[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





 CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF 
  THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL 
                                AGENCIES

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 24, 2003

                               __________

                           Serial No. 108-100

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

91-648              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Chip Walker, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 24, 2003....................................     1
Statement of:
    Charbo, Scott, Chief Information Officer, Department of 
      Agriculture................................................   115
    Cobb, Robert, Inspector General, NASA........................   101
    Dacey, Robert F., Director, Information Security Issues, 
      General Accounting Office..................................    23
    Forman, Mark A., Administator for Electronic Government and 
      Information Technology, Office of Management and Budget....    12
    Frazier, Johnnie E., Inspector General, Department of 
      Commerce...................................................    71
    Ladner, Drew, Chief Information Officer, Department of 
      Treasury...................................................   126
    Morrison, Bruce, acting Chief Information Officer, Department 
      of State...................................................   146
Letters, statements, etc., submitted for the record by:
    Charbo, Scott, Chief Information Officer, Department of 
      Agriculture, prepared statement of.........................   118
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................    58
    Cobb, Robert, Inspector General, NASA, prepared statement of.   104
    Dacey, Robert F., Director, Information Security Issues, 
      General Accounting Office, prepared statement of...........    25
    Forman, Mark A., Administator for Electronic Government and 
      Information Technology, Office of Management and Budget, 
      prepared statement of......................................    15
    Frazier, Johnnie E., Inspector General, Department of 
      Commerce, prepared statement of............................    73
    Ladner, Drew, Chief Information Officer, Department of 
      Treasu128..................................................
    Miller, Hon. Candice S., a Representative in Congress from 
      the State of Michigan, prepared statement of...............    10
    Morrison, Bruce, acting Chief Information Officer, Department 
      of State, prepared statement of............................   148
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     5

 
 CYBER SECURITY: THE STATUS OF INFORMATION SECURITY AND THE EFFECTS OF 
  THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT [FISMA] AT FEDERAL 
                                AGENCIES

                              ----------                              


                         TUESDAY, JUNE 24, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam, Miller, Clay and Watson.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker and Lori Martin, professional staff 
members; Ursula Wojciechowski, clerk; Suzanne Lightman, fellow; 
Bill Vigen and Richard McAdams, interns; Jamie Harper and Kim 
Bird, legislative assistants; David McMillen, minority 
professional staff member; and Cecelia Morton, minority office 
manager.
    Mr. Putnam. A quorum being present, this hearing on the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order. 
Good morning, and welcome to the second in a planned series of 
hearings addressing the important subject of cyber security.
    Today we continue our in-depth review of cyber security 
issues affecting our Nation. Specifically this hearing will 
focus sharply on the efforts within the Federal Government to 
secure our own computer networks. Our critical infrastructure 
of the cyber kind must have the same level of protection as our 
physical security if we are to be secure as a Nation from 
random hacker intrusions, malicious viruses or, worse, serious 
cyber terrorism.
    There are several things unique to cyber attacks that make 
the task of preventing them particularly difficult. Cyber 
attacks can occur from anywhere around the globe, from the 
caves of Afghanistan to the warfields of Iraq, from the most 
remote regions of the world, or simply right here in our own 
backyard. The technology used for cyber attacks is readily 
available and changes continually, and maybe most dangerous of 
all, is the failure of many people critical to securing these 
networks and information from attack to take the threats 
seriously, to receive adequate training and to take the steps 
necessary to secure their networks.
    A serious cyber attack would have serious repercussions 
throughout the Nation in a physical sense and in very real 
economic terms. A recent report under Government Information 
Security Reform Act once again demonstrates that we have a long 
way to go in the Federal Government to feel the least bit 
confident that we have secure computer networks. Before going 
into more detail about the report, I want to comment briefly 
about the timing. This latest GISRA report was released this 
May. It was based on information provided to OMB in September 
2002. This is kind of like being an astronomer and looking in 
the telescope at the stars, all the while realizing that what 
you are viewing actually occurred a long, long time ago. We 
need to find a way to get more real-time reporting, and I want 
to work with OMB on improving the timeliness of their 
information.
    The current GISRA report demonstrates that progress in 
computer security at Federal agencies is proceeding slowly, and 
that simply is no longer acceptable. The OMB report to Congress 
identified a number of serious weaknesses. Many agencies are 
facing the same security weaknesses year after year, such as 
the lack of system-level security plans and certifications and 
accreditations. Some IGs and CIOs from within the same agencies 
have vastly different views of the state of the agency security 
programs. Many agencies are not adequately prioritizing their 
IT investments and are seeking funding to develop new systems 
while significant weaknesses exist in their legacy systems. Not 
all agencies are reviewing all programs and systems every year 
as required by GISRA. More agency program officials must engage 
and be held accountable for ensuring that the systems that 
support their programs and operations are secure. The old 
thinking of IT security as the responsibility of a single 
agency official or the agency's IT security office is out of 
date, contrary to law and policy, and that significantly 
endangers the ability of these agencies to safeguard their IT 
investments.
    The Departments of Treasury, State and Agriculture all have 
serious problems with their information security. Both the CIOs 
and the IGs of these agencies have concerns. In addition, GAO 
has indicated a concern with computer security for all three 
agencies in its performance and accountability series.
    In the fiscal year 2002 GISRA report, the Department of 
Agriculture reported that less than 26 percent of its systems 
were in compliance with the eight metrics that the OMB 
reported. The agency had 70 material weaknesses in the area of 
information security reported by the IG. In addition, according 
to the IG, the agency is not conducting risk assessments of its 
systems in compliance with either OMB or GISRA's requirements. 
This year the agency reported an increase in systems operating 
without written authority and an increase in systems that do 
not have up-to-date IT security plans.
    The Department of State did not report information for the 
fiscal year 2001 GISRA report. It reported three material 
weaknesses for information security for fiscal year 2002. In 
June 2001, the Department's IG released a report that 
highlighted a number of areas that State needs to address. They 
included assessing vulnerability of systems, conducting 
security control evaluations at least once every 3 years, and 
testing security controls. State reported in their fiscal year 
2002 report that none of its systems have been certified and 
authorized, and only 15 percent have an up-to-date IT security 
plan. Finally, State reported that only 11 percent of its 
systems have contingency plans, and of those, none had ever 
been tested.
    Although the Department of Treasury reported that, in the 
2002 GISRA report, 41 percent of its systems were assessed for 
risk, its IG reported that Treasury did not use an adequate 
methodology to determine that risk; therefore, its assessments 
were not valid under the law. There are also significant 
discrepancies in many of the metrics reported in the GISRA 
report between the Department and its IG. For example, the 
Department reported 451 of its systems were reviewed; however, 
the IG reports that only 204 systems were reviewed. Treasury 
has also reported 11 material weaknesses related to information 
security.
    I understand that many of those testifying today are 
relatively new to their jobs. We are not here today to point 
fingers, although I have serious questions about accountability 
and responsibility for these egregious failures to perform 
minimum requirements. We are here to identify weaknesses or 
roadblocks, find solutions and make progress.
    In a recent edition of the Federal Times headlined 
``Computer Security Dilemma: Agencies Must Choose--Follow the 
Law or Fix the Problem,'' several government IT managers 
complained that the documentation process set up by Congress 
gives them a choice to document their security problems for 
Congress or to fix them. This attitude is disturbing, to say 
the least. For most IT managers, the documentation process set 
up by Congress is the only reason they discovered many of their 
security weaknesses. Before the documentation process, many IT 
managers couldn't identify their critical systems. Sadly, even 
with the documentation process required by Congress, many 
systems are still unidentified. That said, the committee will 
try and remain open-minded, and if any of the witnesses today 
would like to support this either/or contention as reflected by 
the article, we look forward to hearing it.
    As the subcommittee continues to examine the cyber security 
issue, we see the same recurring theme. Securing these networks 
is not about money or technology, but about management. The 
weaknesses identified are weaknesses that would be 
significantly reduced if approved procedures and protocols or 
best practices were actually followed. For example, GAO still 
conducts audits to this day where they find default passwords 
in place or where systems have not been tested in a production 
environment. Patches remain uninstalled on systems for months 
after known vulnerabilities are identified. These rudimentary 
lapses are not acceptable.
    There are a number of issues still up for consideration 
before the Congress. These include requiring that the common 
criteria be the standard government-wide; automated 
vulnerability scanning; new levels of accountability; and 
confronting the issue of CIO retention head on.
    While some progress is clearly being made at Federal 
agencies, going from an F to a D is not saying a lot. It is my 
hope that the Congress, OMB, the CIOs, the IGs and the GAO can 
work together to move our level of IT security government-wide 
into a range where we have some degree of comfort that our 
systems are secure. We are far from that point today.
    I would like to thank the witnesses for coming today and 
presenting the valuable testimony. As with all of our hearings, 
today's can be viewed live via Webcast by going to 
reform.house.gov and clicking on the link under multimedia.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.001
    
