b"<html>\n<title> - CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL AGENCIES</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF \n  THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL \n                                AGENCIES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION\n                POLICY, INTERGOVERNMENTAL RELATIONS AND\n                               THE CENSUS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 24, 2003\n\n                               __________\n\n                           Serial No. 108-100\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n91-648              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2003\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nJOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, \nNATHAN DEAL, Georgia                     Maryland\nCANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of \nTIM MURPHY, Pennsylvania                 Columbia\nMICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee\nJOHN R. CARTER, Texas                CHRIS BELL, Texas\nWILLIAM J. 
JANKLOW, South Dakota                 ------\nMARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                       Peter Sirh, Staff Director\n                 Melissa Wojciak, Deputy Staff Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n              Philip M. Schiliro, Minority Staff Director\n\n   Subcommittee on Technology, Information Policy, Intergovernmental \n                        Relations and the Census\n\n                   ADAM H. PUTNAM, Florida, Chairman\nCANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri\nDOUG OSE, California                 DIANE E. WATSON, California\nTIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts\nMICHAEL R. TURNER, Ohio\n\n                               Ex Officio\n\nTOM DAVIS, Virginia                  HENRY A. WAXMAN, California\n                        Bob Dix, Staff Director\n                 Chip Walker, Professional Staff Member\n                      Ursula Wojciechowski, Clerk\n           David McMillen, Minority Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on June 24, 2003....................................     1\nStatement of:\n    Charbo, Scott, Chief Information Officer, Department of \n      Agriculture................................................   115\n    Cobb, Robert, Inspector General, NASA........................   101\n    Dacey, Robert F., Director, Information Security Issues, \n      General Accounting Office..................................    23\n    Forman, Mark A., Administrator for Electronic Government and \n      Information Technology, Office of Management and Budget....    
12\n    Frazier, Johnnie E., Inspector General, Department of \n      Commerce...................................................    71\n    Ladner, Drew, Chief Information Officer, Department of \n      Treasury...................................................   126\n    Morrison, Bruce, acting Chief Information Officer, Department \n      of State...................................................   146\nLetters, statements, etc., submitted for the record by:\n    Charbo, Scott, Chief Information Officer, Department of \n      Agriculture, prepared statement of.........................   118\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of...................    58\n    Cobb, Robert, Inspector General, NASA, prepared statement of.   104\n    Dacey, Robert F., Director, Information Security Issues, \n      General Accounting Office, prepared statement of...........    25\n    Forman, Mark A., Administrator for Electronic Government and \n      Information Technology, Office of Management and Budget, \n      prepared statement of......................................    15\n    Frazier, Johnnie E., Inspector General, Department of \n      Commerce, prepared statement of............................    73\n    Ladner, Drew, Chief Information Officer, Department of \n      Treasury, prepared statement of...........................   128\n    Miller, Hon. Candice S., a Representative in Congress from \n      the State of Michigan, prepared statement of...............    10\n    Morrison, Bruce, acting Chief Information Officer, Department \n      of State, prepared statement of............................   148\n    Putnam, Hon. Adam H., a Representative in Congress from the \n      State of Florida, prepared statement of....................     
5\n\n \n CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF \n  THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL \n                                AGENCIES\n\n                              ----------                              \n\n\n                         TUESDAY, JUNE 24, 2003\n\n                  House of Representatives,\n   Subcommittee on Technology, Information Policy, \n        Intergovernmental Relations and the Census,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10 a.m., in \nroom 2154, Rayburn House Office Building, Hon. Adam Putnam \n(chairman of the subcommittee) presiding.\n    Present: Representatives Putnam, Miller, Clay and Watson.\n    Staff present: Bob Dix, staff director; John Hambel, senior \ncounsel; Chip Walker and Lori Martin, professional staff \nmembers; Ursula Wojciechowski, clerk; Suzanne Lightman, fellow; \nBill Vigen and Richard McAdams, interns; Jamie Harper and Kim \nBird, legislative assistants; David McMillen, minority \nprofessional staff member; and Cecelia Morton, minority office \nmanager.\n    Mr. Putnam. A quorum being present, this hearing on the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census will come to order. \nGood morning, and welcome to the second in a planned series of \nhearings addressing the important subject of cyber security.\n    Today we continue our in-depth review of cyber security \nissues affecting our Nation. Specifically this hearing will \nfocus sharply on the efforts within the Federal Government to \nsecure our own computer networks. 
Our critical infrastructure \nof the cyber kind must have the same level of protection as our \nphysical security if we are to be secure as a Nation from \nrandom hacker intrusions, malicious viruses or, worse, serious \ncyber terrorism.\n    There are several things unique to cyber attacks that make \nthe task of preventing them particularly difficult. Cyber \nattacks can occur from anywhere around the globe, from the \ncaves of Afghanistan to the warfields of Iraq, from the most \nremote regions of the world, or simply right here in our own \nbackyard. The technology used for cyber attacks is readily \navailable and changes continually, and maybe most dangerous of \nall, is the failure of many people critical to securing these \nnetworks and information from attack to take the threats \nseriously, to receive adequate training and to take the steps \nnecessary to secure their networks.\n    A serious cyber attack would have serious repercussions \nthroughout the Nation in a physical sense and in very real \neconomic terms. A recent report under Government Information \nSecurity Reform Act once again demonstrates that we have a long \nway to go in the Federal Government to feel the least bit \nconfident that we have secure computer networks. Before going \ninto more detail about the report, I want to comment briefly \nabout the timing. This latest GISRA report was released this \nMay. It was based on information provided to OMB in September \n2002. This is kind of like being an astronomer and looking in \nthe telescope at the stars, all the while realizing that what \nyou are viewing actually occurred a long, long time ago. We \nneed to find a way to get more real-time reporting, and I want \nto work with OMB on improving the timeliness of their \ninformation.\n    The current GISRA report demonstrates that progress in \ncomputer security at Federal agencies is proceeding slowly, and \nthat simply is no longer acceptable. 
The OMB report to Congress \nidentified a number of serious weaknesses. Many agencies are \nfacing the same security weaknesses year after year, such as \nthe lack of system-level security plans and certifications and \naccreditations. Some IGs and CIOs from within the same agencies \nhave vastly different views of the state of the agency security \nprograms. Many agencies are not adequately prioritizing their \nIT investments and are seeking funding to develop new systems \nwhile significant weaknesses exist in their legacy systems. Not \nall agencies are reviewing all programs and systems every year \nas required by GISRA. More agency program officials must engage \nand be held accountable for ensuring that the systems that \nsupport their programs and operations are secure. The old \nthinking of IT security as the responsibility of a single \nagency official or the agency's IT security office is out of \ndate, contrary to law and policy, and that significantly \nendangers the ability of these agencies to safeguard their IT \ninvestments.\n    The Departments of Treasury, State and Agriculture all have \nserious problems with their information security. Both the CIOs \nand the IGs of these agencies have concerns. In addition, GAO \nhas indicated a concern with computer security for all three \nagencies in its performance and accountability series.\n    In the fiscal year 2002 GISRA report, the Department of \nAgriculture reported that less than 26 percent of its systems \nwere in compliance with the eight metrics that the OMB \nreported. The agency had 70 material weaknesses in the area of \ninformation security reported by the IG. In addition, according \nto the IG, the agency is not conducting risk assessments of its \nsystems in compliance with either OMB or GISRA's requirements. 
\nThis year the agency reported an increase in systems operating \nwithout written authority and an increase in systems that do \nnot have up-to-date IT security plans.\n    The Department of State did not report information for the \nfiscal year 2001 GISRA report. It reported three material \nweaknesses for information security for fiscal year 2002. In \nJune 2001, the Department's IG released a report that \nhighlighted a number of areas that State needs to address. They \nincluded assessing vulnerability of systems, conducting \nsecurity control evaluations at least once every 3 years, and \ntesting security controls. State reported in their fiscal year \n2002 report that none of its systems have been certified and \nauthorized, and only 15 percent have an up-to-date IT security \nplan. Finally, State reported that only 11 percent of its \nsystems have contingency plans, and of those, none had ever \nbeen tested.\n    Although the Department of Treasury reported that, in the \n2002 GISRA report, 41 percent of its systems were assessed for \nrisk, its IG reported that Treasury did not use an adequate \nmethodology to determine that risk; therefore, its assessments \nwere not valid under the law. There are also significant \ndiscrepancies in many of the metrics reported in the GISRA \nreport between the Department and its IG. For example, the \nDepartment reported 451 of its systems were reviewed; however, \nthe IG reports that only 204 systems were reviewed. Treasury \nhas also reported 11 material weaknesses related to information \nsecurity.\n    I understand that many of those testifying today are \nrelatively new to their jobs. We are not here today to point \nfingers, although I have serious questions about accountability \nand responsibility for these egregious failures to perform \nminimum requirements. 
We are here to identify weaknesses or \nroadblocks, find solutions and make progress.\n    In a recent edition of the Federal Times headlined \n``Computer Security Dilemma: Agencies Must Choose--Follow the \nLaw or Fix the Problem,'' several government IT managers \ncomplained that the documentation process set up by Congress \ngives them a choice to document their security problems for \nCongress or to fix them. This attitude is disturbing, to say \nthe least. For most IT managers, the documentation process set \nup by Congress is the only reason they discovered many of their \nsecurity weaknesses. Before the documentation process, many IT \nmanagers couldn't identify their critical systems. Sadly, even \nwith the documentation process required by Congress, many \nsystems are still unidentified. That said, the committee will \ntry and remain open-minded, and if any of the witnesses today \nwould like to support this either/or contention as reflected by \nthe article, we look forward to hearing it.\n    As the subcommittee continues to examine the cyber security \nissue, we see the same recurring theme. Securing these networks \nis not about money or technology, but about management. The \nweaknesses identified are weaknesses that would be \nsignificantly reduced if approved procedures and protocols or \nbest practices were actually followed. For example, GAO still \nconducts audits to this day where they find default passwords \nin place or where systems have not been tested in a production \nenvironment. Patches remain uninstalled on systems for months \nafter known vulnerabilities are identified. These rudimentary \nlapses are not acceptable.\n    There are a number of issues still up for consideration \nbefore the Congress. 
These include requiring that the common \ncriteria be the standard government-wide; automated \nvulnerability scanning; new levels of accountability; and \nconfronting the issue of CIO retention head on.\n    While some progress is clearly being made at Federal \nagencies, going from an F to a D is not saying a lot. It is my \nhope that the Congress, OMB, the CIOs, the IGs and the GAO can \nwork together to move our level of IT security government-wide \ninto a range where we have some degree of comfort that our \nsystems are secure. We are far from that point today.\n    I would like to thank the witnesses for coming today and \npresenting the valuable testimony. As with all of our hearings, \ntoday's can be viewed live via Webcast by going to \nreform.house.gov and clicking on the link under multimedia.\n    [The prepared statement of Hon. Adam H. Putnam follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1648.001 through T1648.004\n    \n    Mr. Putnam. At this point I would like to yield to the vice \nchairwoman of the subcommittee, the gentlelady from Michigan, \nMrs. Miller.\n    Mrs. Miller. Thank you, Mr. Chairman.\n    In a post-September 11 environment, the Federal Government \nhas been forced to reevaluate its security procedures. The \nlogistics associated with such an attack are huge, and today we \nfocus on the security of Federal information systems.\n    There has been a long-held belief that there should be one \noversight facilitator for the entire Federal Government, \ngovernment chief technology officer in a sense. I think this \nidea has some merit in order to ensure that government-wide \nuniformity occurs. 
However, one thing is clear, as technology \ncontinues to evolve at quite an astonishing rate, quite \nfrankly, the Federal Government must not be left behind \nutilizing technology and systems designed for a different time \nand different type of threat. For these reasons, I am pleased, \nMr. Chairman, that you have called this hearing so that \nCongress has an opportunity to objectively evaluate security \nmeasures taken by Federal agencies.\n    To be frank, with the active measures that international \nterrorists are taking against our freedoms, I am concerned that \ncertain Federal agencies appear to be lax with their efforts to \nimprove system safeguards. Oversight reports by the GAO and the \nOMB frequently identify areas of concern and countless examples \nof Federal agencies in noncompliance with various laws and \nregulations related to system securities. Incomplete and \ninaccurate reports that are required of Federal agencies, the \napparent inability of agencies to reach their own stated \nperformance goals, and in many cases the blatant and utter \ndisregard of federally mandated requirements are just some of \nthe issues that we face in this regard.\n    Since September 11, Americans have stated in poll after \npoll that homeland security and the war against terror is the \nmost important issue facing our great Nation. I am concerned \nthat individuals within the Federal Government, individuals \nthat Americans trust to protect them and their families, do not \nseem to understand the nature of the cyber threat. However, in \nspite of current problems, the government is faced with a \nhistoric opportunity. With the passage of GISRA and the E-\nGovernment Act of 2002, which includes the FISMA, Federal \nagencies now have the tools and the necessary support to \ndevelop and implement substantial information security reform.\n    There has been some success, as the government moves \nforward. 
