsibilities for Federal CIOs under the 
Clinger/Cohen Act and under the E-Government Act of 2002, but 
this is going to take a lot of engagement from Members of 
Congress, from this committee's leadership position, through 
the appropriations process, as well as senior political 
officials in each of the departments to understand how to work 
together.
    Fundamentally, we are talking about business processes that 
did not exist and, hence, information systems we are trying to 
hook together that were built for different purposes. That has 
to be done in a rigorous architecting process.
    Mr. Shays. Mr. Forman, let me ask you, is it an advantage 
that we are reorganizing into a Department of Homeland 
Security? Does this give us opportunities or just made life 
more difficult for us?
    Mr. Forman. It is a requirement. We could not do this 
without appointing an organization. We couldn't have people, 
given their current roles and responsibilities under statutory 
requirements, merely sharing information without somebody in 
charge of making decisions on the basis of that information, 
and, hence, the need for the Department of Homeland Security 
fills an important gap in our world, we would say, the business 
architecture and the reality. Nobody had those roles and 
responsibilities before creation of the department.
    Mr. Shays. Thank you. Mr. Cooper.
    Mr. Cooper. One of the things that we are doing to add a 
little bit more specificity, deliberately and consciously, to 
kind of reach out to other Federal agencies, we have begun the 
development of joint exhibit 300's to submit to OMB in a couple 
of specifics. Let me give you some real examples.
    Wireless technology and the use of wireless technology for 
interoperability, this also now reaches out to State and local, 
tribal government as well. By teaming together with, for 
example, the Department of Justice and the Department of 
Treasury, we are kind of the lead three agencies in this, and 
by crafting a joint exhibit 300, we are actually putting 
together a plan that encompasses capability that already exists 
as well as the need for new capability that we might identify 
that call all of us to work together collaboratively and submit 
this, then, to OMB, so that we are actually bringing forward a 
more powerful opportunity to request funding and support and 
reach out across the Federal environment.
    Two other key areas that we are doing this in: One is in 
intelligence information, meaning we are specifically looking 
at all of the applications, not just within the Department of 
Homeland Security, that might pull together; we can 
consolidate; we can integrate.
    A third area is in the area of identity credentialling. 
There are a number of initiatives that are underway across 
several Federal agencies. We are trying to pull those together, 
so that we can basically do this once in an optimal manner and 
then move forward together.
    Mr. Shays. Thank you, Mr. Chairman.
    Chairman Tom Davis. Thank you. Mr. Ruppersberger.
    Mr. Ruppersberger. Yes, sure, thank you for being here. 
Look, this is an exercise that we are all moving forward with; 
we are learning a lot. We need to learn from our mistakes. As 
has been stated before, there is an issue as it relates to 
culture, the need-to-know basis in all the agencies.
    There is so much information and things that we can talk 
about, and I have 5 minutes. So I am going to throw out a 
couple of questions and then be quiet. That way, I won't be 
penalized for going over my 5 minutes.
    Basically, I am going to address some of the questions from 
a local and State issue, and I think that one of the main 
issues that we are dealing with now is how we work that 
communication level between the different areas. Terrorism is 
unlike other types of investigations where a lot of times 
``need to know'' is very important.
    I think the three areas, and there are three topics and 
issues that I think are extremely important as far as 
consistent procedures, and that would be, No. 1, information-
sharing. Information-sharing, in my opinion--or I would like 
your opinion--on how we develop a workable plan to share the 
data throughout the necessary channels.
    Also, the second issue is knowledge management. Knowledge 
management determines what should be done with information once 
an agency or department gets this information.
    The third would be data mining. Data mining is basically 
receiving the data, storage, and the ability to retrieve that 
information.
    Now, from a local perspective, I represent the Baltimore 
region. I was a former county executive. So I have had a lot of 
communications with the former police chief and still police 
chief of Baltimore County. Some of his issues are that he 
thinks communication has improved within the last year, but 
still there is not specifics of origins of information they 
receive, not allowed to evaluate the quality of threats or 
leads as it relates to them. It is coming down almost as a 
mandate.
    Two, local investigators--in the same area--local 
investigators might determine the information is too glossed-
over to be useful, and this is kind of frustrating.
    The FBI and others are trying to be more up front, but the 
information is just not accurate or timely. Sometimes you get 
notice, you get more from what you read in the newspaper than 
you do from those agencies. So the timeliness of that data, the 
information.
    Third, immigrants are not in a data base. They need that 
information if they stop someone. That is extremely an 
important issue, I think.
    The National Crime Information Center/exit registration 
system is not connected to what they need in the field.
    Now I also represent Baltimore City. Mayor Martin O'Malley, 
who is very active with the--what; is it major city mayors--and 
he is up front on the issue of where we need to go and what 
their concerns are.
    No. 1 I think is the security clearance. There are certain 
people within his organization/administration that have not 
been approved or received it. So when there is information that 
might have to deal with a fire department or if the mayor 
himself might receive information, he is not able to get that 
and to be able to analyze it and take the steps to where they 
need to move.
    So some type of data base compatibility also is an issue. 
There is no way to search and post information within and 
between jurisdictions. An example: Someone who was stopped in 
New Jersey about taking pictures of bridges, now why wouldn't 
Philadelphia, Baltimore, and Washington maybe receive that 
information?
    Responsibility/authority, Federal agency authority and 
clear. Locals get conflicting information from Customs, 
Immigration. Kind of no clearinghouse. We need to focus on the 
consistency of the information.
    A Federal alert system of value; warnings, in his opinion--
this isn't mine--are useless; get more from media than the 
Department of Homeland Security at the local level. Unspecified 
threats more important to cities and outlying areas. That is 
his opinion. He does have the Port of Baltimore and a major 
city area.
    Now I am throwing that out because I think that there is a 
lot to talk about here, and we can't accomplish it in a 5-
minute situation. But it is a culture. There is a foundation 
that we are trying to create. I see, personally, a lot more 
cooperation, but there is still that culture of ``need to 
know.'' A lot of times you need to know that.
    I happen to be on the Intelligence Committee, and there is 
nothing we can talk about there. So that is a culture, but it 
is a necessary situation until it is retrieved.
    A lot of comments. Could you please respond to some of the 
issues that I raised?
    Mr. Cooper. I think, first of all, that you are absolutely 
on target with the content and the points that you are raising. 
We are, in some form or another, addressing almost everything 
that you have outlined here. At the moment, we are not as far 
along in some of these areas as others. Again, this is complex, 
as you, yourself, have indicated.
    We have it underway, and our focus has started on the 
information-sharing. We feel that we have to get the basics in 
place before, for example, we can move to kind of the higher 
level of knowledge management and before we can really take 
advantage of some of the tools and capabilities related to data 
mining capability from an information technology standpoint.
    But, specifically around information-sharing and 
information-integration, we have a number of pilot initiatives 
underway where we have reached out to State and local 
government, where we actually are putting connectivity in 
place, albeit in a pilot manner at the moment, to share 
information in a two-way flow, both from State and local 
government and appropriate authorities, members of the first-
responder community to us, and then in turn----
    Mr. Ruppersberger. And, by the way, I would agree because a 
lot of your leads come from the local, from the street, so to 
speak.
    Mr. Cooper. Absolutely, yes, sir.
    Mr. Ruppersberger. So it needs to go both ways----
    Mr. Cooper. Yes, sir.
    Mr. Ruppersberger [continuing]. And then be analyzed.
    Mr. Cooper. It absolutely does.
    Mr. Ruppersberger. That is probably one of the biggest 
issues, is analyzing information.
    Mr. Cooper. Yes.
    Mr. Ruppersberger. As we even know with September 11, we 
have the technology and the ability to receive a lot of it, but 
it is analyzing that information.
    Mr. Cooper. Yes, absolutely. A lot of this activity is 
being guided by our Information Analysis and Infrastructure 
Protection Directorate, which, as you know, is one of the new 
directorates that was established by the legislation.
    So we are also being challenged a bit by a startup. In 
other words, there weren't existing entities as part of our 
incoming agencies that had full responsibility and a 
significant amount already in place. It is underway. We are 
making progress.
    In addition, we are also including State and local 
representation in our enterprise architecture work. This is 
another mechanism by which we actually can hear and validate 
from the local communities, from the State communities, from 
the first-responder communities, what is it that they believe 
are the highest priority processes and, in turn, they are 
working with us to actually re-engineer and improve these 
processes.
    Once that work is completed along the schedule that I 
outlined, we then, in turn, can begin to apply information 
technology tools, methods, and techniques to more rapidly 
integrate and achieve information-sharing.
    Chairman Tom Davis. The gentleman's time has expired.
    Mr. Ruppersberger. Can I ask just one question or comment?
    Chairman Tom Davis. Sure.
    Mr. Ruppersberger. Thank you. It is a big issue that we are 
dealing with. I think something that has worked in the past, 
and I would just like your comments on this, and it was used by 
the FBI when they started to get involved in the narcotics 
enforcement, where you would have strike forces involving FBI, 
DEA, local, and State. In order to break a culture, it seems to 
me that a lot of it is trust and working together, so that a 
strike force concept develops those relationships. A lot of it 
is relationships.
    I mean, you see right there that there are certain FBI 
offices that might not get along with certain locals in one 
jurisdiction but they do in another. I think that is something 
that maybe we should look at, as we are developing how to break 
down this barrier of information and getting the information 
out so it is useful or coming both ways. I just would like your 
comments, whether you think that strike force--and maybe we 
shouldn't use the words ``strike force,'' but that is what 
worked in the past, and I think it still is working.
    Mr. Cooper. I certainly agree. In fact, we actually have 
followed your recommendation, and we have, although not a lot 
in number, we have a couple of those strike force types of 
teams.
    One example is in our enterprise architecture work, where 
we really do have a working group comprised of State and local 
Chief Information Officers and/or their designated 
architectural representatives, subject matter experts, who are 
working side by side with the Federal teams that are involved 
to establish a true national enterprise architecture for 
homeland security that is aligned with our Federal enterprise 
architecture, guided by OMB. So that is one example.
    Another example is we have a number of--admittedly, this is 
in the information technology arena--but we have a number of 
technical working groups that are actually local, State, in a 
couple of cases private sector involvement, along with our 
Federal subject matter experts, to actually define things like 
some of our technical standards around data-sharing and 
information-sharing.
    So we have taken your advice. We actually have a couple of 
these in motion.
    Mr. Ruppersberger. Thank you. Mr. Chairman, if you don't 
mind, I am going to try to make this an issue between the State 
and local and the Federal Government in this information.
    Chairman Tom Davis. Mr. Tierney.
    Mr. Tierney. Thank you, Mr. Chairman. I thank the witnesses 
for being here this morning to try to help us.
    Just in looking through this and realizing that we were 
trying to develop some watch lists at one point in time, and 
having some difficulty deciding who was responsible for that, 
Mr. Cooper, you have been in both different branches of this. I 
was a little disturbed with GAO's report when they indicated 
that the White House was unresponsive to its queries about what 