    [GRAPHIC] [TIFF OMITTED] T1648.002
    
    [GRAPHIC] [TIFF OMITTED] T1648.003
    
    [GRAPHIC] [TIFF OMITTED] T1648.004
    
    Mr. Putnam. At this point I would like to yield to the vice 
chairwoman of the subcommittee, the gentlelady from Michigan, 
Mrs. Miller.
    Mrs. Miller. Thank you, Mr. Chairman.
    In a post-September 11 environment, the Federal Government 
has been forced to reevaluate its security procedures. The 
logistics associated with such an attack are huge, and today we 
focus on the security of Federal information systems.
    There has been a long-held belief that there should be one 
oversight facilitator for the entire Federal Government, 
government chief technology officer in a sense. I think this 
idea has some merit in order to ensure that government-wide 
uniformity occurs. However, one thing is clear, as technology 
continues to evolve at quite an astonishing rate, quite 
frankly, the Federal Government must not be left behind 
utilizing technology and systems designed for a different time 
and different type of threat. For these reasons, I am pleased, 
Mr. Chairman, that you have called this hearing so that 
Congress has an opportunity to objectively evaluate security 
measures taken by Federal agencies.
    To be frank, with the active measures that international 
terrorists are taking against our freedoms, I am concerned that 
certain Federal agencies appear to be lax with their efforts to 
improve system safeguards. Oversight reports by the GAO and the 
OMB frequently identify areas of concern and countless examples 
of Federal agencies in noncompliance with various laws and 
regulations related to system securities. Incomplete and 
inaccurate reports that are required of Federal agencies, the 
apparent inability of agencies to reach their own stated 
performance goals, and in many cases the blatant and utter 
disregard of federally mandated requirements are just some of 
the issues that we face in this regard.
    Since September 11, Americans have stated in poll after 
poll that homeland security and the war against terror is the 
most important issue facing our great Nation. I am concerned 
that individuals within the Federal Government, individuals 
that Americans trust to protect them and their families, do not 
seem to understand the nature of the cyber threat. However, in 
spite of current problems, the government is faced with a 
historic opportunity. With the passage of GISRA and the E-
Government Act of 2002, which includes the FISMA, Federal 
agencies now have the tools and the necessary support to 
develop and implement substantial information security reform.
    There has been some success, as the government moves 
forward. The work being done at the Department of Commerce is 
really a great example. And those examples of success should be 
used as a model for other agencies. I certainly look forward to 
working with you, Mr. Chairman, and the other members of this 
committee to assist agencies with their reform objectives. 
Thank you.
    Mr. Putnam. I thank the gentlelady for her interest in 
these issues and her outstanding work on behalf of the 
subcommittee.
    [The prepared statement of Hon. Candice S. Miller follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.005
    
    [GRAPHIC] [TIFF OMITTED] T1648.006
    
    Mr. Putnam. At this time we will move to witness testimony. 
Witnesses will please rise and raise their right hands for the 
oath.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record both witnesses responded in 
the affirmative, and we will move forward with opening 
statements. I will begin with our first witness for his 5-
minute statement, Mark Forman. In June 2001, Mr. Forman was 
appointed by President Bush to oversee implementation of the 
21st century information technology throughout the Federal 
Government. Mr. Forman is the first person in the Federal 
Government to fulfill responsibilities normally associated with 
a corporate chief information officer. Under his leadership, 
the Federal Government has received broad recognition for its 
successful use of technology in the government. He manages over 
$58 billion in IT investments and leads the President's E-
Government Initiative to create a more productive 
citizencentric government. He is a frequent guest of our 
hearings and always has a very fruitful and candid view of the 
government's progress in all matters related to technology and 
electronic government.
    Mr. Forman, you are recognized for 5 minutes. Welcome to 
the subcommittee.