The work being done at the Department of Commerce is \nreally a great example. And those examples of success should be \nused as a model for other agencies. I certainly look forward to \nworking with you, Mr. Chairman, and the other members of this \ncommittee to assist agencies with their reform objectives. \nThank you.\n    Mr. Putnam. I thank the gentlelady for her interest in \nthese issues and her outstanding work on behalf of the \nsubcommittee.\n    [The prepared statement of Hon. Candice S. Miller follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1648.005 through T1648.006\n    \n    Mr. Putnam. At this time we will move to witness testimony. \nWitnesses will please rise and raise their right hands for the \noath.\n    [Witnesses sworn.]\n    Mr. Putnam. Note for the record both witnesses responded in \nthe affirmative, and we will move forward with opening \nstatements. I will begin with our first witness for his 5-\nminute statement, Mark Forman. In June 2001, Mr. Forman was \nappointed by President Bush to oversee implementation of the \n21st century information technology throughout the Federal \nGovernment. Mr. Forman is the first person in the Federal \nGovernment to fulfill responsibilities normally associated with \na corporate chief information officer. Under his leadership, \nthe Federal Government has received broad recognition for its \nsuccessful use of technology in the government. He manages over \n$58 billion in IT investments and leads the President's E-\nGovernment Initiative to create a more productive \ncitizen-centric government. He is a frequent guest of our \nhearings and always has a very fruitful and candid view of the \ngovernment's progress in all matters related to technology and \nelectronic government.\n    Mr. Forman, you are recognized for 5 minutes. Welcome to \nthe subcommittee.\n\n   STATEMENT OF MARK A. 
FORMAN, ADMINISTRATOR FOR ELECTRONIC \nGOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND \n                             BUDGET\n\n    Mr. Forman. Thank you, Mr. Chairman and Congresswoman \nMiller. Thank you for inviting me to discuss the status of the \nFederal information security and the effects of FISMA at the \ndepartments and agencies. I do look forward to working with you \nto improve the timeliness of our report, and I agree with you \nthat it should come up early as well.\n    I think we have a number of actions at the staff level. We \nhave been working with your staff to accelerate the reporting \nand make sure we are both getting good data on the status. As \nnoted in our report to Congress, progress has been made in \nidentifying and remediating longstanding IT security problems, \nbut there is much work that remains before we can say IT \nsystems are adequately secured in the Federal Government.\n    FISMA requires that Federal agencies report as a material \nweakness any significant deficiency in a policy, procedure or \npractice, and over half of the large agencies have declared at \nleast one material weakness relating to IT security. \nDeficiencies exist in a number of areas, including access \ncontrols, configuration management, security policy and \ntraining. From a government-wide perspective, the most common \nweaknesses include a lack of system-level security plans, \nlegacy systems that are not appropriately secured, and plans of \nactions and milestones that do not include all of the agency \nsystems.\n    Nonetheless, in fiscal year 2002, departments and agencies \nhave made measurable progress in IT security by conducting \nactivities such as risk assessment, security planning, \ncertification and accreditation, training and contingency \nplanning. 
Of Federal systems in fiscal year 2002, 65 percent \nhave been assessed for risk; 62 percent had an up-to-date \nsecurity plan, 47 percent had been certified and accredited, \nand 55 percent had a contingency plan. We believe that is about \ndouble the status of IT security in 2001. I know the General \nAccounting Office has some difference and would be glad to \ndiscuss that.\n    As noted in our report to Congress, agencies are testing an \nincreasing percentage of their systems for management, \noperational and technical control weaknesses. These weaknesses, \nonce identified, are included in agencies' plans of actions and \nmilestones for prioritization, tracking and correction.\n    The administration is committed to rapid progress, so by \nthe end of this calendar year, all agencies will have a \nrigorous process for developing and implementing plans of \nactions and milestones. As you mentioned this is a management \nissue. And second, 80 percent of the systems will be certified \nand accredited.\n    One reason we believe that IT security can be rapidly \nimproved is that Federal agencies are incorporating security \nconsiderations into their capital planning process. Our \nanalysis shows the percentage of Federal systems with security \ncosts integrated into the life cycle of a system now stands at \n62 percent.\n    Improving Federal information security requires that we \nfocus on enterprise architecture rather than firewalls, \nintrusion detection, vulnerability patches or the latest IT \nsecurity technology. FEA, the Federal Enterprise Architecture, \nreference models will enable better use of standards and \nconfiguration management that we need to secure the Federal \ninformation systems. 
In addition, improvements in agency \nenterprise architectures will enable CIOs to better ensure that \nsecurity and privacy are properly incorporated into their IT \noperations.\n    To assist agency EA efforts in accordance with the \nresponsibilities under FISMA, the National Institute of \nStandards and Technology recently published draft standards for \nsecurity categorization of Federal information and information \nsystems. This proposed standard will be used by all agencies to \ncategorize systems according to risk. NIST is also drafting \ncompanion guidelines recommending the types of information \nsystems to be included in each category as well as minimum \ninformation security requirements.\n    OMB and the CIO Council have developed a process to rapidly \nidentify and respond to cyber threats and critical \nvulnerabilities. CIOs are advised via conference calls as well \nas e-mails of specific actions needed to protect systems. \nAgencies must then report to OMB on the implementation of \ncountermeasures usually in 24 to 72 hours. As a result of these \nearly alerts, agencies have been rapidly closing \nvulnerabilities that otherwise might have been exploited, and \nthis includes use of patch management services to ensure rapid \napplication of patches.\n    The Federal Information Security Management Act will be \ninstrumental in improving the state of Federal IT security. The \nframework and processes in law and OMB policy highlight the \nimportance of management, implementation evaluation and \nremediation for achieving progress.\n    In closing, the administration is committed to a Federal \nGovernment with secure information systems doing the \nsignificant work of this committee, Federal IGs and the \nagencies. I think we are able to point to real improvements in \ngovernment IT security, but there is much more work to be done. \nThank you.\n    Mr. Putnam. Thank you, Mr. Forman.\n    [The prepared statement of Mr. 
Forman follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1648.007 through T1648.014\n    \n    Mr. Putnam. I would like to introduce our second witness \nand welcome our ranking member on the panel to the subcommittee \nhearing. We will move forward with Mr. Dacey's opening \nstatement and then recognize Mr. Clay for his.\n    Mr. Dacey is currently Director of Information Security \nissues at the GAO. His responsibilities include evaluating \ninformation systems security in Federal agencies and \ncorporations, including the development of related \nmethodologies, assessing the Federal infrastructure for \nmanaging information security, evaluating the Federal \nGovernment's efforts to protect our Nation's private and public \ncritical infrastructure from cyber threats, and identifying \nbest security practices at leading organizations and promoting \ntheir adoption by Federal agencies.\n    We welcome you and your insight to the subcommittee and \nappreciate the work that you and GAO have done for us. You are \nrecognized for 5 minutes.\n\n STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY \n               ISSUES, GENERAL ACCOUNTING OFFICE\n\n    Mr. Dacey. Thank you, Mr. Chairman and members of the \nsubcommittee. I am pleased to be here today to discuss efforts \nby Federal agencies and the administration to implement GISRA \nand briefly discuss additional provisions of FISMA, which \npermanently authorized and strengthened GISRA's requirements. 
I \nwill briefly summarize my written statement, which provides \ndetail on the status and progress of these efforts.\n    This chart illustrates the average fiscal year 2001 and \n2002 performance and related progress for 23 of the largest \nFederal agencies based on 6 selected performance measures \ndetailed in OMB's fiscal year 2002 GISRA report. In summary, \naverage improvements generally ranged from 3 to 10 percentage \npoints for the selected measures. Our analysis excluded data \nfor one agency that were not comparable for both years. \nFurther, our analysis of individual agency reports showed mixed \nagency performance and progress, and that overall many agencies \nhad not implemented security requirements for most of their \nsystems. Nonetheless, the second-year implementation of GISRA \nyielded a number of benefits such as increased management \nattention to information security; important actions by the \nadministration, such as integrating information security into \nthe President's Management Agenda Scorecard; an increase in the \ntypes of information being reported and made available for \noversight; and the establishment of a base line for measuring \nagency performance.\n    Also, in its fiscal year 2002 GISRA report, OMB highlighted \nactions and progress to address previously identified \ngovernment-wide weaknesses as well as planned actions to \naddress newly reported challenges.\n    Overall, GISRA reports continue to highlight that, as we \nhave reported for the last several years, agencies have \nsignificant weaknesses in agency security management programs. \nFor example, developing an effective corrective action plan is \na key element of a security management program to ensure \nremedial action is taken to address significant deficiencies. 
\nHowever, of the 14 IGs who reported whether their agencies' \ncorrective action plan addressed all significant weaknesses, \nfive reported that their agency's plans did include them, but \nnine reported that they did not include all material \nweaknesses.\n    It is important for agencies to ensure that they have the \nappropriate information security management structures and \nprocesses in place to strategically manage information security \nas well as to ensure the reliability of performance \ninformation. For example, processes to routinely provide an \nagency with reliable, useful and timely information for day-to-\nday management of information security could help to \nsignificantly improve performance. Further, continued \ncongressional and administration oversight will undoubtedly be \nneeded to achieve significant and sustainable results, \nincluding the implementation of new FISMA requirements.\n    FISMA established additional requirements that can assist \nagencies in implementing effective information security \nprograms, help ensure that agencies incorporate appropriate \ncontrols and provide information for administration and \ncongressional oversight. These requirements include the \ndesignation of and the establishment of specific \nresponsibilities for an agency senior information security \nofficer, implementation of minimum information security \nrequirements for agency systems, required agency reporting to \nthe Congress and inventories of major systems.\n    Successful implementation of FISMA is essential to \nsustaining agency efforts to identify and correct weaknesses. 
\nAs FISMA is implemented, it will be important to continue \nefforts to establish agencywide security management programs; \nto certify, accredit, and regularly test systems to identify \nand correct all vulnerabilities; to complete development of and \ntest contingency plans to ensure that critical systems can \nresume operations after an emergency; to validate agency \nreported information through independent evaluations; and to \nachieve other FISMA requirements.\n    Mr. Chairman and members of the subcommittee, this \nconcludes my statement. I will be pleased to answer any \nquestions that you or other members of the subcommittee may \nhave at this time.\n    Mr. Putnam. Thank you, Mr. Dacey.\n    [The prepared statement of Mr. Dacey follows:]\n\n    [GRAPHICS T1648.015 through T1648.046: TIFF OMITTED]\n    \n    Mr. Putnam. I would also like to recognize and thank Ms. \nWatson for joining the subcommittee and recognize the ranking \nmember for his opening statement.\n    Mr. Clay, you are recognized for 5 minutes.\n    Mr. Clay. Thank you, Mr. Chairman, for calling this \nhearing. I have asked my staff to put up a poster that is from \nthe last computer security hearing held by the Subcommittee on \nGovernment Efficiency in the 107th Congress. The majority \nstaff, working from the same agency reports that are the basis \nof the OMB report issued last month, created this report card. \nHowever, the story this report details is quite different from \nthe more optimistic tone laid out by the administration.\n    Of the 24 agencies examined, 12 showed no improvement in \ncomputer security, and 11 of those agencies had a grade of F in \nboth 2001 and 2002. Those agencies include the General Services \nAdministration, which had a grade of D both years; the \nDepartments of Agriculture, Defense, Energy, Interior, Justice, \nTransportation, Treasury and Veterans Affairs; the Agency for \nInternational Development; the Office of Personnel Management; \nand Small Business Administration. Other agencies showed \ndramatic decline in grade. For example, the National Science \nFoundation went from a B plus in 2001 to a D minus in 2002. The \nNational Aeronautics and Space Administration went from a C \nminus to a D plus. The Environmental Protection Agency went \nfrom a D plus to a D minus. The Department of State went from a \nD plus to an F. The Federal Emergency Management Agency went \nfrom a D to an F. And the Department of Housing and Urban \nDevelopment went from a D to an F. 
However, if we look at the \nchart on page 11 of the administration's report, the government \nis improving on nearly every indicator.\n    One conclusion might be that the agencies have done a lot \nof work between last November and now. Unfortunately, this \nreport card and the OMB report are drawn from the exact same \nagency report. Last week I sent my staff over to the Department \nof Transportation, which, according to this report card, is one \nof the failing agencies, and they came back with a report of an \nagency that was making significant improvement in computer \nsecurity. In fact, the Department of Transportation may well be \na leader in implementing the requirements of the Federal \nInformation Security Management Act. I hope today we can learn \nwhy we have such different summaries on the same agency report.\n    And again, thank you, Mr. Chairman, and my thanks to the \nwitnesses for taking their time to be here today.\n    [The prepared statement of Hon. Wm. Lacy Clay follows:]\n    [GRAPHIC] [TIFF OMITTED] T1648.047\n    \n    Mr. Putnam. I thank the gentleman from Missouri and would \nrecognize the gentlelady from California for her opening \nstatement, if she would like to make one.\n    Ms. Watson. Mr. Chairman, thank you. I don't have an \nopening statement, but I am looking at the details of the \nreport card, and the question comes--and this is from GAO. \nApparently they have described the shortfall. My question to \nanyone on the panel is why don't we see more progress, more \nupward movement in the security, and what accounts for these \nlow grades, the grades of F?\n    Mr. Putnam. If it is OK, Ms. Watson, we will give them a \nheads up. We will lead off with Mrs. Miller and then come back.\n    At this time I recognize the vice chairwoman of the \nsubcommittee Mrs. Miller for the first round of questions. You \nare recognized for 5 minutes.\n    Mrs. Miller. Thank you, Mr. 