was going on with the consolidation of lists and with the 
exchange of information.
    Today, who is responsible, ultimately, for putting together 
these systems? Is it the White House Office of Homeland 
Security or is it the Department of Homeland Security or is it 
somewhere in between?
    Mr. Cooper. At the moment, it is a coalition that includes 
the Department of Homeland Security, the Terrorist Threat 
Integration Center, the FBI, and the Department of State, and 
members of the intelligence community.
    Mr. Tierney. Now who of that group is in charge?
    Mr. Cooper. They are at work. It is being guided by the 
TTIC, T-T-I-C, the Terrorist Threat Integration Center. That 
business group is at work to actually define the process and 
the governance by which your question can be answered.
    Mr. Tierney. You're kidding me? All this time after 
September 11, 2001, we are sitting here saying the White House 
doesn't accept responsibility for this; the Department of 
Homeland Security doesn't accept responsibility for this. Some 
bureaucracy of an amalgamation of different agencies, whatever, 
is getting to the point where they are now trying to sit down 
and decide who is going to be in charge? Where is the 
leadership in that?
    Mr. Cooper. I think the leadership is working together to 
further define and refine a true process for an integrated 
watch list activity.
    Mr. Tierney. You say that with a straight face, which I 
think is admirable, but, I mean, does that disturb you 
somewhat, that this is the point we are at?
    Mr. Cooper. It is the point that we are at, and I think 
that shortly we will have definitive answers.
    Mr. Tierney. Can you define ``shortly'' for me?
    Mr. Cooper. Can I get back to you?
    Mr. Tierney. OK. [Laughter.]
    Chairman Tom Davis. It is above his pay grade.
    Mr. Tierney. Well, no, I am not trying to be difficult with 
the witness. You understand I am not trying to be difficult 
with you; I am trying to get an answer on this.
    Mr. Cooper. No, I understand. Part of it is our fault----
    Mr. Tierney. Our chairman indicates that it is above your 
pay grade.
    Mr. Cooper. Yes. I am honestly not trying to duck the 
question, but----
    Mr. Tierney. No, I understand.
    Mr. Cooper [continuing]. But I am not in the lead on this 
particular activity. Therefore, I think it would be imprudent 
of me to actually speak on behalf of the group that is doing 
the work.
    Mr. Tierney. All right. Fair enough. I am just stunned, I 
guess, to think that, you know, originally, we had the White 
House Office set up. It seems to have some rationale to 
continue to function. I mean it seems to me to be a great 
rationale to have from the White House somebody in charge of 
pulling together not just the Department of Homeland Security, 
but those agencies that aren't within the Department of 
Homeland Security.
    I was one who criticized that consolidation for not 
including the FBI and the CIA, for this very reason. To find 
out now that we are, 2 years later almost, and this still isn't 
done, to me is just staggering. I think that there is an 
absolute abdication of leadership here from the White House and 
people that could be doing it. Maybe it is the vacancy in that 
position that creates part of the problem, although I notice 
that the President still is seeking funding for 2004 for an 
agency that doesn't seem to have leadership and doesn't seem to 
be doing what I thought was one of the primary responsibilities 
that were given to it.
    Mr. Forman. I don't think it is quite fair to say that 
there is no leadership. I thought the leadership was quite 
clear in the President's budget this year, how he outlined it 
in the State of the Union, TTIC, the Terrorist Threat 
Integration Center.
    There is no question that we have to get the agencies to 
work together. That takes identification of business process 
and across organization, very similar to what we see in 
industry with the matrix unit today.
    So to say that any one department should be accountable for 
working with other departments, I understand that perfectly. 
This has to cut across departments because there are multiple 
players that have to be involved. There are different business 
processes that will run----
    Mr. Tierney. That is exactly the point, isn't it: that in 
order for different agencies cutting across an area to work 
together, there has to be somebody leading it who gives them 
the authority and the will to cut across and deal with one 
another? So I take exception to your offering up here of your 
opinion, which I appreciate, but I am going to tell you, I take 
real exception to it.
    This is an abject failure in leadership because a leader 
would have taken what is probably one of our principal concerns 
here and put somebody in charge of making sure there was 
coordination on this effort and making a determination of how 
that information was going to be shared. We wouldn't be sitting 
here looking, almost 2 years later, and realizing that we still 
don't have the kind of communication systems between these 
agencies that should have been resolved.
    We have had a position that has been vacant for a period of 
time, where it still seems to reside, although the White House, 
for some inexplicable reason, won't deal with the GAO and give 
them any answers or information. So it makes it difficult for 
us to do our oversight functions.
    So not only does there appear to be a lack of leadership, 
it appears to be a lack of cooperation with Congress in trying 
to get the oversight that could help us define how that 
leadership ought to be directed and how we could get to the 
bottom of this problem.
    So I appreciate your kibitzing there on that, but I just 
strongly disagree with you. It is a lack of leadership, and I 
hope that this committee or bureaucracy, whatever that has been 
set up to resolve this issue, moves quickly. I think, 
preferably, it could have been done with one person making a 
firm decision and giving some direction.
    But thank you.
    Chairman Tom Davis. Thank you. Mrs. Blackburn.
    Mrs. Blackburn. Thank you, Mr. Chairman. I am kind of 
sitting down here between two seats, I think.
    I apologize that I had to miss much of your testimony. I 
was over in the Judiciary Committee in a hearing there.
    But I did want to step in. I think I am one of these 
committee members that has been increasingly frustrated as we 
look at the lack of interaction between the public and private 
sector in integrated technologies and interactive technologies 
and in the incredible amount of money that is spent without a 
resolution to having systems that talk to one another.
    I am going to pick up where Mr. Ruppersberger kind of left 
off there. He was talking with you about having an interface 
with your local, State, and Federal Government and involving 
your local and State governments in some input as you look at 
developing your enterprise architecture, and the overlay, the 
template that you are going to work from on this.
    Then you started touching on it and stopped off. So let's 
carry the rest of this conversation.
    You talked a little bit about your tech working groups and 
mentioned that you had some private sector input into those 
groups. So let's go back to that, and let me ask you how you 
are integrating the private sector into this process in 
developing the enterprise architecture. From the get-go, are 
you looking at doing this as a template that will be from the 
top down that will help interface all of your local and State 
agencies?
    Mr. Cooper. Initially, what we are actually trying to do is 
gain some input as we work through to our first release, this 
road map, this migration strategy that I had mentioned earlier, 
which we are on target to release at the end of September, as 
we head into October of this year.
    We are doing a couple of things. First of all, we are 
reaching out through some of the information technology 
associations like the Information Technology Association of 
America or the Private Sector Council or the Industry Advisory 
Council, organizations and associations like that. So that we 
basically can pose questions or areas of interest to the 
associations and ask them, ``Would you, please, now ask your 
membership to give us some type of feedback or comment as 
appropriate?'' We are doing that as we move between now and 
September.
    We then intend, as we release our initial version of our 
work in September, that will go out; that will be widely 
released to the private sector and to State and local 
governments, so that we then can work with them to validate, 
improve, edit, recorrect, adjust, align, whatever, as 
appropriate. So that, in fact, we then collaboratively produce 
a more effective enterprise architecture.
    Mrs. Blackburn. OK, so September is when you are looking at 
being your initial presentation?
    Mr. Cooper. Yes, Ma'am.
    Mrs. Blackburn. OK. As you work through this process, your 
timeline going forward from that, when do you think that you 
will have a workable rollout, something----
    Mr. Cooper. Actually, the September rollout will be a 
workable rollout. We will begin to use that rollout for 
decisionmaking.
    Mrs. Blackburn. All right.
    Mr. Cooper. We will continue to refine it.
    Mrs. Blackburn. OK, continue? OK. And then what, as you 
have talked to the different agencies and associations, what 
type response are you getting? What type of innovation or ideas 
are you seeing come forward?
    Mr. Cooper. Very positive. We have had a significant number 
of members of those organizations provide input and approach 
us, directly approach my office and members of my office to 
offer ideas, to offer suggestions. As rapidly and as 
effectively as we can, we are trying to absorb as much of that 
comment and incorporate it. We are trying to listen. We are 
trying to buildupon the good ideas that we are receiving.
    Mrs. Blackburn. Before my time expires, an estimation of 
total cost, do you have that?
    Mr. Cooper. For the enterprise architecture activity----
    Mrs. Blackburn. Yes.
    Mr. Cooper [continuing]. Between now and September? It is 
estimated at about $3 million for this fiscal year.
    Mrs. Blackburn. OK, and are you all developing, more or 
less, a group of lessons learned or best practices that can be 
applied to other agencies?
    Mr. Cooper. In concert with our work, we are trying to kind 
of record those as effectively as we can. We are working with 
the Federal CIO Council Best Practices Committee and being 
guided both by them, but also trying to collect what we learn, 
so that we then can disseminate it out across the Federal 
environment.
    Mrs. Blackburn. Excellent. Thank you.
    Mr. Forman. If I may just add onto that, it is important to 
understand that the Federal enterprise architecture is based on 
a component-based model. That is the way the industry is moving 
today on both the IT side and where the large corporations are 
moving.
    That is essentially what people would call ``plug-and-
play.'' We require that for all departments to be involved. At 
the Federal level, the CIO Council, the National Association of 
State CIOs, and several local government groups are jointly 
involved in defining that. We have financed the State 
architecture work by NASCIO, National Association of State 
CIOs, explicitly so we can make this link up together.
    Mrs. Blackburn. I appreciate that, but I am one of those 
freshman that came from a State senate, where it was not 
uncommon to spend $100 million a year on interactive 
technologies or on IT in general, some program that doesn't 
work, doesn't talk to the other.
    The lessons learned from September 11 were that your first-
responders can't communicate, and you have a situation of, 
who's on first? So those confidences and the knowledge that you 
are working not only with different levels of government, but 
with the private sector, and that you are building a basis of 
best practices to move forward, is good to know.
    Mr. Forman. I appreciate that.
    Chairman Tom Davis. Thank you very much. I want to thank 
the first panel for your questions. Some members are going to 
have some written questions, and we may have some followups. 
But I think you have been very forthright about it. I think we 
have shared with you some of our concerns that you share with 
us, and we appreciate the job you are doing.
    We will move on to the second panel at this point. We have 
a great panel. We have Robert Dacey, the Director of 
Information Security Issues, and Randolph Hite, the Director of 
Architecture and System Issues at the General Accounting 
Office.
    We are also honored to have Charles Rossotti, the former 
Commissioner of the Internal Revenue Service, where he had a 
distinguished record there, as he had in private business 
before he came here. He is currently a senior advisor for the 
Carlyle Group.
    If you all would make your way to the front?
    Mr. Rossotti, thank you. I understand you flew in from 
California to do this, and we just really appreciate having you 
here.
    If you could stay on your feet, I am going to swear you in.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you. We will start with the GAO 
representatives. We have your total statement. You can take up 
to 5 minutes, and then we can get right into the questions.
    The light in front is green, and then it is orange with a 
minute to go, and when it is red, you can try to sum up. Your 
total statements are in the record.
    Mr. Rossotti, I understand you are going to ad lib it up 
there. We are just happy to have you here. Thank you very much.
    Why don't we start with you, Mr. Dacey.