   STATEMENT OF MARK A. FORMAN, ADMINISTATOR FOR ELECTRONIC 
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Mr. Forman. Thank you, Mr. Chairman and Congresswoman 
Miller. Thank you for inviting me to discuss the status of the 
Federal information security and the effects of FISMA at the 
departments and agencies. I do look forward to working with you 
to improve the timeliness of our report, and I agree with you 
that it should come up early as well.
    I think we have a number of actions at the staff level. We 
have been working with your staff to accelerate the reporting 
and make sure we are both getting good data on the status. As 
noted in our report to Congress, progress has been made in 
identifying and remediating longstanding IT security problems, 
but there is much work that remains before we can say IT 
systems are adequately secured in the Federal Government.
    FISMA requires that Federal agencies report as a material 
weakness any significant deficiency in a policy, procedure or 
practice, and over half of the large agencies have declared at 
least one material weakness relating to IT security. 
Deficiencies exist in a number of areas, including access 
controls, configuration management, security policy and 
training. From a government-wide perspective, the most common 
weaknesses include a lack of system-level security plans, 
legacy systems that are not appropriately secured, and plans of 
actions and milestones that do not include all of the agency 
systems.
    Nonetheless, in fiscal year 2002, departments and agencies 
have made measurable progress in IT security by conducting 
activities such as risk assessment, security planning, 
certification and accreditation, training and contingency 
planning. Of Federal systems in fiscal year 2002, 65 percent 
have been assessed for risk; 62 percent had an up-to-date 
security plan, 47 percent had been certified and accredited, 
and 55 percent had a contingency plan. We believe that is about 
double the status of IT security in 2001. I know the General 
Accounting Office has some difference and would be glad to 
discuss that.
    As noted in our report to Congress, agencies are testing an 
increasing percentage of their systems for management, 
operational and technical control weaknesses. These weaknesses, 
once identified, are included in agencies' plans of actions and 
milestones for prioritization, tracking and correction.
    The administration is committed to rapid progress, so by 
the end of this calendar year, all agencies will have a 
rigorous process for developing and implementing plans of 
actions and milestones. As you mentioned this is a management 
issue. And second, 80 percent of the systems will be certified 
and accredited.
    One reason we believe that IT security can be rapidly 
improved is that Federal agencies are incorporating security 
considerations into their capital planning process. Our 
analysis shows the percentage of Federal systems with security 
costs integrated into the life cycle of a system now stands at 
62 percent.
    Improving Federal information security requires that we 
focus on enterprise architecture rather than firewalls, 
intrusion detection, vulnerability patches or the latest IT 
security technology. FEA, the Federal Enterprise Architecture, 
reference models will enable better use of standards and 
configuration management that we need to secure the Federal 
information systems. In addition, improvements in agency 
enterprise architectures will enable CIOs to better ensure that 
security and privacy are properly incorporated into their IT 
operations.
    To assist agency EA efforts in accordance with the 
responsibilities under FISMA, the National Institute of 
Standards and Technology recently published draft standards for 
security categorization of Federal information and information 
systems. This proposed standard will be used by all agencies to 
categorize systems according to risk. NIST is also drafting 
companion guidelines recommending the types of information 
systems to be included in each category as well as minimum 
information security requirements.
    OMB and the CIO Council have developed a process to rapidly 
identify and respond to cyber threats and critical 
vulnerabilities. CIOs are advised via conference calls as well 
as e-mails of specific actions needed to protect systems. 
Agencies must then report to OMB on the implementation of 
countermeasures usually in 24 to 72 hours. As a result of these 
early alerts, agencies have been rapidly closing 
vulnerabilities that otherwise might have been exploited, and 
this includes use of patch management services to ensure rapid 
application of patches.
    The Federal Information Security Management Act will be 
instrumental in improving the state of Federal IT security. The 
framework and processes in law and OMB policy highlight the 
importance of management, implementation evaluation and 
remediation for achieving progress.
    In closing, the administration is committed to a Federal 
Government with secure information systems doing the 
significant work of this committee, Federal IGs and the 
agencies. I think we are able to point to real improvements in 
government IT security, but there is much more work to be done. 
Thank you.
    Mr. Putnam. Thank you, Mr. Forman.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.007
    
    [GRAPHIC] [TIFF OMITTED] T1648.008
    
    [GRAPHIC] [TIFF OMITTED] T1648.009
    
    [GRAPHIC] [TIFF OMITTED] T1648.010
    
    [GRAPHIC] [TIFF OMITTED] T1648.011
    
    [GRAPHIC] [TIFF OMITTED] T1648.012
    
    [GRAPHIC] [TIFF OMITTED] T1648.013
    
    [GRAPHIC] [TIFF OMITTED] T1648.014
    
    Mr. Putnam. I would like to introduce our second witness 
and welcome our ranking member on the panel to the subcommittee 
hearing. We will move forward with Mr. Dacey's opening 
statement and then recognize Mr. Clay for his.
    Mr. Dacey is currently Director of Information Security 
issues at the GAO. His responsibilities include evaluating 
information systems security in Federal agencies and 
corporations, including the development of related 
methodologies, assessing the Federal infrastructure for 
managing information security, evaluating the Federal 
Government's efforts to protect our Nation's private and public 
critical infrastructure from cyber threats, and identifying 
best security practices at leading organizations and promoting 
their adoption by Federal agencies.
    We welcome you and your insight to the subcommittee and 
appreciate the work that you and GAO have done for us. You are 
recognized for 5 minutes.

 STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY 
               ISSUES, GENERAL ACCOUNTING OFFICE

    Mr. Dacey. Thank you, Mr. Chairman and members of the 
subcommittee. I am pleased to be here today to discuss efforts 
by Federal agencies and the administration to implement GISRA 
and briefly discuss additional provisions of FISMA, which 
permanently authorized and strengthened GISRA's requirements. I 
will briefly summarize my written statement, which provides 
detail on the status and progress of these efforts.
    This chart illustrates the average fiscal year 2001 and 
2002 performance and related progress for 23 of the largest 
Federal agencies based on 6 selected performance measures 
detailed in OMB's fiscal year 2002 GISRA report. In summary, 
average improvements generally ranged from 3 to 10 percentage 
points for the selected measures. Our analysis excluded data 
for one agency that were not comparable for both years. 
Further, our analysis of individual agency reports showed mixed 
agency performance and progress, and that overall many agencies 
had not implemented security requirements for most of their 
systems. Nonetheless, the second-year implementation of GISRA 
yielded a number of benefits such as increased management 
attention to information security; important actions by the 
administration, such as integrating information security into 
the President's Management Agenda Scorecard; an increase in the 
types of information being reported and made available for 
oversight; and the establishment of a base line for measuring 
agency performance.
    Also, in its fiscal year 2002 GISRA report, OMB highlighted 
actions and progress to address previously identified 
government-wide weaknesses as well as planned actions to 
address newly reported challenges.
    Overall, GISRA reports continue to highlight that, as we 
have reported for the last several years, agencies have 
significant weaknesses in agency security management programs. 
For example, developing an effective corrective action plan is 
a key element of a security management program to ensure 
remedial action is taken to address significant deficiencies. 
However, of the 14 IGs who reported whether their agencies' 
corrective action plan addressed all significant weaknesses, 
five reported that their agency's plans did include them, but 
nine reported that they did not include all material 
weaknesses.
    It is important for agencies to ensure that they have the 
appropriate information security management structures and 
processes in place to strategically manage information security 
as well as to ensure the reliability of performance 
information. For example, processes to routinely provide an 
agency with reliable, useful and timely information for day-to-
day management of information security could help to 
significantly improve performance. Further, continued 
congressional and administration oversight will undoubtedly be 
needed to achieve significant and sustainable results, 
including the implementation of new FISMA requirements.
    FISMA established additional requirements that can assist 
agencies in implementing effective information security 
programs, help ensure that agencies incorporate appropriate 
controls and provide information for administration and 
congressional oversight. These requirements include the 
designation of and the establishment of specific 
responsibilities for an agency senior information security 
officer, implementation of minimum information security 
requirements for agency systems, required agency reporting to 
the Congress and inventories of major systems.
    Successful implementation of FISMA is essential to 
sustaining agency efforts to identify and correct weaknesses. 
As FISMA is implemented, it will be important to continue 
efforts to establish agencywide security management programs; 
to certify, accredit, and regularly test systems to identify 
and correct all vulnerabilities; to complete development of and 
test contingency plans to ensure that critical systems can 
resume operations after an emergency; to validate agency 
reported information through independent evaluations; and to 
achieve other FISMA requirements.
    Mr. Chairman and members of the subcommittee, this 
concludes my statement. I will be pleased to answer any 
questions that you or other members of the subcommittee may 
have at this time.
    Mr. Putnam. Thank you, Mr. Dacey.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.015
    
    [GRAPHIC] [TIFF OMITTED] T1648.016
    
    [GRAPHIC] [TIFF OMITTED] T1648.017
    
    [GRAPHIC] [TIFF OMITTED] T1648.018
    
    [GRAPHIC] [TIFF OMITTED] T1648.019
    
    [GRAPHIC] [TIFF OMITTED] T1648.020
    
    [GRAPHIC] [TIFF OMITTED] T1648.021
    
    [GRAPHIC] [TIFF OMITTED] T1648.022
    
    [GRAPHIC] [TIFF OMITTED] T1648.023
    
    [GRAPHIC] [TIFF OMITTED] T1648.024
    
    [GRAPHIC] [TIFF OMITTED] T1648.025
    
    [GRAPHIC] [TIFF OMITTED] T1648.026
    
    [GRAPHIC] [TIFF OMITTED] T1648.027
    
    [GRAPHIC] [TIFF OMITTED] T1648.028
    
    [GRAPHIC] [TIFF OMITTED] T1648.029
    
    [GRAPHIC] [TIFF OMITTED] T1648.030
    
    [GRAPHIC] [TIFF OMITTED] T1648.031
    
    [GRAPHIC] [TIFF OMITTED] T1648.032
    
    [GRAPHIC] [TIFF OMITTED] T1648.033
    
    [GRAPHIC] [TIFF OMITTED] T1648.034
    
    [GRAPHIC] [TIFF OMITTED] T1648.035
    
    [GRAPHIC] [TIFF OMITTED] T1648.036
    
    [GRAPHIC] [TIFF OMITTED] T1648.037
    
    [GRAPHIC] [TIFF OMITTED] T1648.038
    
    [GRAPHIC] [TIFF OMITTED] T1648.039
    
    [GRAPHIC] [TIFF OMITTED] T1648.040
    
    [GRAPHIC] [TIFF OMITTED] T1648.041
    
    [GRAPHIC] [TIFF OMITTED] T1648.042
    
    [GRAPHIC] [TIFF OMITTED] T1648.043
    
    [GRAPHIC] [TIFF OMITTED] T1648.044
    
    [GRAPHIC] [TIFF OMITTED] T1648.045
    
    [GRAPHIC] [TIFF OMITTED] T1648.046
    
    Mr. Putnam. I would also like to recognize and thank Ms. 
Watson for joining the subcommittee and recognize the ranking 
member for his opening statement.
    Mr. Clay, you are recognized for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman, for calling this 
hearing. I have asked my staff to put up a poster that is from 
the last computer security hearing held by the Subcommittee on 
Government Efficiency in the 107th Congress. The majority 
staff, working from the same agency reports that are the basis 
of the OMB report issued last month, created this report card. 
However, the story this report details is quite different from 
the more optimistic tone laid out by the administration.
    Of the 24 agencies examined, 12 showed no improvement in 
computer security, and 11 of those agencies had a grade of F in 
both 2001 and 2002. Those agencies include the General Services 
Administration, which had a grade of D both years; the 
Departments of Agriculture, Defense, Energy, Interior, Justice, 
Transportation, Treasury and Veterans Affairs; the Agency for 
International Development; the Office of Personnel Management; 
and Small Business Administration. Other agencies showed 
dramatic decline in grade. For example, the National Science 
Foundation went from a B plus in 2001 to a D minus in 2002. The 
National Aeronautics and Space Administration went from a C 
minus to a D plus. The Environmental Protection Agency went 
from a D plus to a D minus. The Department of State went from a 
D plus to an F. The Federal Emergency Management Agency went 
from a D to an F. And the Department of Housing and Urban 
Development went from a D to an F. However, if we look at the 
chart on page 11 of the administration's report, the government 
is improving on nearly every indicator.
    One conclusion might be that the agencies have done a lot 
of work between last November and now. Unfortunately, this 
report card and the OMB report are drawn from the exact same 
agency report. Last week I sent my staff over to the Department 
of Transportation, which, according to this report card, is one 
of the failing agencies, and they came back with a report of an 
agency that was making significant improvement in computer 
security. In fact, the Department of Transportation may well be 
a leader in implementing the requirements of the Federal 
Information Security Management Act. I hope today we can learn 
why we have such different summaries on the same agency report.
    And again, thank you, Mr. Chairman, and my thanks to the 
witnesses for taking their time to be here today.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]
    [GRAPHIC] [TIFF OMITTED] T1648.047
    