Chairman, I will be a few \nmoments here, but I am new to the Congress and obviously new to \nthe subcommittee, but I have to say that looking at that report \ncard is rather startling when we think about the piece of \neducational legislation, No Child Left Behind. Fortunately we \nare not being graded on that kind of accountability with where \nwe are, but as a former elected official at the local level, State \nlevel, dealing with audits for the last 25 years, any time I \nwould see the term ``material weakness,'' you know, your heart \nwould begin to pound. Material weakness is a bad thing, \nobviously.\n    And, Mr. Forman, I think you mentioned--I was taking some \nnotes--over half of all the government agencies are reporting. \nWas that just in the last go-around, reporting material \nweaknesses in information security? And is that operational \naudits that are being conducted, performance evaluations?\n    Mr. Forman. These were part of the financial management \naudits where it is required, and I think, as the chairman \npointed to, a good example of that would have been the Treasury \nDepartment. That was one area where as part of the reviews of \nthe reports from the IG and the CIOs, at that time Assistant \nSecretary for Management Ed Kingman noticed the significant \ngap, tracked it down, and indeed recognized that would be a \nreportable or should be considered as a reportable material \nweakness, and I think properly handled it at that point.\n    Mrs. Miller. You know, when you do certification, I think \nthat starts with accountability. It appears as though we have \nsome difficulty in the Federal Government of retaining CIOs. \nYou have a revolving door going with some of these CIOs. Is \nthis something that Congress could assist you in addressing? \nCould you tell us a little bit as to why we have that situation? 
\nYou have to have a point person, and you have to have \naccountability if we are losing some of our brain trusts there \nand the institutional knowledge is going out the door with \nthem. What can we do there?\n    Mr. Forman. Officially we are looking at this as part of \nthe skills gap assessment, Clinger-Cohen reports that never \nwere really done, the Ego Vac site, we would like to make sure \nthe agencies do that, and as well the agencies should modernize \nthose reports. The Ego Vac did have rather strong human capital \nwork force reporting. And we in the budget passed back to the \nagencies and said that those reports must come into OMB this \nSeptember. So I think sometime in the fall would be appropriate \nafter we have had time to look at those reports.\n    Traditionally the issues that have come up are money-\nrelated, and the administration did ask for the performance \nfund. I think that will help a tremendous amount.\n    Now on a less than official side, the personal note, we are \ntrying to drive an awful lot of transformation through the \nagencies, and these have become some of the most stressful \njobs. The area is--and you will hear from some of the folks \nthat are driving major changes. The areas that need the most \nchange, like computer security, forces an awful lot of \nmanagement reform. I think the chairman was exactly correct. \nThis is very much a management issue, and I am not quite sure \nyet how you keep people from burning out, although that is \nsomething we are going to have to start looking at more and \nmore, because we do need this magnitude of change, and we can't \nlet that stop as the people change. We have to figure out how \nwe deal a little better with the stress, because I would not \nlike us to slow down on some of the transformation in this \nimportant area in particular.\n    Mrs. Miller. Just a note on that, the burn-out in those \nkinds of jobs is not particularly inherent to the Federal \nGovernment. 
You find it throughout the inventory really now \nbecause there is so much stress.\n    Looking at some of the States that are really on the \nleading edge of utilizing technology, they are all struggling \nwith the same thing that the Federal Government is, is \nretaining those kinds of individuals so they don't lose them \noff into the private sector.\n    But you talked about money in those kinds of things, and in \nthe GISRA report you are saying approximately 500 systems are \nsort of at risk again with the security weaknesses and \napparently subject to having some of their funding withheld. Is \nthat an appropriate thing for us to be doing as a Congress? I \nmean, we want to encourage improvement in this report card \ncertainly, and we don't want to be a rat holding the taxpayers' \nmoney. On the other hand, how does all of that work, with you \ndoing your performance evaluations and withholding dollars from \nthe agencies?\n    Mr. Forman. The framework is investment justification. We \ncall it the business case, and the way it works is that there \nare a number of criteria that we know if we don't adequately \naddress before the project really starts to ramp up, chances \nare we will be picking up the pieces in the end. The way that \nplays out in cyber security is that it costs us a lot more to \ngo back and fix the security problems of the systems that are \ndeployed. Had this been correctly addressed early on in the \nprogram, it would have been done much more effectively and at a \nlower cost. So our policy position has been until that gets \nbuilt in from the beginning, we don't want the system to go \nforward because we know it increases both the risk and the cost \nof the system.\n    Mrs. Miller. When you are making those kinds of \ndeterminations about withholding funding, how do you interact \nwith the Congress as far as talking to the appropriators and \nthose kinds of things? 
And is there some sort of exemption they \ncould get if they show you measurable performance increase?\n    Mr. Forman. There are a set of criteria. It is based on \nNIST standards and OMB guidance, A-130, that we use, and \ngenerally that is part of the budget process discussed with the \nagencies via Circular A-11, the basic document used to put the \nbudget together. That is associated with what is called an \napportionment process, which is a financial term of art for how \nappropriations dollars are managed, and that is worked through \nwith the appropriators.\n    I will say the understanding of all that as it relates to \nIT varies from agency to agency because so much of the IT \nbudget is not explicitly appropriated. It is funded out of \nworking capital. There are salaries and expenses.\n    Mrs. Miller. Just a quick question.\n    Mr. Putnam. We are going to have to wrap up this first \nround if that is OK, Mrs. Miller.\n    And Mr. Clay is glad to defer to Ms. Watson, so you get \nanother crack at it, and you are recognized for 5 minutes.\n    Ms. Watson. Thank you, Mr. Chair.\n    I guess if I read the GAO report, I would have my questions \nanswered, but listening very closely, I hear you really have a \npersonal management resource factor that gets in the way of \nmaking more progress. Can you expound a bit?\n    Mr. Forman. First of all, let me say about the grade, I \nthink there are two aspects of this: Where are you in terms of \nstatus, and how much progress are you making. And I will tell \nyou in terms of progress, there is clear progress. We have laid \nout an 80 percent target, to move from 60 percent to 80 percent \nthis year, and very much I am accountable. I am the person to \nhold me accountable. It helps me hold the agency accountable \nfor that. So I am the person that has signed up to the Congress \nto make sure we achieve that under FISMA and the EGO VAC. 
And \nyou will see some of the CIOs, there is a commitment throughout \nthe administration making the progress, and the management \ncommitment from the leadership level is key to making this a \nsuccess. I am fairly comfortable we are making progress. We are \ntracking that quarterly, and you will be getting data to see \nthat as well.\n    On the status side, whether it is an F or D minus, I would \nask that you not grade us on a bell curve, that you hold us to \nstandard academic levels of success.\n    Ms. Watson. Let me just ask, what is the source of this \ngrading chart?\n    Mr. Dacey. Let me jump in a minute. The grades were given \nby the committee essentially based upon, for fiscal 2002, the \nGISRA reports that were provided by the various agencies. The \ncommittee weighted those responses and came up with a composite \ngrade, and that yielded the scores. The prior year was based \nupon some--the work on 2001 from the GISRA report. So it is \npretty much coming from the GISRA reports and the various \nperformance measures and information that are reported therein.\n    Ms. Watson. What kind of progress have you made since this \ncame out in November 2002 up to what you have today?\n    Mr. Dacey. One of the challenges is measuring that \nprogress, and that is something the chairman mentioned in his \nopening statement, and that is the need to be looking at more \nfrequent reporting, and Mark might talk about some of the \nquarterly reporting they are moving to for FISMA in the first \nyear. But I think that is a key element. As I said in my oral \nstatement, it is going to be important for agencies to really \nbuild this into a systematic process so they are getting \ninformation to regularly manage information security along with \nother IT and other areas that they manage. 
And it is going to \nbe important to build those systems, so that GISRA and FISMA \nreporting are an outgrowth of those systems, not the primary \ndirection for gathering the data to include in the reports. And \nsome of that is going to happen, but I think that an important \nelement to make this succeed is to really have that management \nprocess in place and some of this information regularly coming \nto agencywide management CIOs and so forth, and they have the \nright responsibilities and authorities to move forward and make \nsure that security's improved.\n    In terms of the overall issue you mentioned in your initial \nquestion, I think it's going to be important, as I said, to \nmake sure we have security management programs in place. And \nthat's the management structure at the top and commitment by \nleadership to these things, because it does come down to a \nmanagement issue to make sure that technology is properly \nimplemented.\n    Ms. Watson. Have we appropriated the funds to be able to \nput management personnel in the right place?\n    Mr. Dacey. There's a process, and Mr. Forman may want to \nspeak, but it's part of the process of requesting budgets and \nso forth and so on. They do request what they need. And Mr. \nForman might want to expand upon that a little more.\n    Mr. Forman. Virtually all the agencies have chief \ninformation security officers. What really is, I think, the \nheart of getting the Federal Government more secure is what we \nare doing with the infrastructure, networks, \ntelecommunications, the basic competing platforms that we're \nusing. We have tried to, in this year's budget process, \nsignificantly empower the CIOs. It gets to an esoteric risk \nlevel the way we are managing IT in the Federal Government, but \nwe use a business case. And last year we had hundreds of \nprojects. The rule of thumb in security is the more systems you \nhave, the harder it is to make sure they're secure. 
You want to \nintegrate and consolidate infrastructure.\n    Ms. Watson. Let me cut through this. You are talking \ninsider language. Do you have the necessary resources to \norganize in a way that will guarantee greater security at a \ntime when the technology has gone above the line, and people \ncan hack in and expose information, reveal information that can \nbe very harmful and damaging? And particularly when I look at \nNASA and other security systems, I get really worried. Have we \ndone all we can for you, or is it that you are having \nchallenges in organizing and placing--you know, how do we get \nto the problem and show progress? That's my interest.\n    Mr. Forman. I think we're fine with resources. We've added \na significant amount of resources.\n    Ms. Watson. And the challenge is?\n    Mr. Forman. It is a lot of work, and it takes time. The \nolder the systems, less security was built in, the more you \nfind when you do the audit of the system, and then there is \nwork to fix that.\n    Ms. Watson. So it's the timing of trying to improve these \nsluggish systems and bring them up to top operation capacity.\n    Mr. Forman. And we continue to modernize. By the same token \nwe continue to modernize. And I believe we've learned our \nlesson as a government that if you do not work in security \nbefore you start the system, it's going to take you longer and \ncost you more to fix it at the back end. So we're trying to fix \nthe things that are out there, the so-called legacy systems. \nBut we have made good progress in building in--before we move \nforward, making sure security is built in and hence \nCongresswoman Miller's questions.\n    Ms. Watson. Thank you, Mr. Chairman.\n    Mr. Putnam. Let me follow up on Ms. Watson's question. \nFederal Times ran an article, essentially highlighting some of \nthe excuses that agencies have used for not being in \ncompliance. And the FAA said this: ``We have told OMB that we \ncan't be in compliance for a while. 
We don't have the money to \nboth secure our systems and document we have done so.'' Do you \nbuy that, Mr. Forman?\n    Mr. Forman. No.\n    Mr. Putnam. Later in the article, an anonymous information \nsecurity specialist from a social service agency stated, \n``someone at our parent department told OMB we would have it \ndone in July. We can't get it done right by then, so we will \nthrow together some documentation and make it look like we \ndid.'' They go on to say that same information security \nspecialist at the social service agency points out that even if \nthey had the money to do the assessments, they do not have the \nauthority to make local offices cooperate. ``They have their \nown funding and don't report to us. When I call them and ask \nfor this or that, they just ignore me,'' the specialist said.\n    Have you received reports that were so off or so inaccurate \nor so hastily put together that you believe that they \ndeliberately put something together to meet an artificial \ndeadline but knowingly submitted something that was not \naccurate or complete?\n    Mr. Forman. I think the Treasury situation that you alluded \nto in your opening statement is very clear documentation that \nhappens. It is so important to have the independent review by \nthe ITs come concurrent with the report from the CIOs. There \nare so many pressures. I know funding issues. We cannot allow \nourselves to make this into a paperwork exercise. And so the \naudit is incredibly important to us.\n    On the other hand, what I would say is the market is \nstepping up. There are an awful lot of automated tools out \nthere that reduce the cost. And the other thing is NIST is in \nthe second iteration of a tool kit that assists agencies in \nclassifying. The lower the risk of the system or the fact that \nmay be disconnected in the Internet means that there are \ncheaper and faster ways to get the certification and \naccreditation done. 
And that is laid out in the new set of NIST \nguidelines.\n    Mr. Putnam. Everybody seems to agree this is a management \nissue. So what are the consequences for someone with that \nresponsibility who would submit such a report?\n    Mr. Forman. Well, I can't say in blanket how this works. I \nwould ask you to keep in mind the reason that the CIO at the \nState Department did change out, and while I can't speak to all \nthe specifics and the details here, there's no question that \nthe State Department acted partly in response to the IG report \nthat indicated lack of progress in IT security. We downgraded \nthe score on the scorecard--progress, that is, and that had a \nsubstantial impact, ultimately resulting, I believe, is my \npersonal belief, in restructuring greater emphasis in some very \ntough management decisions including allocation of funding that \nweren't being taken before.\n    Mr. Putnam. Mr. Dacey, how widespread do you believe that \nthis attitude is, that it's just another congressional report, \njust another paper that is supposed to be filed, it's fine \nwhether it's done or not?\n    Mr. Dacey. Mr. Chairman, I am not aware of any instances \nwhere we know that reports have been intentionally prepared \nwith improper data or data that's not accurate. At the same \ntime, in looking at FISMA and its implementation, I think it \nwill be important in the long term, as Mr. Forman suggested, \nthat we have an independent audit process that starts to begin \nto look at those performance measures and do auditing on the \nperformance measures, which is not currently required, and \nthink about that as part of that process. I think that would \ngive more credibility to the numbers. It would also make it \nclear to people in the agencies that someone was going to be \nauditing the numbers and lessen the likelihood of people \npreparing statements that might not be accurate.\n    Mr. Putnam. 