  STATEMENTS OF ROBERT DACEY, DIRECTOR, INFORMATION SECURITY 
  ISSUES AND INFORMATION TECHNOLOGY TEAM, GENERAL ACCOUNTING 
 OFFICE; RANDOLPH C. HITE, DIRECTOR, ARCHITECTURE AND SYSTEMS 
  ISSUES AND INFORMATION TECHNOLOGY TEAM, GENERAL ACCOUNTING 
   OFFICE; AND CHARLES ROSSOTTI, SENIOR ADVISOR, THE CARLYLE 
     GROUP, FORMERLY COMMISSIONER, INTERNAL REVENUE SERVICE

    Mr. Dacey. Mr. Chairman and members of the committee, we 
are pleased to be here today to discuss the integration of 
information-sharing functions at the Department of Homeland 
Security. As you requested, I will briefly summarize our 
written statement, which provides details on the department's 
information-sharing responsibilities, challenges, and key 
management issues.
    The Homeland Security Act of 2002 brought together 22 
diverse organizations and created a new Cabinet-level 
department to help prevent terrorist attacks in the United 
States, to reduce the vulnerability of the United States to 
terrorist attacks, and to minimize damage and assist in 
recovery from attacks, should they occur. Achieving the complex 
mission of the department requires the ability to effectively 
share a variety of information among its own entities and with 
other Federal entities, State and local governments, the 
private sector, and others.
    For example, the department needs to be able to access, 
receive, and analyze substantial amounts of law enforcement 
intelligence and other threat, incident, and vulnerability 
information from both Federal and non-Federal sources; to 
analyze such information, to identify and assess the nature and 
scope of terrorist threats; to administer the Homeland Security 
Advisory System, and provide specific warning information and 
advice on appropriate protective measures and countermeasures; 
to share information both internally and externally with 
agencies and law enforcement on such things as goods and 
passengers inbound to the United States and individuals who are 
known or suspected terrorists or criminals, and to share 
information among emergency responders in preparing for and 
responding to terrorist attacks and other emergencies.
    The GAO has made numerous recommendations over the last 
several years related to information-sharing functions which 
have now been transferred to the department. For example, 
although improvements have been made, further efforts are 
needed to address several information-sharing challenges to the 
Government's Critical Infrastructure Protection [CIP], efforts.
    These challenges include: developing a comprehensive and 
coordinated national CIP plan to facilitate information-sharing 
that clearly delineates the roles and responsibilities of 
Federal and non-Federal entities, defines interim objectives 
and milestones, sets timeframes for achieving them, and 
establishes appropriate performance measures.
    Second, developing fully productive information-sharing 
relationships within the Federal Government and between the 
Federal Government and State and local governments and the 
private sector.
    The third challenge is improving the Federal Government's 
capabilities to share appropriate, timely, and useful warnings 
and other information concerning both physical and cyber 
threats with Federal entities, State and local governments, and 
the private sector, and providing appropriate incentives for 
non-Federal entities to increase information-sharing with the 
Federal Government and enhance other CIP efforts.
    In addition, GAO recently identified challenges in 
consolidating and standardizing watch list structures and 
policies which are essential to effectively sharing information 
on suspected terrorists and criminals.
    The success of homeland security also relies on 
establishing effective systems and processes to facilitate 
information-sharing among and between government entities and 
the private sector. Through our work, we have identified 
potential information-sharing barriers, critical success 
factors, and other key management issues that the department 
should consider as it establishes such systems and processes.
    For example, as part of information technology management, 
which we have discussed earlier today, the department should 
develop and implement an enterprise architecture to integrate 
the many existing systems and processes required to support its 
mission and to guide the department's investments in new 
systems in the coming years.
    Two, to develop and implement discipline system acquisition 
and investment management processes to effectively select, 
control, and evaluate IT system projects.
    And, three, to ensure effective information security to 
protect the sensitive information that the department maintains 
and develop secure communications networks to safely transmit 
information.
    Other key management issues include developing a 
performance focus, integrating staff from different 
organizations, and ensuring that the department has properly 
skilled staff and ensuring effective agency oversight.
    Mr. Chairman, this concludes my statement. We would be 
happy to answer any questions that you or members of the 
committee may have.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.025
    