    Mr. Putnam. I thank the gentleman from Missouri and would 
recognize the gentlelady from California for her opening 
statement, if she would like to make one.
    Ms. Watson. Mr. Chairman, thank you. I don't have an 
opening statement, but I am looking at the details of the 
report card, and the question comes--and this is from GAO. 
Apparently they have described the shortfall. My question to 
anyone on the panel is why don't we see more progress, more 
upward movement in the security, and what accounts for these 
low grades, the grades of F?
    Mr. Putnam. If it is OK, Ms. Watson, we will give them a 
heads up. We will lead off with Mrs. Miller and then come back.
    At this time I recognize the vice chairwoman of the 
subcommittee Mrs. Miller for the first round of questions. You 
are recognized for 5 minutes.
    Mrs. Miller. Thank you, Mr. Chairman, I will be a few 
moments here, but I am new to the Congress and obviously new to 
the subcommittee, but I have to say that looking at that report 
card is rather startling when we think about the piece of 
educational legislation, No Child Left Behind. Fortunately we 
are not being graded on that kind accountability with where we 
are, but as a former elected official at the local level, State 
level, dealing with audits for the last 25 years, any time I 
would see the term ``material weakness,'' you know, your heart 
would begin to pound. Material weakness is a bad thing, 
obviously.
    And, Mr. Forman, I think you mentioned--I was taking some 
notes--over half of all the government agencies are reporting. 
Was that just in the last go-around, reporting material 
weaknesses in information security? And is that operational 
audits that are being conducted, performance evaluations?
    Mr. Forman. These were part of the financial management 
audits where it is required, and I think, as the chairman 
pointed to, a good example of that would have been the Treasury 
Department. That was one area where as part of the reviews of 
the reports from the IG and the CIOs, at that time Assistant 
Secretary for Management Ed Kingman noticed the significant 
gap, tracked it down, and indeed recognized that would be a 
reportable or should be considered as a reportable material 
weakness, and I think properly handled it at that point.
    Mrs. Miller. You know, when you do certification, I think 
that starts with accountability. It appears as though we have 
some difficulty in the Federal Government of retaining CIOs. 
You have a revolving door going with some of these CIOs. Is 
this something that Congress could assist you in addressing? 
Could you tell us a little bit to why we have that situation? 
You have to have a point person, and you have to have 
accountability if we are losing some of our brain trusts there 
and the institutional knowledge is going out the door with 
them. What can we do there?
    Mr. Forman. Officially we are looking at this as part of 
the skills gap assessment, Clinger-Cohen reports that never 
were really done, the Ego Vac site, we would like to make sure 
the agencies do that, and as well the agencies should modernize 
those reports. The Ego Vac did have rather strong human capital 
work force reporting. And we in the budget passed back to the 
agencies and said that those reports must come into OMB this 
September. So I think sometime in the fall would be appropriate 
after we have had time to look at those reports.
    Traditionally the issues that have come up are money-
related, and the administration did ask for the performance 
fund. I think that will help a tremendous amount.
    Now on a less than official side, the personal note, we are 
trying to drive an awful lot of transformation through the 
agencies, and these have become some of the most stressful 
jobs. The area is--and you will hear from some of the folks 
that are driving major changes. The areas that need the most 
change, like computer security, forces an awful lot of 
management reform. I think the chairman was exactly correct. 
This is very much a management issue, and I am not quite sure 
yet how you keep people from burning out, although that is 
something we are going to have to start looking at more and 
more, because we do need this magnitude of change, and we can't 
let that stop as the people change. We have to figure out how 
we deal a little better with the stress, because I would not 
like us to slow down on some of the transformation in this 
important area in particular.
    Mrs. Miller. Just a note on that, the burn-out in those 
kinds of jobs is not particularly inherent to the Federal 
Government. You find it throughout the inventory really now 
because there is so much stress.
    Looking at some of the States that are really on the 
leading edge of utilizing technology, they are all struggling 
with the same thing that the Federal Government is, is 
retaining those kinds of individuals so they don't lose them 
off into the private sector.
    But you talked about money in those kinds of things, and in 
the GISRA report you are saying approximately 500 systems are 
sort of at risk again with the security weaknesses and 
apparently subject to having some of their funding withheld. Is 
that an appropriate thing for us to be doing as a Congress? I 
mean, we want to encourage improvement in this report card 
certainly, and we don't want to be a rat holding the taxpayers' 
money. On the other hand, how does all of that work, with you 
doing your performance evaluations and withholding dollars from 
the agencies?
    Mr. Forman. The framework is investment justification. We 
call it the business case, and the way it works is that there 
are a number of criteria that we know if we don't adequately 
address before the project really starts to ramp up, chances 
are we will be picking up the pieces in the end. The way that 
plays out in cyber security is that it costs us a lot more to 
go back and fix the security problems of the systems that are 
deployed. Had this been correctly addressed early on in the 
program, it would have been done much more effectively and at a 
lower cost. So our policy position has been until that gets 
built in from the beginning, we don't want the system to go 
forward because we know it increases both the risk and the cost 
of the system.
    Mrs. Miller. When you are making those kinds of 
determinations about withholding funding, how do you interact 
with the Congress as far as talking to the appropriators and 
those kinds of things? And is there some sort of exemption they 
could get if they show you measurable performance increase?
    Mr. Forman. There are a set of criteria. It is based on 
NIST standards and OMB guidance, A-130, that we use, and 
generally that is part of the budget process discussed with the 
agencies via Circular A-11, the basic document used to put the 
budget together. That is associated with what is called an 
apportionment process, which is a financial term of art for how 
appropriations dollars are managed, and that is worked through 
with the appropriators.
    I will say the understanding of all that as it relates to 
IT varies from agency to agency because so much of the IT 
budget is not explicitly appropriated. It is funded out of 
working capital. There are salaries and expenses.
    Mrs. Miller. Just a quick question.
    Mr. Putnam. We are going to have to wrap up this first 
round if that is OK, Mrs. Miller.
    And Mr. Clay is glad to defer to Ms. Watson, so you get 
another crack at it, and you are recognized for 5 minutes.
    Ms. Watson. Thank you, Mr. Chair.
    I guess if I read the GAO report, I would have my questions 