You said there is no indication of anyone \nhaving deliberately done it. But clearly, you just didn't fall \noff the turnip truck. Somebody has been quoted by a reporter \nsaying this. It's probably indicative of something more \nwidespread, don't you suspect?\n    Mr. Dacey. I suspect without any cross-checks that there is \ngreat pressure to report such information. That could have \nhappened, sure. But again, it gets back to the issue I think \nFISMA is a basic process that will work. We really need to put \nin place a process to make sure those numbers are accurate. \nThey are self-reported so that the numbers you see in our chart \nand in OMB's testimony are self-reported numbers inherently not \naudited in any way, shape or form other than some information \nwe have on inventories which was specifically asked for in the \nOMB requirements. I think that will always be a challenge \nunless we put in some kind of effort that is going to assure \nboth the agency, the administration and Congress that these \nnumbers that are being reported are accurate. Until that \nhappens, there is a possibility that their reporting could be \ninaccurate.\n    Mr. Putnam. I will abide by my own time element and \nrecognize the ranking member, Mr. Clay, for 5 minutes.\n    Mr. Clay. Thank you, Mr. Chairman.\n    I'd like each of the witnesses to explain for me the \ndifference between the report card prepared by former Chairman \nHorn and the OMB report before us today. Which is correct, and \nhas the government improved since 2001 in the OMB reports, or \nis the government still failing and going from bad to worse as \nthe subcommittee reported last year?\n    Mr. Forman. I think there are substantial improvements. I \ncan go through from the data some differences that I would have \nin the grades. But let me just say, there are some agencies \nthat are doing really well. 
And if you scored a 60 percent as \na--if you were generous and you scored that as a D, at best, \nmost of the agencies would get a D. It's not good enough. It's \njust not flat good enough. We need to be up in the 80 or 90 \npercent range, or A and B range. And that has to be the \nstandard. We can talk about how much progress that we made or \nnot, but for me a progress from an F to a D is not enough. It's \njust not simply good enough.\n    Mr. Dacey. I would like to point out again that this is the \nsame basic information both for the GISRA report from OMB, our \ntestimony and all the grades. So the most recent data we have \nGovernmentwide is September 2002 data, and that gets back to \nthe point where there is a consistency. The grades are the way \nin which the committee assessed and weighted the responses in \nthe GISRA report. What we have presented and what has been \nincluded in OMB's report is some of the statistics and averages \nthat are included in there for the same measures. It is a \nmatter of looking at the same information in slightly different \nways. It gets back to how do we know from September 2002 until \ntoday whether we have made improvements, and the point is we \ndon't really have good reporting processes in place to get that \ninformation on a more timely basis. Right now the next set of \ninformation we will get is September 2003.\n    Mr. Clay. In your testimony last fall, you indicated all 24 \nagencies had significant weaknesses in program management in \nboth 2001 and 2002, and only 2 agencies improved performance in \naccess control. Would you agree that shows little or no \nprogress?\n    Mr. Dacey. It shows some progress, but we still have \nserious problems. Again, we have had general progress at least \nin reported information across all the categories. The \nchallenge is, as Mr. Forman indicated, whether it is F or D, we \nstill have a long way to go to get to where we need to be. 
Yes, \nthat is in the report, and that is probably still the case, and \nthat is one of the areas that I think is particularly important \nthat you have these structures in place for the agencies to \nmanage information security.\n    FISMA started to provide some of that by creating \ninformation security officers and coming up with a set of \nrequirements for them in the agencies. And I believe most of \nthe agencies now have a designated information security--if not \nall--have a designated security information officer.\n    We also--there's a need to have this process in place to \nreport. Again, we don't have specific information, but I \nbelieve a lot of the information for GISRA reporting came from \nefforts to accumulate that information for the purpose of GISRA \nreporting and not as part of a routine process that management \nwas getting the information to use to manage their security \nprogram. I think that has to change to be effective.\n    Mr. Clay. Well, in the OMB report, they list six areas of \ngovernment-wide security weaknesses and then report that the \ngovernment shows improvement over 2001. Do you agree with that \nassessment?\n    Mr. Dacey. I agree with the characterization in OMB's \nreport with respect to the actions that have been taken. It's \nconsistent with what we have seen in doing our work as well. So \nthere has been action taken in each of those areas.\n    And five new areas, or five areas that are newly reported, \nI think those are areas that we knew there were some challenges \nin the past; but identification of five new areas and action \nplans, is important to try to address those in going forward.\n    Mr. Clay. Mr. Forman, according to your report, there are \nonly 8,000 reporting systems in the Federal Government. Now, I \nfind that difficult to believe. Can you explain to the \ncommittee what that number represents and what systems are not \nincluded in that count?\n    Mr. Forman. 
Generally these are combinations of \napplications that work together to perform a function. So, do \nwe have more than 8,000 systems? Probably. The number of \nreporting went up in 2002 compared to fiscal year 2001. I \nsuspect it will go up again this year.\n    But, that said, we know there are many more applications \nthan that number. It's just agencies under the definition in \nGISRA are allowed to bundle together applications and call that \na system. This is the best reporting we've had.\n    I think, for security purposes, that makes sense, because \nthey are generally used by the same group of people, tied to \nthe same network, and work together to support a business \nprocess. At the end of the day, you want to secure all the \ninformation around a business process, and you want to make \nsure that's secure, that business process can keep operating \neven if it's attacked. So I'm fairly comfortable with the \ndefinition that Congress came up with for GISRA. I think it \nexists fairly the same, except for national security systems, \nall training in FISMA. But the focus is appropriate.\n    Mr. Clay. Thank you both for your answers.\n    Thank you, Mr. Chairman.\n    Mr. Putnam. Thank you, Mr. Clay.\n    Mrs. Miller, do you have another round of questions?\n    Mrs. Miller. Just one.\n    You know, I'm looking at this blue chart over there from \nthe GAO about performance measures and those kinds of things. \nMr. Dacey, can you give me a little more specific about what \nkind of performance evaluations you actually do? I can hardly \nsee the bottom. Give me an example of what kind of performance \nmeasures. I mean, we keep talking about this is a management \nproblem, apparently not a financial resource situation; it's a \nmanagement problem. So just what kinds of things do you \nactually look at to measure this performance evaluation?\n    Mr. Dacey. Let me talk about that a minute. 
And hopefully \nyou have something that looks like this up on your desk area \nthat you can see better.\n    In any case, these are six of the areas that were included \nin OMB's report. And what we put together in the chart was to \ntry to really reflect the change from year to year, from 2001 \nto 2002, and on average for 23 of the largest agencies. Again, \nas I said before, the information that goes into these is a \nwhole series of performance measures that were required by OMB \nin reporting on the second year GISRA implementation. And these \nhave been important, because they really are establishing a \nbaseline and a basis for comparison from year to year. And this \nis the first year we have comparative information government-\nwide that we can look at.\n    These are six of the many performance measures that were \nrequired to be reported. These particular ones I think are \nsomewhat illustrative because it gets to some of the critical \nchallenges that we have. If you look at the first column on \nrisk assessment, that's whether the agencies have assessed risk \nin their systems to know what level risk they are accepting and \noperating them.\n    The second is a security plan in place----\n    Mrs. Miller. Let me just ask you about the risk.\n    Mr. Dacey. Sure.\n    Mrs. Miller. What kind of risk assessments, for instance? I \ndon't want to go through the whole thing, but just in that \nparticular column there. What kind of risk assessments do you \nactually do? I mean, risk of terrorists? I mean, some guy with \na laptop in a cave in Afghanistan being able to get into one of \nthe systems in DOD? And are the evaluations for risk \nassessments uniform throughout these last two report cards and \nas we are entering September now?\n    Mr. Dacey. Well, I think--I guess my observations on risk \nassessments would be, they're supposed to include the threats \nto the system. And that's the normal process. 
We actually have a best practices report we issued on risk assessment; it's something that OMB requires to be done. The format and structure of them has a lot--some flexibility built into how detailed they are. So I couldn't say that every agency does it the same way. But what this number represents is the number of systems that those agencies reported that they had assessed risk for, and that's what those columns represent, both the gold for 2001 and the blue for 2002.
    Mrs. Miller. So risk of the type of information that you are gathering? Risk of the type of access that individuals would have to it? Risk of security of that information, those kind of things?
    Mr. Forman. And then the final aspect of that is risk that you wouldn't--the agency wouldn't be able to complete its mission if either the information was stolen, disrupted, or the system processing was shut off.
    Mr. Dacey. As part of that process, just to point out, one of the provisions of FISMA is to actually come up with risk levels. I think that can help a lot, because that will standardize the process by which agencies assess risks and can communicate more effectively between each other and within the agency as to when they are hooking systems together and what the risk levels are. So I think that would be an important improvement. Right now, the risk assessment is a little more subjective, not that it won't be somewhat subjective, but at least it will have a structure that is proposed by NIST as part of the FISMA law.
    Mrs. Miller. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mrs. Miller. Now I'd like to ask each of you: does every agency currently have an acceptable business continuity plan?
    Mr. Forman. Generally we look at that down to the system level. And the answer is, no. That there are big gaps in some agencies and really good success in other agencies.
That's part of the data that is tracked and I think was in our report. I would ask you not only to take a look at the agencies that have a valid contingency plan, but also what I think we need to do one step further that has been tested and validated, very similar to the work that we had to do with the year 2000 contingency plans.
    Mr. Putnam. OK. While we are talking about that, in Mr. Dacey's testimony, he said that less than 50 percent of the contingency plans at 19 out of 24 agencies have been tested. Less than half have been tested. So does that mean that those plans might not work?
    Mr. Dacey. Yeah. I think that really signifies that--until you test it, you don't know it will work, in fact. And there are two issues here. The other number that we have is also the fact that there are a significant number of systems for which they don't have contingency plans. I think it is reported now at about 50 percent, 55 percent, just have the plans to start with; and then the second step is testing those plans to be sure that they would be effective in case of an emergency.
    I think that is a critical area, because absent some of these other controls in other areas, particularly for critical systems, it would be very vital to make sure that those systems could be recoverable in case some of these other weakness areas were exploited and the system availability was lost.
    Mr. Putnam. Nobody ever wants to say that one agency or department is more important than another one. But in terms of the ramifications of having a contingency plan or a disaster management plan, are the agencies that are most at risk and most critical to national security or homeland security the ones who have tested? Has the Social Security Administration tested their contingency plans, and Defense not? Has Homeland Security, has FEMA?
    Mr. Forman. It's a mix. And you will find the data in the table.
You will see, for example, you are absolutely right. Social Security has tested their contingency plans. They are in pretty good shape. By the same token, FEMA did not test their contingency plans.
    Mr. Putnam. So the Emergency Management Agency has no emergency management plan?
    Mr. Forman. They have the plans for--as of the end of last year they had some of the plans. They don't have enough plans. And, moreover, they haven't tested the ones they have. There is significant work that needs to be done here.
    Mr. Putnam. Let's talk about patches very briefly in my remaining time. Then we are going to move to the second panel. Patch management is critical to information security. It goes a long way toward protecting our systems from viruses and other attacks. The PAD-C, the patch authentication and dissemination capability, will provide a system to Federal agencies to manage the patching of their systems. How far along are we in that? How are the agencies participating? Are they responding to OMB's encouragement?
    Mr. Forman. I don't believe I have the exact numbers on how many agencies have signed up. They continue to get more agencies to sign up. This is, again, part of our concept of buy one, choose many. Patches are obviously to use a software code. And to the extent that people have common software--and we have an awful lot of common software in the government--it's better to buy that patch once and then have an automated way to distribute it. So that's why we invested in this patch management, buy-one, choose-many concept.
    I need to get back to you on exactly how many agencies, and I will do that.
    Mr. Putnam. Do you want to add something, Mr. Dacey?
    Mr. Dacey. I don't have the information right in front of me, but a fair number of agencies have signed up for PAD-C. I forget the number. It might be in our testimony. OK. I don't have that with us today.
We can certainly get back to you on that. But it is an important area because it does provide a central source for patches that have been tested and authenticated and placed out there. I think one of the key issues in patch management is that even with that, agencies need to have a process to ensure that these patches are installed and installed properly and don't break other parts of the system. And so they need to take efforts to put that in place. And NIST has some draft guidance out in how to do patch management that is very informative.
    Mr. Putnam. Well, the committee has submitted a letter to the secretaries of the departments, their IGs and CIOs, requesting more frequent updates of information and given them August 1 as a deadline for the update. And we will also be picking up where Mr. Horn left off with the score cards this fall. I think that our first panel will note that this is bipartisan frustration with this, with the inadequate progress on the part of the Federal agencies, and we will continue to monitor this very closely.