    [GRAPHIC] [TIFF OMITTED] T8194.026
    
    [GRAPHIC] [TIFF OMITTED] T8194.027
    
    [GRAPHIC] [TIFF OMITTED] T8194.028
    
    [GRAPHIC] [TIFF OMITTED] T8194.029
    
    [GRAPHIC] [TIFF OMITTED] T8194.030
    
    [GRAPHIC] [TIFF OMITTED] T8194.031
    
    [GRAPHIC] [TIFF OMITTED] T8194.032
    
    [GRAPHIC] [TIFF OMITTED] T8194.033
    
    [GRAPHIC] [TIFF OMITTED] T8194.034
    
    [GRAPHIC] [TIFF OMITTED] T8194.035
    
    [GRAPHIC] [TIFF OMITTED] T8194.036
    
    [GRAPHIC] [TIFF OMITTED] T8194.037
    
    [GRAPHIC] [TIFF OMITTED] T8194.038
    
    [GRAPHIC] [TIFF OMITTED] T8194.039
    
    [GRAPHIC] [TIFF OMITTED] T8194.040
    
    [GRAPHIC] [TIFF OMITTED] T8194.041
    
    [GRAPHIC] [TIFF OMITTED] T8194.042
    
    [GRAPHIC] [TIFF OMITTED] T8194.043
    
    [GRAPHIC] [TIFF OMITTED] T8194.044
    
    [GRAPHIC] [TIFF OMITTED] T8194.045
    
    [GRAPHIC] [TIFF OMITTED] T8194.046
    
    [GRAPHIC] [TIFF OMITTED] T8194.047
    
    [GRAPHIC] [TIFF OMITTED] T8194.048
    
    [GRAPHIC] [TIFF OMITTED] T8194.049
    
    [GRAPHIC] [TIFF OMITTED] T8194.050
    
    [GRAPHIC] [TIFF OMITTED] T8194.051
    
    [GRAPHIC] [TIFF OMITTED] T8194.052
    
    [GRAPHIC] [TIFF OMITTED] T8194.053
    
    [GRAPHIC] [TIFF OMITTED] T8194.054
    
    [GRAPHIC] [TIFF OMITTED] T8194.055
    
    [GRAPHIC] [TIFF OMITTED] T8194.056
    
    [GRAPHIC] [TIFF OMITTED] T8194.057
    
    [GRAPHIC] [TIFF OMITTED] T8194.058
    
    [GRAPHIC] [TIFF OMITTED] T8194.059
    
    [GRAPHIC] [TIFF OMITTED] T8194.060
    
    [GRAPHIC] [TIFF OMITTED] T8194.061
    
    [GRAPHIC] [TIFF OMITTED] T8194.062
    
    [GRAPHIC] [TIFF OMITTED] T8194.063
    
    [GRAPHIC] [TIFF OMITTED] T8194.064
    
    [GRAPHIC] [TIFF OMITTED] T8194.065
    
    [GRAPHIC] [TIFF OMITTED] T8194.066
    
    [GRAPHIC] [TIFF OMITTED] T8194.067
    
    [GRAPHIC] [TIFF OMITTED] T8194.068
    
    [GRAPHIC] [TIFF OMITTED] T8194.069
    
    [GRAPHIC] [TIFF OMITTED] T8194.070
    
    [GRAPHIC] [TIFF OMITTED] T8194.071
    
    [GRAPHIC] [TIFF OMITTED] T8194.072
    
    [GRAPHIC] [TIFF OMITTED] T8194.073
    
    [GRAPHIC] [TIFF OMITTED] T8194.074
    
    Chairman Tom Davis. Thank you very much.
    Mr. Hite, are you there for questions?
    Mr. Hite. Yes, sir, we have one combined oral statement.
    Chairman Tom Davis. OK, that is great.
    Welcome back before this committee, and thanks again for 
the job you did at IRS. We are happy to have you here.
    Mr. Rossotti. I am happy to share some observations based 
on my own experience at the IRS and previously at AMS. I would 
like to note that I have no special knowledge of the problems 
facing the Department of Homeland Security. Therefore, since 
every situation is unique, my observations are not intended or 
are not suggested as specific recommendations for DHS.
    I do know that bringing together and transforming the work 
of large, fragmented organizations is a very difficult, costly, 
and in some ways a risky endeavor. I must say that Secretary 
Ridge and Mr. Cooper and their colleagues have taken on a very 
difficult job on behalf of the country. We need to give them 
all the support that we can.
    When Congress passed the IRS reform bill, it directed major 
changes in the IRS, and there were a lot of questions raised at 
the time as to whether all the attention and time and money 
that was being focused on such a big transformation would 
really ever pay off as compared with just let's focus on some 
specific problems and get them fixed right away. A legitimate 
question, but I believe that the answer is, yes, it is possible 
to bring together previously fragmented organizations to share 
practices and systems, and the power of doing that is enormous, 
far greater than can be ever achieved by just short-term focus 
on specific issues. That is why major businesses are always 
merging and divesting and reinventing themselves.
    In the case of the IRS, when the reform was passed in 1998, 
the IRS was still organized largely in the pattern of the 
1950's with about 47 or so district service centers and regions 
that all operated semi-independently. There were, at least 
officially, 15 different information technology departments and 
very few standards across them. There was no single e-mail, 
voicemail system, no security standards, and taxpayer data was 
frequently very fragmented.
    Today, it is almost 5 years later, and we certainly cannot 
claim that all of those problems have been solved, but many of 
them have been addressed and partially corrected through such 
things as a top-to-bottom reorganization, development of an 
enterprise architecture along the lines of what Mr. Cooper was 
talking about, standardization of much technology platforms and 
products, and beginning to replace legacy systems. Service to 
taxpayers, as GAO has reported, substantially improved.
    Now there is still a great deal of work to be done. My 
successor, Mr. Everson, who was just confirmed, will have 
plenty to do during his 5-year term, but I think there is no 
question any longer that the payoff for doing this kind of an 
integration program really is great and, therefore, it is 
possible. So I just say that because that is the most basic 
question of all: Is this whole thing even worth it and can it 
work? My statement is, yes, it can, as long as we recognize the 
challenges involved.
    Now I will just offer a few observations about some of the 
things, without, again, claiming that they are specific to DHS 
because I don't know. It is very important to address the 
organizational issues at every level. At one level Congress has 
addressed them by setting up the Department of Homeland 
Security, but within the department, I am sure, without knowing 
the specifics, there are many organizational issues in the 
department, and not the least those related to IT.
    Within the IRS reorganization, we made the decision to 
bring together, to reorganize the entire agency, to reduce the 
number of operating units very substantially, the four major 
operating units, and one IT unit that serviced the entire 
agency under one CIO. This may not be right for DHS, but I am 
simply suggesting that I think that it is very important to 
think through at every level how the organization is going to 
work, because that is what controls in the long run the money; 
that is what controls the incentives; that is what controls 
people, people and the way that they work.
    Second, I heard Mr. Cooper talking about his enterprise 
architecture. I would like to lend my support to that idea as 
being extremely important, and I will particularly note the 
importance of what I believe he called his business 
architecture. We had the same idea at the IRS. It was basically 
the idea of looking at how business is done, how work is done 
today, versus how it is going to be done in the future.
    We developed those kind of designs for all the major 
functions, such as how returns would be processed, how 
collection would be done, how customer service would be done, 
and laid those out, not in extreme detail, but with enough 
meaningful information, so that people could see that it really 
was going to be different. Now it takes years to get to that 
point, but I think, just as he said in his testimony, it is 
extremely useful right at the beginning because it helps to 
screen out projects that are not contributing to the general 
direction you want to go and, on the other hand, to identify 
the opportunities for those that are. That essentially is one 
of the major kinds of decisions that need to be made.
    I will say that doing that kind of high-level business 
architecture in a meaningful way is a big commitment of top 
management time, of the leadership. It is not an easy thing to 
do, but I think it is a step that is important.
    I heard, Mr. Chairman, you giving encouragement to the idea 
of stepping back and thinking these things through before, in 
effect, just rolling right away, but to try to address specific 
things, and I could only lend my experience that is, in fact, 
wise counsel.
    Within the IT field itself, there is considerable value, we 
found, to establishing standards for certain technologies as 
quickly as possible, such as, for example, basic desktop and 
laptop operating systems, office automation tools, messaging 
software, some of the mid-range servers. These kinds of 
platform softwares and basic softwares, to the extent that they 
can be established quickly, can just by themselves tend to 
increase the ability to share information and actually to 
reduce costs, recognizing that there is a one-time cost and 
investment that is required to get there. I think to the extent 
that those opportunities are found by Mr. Cooper and his 
colleagues, they would be good things to try to move ahead on 
quickly.
    With respect to stakeholders, the IRS, of course, has many. 
Just about everybody is a stakeholder of the IRS: taxpayers, 
employees, tax preparation agencies, government committees. 
Obviously, homeland security, as was noted in the testimony, 
has many State and local governments and other places; so does 
the IRS.
    One of the lessons that I think we learned through all the 
change that we were implementing was that it worked a lot 
better for us when we actually got these stakeholders in right 
at the beginning of our process, when we were beginning to 
think through these things and shared with them, even though it 
wasn't complete, our thinking and got their input and continued 
to interact with them and engage with them rather intensively 
through the process, as compared with what we sometimes did, 
and it didn't work as well, which was to sit there, develop our 
plan, and then explain it to them and hope that they would 
react to it and buy it.
    I think there are two reasons for it. One is it is just 
human nature: People react better to things that they are 
involved in, that they think they are involved in constructing. 
But, also, you just find out more. You know, no one is smart 
enough to know all these things, even if you have the best 
experts, and it just helps to get that input. It does make for 
some more complex management problems when you are managing all 
these stakeholders while you are trying to manage your internal 
changes, but we found that it worked better.
    And, finally, just a word for those such as perhaps members 
of this committee that are going to be evaluating progress in 
these major programs, and I do have to say that it is very 
important to have realistic expectations. Clearly, you want to 
have accountability and you want to see progress, but I must 
say that it is important that be done in a realistic way in 
order to support the efforts as opposed to perhaps not 
supporting them.
    Specifically, I think that it, frankly, is not realistic to 
really expect any major change program such as the IRS went 
through, DHS is going through, to lay out detailed plans, you 
know, here's what we are going to do every quarter for the next 
3 or 4 years and schedules along that line. There just isn't 
any way to get enough information to do that accurately.
    What it is realistic to do is to expect that you have this 
architecture, this vision of where you are going, and then to 
lay out some next steps that are immediate next steps that say 
these are the next steps we are going to take, and to see 
whether those steps are successfully executed and then how the 
plan is adjusted after that. I mean, I would recommend that way 
of thinking in how to evaluate this as compared with a vision 
that there is a 5-year plan and you check off everything that 
is going to happen for 5 years, because I don't believe it is 
possible to do that and it really is more misleading than it is 
helpful.
    That concludes my testimony, Mr. Chairman.
    Chairman Tom Davis. Thank you very much. I am going to 
start the questioning with Mrs. Blackburn.
    Mrs. Blackburn. Thank you. Thank you, Mr. Chairman.
    Mr. Rossotti, let's see, did I understand you correctly 
that you reorganized 40 different independent divisions? Would 
you restate that again?
    Mr. Rossotti. Yes. The reorganization, part of the 
transformation at the IRS, this was incorporated in the reform 
bill. It gave us the authority to do this.
    The IRS, back since the fifties, was organized into what 
were called districts and service centers. These were, 
essentially, independent, relatively semi-independent units 
that ran the IRS, and then there was a regional and other 
headquarters that supported them.
    When I got there, there were 33 districts, 10 service 
centers, 4 regions, and then some other units. As part of this 
reorganization, those were eliminated; those were abolished. In 
their place, what we ended up with was--and I am 
oversimplifying this a little--four major units that were 
organized around taxpayers, one for individual taxpayers, one 
for small business, one for large business, and one for tax 
exempt. Each of those four has nationwide responsibility to do 
everything to service those taxpayers, and in the process we 
eliminated several layers of management and streamlined things.
    Then each of those units, or many of them, had their own 
information technology, and so on and so forth. That is part of 
what led to all the fragmentation. So all that was pulled out, 
and there is now two support organizations in the IRS, one 
agencywide information technology organization which has the 
responsibility of providing all information technology services 
to the other operating units. They are, in effect, customers, 
and there are service-level agreements that lay out what those 
standards are. There is another support organization that does 
all the other support services, such as personnel, procurement, 
facilities, equal employment opportunity, those kinds of 
services.
    Mrs. Blackburn. OK, and you brought this into one major IT 
unit, correct?
    Mr. Rossotti. Yes, we did. We did that in phases.
    Mrs. Blackburn. Yes.
    Mr. Rossotti. It was not done all at once, but it was done 
in phases.
    Mrs. Blackburn. All right, over a period of how many years?
    Mr. Rossotti. About 5 years. It has basically been 5 years.
    Mrs. Blackburn. Over a 5-year period of time that you got 
it down to one major IT unit?
    Mr. Rossotti. Right.
    Mrs. Blackburn. Did you have a CIO----
    Mr. Rossotti. Yes.
    Mrs. Blackburn [continuing]. Overseeing this unit?
    Mr. Rossotti. Yes.
    Mrs. Blackburn. You did? OK.
    Mr. Rossotti. Now I want to say I am not suggesting that 
that is what ought to be done--I really have to be careful here 
because each situation is unique. I think that made sense for 
the IRS. I really can't say whether that is the right answer. I 
just don't know.
    Mrs. Blackburn. Well, I will tell you, my hat is off to you 
if you could do it. I would have been pulling my hair out.
    Mr. Rossotti. Well, I did; I had more hair when I started. 
[Laughter.]
    Mrs. Blackburn. Well, maybe I shouldn't have used that 
example. [Laughter.]
    But, you know, it seems like quite a task----
    Mr. Rossotti. It was.
    Mrs. Blackburn [continuing]. When you are looking at going 
through that.
    Now let me ask you this, and this would be a question for 
both you and Mr. Dacey: What do you see as the vulnerability, 
for implementing a single enterprise architecture for homeland 
security? How would you respond to that?
    Mr. Rossotti. Oh, I'm sorry. Are you addressing me?