answered, but listening very closely, I hear you really have a 
personal management resource factor that gets in the way of 
making more progress. Can you expound a bit?
    Mr. Forman. First of all, let me say about the grade, I 
think there are two aspects of this: Where are you in terms of 
status, and how much progress are you making. And I will tell 
you in terms of progress, there is clear progress. We have laid 
out an 80 percent target, to move from 60 percent to 80 percent 
this year, and very much I am accountable. I am the person to 
hold me accountable. It helps me hold the agency accountable 
for that. So I am the person that has signed up to the Congress 
to make sure we achieve that under FISMA and the EGO VAC. And 
you will see some of the CIOs, there is a commitment throughout 
the administration making the progress, and the management 
commitment from the leadership level is key to making this a 
success. I am fairly comfortable we are making progress. We are 
tracking that quarterly, and you will be getting data to see 
that as well.
    On the status side, whether it is an F or D minus, I would 
ask that you not grade us on a bell curve, that you hold us to 
standard academic levels of success.
    Ms. Watson. Let me just ask, what is the source of this 
grading chart?
    Mr. Dacey. Let me jump in a minute. The grades were given 
by the committee essentially based upon, for fiscal 2002, the 
GISRA reports that were provided by the various agencies. The 
committee weighted those responses and came up with a composite 
grade, and that yielded the scores. The prior year was based 
upon some--the work on 2001 from the GISRA report. So it is 
pretty much coming from the GISRA reports and the various 
performance measures and information that are reported therein.
    Ms. Watson. What kind of progress have you made since this 
came out in November 2002 up to what you have today?
    Mr. Dacey. One of the challenges is measuring that 
progress, and that is something the chairman mentioned in his 
opening statement, and that is the need to be looking at more 
frequent reporting, and Mark might talk about some of the 
quarterly reporting they are moving to for FISMA in the first 
year. But I think that is a key element. As I said in my oral 
statement, it is going to be important for agencies to really 
build this into a systematic process so they are getting 
information to regularly manage information security along with 
other IT and other areas that they manage. And it is going to 
be important to build those systems, so that GISRA and FISMA 
reporting are an outgrowth of those systems, not the primary 
direction for gathering the data to include in the reports. And 
some of that is going to happen, but I think that an important 
element to make this succeed is to really have that management 
process in place and some of this information regularly coming 
to agencywide management CIOs and so forth, and they have the 
right responsibilities and authorities to move forward and make 
sure that security's improved.
    In terms of the overall issue you mentioned in your initial 
question, I think it's going to be important, as I said, to 
make sure we have security management programs in place. And 
that's the management structure at the top and commitment by 
leadership to these things, because it does come down to a 
management issue to make sure that technology is properly 
implemented.
    Ms. Watson. Have we appropriated the funds to be able to 
put management personnel in the right place?
    Mr. Dacey. There's a process, and Mr. Forman may want to 
speak, but it's part of the process of requesting budgets and 
so forth and so on. They do request what they need. And Mr. 
Forman might want to expand upon that a little more.
    Mr. Forman. Virtually all the agencies have chief 
information security officers. What really is, I think, the 
heart of getting the Federal Government more secure is what we 
are doing with the infrastructure, networks, 
telecommunications, the basic competing platforms that we're 
using. We have tried to, in this year's budget process, 
significantly empower the CIOs. It gets to an esoteric risk 
level the way we are managing IT in the Federal Government, but 
we use a business case. And last year we had hundreds of 
projects. The rule of thumb in security is the more systems you 
have, the harder it is to make sure they're secure. You want to 
integrate and consolidate infrastructure.
    Ms. Watson. Let me cut through this. You are talking 
insider language. Do you have the necessary resources to 
organize in a way that will guarantee greater security at a 
time when the technology has gone above the line, and people 
can hack in and expose information, reveal information that can 
be very harmful and damaging? And particularly when I look at 
NASA and other security systems, I get really worried. Have we 
done all we can for you, or is it that you are having 
challenges in organizing and placing--you know, how do we get 
to the problem and show progress? That's my interest.
    Mr. Forman. I think we're fine with resources. We've added 
a significant amount of resources.
    Ms. Watson. And the challenge is?
    Mr. Forman. It is a lot of work, and it takes time. The 
older the systems, less security was built in, the more you 
find when you do the audit of the system, and then there is 
work to fix that.
    Ms. Watson. So it's the timing of trying to improve these 
sluggish systems and bring them up to top operation capacity.
    Mr. Forman. And we continue to modernize. By the same token 
we continue to modernize. And I believe we've learned our 
lesson as a government that if you do not work in security 
before you start the system, it's going to take you longer and 
cost you more to fix it at the back end. So we're trying to fix 
the things that are out there, the so-called legacy systems. 
But we have made good progress in building in--before we move 
forward, making sure security is built in and hence 
Congresswoman Miller's questions.
    Ms. Watson. Thank you, Mr. Chairman.
    Mr. Putnam. Let me follow up on Ms. Watson's question. 
Federal Times ran an article, essentially highlighting some of 
the excuses that agencies have used for not being in 
compliance. And the FAA said this: ``We have told OMB that we 
can't be in compliance for a while. We don't have the money to 
both secure our systems and document we have done so.'' Do you 
buy that, Mr. Forman?
    Mr. Forman. No.
    Mr. Putnam. Later in the article, an anonymous information 
security specialist from a social service agency stated, 
``someone at our parent department told OMB we would have it 
done in July. We can't get it done right by then, so we will 
throw together some documentation and make it look like we 
did.'' They go on to say that same information security 
specialist at the social service agency points out that even if 
they had the money to do the assessments, they do not have the 
authority to make local offices cooperate. ``They have their 
own funding and don't report to us. When I call them and ask 
for this or that, they just ignore me,'' the specialist said.
    Have you received reports that were so off or so inaccurate 
or so hastily put together that you believe that they 
deliberately put something together to meet an artificial 
deadline but knowingly submitted something that was not 
accurate or complete?
    Mr. Forman. I think the Treasury situation that you alluded 
to in your opening statement is very clear documentation that 
happens. It is so important to have the independent review by 
the ITs come concurrent with the report from the CIOs. There 