    My parting question would be this: are the differences in reports due to different interpretations of what the law requires or a genuine disagreement over the level of information security that exists at the agencies?
    Mr. Dacey. Just for clarification. Difference in which reports are you referring to, Mr. Chairman?
    Mr. Putnam. Different interpretations of the FISMA, GISRA requirements, or to a genuine disagreement over the status of information security between the IGs.
    Mr. Dacey. Between the IGs and the agencies?
    Mr. Putnam. Yes.
    Mr. Dacey. That's an interesting question. There were a number of IGs that did disagree, and I think OMB in fact in their report pointed out that was one of the new challenges that needs to be really looked at and addressed. And Mr. Forman might speak more to that.
That's an area at least that's highlighting where there are differences that go back to the FISMA model and talk about the agency and the IG both working together and the agency providing some validation of that information.
    So I think it's good that we are pointing out where there are differences, and it's also a need then to followup on those differences and find out why they exist. I don't know that we have any information on why the differences exist. In some cases it may be just differences of thought or differences in the systems that were looked at. I do know that when we deal with some of these issues from our audit perspective at GAO, there's not always unanimity in how you interpret the results of your reviews. And a lot of our discussion goes around what does this really mean, how serious of an issue is it. So there also--there can be differences of opinion as well.
    Mr. Putnam. Do you want to add anything, Mr. Forman?
    Mr. Forman. First of all, let me say that we do have some data in followup to your past question on the patch management contract. There are 37 agencies that subscribe to that today. What I need to do in getting back to you is find out how many are Cabinet-level agencies versus small agencies. Obviously, the small agencies really like to use the shared approaches.
    I think that actually the debate is good on what is a covered system and the amount of risk. To have the IG have that independent view and say this system is actually more mission critical or it is more important to the agency's mission than a CIO may say, really reveals to us something about the positioning of the CIO. And generally, as in some of the examples you cited, I notice that the CIO may not have the appropriate status that, sure, maybe in the agency to come forward and say a system is badly performing.
They may be kept out because of the differences between the IT organizations and the bureau program offices.
    So, I think, first of all, it's not necessarily bad to have the disagreement. And, second, it is very important that the IG stay aggressive in this area so that it can reveal to us where are the areas to look.
    Mr. Putnam. Thank you very much for your testimony.
    At this time we will dismiss panel one and seat panel two and move as quickly as possible. Thank you very much, Mr. Forman and Mr. Dacey. The committee will recess for 3 minutes.
    [Recess.]
    Mr. Putnam. We will go ahead and seat the second panel and reconvene the subcommittee hearing.
    I would like to welcome our second panel of witnesses. As is the custom of the subcommittee, we will swear in this panel. I would ask that if you have personnel joining you today who will be assisting you in answering, that they will also rise and be sworn at this time. Please stand and raise your right hands.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses and their supporting cast responded in the affirmative.
    We will move right to panelists' testimony. I begin with Johnnie Frazier. Mr. Frazier was appointed to the position of Inspector General at the Department of Commerce in 1999. The Presidential appointment capped more than three decades of distinguished service at the Department in a variety of leadership roles. During his tenure as IG, Mr. Frazier has significantly strengthened that office's strategic agenda to reflect the most pressing priorities for the Department and the Nation. For example, he has directed key audits and investigations of security weaknesses in Commerce's computer networks information systems and personnel policies. He has initiated assessments of emergency preparedness plans at commerce facilities and prompted examinations of export safeguards on sensitive U.S.
technology. He has precisely defined the IG's direction for the near future around a set of core priorities that strategically target emerging audit and inspection areas of need.
    We welcome you to the subcommittee, and recognize you for 5 minutes for your testimony.

STATEMENT OF JOHNNIE E. FRAZIER, INSPECTOR GENERAL, DEPARTMENT OF COMMERCE

    Mr. Frazier. Mr. Chairman and members of the subcommittee, I am pleased to appear before you today to provide the IG's perspective on IT security in the Department of Commerce. You know, although IT security and data have long been among the Department's most critical assets, ensuring their security, unfortunately, was not a high priority for the Department before GISRA.
    When I first testified on IT security 2 years ago, I had few favorable observations to share. The Department was striving to improve, but our work at that point revealed pervasive security weaknesses that placed sensitive IT security systems at serious risk. As a result, we identified IT security as one of the top 10 management challenges facing Commerce. And while much progress has been made, it still remains high on my top 10 list.
    OMB's fiscal year 2002 report to the Congress on Federal IT security noted that progress is evident and that the government is heading in the right direction. I am pleased to report that Commerce, too, has made progress and is heading in the right direction; but this department, like many others I'm sure, must overcome a history of much neglect. As Commerce's CIO put it, the Department has been coming from behind.
    Our IG GISRA evaluations over the past few years have often found the same basic weaknesses at Commerce that OMB has found throughout the government. First and probably foremost, we have seen the problems, the progress, and the potential that surround senior management's attention to IT security.
Before GISRA, IT security was simply not on the radar screen of senior Commerce management. Through the Secretary and Deputy Secretary's efforts, and quite candidly their bully pulpit, senior managers are increasingly coming to understand that they are responsible for IT security.
    Our independent observations on security education and awareness previously highlighted this as an area of neglect. Again, the Department has responded. Today, all employees and contractors receive security awareness training. But specialized training for personnel with significant IT security responsibilities remains inadequate.
    A third major area centers on the importance of management religiously integrating funding and IT security into Commerce's capital planning and investment control process. While the Department has substantially increased its control over IT investments, it often still struggles to adequately plan IT security controls and costs for every system.
    Our ongoing independent evaluation is also showing that the Department has improved its capability to detect, report, and share information on vulnerabilities. Before GISRA, only 4 of Commerce's 14 operating units had a formal incident response capability. Now, all Commerce operating units have such capability.
    Another matter of particular note to us is the importance of ensuring that contractor services are adequately secure. Our review of 40 of the Department's IT service contracts found that contract provisions to safeguard sensitive systems and information were either insufficient or nonexistent. Why, you ask? Little Federal or departmental guidance or policy in this area.
    On the Federal level, a proposed Federal acquisition clause for IT security is currently under review by the FAR Council. I believe this clause will be beneficial government-wide.
And I am personally pleased that our IG contracting expert, Karen DePerini, who first identified the contract problem at Commerce, is co-chair of the OMB issue group that recommended this clause and is identifying methods to improve security in contracts. And last, but by no means least, aggressive schedules for IT performance measures are having an impact on all parties involved in the IT security effort.
    It should be noted here, however, that although security plans have been required for Federal IT systems since the Computer Security Act of 1987, when I testified 2 years ago, nearly two-thirds of the Department's systems lacked risk assessments, almost half did not have a security plan, and more than 90 percent were not certified or accredited. The Department is vigorously addressing these serious deficiencies.
    The Department's focus can best be seen by looking at its performance measures for system certification and accreditation. According to the Department, between fiscal years 2000 and 2003, the percentage of systems certified and accredited increased from a mere 8 percent to 77 percent of its roughly 600 systems.
    At the same time, I must caution that performance measures do not tell the whole story. Overaggressive schedules can actually weaken the process. Our evaluation suggests that aggressive timeframes have often resulted in premature certification and accreditation, where risk assessments, security plans, testing, evaluation, and review have been inadequate or sacrificed altogether.
    In closing, I am proud that the independent evaluations required of the IGs play a uniquely valuable role in confirming the substance and quality of critical processes and control and in helping ensure that the job is done right. Unfortunately, our resource limitations have not allowed us to do such things as validate the specific details of the Department's annual IT security report.
Likewise, we have not been able to perform vulnerability assessments and penetration testing of nonfinancial systems that would demonstrate whether vulnerabilities exist and intrusions may occur.
    I cannot overemphasize how critical it is that the rigor and integrity of IT security processes be maintained; otherwise, we will have paper security but lack true security. Thank you.
    Mr. Putnam. Thank you very much, Mr. Frazier.
    [The prepared statement of Mr. Frazier follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.048 through T1648.075

    Mr. Putnam. At this time I would like to recognize Robert Cobb.
Following nomination by President Bush and confirmation by the Senate, Robert Cobb took office as NASA's Inspector General in April 2002. Mr. Cobb, in his capacity as a member of the President's Council on Integrity and Efficiency, serves as the Chair of that organization's Information Technology Roundtable, which promotes a coordinated approach to information technology issues among inspectors general across the executive branch. He also serves as an observer to the Columbia Accident Investigation Board, which is examining the February 2003 loss of the space shuttle Columbia and her crew.
    Mr. Cobb was previously associate counsel to the President. In this role, he handled administration of the White House ethics program under the supervision of the counsel to the President, and was responsible for the administration of the conflict of interest and financial disclosure clearance process for candidates for nomination to Senate-confirmed positions. Prior to joining the Office of the Counsel to the President, Mr. Cobb worked for almost 9 years at the U.S. Office of Government Ethics.
    We welcome you. You are recognized for 5 minutes.

       STATEMENT OF ROBERT COBB, INSPECTOR GENERAL, NASA

    Mr. Cobb. Thank you, Chairman Putnam, Ranking Member Clay, Vice Chair Miller. Thank you for the opportunity to discuss information security at NASA and the impact of GISRA and FISMA on the agency's information security program. The Office of Inspector General is committed to helping the agency improve IT security through our ongoing program of IT audits and investigations. I will discuss three areas: the current state of NASA IT security, our audit of the information NASA submitted to OMB under GISRA in fiscal year 2002, and our plans to audit the information submitted by NASA under FISMA in 2003.
    First, I want to highlight some of the unique challenges associated with securing NASA's IT resources.
The NASA vision and mission concern challenges for scientific exploration and discovery. NASA pursues these challenges with a broad array of programs, including research and development in aeronautics, space exploration, and space flight. Needless to say, these endeavors require a complex range of IT systems.
    As context and setting for NASA's IT security challenges, NASA carries out a civilian mission where the distribution of information about scientific exploration, discovery, and achievement is practiced by the agency and expected and desired by the public. NASA is a highly visible agency, with many readily available Web sites, and thus is a natural target for those seeking to illegally access government systems. NASA's IT security program is reliant on the participation and dedication of all employees, contractors, and other partners with access to NASA information. NASA, like every other agency, faces a challenge in convincing its work force that IT security is a primary rather than a secondary responsibility.
    The OIG has examined the state of NASA's IT security, and we identified it as a significant management challenge in our December 2002 report to the Administrator. IT security activities at NASA have historically been carried out on a decentralized basis. This has resulted in a lack of full interoperability among the systems. NASA is moving toward a one-NASA concept, with a greater centralization and integration. However, as long as NASA's governance structure is such that center CIOs and center security officials report to center directors--who are program officials--rather than to NASA's CIO and chief security officer, a fully integrated approach to IT security will be practically impossible at NASA.
    As part of our work, we conduct audits of information security and perform investigations of the criminal misuse of NASA IT systems.
Our recent activities have addressed a broad spectrum of security problems. There are examples from our ongoing investigations where inadequate IT security, such as weak password controls, resulted in unauthorized access to significant amounts of NASA data that was sensitive, but unclassified. The agency is aware of these cases and acknowledges that serious compromises have occurred.
    In our audit work, we have reported on issues including inadequate security training for system administrators, an inconsistently applied program for ensuring security of sensitive systems, inadequate security plans for NASA's IT systems, and an inadequate incident response capability.
    It's important to note that NASA has been responsive to our work and that corrective actions are planned or are underway to address key IT security challenges. Our 2002 GISRA submission reflected the results of 26 final reports and several ongoing assignments related to IT security at NASA. Our submission also reflected IT security-related work performed by the agency's independent accountants as part of their annual review of NASA's financial statements.
    Additionally, we verified and validated the status of weaknesses identified in NASA's Fiscal Year 2002 Plans of Actions and Milestones. The agency generally incorporated our suggestions into their final version that they submitted to OMB.
    Our fiscal year 2002 GISRA efforts were limited to unclassified systems because NASA did not have the national security information systems reviewed in accordance with GISRA requirements.
    During fiscal year 2003, my office continues to conduct a series of IT security-related audits and assessments and will incorporate the results of this work into our FISMA submission. We will also followup on our 2002 GISRA report.
Later this year we plan to start an audit of NASA policies to protect sensitive, but unclassified information.
    The requirements of GISRA and FISMA are having a positive effect on IT security at NASA. The legislation and related OMB guidance provided NASA with a framework for more effectively managing IT security. Because GISRA, and now FISMA, hold agency heads responsible for IT security, NASA senior management is more focused on it. The legislation also requires the agency to consider the view of the Office of Inspector General and to deal with the issues raised in our independent evaluations, and, in my view, this has also had a positive impact on the agency.
    Last, I would like to note that in the NASA OIG, we have an exceptional team of IT auditors, specialists, and computer crimes professionals. Because of the investment the OIG has made in this area, we have been able to provide leadership in the IT area to the IG community through my chairing of the IT Roundtable of the President's Council on Integrity and Efficiency. Through this roundtable, the NASA OIG has sought to promote the sharing of best practices in IT audits and investigations. This concludes my statement.
    Mr. Putnam. Thank you very much, Mr. Cobb.
    [The prepared statement of Mr. Cobb follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.076 through T1648.086

    Mr. Putnam. We have a large panel, and I would ask that everyone be respectful of our 5-minute time limit.
    I now introduce Scott Charbo.