    Mrs. Blackburn. Yes, either of you or for both of you. I 
would like to get your thought on that, in having just one 
major IT unit, and then what redundancies should be built into 
that in case of an attack? You know, what kind of safeguards 
would you put into that type of system?
    Mr. Rossotti. Well, let me not try to answer it with 
homeland security, because, in honesty, it really requires a 
great deal of specific knowledge to come to those answers, and 
I really don't know about homeland security.
    I think in the case of the IRS, the issues that you get 
into--the redundancy issue, let me come back to that one--I 
don't think is actually that much of a concern, because one of 
the things that we did as part of this was to plan in what 
redundancy we needed. We didn't need 13 computing centers. We 
didn't need that much, but we needed three. So we ended up 
having three really good ones.
    I believe, with that question, the business recovery at the 
IRS today is better than it was before, because we sat down and 
planned it, rather than just saying, ``Here's how many we had 
because that is how many we had.'' So that problem can be 
solved.
    The difficulty you have in trying to go, if you are talking 
about reorganizing into one unit, is that while you are 
reorganizing it is very costly; it takes time. There are balls 
that get dropped. There is a lot of friction that develops 
during the process of doing that. We had that. We had setbacks.
    I would say that the committee ought to be prepared that, 
if the Homeland Security Department really does everything it 
says it is going to do, don't be surprised if there are some 
things that go one step back before they go two steps forward. 
I mean, you just really have to be prepared for that.
    So that is the problem. I think if you can get to the 
endpoint, you have some very powerful benefits, but there are 
big transitional issues.
    Mr. Hite. If I could add to that, I think your question has 
two parts. One deals with the challenges and the 
vulnerabilities as part of a single enterprise architecture, 
and then the other one deals with a single IT organization. 
They are actually two different things.
    The enterprise architecture talks about the department as a 
whole, as a single entity. It takes a holistic view to how to 
optimize the mission and responsibilities of the department as 
a whole.
    As part of architecting your enterprise and going through 
that process, it is done in a very structured, deliberate, 
thoughtful way. Part of that thought goes into, how do we 
secure the enterprise? Part of that would be, how do we build 
in the necessary redundancy into the systems and our processes 
to ensure that we are secure and our information is secure?
    Regarding the other issue about whether or not there should 
be a single IT organization, I would agree with Charles that it 
depends on the situation. Based on the dialog that we have had 
thus far with the department, I am not sure if it is clear yet 
as to what model it intends to employ. That will be a major 
decision point and one we will want to stay abreast of and the 
committee will want to stay abreast of, because it has major 
implications for how you go about implementing IT management 
across the department.
    Chairman Tom Davis. Thank you.
    That is the bells. The gentlelady's time has expired. We 
have four votes, but we don't vote for 15 minutes. Why don't we 
go on for 10 minutes and try to get the panel through, if I 
can.
    Mr. Ruppersberger.
    Mr. Ruppersberger. The first thing, Mr. Rossotti, I agree 
with you on the shareholders/stakeholders, whatever, from the 
beginning process.
    You know, it is a very difficult issue we are dealing with. 
First, you have to resolve the Federal agency issues and 
communication. Then you have the State and local that we have 
referred to before.
    One of the things that we haven't talked about here today, 
and especially because at the State and local level sometimes 
you might not have the sophisticated people in the 
communications area that will be working with law enforcement, 
the issue of training. Have we implemented anything as it 
relates to training both from a Federal or a State and local 
level to try to deal with some of the problems that we are 
talking about?
    Mr. Rossotti. I think I would have to ask GAO to answer. I 
really don't know.
    Mr. Hite. Your question speaks to specifically, what has 
the department done?
    Mr. Ruppersberger. Well, I am just asking about training. 
Do we have it? Do we have any plans for it? And it relates to 
the stakeholder issue, too, but as part of the elements of 
resolving this issue, it seems to me, we need to have training.
    Mr. Hite. Absolutely. I agree 100 percent.
    Mr. Ruppersberger. So, therefore, do we have that 
implementation? Do we have a plan for that? Is it happening 
now? Maybe it is not. That is why I am asking the question, but 
it is an issue that should be addressed.
    Mr. Dacey. I don't think we are familiar with what the 
department's plans are in that area except for IT. We have some 
information with respect to their IT personnel. They are trying 
to assess what their skill sets are, indeed.
    But, in terms of the broader issues with personnel and 
training, we are not familiar with what the department is 
doing. We will check back with our other resources in our 
office and get back to you.
    Mr. Ruppersberger. Well, I mean, it is an issue I think 
that hasn't been addressed.
    Mr. Dacey. Right, but it is certainly important.
    Mr. Hite. If I could just add one thing to that, I mean, we 
recognize in GAO as part of our responsibilities for evaluating 
the department's effort, the only way it is going to get things 
done is through people, process, and technology. Human capital 
is a major contributor to this. We do have ongoing evaluative 
work within GAO dealing with the human capital issue at the 
department.
    Mr. Ruppersberger. And you're right, the technology is 
extremely important, but technology integration, too, again, 
getting back to the Federal, State, and local issue that we 
have to deal with here. Then, again, also, if you are going to 
be dealing, getting back to the training, dealing with the 
issue not only in technology, but in investigation and law 
enforcement, there is another major issue that we all need to 
focus on, homeland security, whatever it be, FBI, CIA, and that 
is the analysis of information and, again, training.
    Because I am sure that we don't have the individuals now 
that can be used for the analysis. Analyst is becoming a very 
important position, and it is something we need, again, to 
focus on. I hope we consider that.
    Also, Mr. Rossotti, I think you talked about flexibility. 
This is an ongoing process. I agree with you that this is the 
United States of America; the only way we are going to solve a 
lot of these issues is teamwork. We have to learn from our 
mistakes. It is our job to point out the mistakes; hopefully, 
to educate and to fix those mistakes for the future. It is 
something that is extremely important.
    So thank you.
    Chairman Tom Davis. Thank you.
    Mr. Dacey, let me ask you, are there any vulnerabilities in 
implementing a single enterprise architecture?
    Mr. Dacey. Some of the issues, which I think Randy had 
spoken about a little earlier, are that it is important to have 
an enterprise architecture across the entire entity.
    Chairman Tom Davis. Should redundancies be built in in case 
of an attack?
    Mr. Dacey. In terms of attacks, I think security is an 
issue which certainly needs to be built into the enterprise 
architecture, but at the same time the department I think faces 
heightened risks for their information security in general 
which need to be dealt with also in the short term as it goes 
forward.
    You are connecting 22 previously unconnected entities, some 
of which may have connections back to their old parent 
organization. You are connecting State and local organizations, 
the private sector. You are developing a massive network, and 
if it is not properly constructed and secure, you are going to 
have risk from the standpoint of the weakest link in there 
could cause security challenges to the entire network. That is 
certainly a challenge.
    Also, it is going to handle classified and sensitive data. 
The users are going to have to really be identified and 
authenticated because they are going to be given only levels or 
certain levels of information, depending upon where they are 
and who they are. So you are going to have to discriminate 
between what access they have.
    Also, actually, it could become a very likely target, or 
probably is, actually, in terms of hackers, terrorist groups, 
or others who might be trying to probe into it as we speak. So 
I think there are some big challenges in putting together this 
whole system from a security standpoint which need to be dealt 
with.
    Chairman Tom Davis. GAO is continuing to monitor DHS's 
progress, aren't they? I mean in implementing the enterprise 
architecture and strategic, is that your current plan? Or do we 
need to give you further direction?
    Mr. Hite. We have ongoing work, actually, for you, Mr. 
Chairman, looking at enterprise architecture management across 
the entire Federal Government. The department is part of that 
work.
    Chairman Tom Davis. The department is so critical because, 
No. 1, of the nature of its business at this point. Second, it 
is late; it is a late start. Part of it is our fault. It took a 
long time passing its parts and, as we talked before, making 
sure you understand your requirements before you go at it.
    But, I mean, we all agree it is a lot slower than we had 
hoped, given the nature of the threat. So we want to give it 
special emphasis as it gets started, and not get in the way, 
but we need to oversee and make sure it is being done 
appropriately.
    Mr. Hite. Absolutely. Just prior to this hearing, when I 
was talking to Steve Cooper, he brought up again the offer that 
I had made to him earlier, that we sit down and talk to him 
about how he is going about this and be able to offer real-time 
reaction to it.
    Chairman Tom Davis. Mr. Rossotti, thanks again for being 
with us. You had to bring back a lot of different cultures and 
blend them together, and the key here is they have some 
probably more diverse cultures than you did----
    Mr. Rossotti. Absolutely.
    Chairman Tom Davis [continuing]. In terms of the groups. I 
mean, they are bringing in some agencies whose IT systems, some 
of them are pretty good stovepipes; some of them were bad even 
as stovepipes.
    What are the keys to success in general in fostering and 
institutionalizing a behavior and practice, and how do you use 
IT to utilize that?
    Mr. Rossotti. Well, I think that in some ways it is 
actually simpler than sometimes people think. I mean, it is a 
little more tangible maybe than just the general notion of 
culture.
    And I put down this way: Basically, I think you have to 
address two things from people's point of view. One, is how are 
they going to keep getting their job done? People in the 
Federal Government actually want to do the job. When somebody 
says, ``I know how to do the job this way,'' now there is 
something different, a new system, a new way, it sounds great, 
but, you know, ``This is what I know how to do.'' If they can 
become more comfortable with how they are actually going to get 
their job done, which means bringing them into the process or 
their representatives into the process as part of the design, I 
think their acceptance level is greater.
    The second thing they want to know is, ``What is going to 
happen to me? Am I still going to have a job?''
    Chairman Tom Davis. That is sometimes the first thing they 
want to know.
    Mr. Rossotti. Well, it could be, but I will put the two on 
equal footing for the purpose of this hearing. But really both 
are important because, even if people know they are going to 
have a job, they get very, very worried if they feel, they 
really do, that I am going to be still out there trying to do 
whatever it is I am supposed to do and I am not going to know 
how to do it. You know, people are very worried about that, as 
well as their own personal job security.
    Now, I mean, to the extent that people are going to be 
displaced, then there has to be a process to deal with that, 
but I think probably in most cases you are not really going to 
just actually displace most of the people. What you are going 
to do is maybe change the way they work.
    So, to the extent that they can be brought in and it could 
be clear what is going to stay the same and what is going to 
change, so that people know what to expect, you know, you could 
break down a lot of barriers. I mean, that basically is what it 
boils down to, to me. You have to, in a practical, tangible 
way, not only in theory, bring people along to understand what 
is going to happen to me. If it is going to change, fine. OK, 
then I should know that. Second, how do I get comfort that I am 
still going to be able to do my job.
    What they really are thinking is, you know, somebody up 
there has a great idea that is going to make it a lot better, 
and it is going to have a new system. It will be integrated. 
But, basically, they are going to be up there, and when things 
go wrong down here, I am going to be the guy that has to talk 
to the taxpayer or the person that is coming across the border, 
or whatever it is, and I am going to be the one that is going 
to end up holding the bag. That is what is going through their 
mind, in my experience, and not without some legitimacy, by the 
way, because they are still going to be out there talking to 
people when things go wrong.
    So, to the extent that you can bring people involved and 
get them involved, and you can, in a concrete, tangible way, 
answer those two questions, I think you can make a lot of 
progress.
    Chairman Tom Davis. Thank you. Panel, thank you very much.
    Any other questions?
    [No response.]
    Chairman Tom Davis. Thank you very much. We appreciate your 
being here. As I said, your entire statement is in the record. 
I will dismiss this panel, and you are free to go.
    We are going to take a recess. It will probably be about a 
half an hour because we have four votes over on the House 
floor, and we will reconvene back here. Mr. Shays may chair the 
meeting at that point, depending on some other obligations I am 
trying to work through.
    But we thank everybody for staying with us. Thank you very 
much.
    [Recess.]
    Mr. Shays [presiding]. Sorry to keep our third panel 
waiting.
    At this time let me announce our third panel: Mr. Greg 
Baroni, president, global public sector, Unisys Corp.
    Mr. Steven Perkins, senior vice president, public sector 
and homeland security, Oracle Corp., and Mr. Mark Bisnow, 
senior vice president, webMethods, Inc.
    Gentlemen, at this time it is our policy to swear you in. 
If you would stand, I will swear you in.
    [Witnesses sworn.]
    Mr. Shays. Thank you. Note for the record our witnesses 
have all responded in the affirmative.
    Mr. Perkins, you may start. Excuse me, I meant Mr. Baroni. 
I think we will do it as we called you.
    Gentlemen, let me apologize for keeping you waiting. We had 
a little bit of a question as to who was supposed to be here. 
Thank you.
    Go ahead.