are so many pressures. I know funding issues. We cannot allow 
ourselves to make this into a paperwork exercise. And so the 
audit is incredibly important to us.
    On the other hand, what I would say is the market is 
stepping up. There are an awful lot of automated tools out 
there that reduce the cost. And the other thing is NIST is in 
the second iteration of a tool kit that assists agencies in 
classifying. The lower the risk of the system or the fact that 
may be disconnected in the Internet means that there are 
cheaper and faster ways to get the certification and 
accreditation done. And that is laid out in the new set of NIST 
guidelines.
    Mr. Putnam. Everybody seems to agree this is a management 
issue. So what are the consequences for someone with that 
responsibility who would submit such a report?
    Mr. Forman. Well, I can't say in blanket how this works. I 
would ask you to keep in mind the reason that the CIO at the 
State Department did change out, and while I can't speak to all 
the specifics and the details here, there's no question that 
the State Department acted partly in response to the IG report 
that indicated lack of progress in IT security. We downgraded 
the score on the scorecard--progress, that is, and that had a 
substantial impact, ultimately resulting, I believe, is my 
personal belief, in restructuring greater emphasis in some very 
tough management decisions including allocation of funding that 
weren't being taken before.
    Mr. Putnam. Mr. Dacey, how widespread do you believe that 
this attitude is, that it's just another congressional report, 
just another paper that is supposed to be filed, its fine 
whether its done or not?
    Mr. Dacey. Mr. Chairman, I am not aware of any instances 
where we know that reports have been intentionally prepared 
with improper data or data that's not accurate. At the same 
time, in looking at FISMA and its implementation, I think it 
will be important in the long term, as Mr. Forman suggested, 
that we have an independent audit process that starts to begin 
to look at those performance measures and do auditing on the 
performance measures, which is not currently required, and 
think about that as part of that process. I think that would 
give more credibility to the numbers. It would also make it 
clear to people in the agencies that someone was going to be 
auditing the numbers and lessen the likelihood of people 
preparing statements that might not be accurate.
    Mr. Putnam. You said there is no indication of anyone 
having deliberately done it. But clearly, you just didn't fall 
off the turnip truck. Somebody has been quoted by a reporter 
saying this. It's probably indicative of something more 
widespread, don't you suspect?
    Mr. Dacey. I suspect without any cross-checks that there is 
great pressure to report such information. That could have 
happened, sure. But again, it gets backs to the issue I think 
FISMA is a basic process that will work. We really need to put 
in place a process to make sure those numbers are accurate. 
They are self-reported so that the numbers you see in our chart 
and in OMB's testimony are self-reported numbers inherently not 
audited in any way, shape or form other than some information 
we have on inventories which was specifically asked for in the 
OMB requirements. I think that will always be a challenge 
unless we put in some kind of effort that is going to assure 
both the agency, the administration and Congress that these 
numbers that are being reported are accurate. Until that 
happens, there is a possibility that their reporting could be 
inaccurate.
    Mr. Putnam. I will abide by my own time element and 
recognize the ranking member, Mr. Clay, for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    I'd like each of the witnesses to explain for me the 
difference between the report card prepared by former Chairman 
Horn and the OMB report before us today. Which is correct, and 
has the government improved since 2001 in the OMB reports, or 
is the government still failing and going from bad to worse as 
the subcommittee reported last year?
    Mr. Forman. I think there are substantial improvements. I 
can go through from the data some differences that I would have 
in the grades. But let me just say, there are some agencies 
that are doing really well. And if you scored a 60 percent as 
a--if you were generous and you scored that as a D, at best, 
most of the agencies would get a D. It's not good enough. It's 
just not flat good enough. We need to be up in the 80 or 90 
percent range, or A and B range. And that has to be the 
standard. We can talk about how much progress that we made or 
not, but for me a progress from an F to a D is not enough. It's 
just not simply good enough.
    Mr. Dacey. I would like to point out again that this is the 
same basic information both for the GISRA report from OMB, our 
testimony and all the grades. So the most recent data we have 
Governmentwide is September 2002 data, and that gets back to 
the point where there is a consistency. The grades are the way 
in which the committee assessed and weighted the responses in 
the GISRA report. What we have presented and what has been 
included in OMB's report is some of the statistics and averages 
that are included in there for the same measures. It is a 
matter of looking at the same information in slightly different 
ways. It gets back to how do we know from September 2002 until 
today whether we have made improvements, and the point is we 
don't really have good reporting processes in place to get that 
information on a more timely basis. Right now the next set of 
information we will get is September 2003.
    Mr. Clay. In your testimony last fall, you indicated all 24 
agencies had significant weaknesses in program management in 
both 2001 and 2002, and only 2 agencies improved performance in 
access control. Would you agree that shows little or no 
progress?
    Mr. Dacey. It shows some progress, but we still have 
serious problems. Again, we have had general progress at least 
in reported information across all the categories. The 
challenge is, as Mr. Forman indicated, whether it is F or D, we 
still have a long way to go to get to where we need to be. Yes, 
that is in the report, and that is probably still the case, and 
that is one of the areas that I think is particularly important 
that you have these structures in place for the agencies to 
manage information security.
    FISMA started to provide some of that by creating 
information security officers and coming up with a set of 
requirements for them in the agencies. And I believe most of 
the agencies now have a designated information security--if not 
all--have a designated security information officer.
    We also--there's a need to have this process in place to 
report. Again, we don't have specific information, but I 
believe a lot of the information for GISRA reporting came from 
efforts to accumulate that information for the purpose of GISRA 
reporting and not as part of a routine process that management 
was getting the information to use to manage their security 
program. I think that has to change to be effective.
    Mr. Clay. Well, in the OMB report, they list six areas of 
government-wide security weaknesses and then report that the 
government shows improvement over 2001. Do you agree with that 
assessment?
    Mr. Dacey. I agree with the characterization in OMB's 
report with respect to the actions that have been taken. It's 
consistent with what we have seen in doing our work as well. So 
there has been action taken in each of those areas.