Agriculture Secretary Ann Veneman named Scott Charbo as Chief Information Officer at the U.S. Department of Agriculture in August 2002. As CIO, Mr. Charbo is responsible for the overall management of USDA's information resources and IT assets, overseeing more than 4,000 IT professionals and $1.7 billion in physical assets. He comes to the CIO position from the USDA Farm Service Agency where he served as director of the Office of Business and Program Integration since July 2002. He was responsible for planning, developing, and administering the agency's programs and policies, and provided direction in the areas of economic and policy analysis, appeals and litigation, strategic management, and corporate operations, outreach programs, and strategic planning and leadership in the agency's citizen-centered E-government initiatives.
    Welcome to the subcommittee. You are recognized.

     STATEMENT OF SCOTT CHARBO, CHIEF INFORMATION OFFICER, DEPARTMENT OF AGRICULTURE

    Mr. Charbo. Thank you, Mr. Chairman. With your permission, I will submit my testimony.
    At the Department of Agriculture, I am responsible for computer systems that support billions of dollars in annual program benefits. Information stored on these systems include Federal payroll data and market-sensitive crop, commodity, and farm data, information on food stamps and food safety and proprietary research data. This information is one of USDA's greatest assets.
    Mr.
Chairman, we at USDA are doing a better job initiating change and managing information in IT security at USDA; however, our size, decentralized organization, and the wide array of hardware and software in use, combined with the magnitude of today's cyber threats, mean that we have a tremendous amount of work remaining to reduce the risk to our information assets to an acceptable level.
    Historically, each USDA agency and office funded and managed its own IT investments independent of other organizations in the department. Likewise, security controls employed to protect these investments have been selected independently. This decentralized management structure has created an environment where some USDA agencies have addressed the issues of security and risk while others have not.
    Today, assuring a high level of information security in every USDA agency is a critical issue of USDA's management. Representative of this commitment, we have begun holding our senior executives accountable by including a performance measure in their annual performance plan directly tied to implementing their FISMA plan of action milestones report. With funds from Congress, we are continuing to build a central cyber security program that is providing our agencies with uniform policies, guidance tools, and program management. We are setting clear cyber security goals and then assisting agencies in meeting them. Through our IT capital planning investment control process, we are also doing a better job integrating security in all phases of our IT project life cycle, from initial planning to system retirement. This story of good progress and change with much more work to do is representative of our numbers.
    In 2004, USDA plans to spend about 68 million to protect our information assets. This represents an increase of 6 percent over the 64 million in security spending estimates in fiscal year 2003.
In the past year, six agencies completed risk assessments of their cyber security programs from qualified security contractors, with an additional four now underway. Similarly, nine USDA organizations created independent security risk assessments on 26 separate systems. Many others are currently in the process of completing assessments. Over the past 2 years, we have deployed intrusion detection and antivirus software across the Department. Just this month we held a training session for agency IT staff on how to deploy the Department's latest patch management software solution. By deploying patch management software, we will ensure the most recent releases of software patches.
    Finally, our USDA FISMA and plan of action and milestones report currently shows that we are taking 1,405 distinct actions to address 243 program and system-level weaknesses. While the numbers we report go up and down as threats to our systems change, I am confident we will see progress in our POA&M report.
    At USDA, we are fortunate to have a strong senior information security officer and staff who drive our information and IT security efforts. They are the ones who deserve the credit.
    Mr. Chairman, in your invitation to this hearing, you asked to discuss the actions that we are taking to remedy the deficiencies in both our GISRA and financial reporting. I will focus my comments on the highest-priority initiatives.
    Information assurance starts with employee education and awareness. We are spending--spreading the word across USDA through online courses like the government standard GoLearn.gov classroom training, and numerous technical and management forums.
    Recognizing the importance of this issue, the Secretary and I are personally addressing these concerns at our subcabinet meetings and during regular briefings for our agency heads.
We \nare making good progress establishing executable business \nresumption and recovery plans for critical information systems. \nAt USDA, we are finalizing a standard certification \naccreditation methodology and process for our agencies to \nverify and attest that information security functions as \nrequired.\n    As I mentioned earlier, we revised our IT capital planning \ninvestment control guidance to ensure system owners address \nsecurity at all stages of an IT project's life cycle.\n    I would also like to mention one modernization project that \nis critical to strengthening cyber security at USDA. We are \nredesigning our long distance telecommunication network to \nsupport the growing demand for E-government services, once \nimplemented. Our\nsystem will greatly improve our ability to verify the integrity \nand confidentiality of data transmitted over the network.\n    Thank you for the opportunity to be here, Mr. Chairman. \nThank you.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. Charbo follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1648.087\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.088\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.089\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.090\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.091\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.092\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.093\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.094\n    \n    Mr. Putnam. I now recognize Mr. Ladner. Drew Ladner was \nappointed Chief Information Officer of the U.S. Treasury \nDepartment in March 2003. He is responsible for managing the \nTreasury's $2.5 billion information technology strategy and \nbudget, serving as Treasury's official lead on E-government \ninitiatives, and providing policy direction and oversight of \nthe Department's security programs. Welcome to the \nsubcommittee. 
You are recognized.\n\nSTATEMENT OF DREW LADNER, CHIEF INFORMATION OFFICER, DEPARTMENT \n                          OF TREASURY\n\n    Mr. Ladner. Thank you, Mr. Chairman.\n    Mr. Chairman, Ranking Member Clay, thank you for the \nopportunity to appear today to discuss the state of Treasury's \nIT security as well as the actions underway for remediating the \nDepartment's material weaknesses. The continued leadership of \nthe chairman and the members of the subcommittee is essential \nif we are to improve IT security and accountability not only at \nTreasury but across the Federal Government.\n    The present state of Treasury's IT security requires \nimprovement to achieve our objective: closing all IT-related \nmaterial weaknesses as identified by GISRA's fiscal year 2002 \nreview process. As of March 31, 2003, the Department had 14 \nmaterial weaknesses. These included nine at the Internal \nRevenue Service, three at the Financial Management Service, one \nat the Mint, and one at the Departmental Offices.\n    To bolster IT security, Treasury has taken a number of \nactions to date to resolve outstanding issues addressed by the \nTreasury Inspector General and the Treasury Inspector General \nfor Tax Administration.\n    First, Treasury has implemented an aggressive oversight and \ncompliance program for IT security. During fiscal year 2003, \nreviews will have been completed for all of the bureaus' IT \nsecurity programs to establish a baseline for future annual \nreviews. This is the first time that the Department has \nconducted a complete review of the IT security programs.\n    Second, to maximize implementation success and \naccountability, Treasury has set specific goals to improve \nsecurity with the use of performance measures, including the 80 \npercent to which Mark Forman alluded previously.\n    Third, a combined Federal Information Security Management \nAct 2003 data call has just been instituted by the Treasury \nCIO, IG, and TIGTA. 
This joint data call is expected to remedy \nthe inconsistency to which the chairman referred earlier in \nreporting numbers in the last two surveys performed under \nGISRA.\n    Fourth, Treasury has taken further action to ensure the \nprotection of our critical infrastructure cyber assets.\n    Fifth, to augment the FISMA requirement for periodic \nsecurity training, Treasury has scheduled an IT security \nconference for the bureaus' IT security managers and staffs. \nThis conference will include high-level training sessions and \ntargeted technical sessions focused on Treasury's IT security \nissues, along with promoting new CD-ROM and Internet-accessible \ntraining opportunities.\n    Treasury is committed to identifying the root causes of \nunacceptable IT security and putting in place the structures, \nprocesses, and systems that will ensure the Department has a \nstrong security regime. Let me describe several initiatives \nbriefly that are key.\n    First of all, as soon as I began as Treasury CIO, I decided \nthat my first priority as Treasury CIO would be IT governance. \nPursuant to the Clinger-Cohen Act, the CIO's mission is to \nensure that the Department wisely steward the funds of our \ntaxpayer citizens on technology systems so that we can deliver \nultimately valuable E-government services and other services. \nEstablishing the right structures, processes, and systems of \nsound IT governance not only provides for sound planning and \nbudget allocation, but also necessitates incorporating security \nconsiderations into our capital planning and investment \ncontrols. It's a cardinal rule in business operations that the \nquality of a design has a disproportionate impact on the life \ncycle cost of the system. 
If Treasury's systems are not secure \nwhen we develop and deploy, the Department leaves itself \nvulnerable until deficiencies are remediated and taxpayer \ndollars are not stewarded to boot.\n    An additional benefit is that Treasury increasingly aligns \nits IT operations with Department goals and objectives, \nachieving a more integrated, cohesive, and institutionalized \nsecurity regime across Treasury.\n    In short, achieving a strategic, robust, and integrated \nsecurity regime will be limited if our capital planning \ninvestment control process does not share those same \ncharacteristics.\n    In addition to the new IT governance regime, we are working \nvery hard on the enterprise architecture that also achieves the \ngoals that Mark Forman described previously. This will provide \nus a baseline for planning our security regime as well.\n    Third, proactive interagency collaboration on IT security \nprovides additional evidence of the institutionalization of \nTreasury's IT security. The measures thereof are included in my \nsubmitted statement.\n    In the Office of the CIO, our mission is to steward \nTreasury's information resources with integrity and \nprofessionalism. I remain committed to doing that and working \non everything we can do to ensure that your goals and this \ncommittee's on IT security are stewarded as well. Thank you \nvery much.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. 
Ladner follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1648.095\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.096\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.097\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.098\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.099\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.100\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.101\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.102\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.103\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.104\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.105\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.106\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.107\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.108\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.109\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.110\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.111\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.112\n    \n    Mr. Putnam. I would like to recognize Bruce Morrison. Mr. \nMorrison assumed his duties as Acting Chief Information Officer \nin the Bureau of Information Resource Management in December \n2002. Previously Mr. Morrison was Deputy Chief Information \nOfficer for Operations in the Bureau of Information Resource \nManagement. Mr. Morrison is a career senior Foreign Service \nofficer. During his 26-year career, he has held a succession of \ninformation management positions, including serving as dean of \nthe School for Applied Information Technology in the Foreign \nService Institute. We look forward to your testimony. You are \nrecognized for 5 minutes. Welcome to the subcommittee.\n\nSTATEMENT OF BRUCE MORRISON, ACTING CHIEF INFORMATION OFFICER, \n                      DEPARTMENT OF STATE\n\n    Mr. Morrison. Thank you, Mr. Chairman, and Ranking Member \nClay. I am honored to be here and appreciate the opportunity to \ndiscuss information security at the Department of State. 
While \nwe are not where we would like to be in cyber security, I can \nreport on the initial stages of improving our program.\n    We at the State Department have the highest level of \nsupport and attention from Secretary Powell and Under Secretary \nfor Management Green. Secretary Powell considers information \ntechnology to be a strategic component in implementing U.S. \nforeign policy.\n    Let me summarize IT security at State. We have long had a \nstrong perimeter defense, with technical, physical, and \npersonnel controls, including an antivirus program, firewalls, \nintrusion detection, and incident reporting. However, we \nrealize that a sound cyber security program is built upon a \ndefense-in-depth strategy that includes management controls as \nwell as technical and operational measures. What we have lacked \nin the past is a comprehensive management structure and a \nserious systems authorization program.\n    It is a new day at State, with the convergence of several \nevents bringing a fresh approach and commitment to cyber \nsecurity.\n    First, GISRA, and then, FISMA focused top management \nattention on cyber security. Second, we have new cyber security \nleadership at State. I stepped into the position of acting CIO \n6 months ago. Additionally, there is a new Assistant Secretary \nfor Diplomatic Security with whom we collaborate closely.\n    Finally, OMB very helpfully mandated that we authorize all \nsystems by the fourth quarter of 2004.\n    Our new organization is giving birth to a new cyber \nsecurity culture and is producing results. We have a new Office \nof Information Assurance headed by a senior officer reporting \ndirectly to me. This office handles IT security policy, program \nmanagement, performance measures, risk management, and \nreporting. 
There is increased departmentwide cyber security \nfocus, as all offices are now involved to some degree in cyber \nsecurity through the plans of action and milestones process and \nawareness programs. As I mentioned, there is an excellent \nrapport and collaboration between the Chief Information Officer \nand the Bureau of Diplomatic Security on all aspects of cyber \nsecurity. Similarly, a cooperative partnership exists with the \nChief Financial Officer on Critical Infrastructure Protection \nand the information technology budget.\n    We have a senior-level multidisciplinary cyber security \nadvisory group. There is a close working relationship with the \nOffice of the Inspector General. In biweekly meetings with the \nInspector General, we discuss a variety of cyber security \nissues, with FISMA requirements and systems authorization \ntaking center stage.\n    State has recently established an E-government program \nboard chaired by Under Secretary for Management Green to manage \nall IT funds. Information assurance experts now review every IT \nsystem budget request to assure that appropriate security \nconsiderations are budgeted and executed. Very significantly, \nwe have developed a certification and authorization plan. It \nwas submitted to OMB in March, fully funded in mid-April. We \nare on track with the plan, with 10 percent of our systems \ndone, and a goal of 33 percent by August 2003, and 100 percent \nby August 2004.\n    We are taking specific steps to institutionalize cyber \nsecurity management and practices, enhancing policies, \ndeveloping a cyber security program management plan, \nintegrating security into planning, and providing training. New \nsystems are addressing security from the outset. Our future \nbudget request will include security costs. 