  STATEMENTS OF GREG BARONI, PRESIDENT, GLOBAL PUBLIC SECTOR, 
  UNISYS CORP.; STEVEN PERKINS, SENIOR VICE PRESIDENT, PUBLIC 
 SECTOR AND HOMELAND SECURITY, ORACLE CORP.; AND MARK BISNOW, 
            SENIOR VICE PRESIDENT, WEBMETHODS, INC.

    Mr. Baroni. Mr. Chairman and members of the committee here, 
thank you for the opportunity to appear before you to discuss 
Unisys' interaction with the Department of Homeland Security 
with regard to its information-gathering and-sharing functions.
    Although Unisys is under contract to several of the 
agencies that make up the new department, our major effort to 
date is the management and implementation of the Transportation 
Security Administration's Information Technology Managed 
Services [ITMS], Program, a large-scale IT infrastructure and 
applications implementation.
    My testimony today will focus on TSA's mission and vision 
as it pertains to transportation security, with its initial 
mission being aviation security; ITMS, as an example of best 
practices in both procurement and technology services; how 
Unisys, as a world-class IT partner supports TSA's mission and 
vision; the partnership between Unisys and TSA; the Unisys 
relationship to the department's development and implementation 
of an enterprise architecture, and, finally, some cost benefits 
and efficiencies.
    The Transportation Security Administration officially 
became part of the Department of Homeland Security in March 
2003. TSA is tasked with ensuring the safe transport of people 
and commerce throughout the Nation's transportation systems, 
beginning with air travel.
    TSA's Chief Information Officer, Pat Schambach, has stated 
that, in order to accomplish its transportation security 
mission in the most efficient and effective fashion, TSA, and 
by extension DHS, must rely heavily on information-sharing in a 
solid technological platform on which to operate.
    Fulfillment of TSA's transportation security mission and 
vision is based in part on the ability of the department and 
TSA to share information; establish and maintain communications 
between the Federal work force at transportation centers such 
as airports and seaports, and TSA command-and-control centers 
such as headquarters, the Office of National Risk Assessment, 
and data centers.
    The department and TSA's ability to effectively share 
information and provide communications is dependent on its 
ability to deploy a state-of-the-art information technology 
infrastructure for voice, data, and communication that connects 
all relevant activities and locations.
    The first phase of this transportation security plan 
focuses on aviation. When complete, it connects the Nation's 
429 commercial airports, the Office of Federal Security 
Directors, and TSA command-and-control organizations.
    A little background on Unisys: Unisys is a world-class IT 
provider headquartered in Blue Bell, PA with 37,000 employees, 
$6 billion in revenue, and a presence in more than 100 
countries; 1,400 of our employees are located in northern 
Virginia, which is the headquarters of our Global Public Sector 
Unit.
    In August 2002, Unisys and its team of experienced 
partners, including IBM and DynCorp, were selected to implement 
TSA's ITMS program and immediately began work. Team Unisys is 
focused on helping TSA accomplish its mission and is dedicated 
to taking the steps necessary to understand TSA's critical 
business issues.
    Let's talk about ITMS. TSA, as the sole, newly created 
component of the Department of Homeland Security, is in a 
unique position to adapt best practices in both IT 
implementation, such as a Web-based operational strategy that 
supports OMB's e-government principles, and a procurement 
strategy, such as the Managed Services Program under which 
Unisys and its world-class team of IT partners provide the full 
range of IT infrastructure services as well as application 
development, implementation, and management.
    The ITMS program incorporates best practices in IT 
contracting, technology, and operations. It is performance-
based, as it has a mission-oriented framework, embraces 
performance metrics, and provides for performance-oriented 
incentives and disincentives. It not only incorporates the 
concept of best value, but also provides a utility model which 
outlines the responsibilities of both contractor and the 
customer.
    Capabilities of ITMS: Under this program, Team Unisys 
provides a full range of IT infrastructure services as well as 
application development and implementation to TSA headquarters 
employees, the Nation's 429 commercial airports, and the 
Federal Security Directorate sites, in addition to 21 Air 
Marshall field offices.
    This includes providing equipment such as desktops, 
laptops, servers, voice-over-Internet phones, cell phones, 
pagers, land mobile radios, and hand-held devices. It also 
includes local area networks and wide area networking at TSA 
headquarters and airport locations, as well as the use of a 
hosting center to run specific and enterprise-wide 
applications.
    Examples of applications Unisys and its team are hosting 
for TSA include the public-facing Web site, the internal 
employee Internet, e-mail, and a host of specialized 
applications to support mission functions.
    The TSA strategy for IT deployment initially called for 
three phases referred to as ``red,'' ``white,'' and ``blue,'' 
and I will just note here that my testimony, my written 
testimony, goes into much more detail with regard to these 
efforts. So, for the purposes of my testimony here orally, I am 
going to kind of summarize.
    The initial or red phase focused on the deployment of 
initial infrastructure to headquarters and the hosting center, 
as well as deploying essential computing and communications 
equipment to field airport locations. The red phase, as we 
describe it, is essentially complete.
    The second or white phase consists of providing robust and 
secure LAN/WAN connectivity between field airport locations and 
the TSA hosting center. That effort is underway today, and we 
are in the early stages of it.
    The blue phase represents a time at which TSA will be able 
to leverage deployed IT, or information technology, with both 
business model and process re-engineering to achieve new 
efficiencies and effectiveness for transportation security.
    In addition to the services being provided directly to TSA, 
DHS has leveraged ITMS, the vehicle, by tasking Team Unisys to 
stand up the IT infrastructure at its headquarters locations, 
including desktop equipment and local area network support. 
Team Unisys also is hosting DHS's public-facing Web site in the 
same hosting center and using the same infrastructure, or 
leveraging that same infrastructure, that we established and 
are using for TSA.
    Let me talk quickly about the relationship to DHS and the 
enterprise architecture. The Clinger/Cohen Act requires the use 
of a rigorous enterprise architecture blueprint to enable 
systems modernization. Recently, OMB provided guidance on EA 
through release of reference models that enable information-
sharing and reduce IT stovepipes.
    Additionally, GAO has indicated that the development and 
effective use of an enterprise architecture is crucial to 
successfully achieving an organization's mission and 
objectives. Absent such a blueprint, an organization may find a 
lack of integration among business operations and supporting 
information technology resources that could lead to burdensome 
inefficiencies and redundancies.
    One of our major tasks is to develop TSA's enterprise 
architecture consistent with the department's overarching EA 
strategy. To do so, we have combined the best of OMB's 
reference models, GAO's maturity models, and the Federal CIO 
Council's Federal Enterprise Architecture Framework [FEAF], 
along with our own best practices that focus on business 
strategy and business drivers.
    Additionally, we have implemented an enterprise 
architecture management system----
    Mr. Shays. Mr. Baroni, let me just ask you, just give me a 
sense of how much longer you feel you need to be going.
    Mr. Baroni. About a minute and a half.
    Mr. Shays. OK. Let me just tell you the challenge. The 
challenge is we may not have another member to take my place, 
and about 4 minutes to 1 p.m., I have to leave. I want to make 
sure we do get into some key points.
    Mr. Baroni. OK.
    Mr. Shays. And I apologize to all three of you for that. 
There is just a little mixup as to how we were going to handle 
this. You are an important panel, but if we can try to deal 
with it--OK?
    Mr. Baroni. OK, I will quickly go through here then.
    Mr. Shays. Thank you.
    Mr. Baroni. The department has established an Enterprise 
Architecture Working Committee comprised of representatives 
from its component agencies. Team Unisys works directly with 
TSA, the TSA representative, and is sharing our best practices 
with that committee.
    The department has also adopted that use that I referenced 
earlier as the repository for its enterprise architecture 
artifacts and has asked us to develop their IT investment 
portfolio system.
    I will just move on to cost savings and efficiencies now. 
The concepts of IT integration and cost savings have been at 
the core of everything we are doing, and that has been assigned 
by TSA to Team Unisys. These concepts were initially driven by 
the Investment Review Board, established last fall by the then-
Office of Homeland Security and the Office of Management and 
Budget.
    For instance, TSA and Team Unisys have established a very 
deliberate process to review the capabilities and 
infrastructure in place at each airport that has a presence of 
both the Immigration and Naturalization Service [INS], and the 
U.S. Customs Service before we deploy any new infrastructure on 
behalf of TSA. The purpose of this process is to identify any 
potential opportunities to share space, equipment, and 
infrastructure that could drive down the cost for each agency.
    In summary here, consistent with the President's Management 
Agenda, TSA's ITMS program is an end-to-end IT infrastructure 
contract for the application of IT life-cycle management. A 
major focus of ITMS implementation has been to design a 
blueprint of its technology requirements and establish a 
disciplined process for making IT investments.
    TSA is focusing on real cost savings for the American 
taxpayer by ensuring the IT infrastructure investment decisions 
are coordinated among the co-located agencies in the field.
    That concludes my testimony, and I will be happy to answer 
any questions you and/or any of the committee members may have.
    [The prepared statement of Mr. Baroni follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.075
    