Regular awareness \nsessions for all users, and mandatory training for security \npractitioners will assist in institutionalizing cyber security.\n    In summary, we are still at the early stages of creating a \ncomprehensive cyber security program, but we have made great \nstrides over the past few months. This progress contributed to \nour PMA scores going from red to yellow to green.\n    I appreciate the opportunity to talk before the committee.\n    Mr. Putnam. Thank you, Mr. Morrison. You timed it \nperfectly, too.\n    [The prepared statement of Mr. Morrison follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1648.113\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.114\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.115\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.116\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.117\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.118\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.119\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.120\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.121\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.122\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.123\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.124\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.125\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.126\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.127\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.128\n    \n    [GRAPHIC] [TIFF OMITTED] T1648.129\n    \n    Mr. Putnam. I want to read for you what I read to the first \npanel out of an article from the Federal Times, from an \ninformation security specialist in an anonymous social service \nagency. They state, ``Someone at our parent department told OMB \nwe would have it done in July. We can't get it done right by \nthen, so we will throw together some documentation and make it \nlook like we did.''\n    That never happens in any of your departments. Does it?\n    Mr. Frazier. Of course it happens. Of course it happens. 
\nNotwithstanding the anonymity of the person who stated that, we \nknow that people try to meet these artificial deadlines, and in \nthe process, they--haste makes waste. And it happens.\n    Mr. Putnam. Anyone else wish to jump out there?\n    Mr. Cobb. I think that it's not that they are necessarily \npreparing a fraudulent set of paperwork or that's necessarily \noccurring. Instead it's a question of thoroughness. \nSpecifically, how thorough are the examinations, planning, \ntesting, and the different elements of the security plans.\n    Mr. Putnam. Mr. Ladner.\n    Mr. Ladner. My view is that the process will continue to be \ncompromised until there is a plan that not only addresses the \nobjectives that are set out by the statutes which we have to \ncomply with, but that we go the extra mile. And so what we are \ndoing at Treasury is to certainly hit our numbers on CIA, \ncertainly hit the other objectives, but ensure that we actually \nhave a security governance process and plan in place.\n    Second, I think that the process will continue to be \ncompromised if we view it in static terms instead of dynamic. \nWhat I mean by that, is that we need to be able to have real-\ntime visibility into what's happening at, in our case, the \nbureau level so that we can see on an ongoing basis what the \nnumbers are. And I think over time the data quality will \nimprove, so that we reduce the probability of individuals being \nable to toss over the wall data and reports that are less than \naccurate.\n    Mr. Putnam. I'm told that it's been 3 years since agencies \nwere told to complete their inventory of systems, and that has \nnot yet been fully completed. Is that correct?\n    Mr. Morrison. One of the first things that I did after \ntaking over as CIO was to complete an inventory of systems \nusing OMB and National Institute of Standards and Technology \nguidelines. So it is true that was only done at the State \nDepartment this year.\n    Mr. Putnam. 
So we've had 3 years of artificial deadlines. \nThat's fairly dynamic, and it took 3 years to get there.\n    What about Treasury?\n    Mr. Ladner. Whether it's ensuring that we have a good \nsecurity program or ensuring that, for example, Treasury is \ndelivering services at low cost--at high service levels--to our \nbureaus from our large network, we need to make sure that we \nunderstand what infrastructure we have. And so we have directed \nthe bureaus to participate in a Treasury-wide total cost of \nownership review, which will enable us to know what we have and \ntherefore be able to drive enterprise architecture and the \nability to drive the security programs much more effectively. \nSo we will have that probably within several months, by fall.\n    Mr. Putnam. We look forward to seeing it in the fall. But \nthat will still be substantially beyond when it was to be \ncompleted. Correct?\n    Mr. Ladner. That's my understanding based on what I've \nlearned in the last 3 months. That's correct.\n    Mr. Putnam. OK. What about Ag?\n    Mr. Charbo. We are in the process as well of looking at \nwhat systems we have and where they are. We have 576 IT \nprojects. Our focus right now is to consolidate those down to a \nmore manageable level. Let's retire those that are legacy, \nlet's retire them, move on, identify those under redevelopment, \nbring those into the planning and investment process so that \nsecurity, as Mark discussed earlier, can be placed up front \nwhere it is more cost effective and easier to manage.\n    Mr. Putnam. Mr. Charbo, you came from FSA, so I am going to \npick on you first. In the article the same unnamed person said, \nin expressing their frustration not having appropriate \nauthority, ``they have their own funding and don't report to \nus. 
When I call them and ask for this or that report, they just \nignore me.''\n    Is that something that you found in your role at FSA, that \nyou had difficulty getting the different branches around the \ncountry to take your requests seriously?\n    Mr. Charbo. From a security perspective, that is somewhat \nbetter managed at FSA within the Department. Most of that \nfunding is being placed under the common computing environment \nbudget which is a centralized budget for the service center \nagencies. So we have a better handle on how the security is \nbeing done in those agencies within the service center, FSA \nincluded.\n    Mr. Putnam. So that's not a problem at FSA. Is it a problem \nin other parts of the department?\n    Mr. Charbo. I won't deny that at times it is difficult to \nget information out of agencies, yes. And when we experience \nthat, my position is to go to the Deputy Secretary, the \nadministrators, or directly to the Secretary if we need \nmovement. And I've been getting that support when we do that.\n    Mr. Putnam. Anyone else wish to add to that or comment on \nthat?\n    Mr. Morrison. I think the State Department made a big step \nforward this year by organizing an E-government program board \nthat now governs the entire IT budget. That was a very \nnecessary step to carry out the act.\n    Mr. Frazier. Mr. Chair, at Commerce, one of the biggest \nbattles that we've fought, but I think one of the battles that \nwas absolutely essential, was to make certain that all of the \nindividual agency CIOs reported to, at least for part of their \nmanagement responsibility, to the Department's CIO. And so \nthose individual bureau CIOs now have more authority to \noverride some of the concerns, override even their program head \nif they disagree with him. 
So that is something that has, I \nthink been absolutely critical to improving the process at \nCommerce where you have the individual CIOs reporting to a head \nCIO at the departmental level.\n    Mr. Ladner. In my first month at Treasury, we created with \nthe Treasury Budget Office, a Technology Investment Review \nBoard that reviews all IT investments across Treasury. And so I \nthink that, as bureaus understand both from a statutory \nstandpoint as well as an end-user standpoint that we have to \nhave security considerations integrated into the budget \nprocess, that increasingly that close collaborative \nrelationship is being created.\n    Mr. Putnam. Mr. Cobb, you have heard Mr. Frazier's \ntestimony expressing some concern about artificial deadlines or \noverly aggressive schedules that would cause people to \npotentially cut corners in their quest to get certified or \naccredited. NASA has worked rather hard to improve its \nperformance and has made some progress. How did you ensure that \nthe agency's desire to make that progress didn't lead to \nskimping on the work of correcting vulnerabilities?\n    Mr. Cobb. Well, our audit strategy has been primarily aimed \nat looking at specific systems, and as I mentioned we've done \n26 audits last year of specific systems. Some were agency-wide. \nAnd I took note of the biweekly meetings at State.\n    We don't have those biweekly meetings and we should have \nthem; because, for example, we didn't see NASA's executive \nsummary until a week before they submitted the GISRA report. So \nwe were not on top of the reports of improvement of the NASA \nprograms and NASA's assessments of its systems, by the time we \nfiled our GISRA report. The way in which we are going to get \nafter that is by assessing exactly how thorough NASA was in \ntheir systems analyses. 
In addition, we're going to continue to \ndo our aggressive auditing of NASA systems to determine the \nthoroughness of their systems' analyses and we will try to \nverify their results through sampling.\n    Mr. Putnam. You have heard the recurring theme that this is \na management issue or a technology issue, it's not a money \nissue. Mr. Ladner, your IG stated that there is a general \nfeeling that some bureaus, ``appeared to view the GISRA annual \nreporting process as a pro forma exercise.'' In your GISRA \nreport to OMB, 8 of the 10 current material weaknesses in IT \nsecurity were repeats from 2001.\n    Mr. Morrison, your IG stated that the lack of security \nplanning and missions is the result of, ``insufficient guidance \nfrom the Department, and a general belief that IT information \nsecurity is less important than other elements of security.''\n    Mr. Charbo, your IG at USDA said, ``The Department did not \nhave security plans in place for all its major applications and \ngeneral support systems, had not planned for contingency, had \nnot certified security controls in place and authorized \nprocessing for all of its systems. Nor had the Department \nidentified all of its mission-essential infrastructure, \nconducted risk assessments, or prepared mitigation plans on the \nidentified risks.''\n    What are you all going to do to change the culture at your \ndepartments?\n    Mr. Charbo. We have been doing this in a process where the \nfirst thing is discovery. We feel that we've identified the \nprojects on the IT basis by doing a few things. One is we've \nlowered our waiver process of how departments and agencies \nwithin USDA can spend their dollars for IT so that we can \nidentify where is the money going and what things are being \ndone with this. We've also incorporated that into the \ninvestment process with OMB, the 300 business case analysis \nwhich now requires two key things for this. One is project \nmanagement skills. 
Even though we have a project identified, \nthat does not mean it's going to get delivered on time, on \nbudget, and meeting the requirements that the system was \nintended to do.\n    We now have a process in place that we believe will do \nthat, and that is requiring a name, an accountable person with \nthe skills to deliver that project on time on budget and with \nthe requirements. Security is a major component. Given all the \nrequirements in that document, if security is lacking, it will \nnot go forward. We will not approve that investment moving \nforward. We have also made our senior executives accountable \nunder a security grading process that we have within the chief \ninformation officers. We've started monthly meetings with \nadministrators.\n    Typically what we do is we have to identify what have you \nspent on security rather than it being a definite budgeted line \nitem for security. So we are talking more of a proactive than \nreactive, which, in a lot of the cases, the reports represent. \nIt's just trying to find out what has been done rather than \nwhere we are going. We have identified where do we want to be \nin the next year. Within our office through July, we have \nidentified, on a quarterly basis, where we want to be with \nsecurity. We have done that with our e-government areas, our \nnetwork management and several key areas within the IT area of \nthe Department of Agriculture.\n    Mr. Putnam. Mr. Ladner and Mr. Morrison.\n    Mr. Ladner. At Treasury, I mentioned our focus on the \ncapital planning process. We believe that is absolutely \ncritical if we are going to get change across the Department. 
\nOne of the actions we've taken in the last 3 months is to \ncreate, for the first time, an office of policy and planning \nthat pulls together the IT government's enterprise architecture \nand our tracking of E-Government services so we can integrate \nsecurity--not in a silo-like fashion--but truly across all of \nour functions and across the Department. Second, we have \ndeployed a PKI, a public key infrastructure, and we are looking \nforward to having a framework with specific examples where we \ncan move the ball forward in improving our security. And I \nthink that where the bureaus see the CIO and the CIO leadership \nactively engaged in spending time on improving our security, I \nthink that sends a very strong signal.\n    For example, last week the Bureau of Engraving and Printing \naffixed, for the first time in our Department, a digital \nsignature to a form. We are actively trying to not only improve \nsecurity but also essential PKI vehicles. I am very involved in \nthat and I think that sends a very strong signal to the rest of \nthe bureaus.\n    I would also add, in addition to what Scott said about \naccountability, that at the IRS where security has been an \nissue with regard to reports, they are working very hard with \nmy office to address and to fix our exhibit 300's issue. And I \nthink at the end of the day, we can't wave the flag on progress \nunless we have really made progress and that's the test of \nfixing the 300's. In addition, the IRS is holding their \nmanagers accountable for fixing their security issues on those \n300's and I think that's a real sign. Getting to your question \non the cultural dimension, we're in fact making progress on the \ncultural dimension--but there's a long way to go.\n    Mr. Morrison. Mr. Chairman, Under Secretary Green is \nleading aggressively on the IT security issue. I'm engaged \ndirectly with the other assistant secretaries. 
I'm happy to say \nthat in the last two quarters, we now have over 90 percent of \nthe State Department bureaus engaged in the plans of action and \nmilestone process. As my colleagues have mentioned, it's \nvitally important that security become an integral element of \nthe budget process, which we achieved this spring. So in \nsummary, it's a slow painful process, but we are making \nprogress at changing the culture.\n    Mr. Putnam. Mr. Clay, you're recognized.\n    Mr. Clay. Thank you, Mr. Chairman. Mr. Frazier, the \nDepartment of Commerce accounts for much of the improvement in \nthe OMB table. The subcommittee's report card shows only modest \nimprovement at the Department between 2001 and 2002. Can you \nexplain the difference, and which do you believe is the more \naccurate reflection of the situation at the Department?\n    Mr. Frazier. I guess I could start with a quote from \nsomething my grandmother used to say to me: ``You know, we are \nnot where we should be and where we want to be, but thank God \nwe're not where we used to be.'' So I think there is a mind-set \nin the Department that recognizes that we have made tremendous \nprogress. But I have to tell you, we still have a long way to \ngo. I don't want to speak for what GAO says or even what the \nDepartment CIO says, I'll just speak for what my systems \nevaluators have found. Every time they have gone into an area \nthat has supposedly been certified and has been accredited, \nthey have found problems that continue.\n    Here I will quote Ronald Reagan: ``trust but verify.'' \nThere is usually this mind-set that because somebody tells you \nsomething, it must be true, and that is not always the case. \nAnd I don't think there is any intent to deceive as much as it \nis as let's get this done and let's get that done. 