    [GRAPHIC] [TIFF OMITTED] T8194.076
    
    [GRAPHIC] [TIFF OMITTED] T8194.077
    
    [GRAPHIC] [TIFF OMITTED] T8194.078
    
    [GRAPHIC] [TIFF OMITTED] T8194.079
    
    [GRAPHIC] [TIFF OMITTED] T8194.080
    
    [GRAPHIC] [TIFF OMITTED] T8194.081
    
    [GRAPHIC] [TIFF OMITTED] T8194.082
    
    Mr. Shays. Thank you.
    The next two witnesses can use the same amount of time. 
With my interruption, it was 11 minutes. But it is important to 
put those things on the record. So you can decide whether you 
want to have statements or some questions and dialog. I will be 
here. So you can have 10 and 10, whatever.
    Mr. Perkins, you are next.
    Mr. Perkins. Thank you, Mr. Vice Chairman. I will try to 
edit this on the fly.
    Mr. Shays. But get it on the record.
    Mr. Perkins. Thank you very much.
    Mr. Shays. Just as long as you realize what we have here.
    Mr. Perkins. And I would hope that the written testimony 
could be incorporated in the record as well.
    Mr. Shays. It will be in the record.
    Mr. Perkins. Thank you very much.
    Again, my name is Steve Perkins. I am senior vice president 
responsible for Oracle's public sector in the United States and 
our homeland security as well for Oracle Corp.
    Just on a personal note, as a long-time Connecticut 
resident, it is delightful to appear before you.
    Mr. Shays. Thank you. You may have 12 minutes. [Laughter.]
    Mr. Perkins. Thank you very much.
    As you may know, Oracle was created 26 years ago to help 
the intelligence community manage its most sensitive 
information. Today, Oracle is the largest enterprise software 
company in the world, providing information management software 
and expertise to firms that include 98 of the Fortune 100 and 
hundreds of departments and agencies in Federal, State, and 
local governments.
    Mr. Shays. The only thing I know is, had I invested stock 
with you that many years ago, I wouldn't be sitting here. 
[Laughter.]
    Mr. Perkins. Not part of my prepared remarks, but yes.
    In addition to the corporate customers we work with, we are 
also very active with the Department of Homeland Security. In 
fact, all 22 of the agencies of the department use Oracle's 
technology.
    So, given our market position, we are part of the Nation's 
critical information infrastructure, and since September 11 
have spent a good bit of time working with them to better 
secure those systems.
    Mr. Vice Chairman, I don't believe anyone could overstate 
the magnitude of the information-sharing challenge facing 
Secretary Ridge, Steve Cooper, and the entire Homeland Security 
team. Since the formal creation of the department last March, 
the department has been working very hard to stand itself up in 
the areas of personnel, administration, and technology, and to 
pull the 22 disparate organizations, and its 190,000 people, 
together. While this certainly isn't the largest of the 
commercial mergers, in a dollar sense it certainly is the most 
complex one I have ever seen in my experience.
    Information we believe is one, if not the most, powerful 
weapon we have against terrorism. Strangely, when you watch the 
news shows, there seems to be a focus on a lack of information; 
we don't have enough information. I believe the problem is 
exactly the opposite; we have an abundance of information, and 
our challenge is to integrate that information, to make sense 
out of it, and make it actionable. Real data is found in these 
relationships, not in the data itself, and that certainly is 
one of the lessons that we learned, unfortunately, on September 
11.
    We are very pleased that Steve Cooper, the CIO for DHS, is 
looking to establish this enterprise architecture in accordance 
with OMB policy, and we are advocates of this approach. We 
believe the architecture can serve as a blueprint for 
information-sharing vertically with State and local and Federal 
organizations as well as horizontally within the 22 agencies 
and with the other groups at the Federal level as well.
    That is one of the key challenges we are working on with 
the Transportation Security Administration and our partner, 
Unisys Corp. TSA is going to be in a position to receive a 
tremendous amount of information. Its challenge will be to 
assess that information and make it actionable.
    They are using our technology in the areas of incident 
management and case tracking to better manage this. They are 
also using our technology to support a public portal, so the 
citizens can report concerns about public transportation. We 
think the architecture that they are using there can be an 
example for the application of enterprise architecture at the 
DHS level.
    The most significant barrier to information-sharing, in our 
view, and an opportunity to apply standards, lies in the 
concerns raised by organizations, both public and private, 
about the potential of their data to be exposed to insecure 
systems. There are well-established standards for securing and 
auditing these data.
    In the United States they are managed by NIAP, or National 
Information Assurance Partnership. Oracle is one of a few 
companies that actually builds security capability into the 
products as opposed to bolting it on after the fact. In fact, 
we go the extra step of having our software independently 
evaluated against standards like the Common Criteria.
    I believe that Federal agencies, who represent the largest 
buying entities for commercial products, can play a significant 
role in the marketplace by making information assurance through 
independent evaluation ubiquitous.
    In January 2000, a committee within the National Security 
Agency proposed standards which have been embodied in NSTISSP 
No. 11, a policy that calls for independent evaluations of 
information assurance products purchased by the Federal 
Government. This policy has been recently adopted by the 
Department of Defense in their evaluation and embodied in last 
year's defense authorization bill by Congress.
    I bring it to the committee's attention because we believe 
DHS should adopt this policy for their procurements. We think, 
as a byproduct of the money that will be spent on homeland 
security, and without additional cost, we can lock down the 
entire information infrastructure.
    In short, if DHS insists that that capability exists in 
commercial products, others like Oracle will build it in, and 
everyone who buys it anywhere in that vertical infrastructure 
will have it available. Whether it is information security 
enterprise architecture or industry standards, we think it is 
very important for DHS to continue the outreach programs that 
they started. I enjoyed Mrs. Blackburn's question on that 
subject.
    When Steve Cooper was part of the Office of Homeland 
Security at the White House, I thought he had a very effective 
outreach program. We encourage them to continue it. Obviously, 
the complexities of setting the department up are very time-
consuming, but we think it is critical.
    So, in conclusion, Mr. Vice Chairman, I believe the 
department is making sound, measurable progress on information 
engineering and integration. Congress, as policy leaders, can 
best assist DHS by defining appropriate policies to guide 
Federal, State, and local organizations down a common path for 
information-sharing.
    Thank you again for the opportunity to testify, and we look 
forward to questions.
    [The prepared statement of Mr. Perkins follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.083
    
    [GRAPHIC] [TIFF OMITTED] T8194.084
    
    [GRAPHIC] [TIFF OMITTED] T8194.085
    
    [GRAPHIC] [TIFF OMITTED] T8194.086
    
    [GRAPHIC] [TIFF OMITTED] T8194.087
    
    Mr. Shays. Thank you, Mr. Perkins, and I appreciate your 
help here.
    Mr. Bisnow.
    Mr. Bisnow. Thank you, Mr. Chairman, and thanks for the 
opportunity to appear this morning on behalf of webMethods, 
which is a leading maker of integration software. I am really 
here to tell you about the experience of a small company 
dealing with the Department of Homeland Security.
    My name is Mark Bisnow, and, yes, I am the one who does the 
corny radio commercials for webMethods, where I run our 
Government Operations Unit. We like to think there is a method 
to my madness, as I make fun of acronyms and techno-babble on 
the public airwaves. We have actually reached a point in 
American history where, for the first time, the word 
``integration,'' though that is still too arcane a term to use 
in polite company, can at least be understood conceptually, if 
you remove strange words like ``back-end,'' ``enterprise,'' 
``legacy,'' ``scalability.''
    When I remind people that the September 11 terrorists went 
up to the counters at United and American, used their real 
names, but weren't recognized even though they were on 
government watch lists, a light bulb goes off and they realize 
the importance of integrating data bases. Or when I ask people 
if they ever called their bank and the voice menu says to punch 
in your account number, and you do so, and then you are 
transferred and a human being answers and they ask you for your 
account number again, and you say, ``Didn't I just give you 
that?'' And the person at the other end says, ``Oh, that's 
another system in our company, and they're not connected.'' 
Well, let me put it this way: Even my mom now understands what 
we do at webMethods.
    If we can harness the interest and understanding of 
ordinary Americans like my mom, we can create a powerful 
information-sharing revolution in America. Someday our 
grandchildren will think it is all very funny that computer 
systems didn't talk to each other. In fact, they probably just 
won't believe it.
    But at the moment they don't talk to each other, and it is 
actually not very funny. Nowhere is the imperative for 
integration clearer than in homeland security, not just the 
mission of stopping terrorists, but how about just getting the 
daily functions of the department to work together and hum?
    I have been around town a long time, and when you talk 
about merging 170,000 people and 22 agencies, you are talking 
about a lot of B-H-A-Sy. That is the acronym for ``big, hairy 
accounting systems,'' not to mention ``big, hairy financial 
systems,'' ``human resources systems,'' and the like.
    Of course, it just so happens that is what webMethods does. 
We are a company of nearly 1,000 people, based in Fairfax, with 
50 offices in 18 countries throughout the world. We make 
commercial, off-the-shelf software that, in our view, is 
cheaper, faster, more reliable, and more secure than the old-
fashioned way of hiring lots of human beings to come in and 
write software code to connect different systems.
    Instead, we provide a single software platform that all the 
different systems and data bases plug into. We do this for 
FedEx, Dell, 3M, Office Depot, Apple, Verizon, Best Buy, 
Freddie Mac, the Army, EPA, and about 1,000 other household-
name companies and government organizations.
    So how does a relatively small company like ours, no matter 
how great its product, get into a big agency like the 
Department of Homeland Security? Well, I wish it were like 
going to Carnegie Hall and all it takes is practice, but, no, 
that is not enough. If it were a matter of having vast, world-
class practice and experience, DHS would be ringing our phone 
off the hook. The fact is it is not easy, and here are some 
reasons why.
    First, those heroic people at DHS have a million other 
things to do. Thank heavens, they don't stop every moment to 
listen to every vendor, but we would like to think that 
integration is about as high a priority as you can get and that 
they will be looking for the best technology. So I keep hoping 
that, when I check my voicemail each day, there will be an 
urgent message waiting from Steve Cooper.
    Second, relatively small companies like ours depend on 
relationships with giant prime contractors who agencies, first 
and foremost, deal with, not with small companies like ours. We 
depend on those big companies.
    So have I forgotten to mention how wonderful a company 
Unisys is? [Laughter.]
    I think Oracle is a good company, but Unisys is a great 
company. [Laughter.]
    Third, the government is a bit of an IBM shop on the 
civilian side. Even though top analysts may say that our 
software is superior in our particular niche, never 
underestimate the bureaucratic appeal of the deniability you 
get if there is ever a problem and you can say, ``Hey, man, I 
bought IBM,'' but we're stubborn and know that someday they 
will also say that about webMethods.
    Fourth, there is still something called architecture being 
established, and, of course, you wouldn't start building a 
house and buying components without a blueprint.
    Finally, there isn't a lot of money sloshing around yet. 
That is where this fine committee and Congress come in, but 
that is above my pay grade to comment.
    But, on the bright side, there are now some pilot programs, 
and we do hope to participate in those. We are lucky that, in 
general, when our software is evaluated, people love it and we 
get contracts. So if I had one thing to suggest to DHS, it 
would be that there should be more proactive evaluation of 
specific technology like ours. I suspect that DHS actually 
agrees, and when the dust settles from the merger, maybe there 
will be.
    Mr. Chairman, integration is not just a subject for 
techies. It has huge implications for our economy, foreign 
policy, and homeland security. This committee will leave an 
extraordinary legacy if it gets ordinary Americans to 
understand the power for good that information-sharing, AKA 
``integration,'' can have in our daily lives, making government 
run more efficiently and helping to prevent terrorism.
    The Department of Homeland Security is the best imaginable 
laboratory and showcase for this revolution. As an integration 
company, we at webMethods are excitedly hoping that the example 
it sets will be a great one.
    We are deeply indebted to this committee for trying to make 
that happen, and we stand ready to help. Thank you again for 
the invitation.
    [The prepared statement of Mr. Bisnow follows:]