And as we go \nback and start to verify and see that there are still gaps, we \nhave also been tremendously impressed with how responsive the \nDepartment has been to deal with our issues.\n    And so now you begin to see that they are saying before we \nsend this forward, maybe we ought to go out and do some testing \nand do some validating. So I think that the explanation is that \nwe still have a ways to go. We have made progress. But part of \nit is in the mind-set. I think the Chair has hit it a number of \ntimes on the head by saying that the management philosophy has \nchanged. Take this seriously.\n    The Secretary is making sure that people are held \naccountable for this. One area that I remain concerned with is \nthat I see that the managers, the CIOs have gotten the message. \nI still have concerns as to whether the folks on the front \nlines have gotten the message. I can't tell you how many times \nwe have gone back to tell a CIO of a particular bureau who \nthinks this is one of their model systems. And I say let me \nshow what we have found. And of course they become very \ndisappointed. So there is still a great deal of work to be done \nbut I have to tell you that significant progress has been made. \nBeing one of the folks that has been around a little while and \nagain when I was here 2 years ago, it was such a dismal report. \nSo I can take pride in saying that a lot has happened, but we \nstill have a long way to go.\n    Mr. Clay. Thank you for that response. Mr. Cobb, NASA \naccounts for most of the rest of the improvement in the table. \nThe subcommittee's report card shows a decline in performance \nin that Department between 2001 and 2002. Can you explain that \ndifference and which do you believe is the more accurate \nreflection of the situation at NASA?\n    Mr. Cobb. Well, I think the variance in the views between \nthe IG's and CIO's may be due to the differences in \ninterpretation of the data. 
I think that's the same reason that \nyou have a different story between how the subcommittee views \nthe meaning of data and how OMB views the data.\n    My impression from what I have seen in the 1 year that I \nhave been the NASA IG is that NASA is doing much better than \nwhen I came in. The reason is because the senior levels of \nmanagement and the CIO's office, have acknowledged the fact \nthat they have serious problems. They have had a number of \nmanagement changes in the CIO's office. They have a lot of \nplans and programs that are underway. The verdict is out on \nwhether or not they're going to effectively meet the challenges \nof IT security.\n    But certainly, in terms of the cultural change and what \nthey have not done, is make the center CIOs report to the \nCIO. NASA has 10 or so centers that report to the center \ndirectors. The CIO doesn't write their evaluation. I think NASA \nis doing much better. They're focusing on the problems and we \nkeep beating the drum right behind them.\n    Mr. Clay. How are the front line workers implementing these \napplications and systems?\n    Mr. Cobb. NASA has a very large number of systems and \nrelated systems, NASA reports. But there may be systems and \napplications of systems that information managers don't even \nknow about. The scientific community, in terms of the front \nlines, are very mission-oriented, and I don't think that they \nview their mission as IT security. I think their mission is \ndoing incredible scientific endeavors. And I would absolutely \nagree that the biggest challenge that any CIO has is how to get \nthe entire organization inculcated with a concept that IT \nsecurity is a primary responsibility rather than a secondary \nresponsibility.\n    Mr. Clay. Thank you.\n    Mr. Morrison, the State Department was one of the agencies \nwhose grade went down from 2001 to 2002. Can you explain that \ndecline?\n    Mr. Morrison. 
I wasn't the Chief Information Officer at \nthat time, but I was there. I think that OMB summed it up very \nwell that the Department lost its focus on IT security and \nallowed itself to concentrate more on other matters. We \ncertainly don't dispute the findings of the OIG or the \njudgments of GAO or OMB.\n    Mr. Clay. Mr. Charbo and Ladner, both of your agencies \nreceived failing grades in both 2001 and 2002. Can you explain \nwhy your agencies have not adequately addressed computer \nsecurity over this period? Start with you, Mr. Ladner.\n    Mr. Ladner. Like Mr. Morrison, I am fairly new, about 3 \nmonths, so my understanding from what my briefings have been is \nthat the structures and processes and systems simply weren't in \nplace to facilitate an enterprise-wide view of security, which \nis absolutely critical. And so, for example, at the IRS, where \na number of the security issues have been, what the IRS has \ndone is to transition more from a facilities-based approach to \nan enterprise-wide approach.\n    So this is something that we are now pushing both on a \nTreasury-wide basis as well as at the bureau level.\n    Mr. Clay. Mr. Charbo.\n    Mr. Charbo. I guess just this one time we won't say much \nabout consistency in the grades. From my perspective, I am not \nlooking back at those. We are very focused on where we want to \ngo. Using the FISMA report, we have identified over 1,400 tasks \nthat we need to do to correct the 243 weaknesses that we have, \nrather than just, on a quarterly basis or an annual basis, \ncoming back and trying to say OK, where are we now? We are \ntaking ownership of those to reduce those. We have identified \nfolks in every agency within the Department as to who owns \nresponsibility within those systems to correct it. And our \nvision is to reduce those numbers by half on the next mark if \nwe can, identify the funds that we need in order to do that and \nmove forward with those.\n    Mr. Clay. 
And that process is occurring now.\n    Mr. Charbo. That process is occurring right now.\n    Mr. Clay. Thank you very much for all of your answers. I \nappreciate it.\n    Mr. Putnam. Thank you, Mr. Clay. This panel has made \nseveral references to personal drive affecting their \ndepartments, the leadership, the priority, the sense of urgency \nthat you have brought as fresh leadership in this area. My \nconcern is that we have not institutionalized this as a \npriority in the departments, and that a year from now, when we \nhave someone else sitting here, they say I have only been on \nthe job 3 months or 6 months. I wasn't here for the last FISMA \nor GISRA report. And I know different ones of you have alluded \nto this, but what are the lasting institutional changes that you \nare deploying that will guarantee that regardless of who \noccupies your position, these information security measures \nwill become a part of the culture all the way down to the front \nline level?\n    Mr. Frazier, do you want to jump out there?\n    Mr. Frazier. It is an interesting observation. You remember \nwhen you started earlier this morning, you read the quote from \nThe Federal Times, and you were talking about documentation and \nsomeone had said that we don't think documentation is that \nimportant, we can either document something or we can get the \nwork done. Well, here's where I disagree with that: That \nstatement is absolutely wrong. Because when you document \nsomething, you leave a record so that it doesn't matter whether \nI am sitting as the CIO today and John Doe is sitting there \nnext week. You have a baseline. When something hasn't been \ndocumented, we haven't put it down.\n    Every time a new CIO comes in, they are starting from \nscratch, so we don't make the kinds of progress that we should \nbe building upon. Every time a new CIO comes in, there is a new \nplan that says let's really get this under control. And this is \ndifficult work. 
One of my staff gave me a cartoon that said IT \nsecurity is like a stubborn mule. You know, making progress \nwith it is something that's very difficult but you shouldn't \nhave to reinvent the wheel every time. So it's the documenting \nit so that you begin to institutionalize the process, so \nthere's a frame of reference that we know where we were and all \nof us can talk on the same page, if you will.\n    I think that's one of the important steps that should be \ntaken. So I go back to that and I think that is indicative of \nthe kinds of things that have to happen.\n    Mr. Putnam. What about the attitudes of people you have to \nwork with who think it is an either/or tradeoff?\n    Mr. Frazier. We were lucky. I'll tell you that about 2 \nyears ago when I came up to testify, we were highly critical of \nthe Department. The new Deputy Secretary had just been on the \njob for less than 3 days and he was dragged before the \ncommittee to respond to Bob Dacey's report and my report, and I \nmean, they just ripped him apart. In the process, he left that \nmeeting, called me into his office, and said, ``What do we need \nto do to get this turned around?'' So we have had the kind of \ncooperation that has made a tremendous difference, and it's \nbecause I think that he saw how serious the Congress was about \nthis issue in that it wasn't something that was going to go \naway.\n    And in the process he has instilled in his managers--we do \nsome incredible work at Commerce, but people have to understand \nif you don't have systems and things that are secure, you put \nall of those programs at risk in the process. That message is \nout there, and it's out there and making a difference.\n    Mr. Putnam. We are going to make sure that message gets to \nthe FAA who made the comment. Anyone else?\n    Mr. Morrison. I think that the FISMA Act itself, as well as \nOMB's Presidential management agenda process has gone a long \nways toward institutionalizing IT security. 
It certainly has \nfocused top management attention on this matter. We've made \nfundamental changes in our budget process and frankly, there's \nnothing like having to report every quarter, or in my case, I \nhave to report to the Under Secretary for management, both in \nwriting and orally every month. And there's nothing like having \nto report frequently and regularly to focus your attention on \ncorrecting problems. And I think that this framework that's \nprovided by the act and by OMB is not going to go away, if I go \naway.\n    Mr. Ladner. The reason that change is enduring is that \nthere are structures, processes and systems in place that are \nhard to change, and that's why our first step was IT \ngovernance. So I think that if we want people on the front \nlines to believe that their actions, or lack thereof, have an \nimpact, we have to tie resource allocation to performance. And \nthat's what IT governance and security governance ensures.\n    Clearly there's a long way to go on this front, but our \ngoal at the Treasury Department is to articulate a framework \nwhich we have, and then pick out instances where we are showing \nthat the lack of performance results in resource reallocation. \nAnd that's the kind of change that we believe will be more \nenduring.\n    Mr. Charbo. If I could point out a few of the firsts that \nwe have done that will carry on, regardless of who sits in the \nChair that I sit in right now. We have released some governance \npolicy around security. It's quite a load to the agencies. \nHowever, we are putting people in place and contracts in place \nto help support them in correcting their security needs. We've \nalso started a configuration management and policy board to \nmanage the configurations across the Department. We are testing \nour business systems, the ability to recover. 
We're doing that \nat FSA, at NRCS, Rural Development, the National Finance \nCenter.\n    First time now we are consistently testing these on a timed \nbasis, so it's not just once when somebody asks whether or not \nwe're doing it, but it's on a regular cycle now that we're \ntesting those, and that's more and more systems that we're \ndoing it as well. We have also initiated a department-wide \nprocess to identify what the plans are. Where one system is \ndependent on another, if that system goes down, others may go \ndown. We're interested in those threats.\n    So we have initiated some process to connect those dots, \nidentify the trees that we need to initiate in the event of a \ncrisis. We have also changed our investment board around so now \nthat security is a key component in all of the investments \nwithin USDA. The CIO owns those projects, positioning those \nprojects within that investment board. On April 1, we released \nour first enterprise architecture vision of where we would like \nto see the investments move in the Department of Agriculture as \nwell.\n    And last, we're training folks in project management. We've \ninitiated a number of classes. Those classes are done in \nvarious locations throughout the country to provide us the \nquality folks that we need to deliver on some of these things. \nI believe those will continue, whether or not I'm in the chair \nthat I currently sit in.\n    Mr. Putnam. Mr. Cobb, do you have anything to add?\n    Mr. Cobb. I would agree with that. I think that FISMA is \nproviding our IG office with the tools to get after the agency \nin terms of making sure that their programs are compliant with \nwhat you would expect from a robust IT security system. One \nconcern I have about the structure of GISRA and FISMA is the \nextent to which the act requires independent evaluations of the \nsystem as a whole. 
Also, whether the system, from an umbrella \nstandpoint, is actually accomplishing the objective of \nprotecting information.\n    I would like to have my office work toward conducting a \nreview of the policies to see whether or not they are \nsubstantively working. And the other big point that gets back \nto that front line is that it is critical to inculcate all \nFederal employees on the importance of IT security. There may \nbe an avenue for legislating training requirements to make sure \nthat this message is communicated. However, I'll leave that to \nspeculation at this point.\n    Mr. Putnam. We look forward to hearing your conclusion when \nyou reach it, and we'll let that be the final word for the \nsecond panel. You know, it seems that the Federal Government \nnever really learned its lesson on physical security or \nperimeter security and enforced protection until after Beirut, \nand Oklahoma City and Khobar Towers and the U.S.S. Cole, and we \nnever really learned our lessons on aviation security until \nafter September 11. And it seems terribly frustrating that what \nit would appear is that it will take a digital September 11 or \ndigital Pearl Harbor or some catastrophic cyber attack for \npeople to get the message that this is important, that this is \na priority, not just in some egghead CIO's office, but all the \nway down to the front line as part of their daily \nresponsibilities.\n    And I think that is the part that is incredibly \nfrustrating. We hear an awful lot of connecting the dots and \nlearning from the mistakes of the past. As it relates to cyber \nthreats, there is very little indication that anyone takes the \nthreat seriously. I want to thank our witnesses for their \ncontribution to our efforts in understanding this issue better, \nand I look forward to your continuing cooperation as we move \ntoward greater coordination and more progress in improving our \nFederal Government's information security. I also want to thank \nMrs. 
Miller, Ms. Watson and Mr. Clay for their participation \nand leadership on the subcommittee.\n    In the event that there may be additional questions that we \ndid not get to today, the record will remain open for 2 weeks \nfor submitted questions and answers. Thank you all very much \nand the subcommittee stands adjourned.\n    [Whereupon, at 12:25 p.m., the subcommittee was adjourned.]\n    [Additional information submitted for the hearing record \nfollows:]\n\n</pre></body></html>\n"