    [GRAPHIC] [TIFF OMITTED] T8194.088
    
    [GRAPHIC] [TIFF OMITTED] T8194.089
    
    [GRAPHIC] [TIFF OMITTED] T8194.090
    
    Mr. Shays. Thank you. You all are a wonderful panel. Let me 
just try to understand a few things, first off.
    Mr. Perkins, you have a contract, your company has a 
contract with DHS as we stand right now. A number of them or 
one?
    Mr. Perkins. We have many contracts. We worked with most of 
the 22 agencies prior to their becoming part of the department. 
So we do now.
    Mr. Shays. OK, I want to come back to that because this is 
a wonderful opportunity to see how the system is going to work.
    How about you, Mr. Baroni.
    Mr. Baroni. We have several contracts with the various 
agencies, but the main contract we have is the one I referenced 
in my testimony, ITMS.
    Mr. Shays. And that was a contract established before DHS 
or after?
    Mr. Baroni. Established, technically, before DHS, yes.
    Mr. Shays. OK. And, Mr. Bisnow.
    Mr. Bisnow. None.
    Mr. Shays. None. Now it is interesting to think of a 
company with 1,000 employees as being relatively small, but, 
you know, I thought you were going to be telling me about how 
you work in the kitchen, and so on. I mean you are a pretty 
established company here.
    Mr. Bisnow. We are one-thirty-seventh of their size.
    Mr. Shays. Right. So it means you are more nimble, more 
flexible, and so on. I don't feel sorry for you.
    Bottom line: What I would love to know, but I am intrigued 
by it, Mr. Perkins, walk me through--you are in a wonderful 
position to describe the benefits or the challenges of bringing 
22 into 1, because you have worked with different parts. And, 
Mr. Baroni, are you in some cases--I am getting the sense that 
you are interacting, your two companies are interacting and 
sharing certain responsibilities.
    Let me just throw these questions out now. Have we in some 
cases made some of these contracts moot in the sense that one 
supersedes another or it doesn't make sense anymore now that we 
are integrated, and so on? So who wants to begin?
    Mr. Perkins. Let me start with your first question about 
the integration of the departments. I do think we are in a 
unique position because we have been working on the information 
technology problems of the agencies, and now of the department, 
and they come in two classes. I think it is important to 
differentiate those as we think about making progress.
    The set of problems on the business side, if you will, are 
around programs. That deals with threat lists and managing 
those threat lists and responding to them. There is another set 
on the back office side, if you will, or kind of the 
operational side. And we participate in both.
    On the operational side, we see a tremendous opportunity 
for synergy, integration and consolidation. How many financial 
systems do you need, etc? And there is an opportunity to do 
that. I would encourage us to proceed with all energy on that 
side.
    Mr. Shays. Let me just interrupt you. So in the case of 
your having a number of contracts now with just one department, 
are you going through and recommending that you don't need to 
pursue this contract? Are you coming back and suggesting that, 
instead of doing this with three different parts, that you do 
one, one thing, with many parts?
    Mr. Perkins. Yes, we have been working with the individual 
CIOs since the formation of the department was proposed on how 
they might integrate systems that they have running on Oracle 
technology, either business systems or program systems that run 
our data base technology, how they can integrate those, how 
they can communicate, how they can consolidate for more 
efficient business operations, and better information. We work 
with those regularly. Those CIOs participate at a CIO Council 
level with Steve Cooper. We think we have an ability to 
communicate and participate in that discussion.
    Mr. Shays. Do you want to jump in?
    Mr. Baroni. Sure. As it relates to the question you asked 
about the contract and the contract vehicles, our belief is 
that the one that we established with TSA is a best practices 
contract vehicle. So our preference is to see as many of the 
folks use that, meaning vendors and contractors, use that 
vehicle in order to do business with the Department of Homeland 
Security.
    Now take, for example, the work we are doing with Oracle, 
where we actually negotiated a license agreement with them, 
with extensibility to all of the departments of Homeland 
Security. So that there would be just one vehicle for acquiring 
that. So that is just one example of how you could actually get 
away or reduce the number of contract vehicles out there.
    Mr. Shays. I am coming to you in a second, Mr. Bisnow, but 
let me just ask you this. This may seem a little off the 
subject, but very much an interest of mine.
    You were working with these different agencies with people 
that technically could be consolidated under one department, 
information folks in different agencies now coming to one. Are 
you starting to see that happen, and do you see some benefits 
here?
    Mr. Baroni. What we are seeing right now is that the 
agency, or I should say the department, is putting the plans 
together around that. We heard that in Steve Cooper's 
testimony. But the plan is to look for opportunities, as driven 
by re-engineered business processes, by rethought-through 
business models, where they can optimize resource-sharing and 
the leverage of information technology investments.
    So those are the goals: The improvement of Federal--I 
should say the optimization of the use of Federal resources.
    Mr. Shays. Mr. Bisnow, given that you are a candid person, 
as you are hearing this dialog, what is going through your 
mind?
    Mr. Bisnow. I guess you can't repeal the laws of human 
nature. People want contracts, and they----
    Mr. Shays. So am I to infer in that we should be starting 
over again, saying, you know, new department; let's cancel all 
the old stuff and let's start fresh?
    Mr. Bisnow. Probably not, because, my experience is usually 
that causes a whole set of unexpected problems, but I am no 
expert on that.
    Mr. Shays. OK. I have a feeling you are.
    Mr. Perkins. If I might----
    Mr. Shays. Sure.
    Mr. Perkins. May I just comment on that?
    Mr. Shays. Yes.
    Mr. Perkins. I think one of the things that I have been 
very impressed with in the department is the openness and the 
persistence of their outreach, not just to companies like 
Oracle or Unisys or others who have an institutional position 
that can help them accelerate the transformation, but out to 
smaller companies who have component technologies that can play 
a role either in integration or have biometric technologies or 
those kinds of things. I think there has been a decided 
outreach, and I think there is a real need for us to reinforce 
that outreach and the openness of that outreach, because there 
are terrific technologies out there that need to be 
incorporated into the solutions.
    Mr. Shays. My committee, the National Security 
Subcommittee, oversees Defense and the State Department. We 
have added in now Homeland Security. But we had a real giant of 
a gentleman from California. He used to do the management in 
information systems. So we kind of all deferred to him over the 
last few years, no longer, Congressman Horn.
    What has been a gigantic disappointment for us, as we have 
looked at information systems in DOD, has been that one after 
another have not succeeded. Then we have new management folks, 
and so on.
    One of the questions I would love to ask you is: Is the 
Government at somewhat a disadvantage because it has folks 
that, one, come in and out, and, two, frankly, are not paid all 
that much? In other words, are they up against--is the pay 
structure of Government such that we are disadvantaged at 
getting people with the latest skills, etc?
    Mr. Perkins. I think, if I might, there certainly is an 
expectation gap, if we think about the Department of Defense 
and the uniformed person coming in, with their ability to go 
home and buy things over the Web and their ability to go on the 
base and do the same thing are dramatically different. So that 
expectation differs.
    I don't think it is a capability issue, though, in 
transformation. There clearly is an issue of persistence of 
senior leadership, particularly on the defense side, as you 
have rotations in administrations and forced rotation in 
command structure as well.
    I think the only thing that will make that be successful, 
in my view, is a transformation of business process to lead 
technology. We heard Steve Cooper talk about that today and 
Mark Forman talked about it also.
    If all we see is the systems change and the process stay 
the same, and the organization to support them stay the same, 
we know we have made no progress. We probably spent a lot of 
money, but we have made no progress.
    I think that kind of business transformation has to be led. 
I have been around the government marketplace for 26 years. I 
see a real interest and persistence in doing that. It is going 
to take a while to do. Oracle has gone through a transformation 
on our own. We are in about our third year of it, and we saved 
$1 billion in our operating base, but it is hard, even for a 
company of Oracle's scale, to do that. So I think there is an 
opportunity to do it, but we have to start with business change 
first.
    Mr. Baroni. Can I pick up on his comment there?
    Mr. Shays. Yes, sir.
    Mr. Baroni. To your direct question, I would say, as I look 
at the government systems and compensation structures, I would 
say they are completely arcane and they lack competitiveness 
with the private sector. That is why I think that the 
government has to have a marriage with the private sector in 
order to accomplish their mission.
    Mr. Shays. Well, they clearly need that, and I understand 
that, but I guess what I am wondering is, in that negotiation 
process and the oversight process that the government is doing, 
we hire out; you do the job. Are we able to match the skill 
with the private sector to be able to bring out the best in the 
private sector, etc? And that is kind of what I am wondering. I 
am getting the sense that we are somewhat, but the turnover is 
the big challenge.
    Mr. Baroni. I think, yes, you definitely face turnover 
issues. But I think, from what I have seen--and, obviously, my 
experience has been focused in on TSA and their ITMS efforts, 
and I have actually had a hands-on perspective there. My 
perspective is that, if you look at the aging work force, you 
don't need allegiance. The government doesn't need to have 
allegiance of folks out there any longer trying to do all these 
different functions.
    But by hiring strong folks that can stay within the Federal 
Government and carry out the program management and oversight 
responsibilities of these efforts, then they are going to be 
able to--and you need fewer of them--then you are going to be 
more successful in overseeing these contractor efforts.
    Mr. Shays. Thank you.
    Mr. Bisnow, I want to ask you this: you really started 
out--and, obviously, speaking to someone with my minimal level 
of technical skills here----
    Mr. Bisnow. From one to another.
    Mr. Shays. No, I don't believe that. Otherwise, I don't 
want to ask you the question. [Laughter.]
    OK. No, but the point that you were basically making is 
that our systems need to be able to talk with each other. 
Implicit in your comment to me was, it is not going to take a 
rocket scientist to do that, and why aren't we doing it? So, 
one, am I right in assuming that is what you are saying? Then 
my second question is, why aren't we doing it?
    Mr. Bisnow. You bet it is easy. You bet, it is 
technologically easy.
    Mr. Shays. OK.
    Mr. Bisnow. And it is a red herring when people say, ``Oh, 
that's just so complicated.'' We do it every day on the 
commercial side for lots of big companies.
    The problem is--I hate to throw it back into your court--
policy and politics. You know, do people want to share 
information? Do they want to change? There is lots of vested 
interest in the status quo. It is human nature.
    But, you know, to try to connect that with your last 
question about, do we pay people enough, you know, sometimes 
people can be paid in psychic income. One thing that on 
occasion is very exciting about working in government--and I 
have worked in government--is if you think you are sitting on 
top of a really cool revolution and that what you are doing 
really matters.
    Mr. Shays. Right.
    Mr. Bisnow. I think that if people began to see that this 
has a practical impact, and everybody, instead of hating the 
government, says, ``Oh, wow, this is great. We taxpayers are 
getting our money's worth,'' and ``Oh, wow, there haven't been 
any terrorist acts and it's because we've gotten good 
information and nabbed people,'' I think if I were a part of a 
CIO's office, I would take great pride in that. I would be 
telling people at dinner, ``Wow, you know, I worked on this and 
that's why you guys are happy out there.''
    So I would think about paying, you know, really focusing on 
the excitement of the revolution that is in front of us, and 
not getting caught up in all the trees.
    Mr. Shays. Well, I have an exciting activity. I am supposed 
to have a press conference with McCain and Feingold at 1 p.m., 
in the Russell Building on campaign finance reform, something 
we have worked on a long time. There would be many things that 
would keep me here, but that is one thing that is going to move 
me away.
    Is there any last thing that we need to put on the record? 
Mr. Perkins, anything that you just want to make sure----
    Mr. Perkins. I would just refer back to my remarks. I think 
there is opportunity to encourage, through the money that is 
already being spent for homeland security, the adoption of a 
policy like NSTISSP No. 11, an independent evaluation of a 
security capability of products you are going to buy anyway. If 
you do that, you will encourage companies, and require 
companies like Oracle already does and others, to build that 
into the core of their products, and that becomes available 
when it is bought by a utility company or a financial services 
company or a municipal police department.
    And as a byproduct of all this money spent, we will lock 
down the critical infrastructure not just for homeland 
security, but for cyber terrorism. I think we should think of 
peacetime dividends for some of these investments as well.
    Mr. Shays. Thank you.
    Mr. Baroni.
    Mr. Baroni. My comments are concluded, and I just want to 
respect your desire to get over to vote.
    Mr. Bisnow. Thank you.
    Mr. Shays. Thank you. I don't usually miss something for a 
press conference, but this is somewhat exceptional.
    Let me thank you all and say the record will be open for 2 
weeks. There may be some questions our staff needs to ask you 
to respond to and that you may want to put on the record.
    With that, I am going to adjourn this hearing and run out. 
Thank you.
    [Whereupon, at 1:02 p.m., the committee was adjourned, to 
reconvene at the call of the Chair.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T8194.091

[GRAPHIC] [TIFF OMITTED] T8194.092

[GRAPHIC] [TIFF OMITTED] T8194.093

[GRAPHIC] [TIFF OMITTED] T8194.094

[GRAPHIC] [TIFF OMITTED] T8194.095

[GRAPHIC] [TIFF OMITTED] T8194.096