    And five new areas, or five areas that are newly reported, 
I think those are areas that we knew there were some challenges 
in the past; but identification of five new areas and action 
plans, is important to try to address those in going forward.
    Mr. Clay. Mr. Forman, according to your report, there are 
only 8,000 reporting systems in the Federal Government. Now, I 
find that difficult to believe. Can you explain to the 
committee what that number represents and what systems are not 
included in that count?
    Mr. Forman. Generally these are combinations of 
applications that work together to perform a function. So, do 
we have more than 8,000 systems? Probably. The number of 
reporting went up in 2002 compared to fiscal year 2001. I 
suspect it will go up again this year.
    But, that said, we know there are many more applications 
than that number. It's just agencies under the definition in 
GISRA are allowed to bundle together applications and call that 
a system. This is the best reporting we've had.
    I think, for security purposes, that makes sense, because 
they are generally used by the same group of people, tied to 
the same network, and work together to support a business 
process. At the end of the day, you want to secure all the 
information around a business process, and you want to make 
sure that's secure, that business process can keep operating 
even if it's attacked. So I'm fairly comfortable with the 
definition that Congress came up with for GISRA. I think it 
exists fairly the same, except for national security systems, 
all training in FISMA. But the focus is appropriate.
    Mr. Clay. Thank you both for your answers.
    Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mr. Clay.
    Mrs. Miller, do you have another round of questions?
    Mrs. Miller. Just one.
    You know, I'm looking at this blue chart over there from 
the GAO about performance measures and those kinds of things. 
Mr. Dacey, can you give me a little more specific about what 
kind of performance evaluations you actually do? I can hardly 
see the bottom. Give me an example of what kind of performance 
measures. I mean, we keep talking about this is a management 
problem, apparently not a financial resource situation; it's a 
management problem. So just what kinds of things do you 
actually look at to measure this performance evaluation?
    Mr. Dacey. Let me talk about that a minute. And hopefully 
you have something that looks like this up on your desk area 
that you can see better.
    In any case, these are six of the areas that were included 
in OMB's report. And what we put together in the chart was to 
try to really reflect the change from year to year, from 2001 
to 2002, and on average for 23 of the largest agencies. Again, 
as I said before, the information that goes into these is a 
whole series of performance measures that were required by OMB 
in reporting on the second year GISRA implementation. And these 
have been important, because they really are establishing a 
baseline and a basis for comparison from year to year. And this 
is the first year we have comparative information government-
wide that we can look at.
    These are six of the many performance measures that were 
required to be reported. These particular ones I think are 
somewhat illustrative because it gets to some of the critical 
challenges that we have. If you look at the first column on 
risk assessment, that's whether the agencies have assessed risk 
in their systems to know what level risk they are accepting and 
operating them.
    The second is a security plan in place----
    Mrs. Miller. Let me just ask you about the risk.
    Mr. Dacey. Sure.
    Mrs. Miller. What kind of risk assessments, for instance? I 
don't want to go through the whole thing, but just in that 
particular column there. What kind of risk assessments do you 
actually do? I mean, risk of terrorists? I mean, some guy with 
a laptop in a cave in Afghanistan being able to get into one of 
the systems in DOD? And are the evaluations for risk 
assessments uniform throughout these last two report cards and 
as we are entering September now?
    Mr. Dacey. Well, I think--I guess my observations on risk 
assessments would be, they're supposed to include the threats 
to the system. And that's the normal process. We actually have 
a best practices report we issued on risk assessment; it's 
something that OMB requires to be done. The format and 
structure of them has a lot--some flexibility built into how 
detailed they are. So I couldn't say that every agency does it 
the same way. But what this number represents is the number of 
systems that those agencies reported that they had assessed 
risk for, and that's what those columns represent, both the 
gold for 2001 and the blue for 2002.
    Mrs. Miller. So risk of the type of information that you 
are gathering? Risk of the type of access that individuals 
would have to it? Risk of security of that information, those 
kind of things?
    Mr. Forman. And then the final aspect of that is risk that 
you wouldn't--the agency wouldn't be able to complete its 
mission if either the information was stolen, disrupted, or the 
system processing was shut off.
    Mr. Dacey. As part of that process, just to point out, one 
of the provisions of FISMA is to actually come up with risk 
levels. I think that can help a lot, because that will 
standardize the process by which agencies assess risks and can 
communicate more effectively between each other and within the 
agency as to when they are hooking systems together and what 
the risk levels are. So I think that would be an important 
improvement. Right now, the risk assessment is a little more 
subjective, not that it won't be somewhat subjective, but at 
least it will have a structure that is proposed by NIST as part 
of the FISMA law.
    Mrs. Miller. Thank you, Mr. Chairman.
    Mr. Putnam. Thank you, Mrs. Miller. Now I'd like to ask 
each of you: does every agency currently have an acceptable 
business continuity plan?
    Mr. Forman. Generally we look at that down to the system 
level. And the answer is, no. That there are big gaps in some 
agencies and really good success in other agencies. That's part 
of the data that is tracked and I think was in our report. I 
would ask you not only to take a look at the agencies that have 
a valid contingency plan, but also what I think we need to do 
one step further that has been tested and validated, very 
similar to the work that we had to do with the year 2000 
contingency plans.
    Mr. Putnam. OK. While we are talking about that, in Mr. 
Dacey's testimony, he said that less than 50 percent of the 
contingency plans at 19 out of 24 agencies have been tested. 
Less than half have been tested. So does that mean that those 
plans might not work?
    Mr. Dacey. Yeah. I think that really signifies that--until 
you test it, you don't know it will work, in fact. And there 
are two issues here. The other number that we have is also the 
fact that there are a significant number of systems for which 
they don't have contingency plans. I think it is reported now 
at about 50 percent, 55 percent, just have the plans to start 
with; and then the second step is testing those plans to be 
sure that they would be effective in case of an emergency.
    I think that is a critical area, because absent some of 
these other controls in other areas, particularly for critical 
systems, it would be very vital to make sure that those systems 
could be recoverable in case some of these other weakness areas 
were exploited and the system availability was lost.
    Mr. Putnam. Nobody ever wants to say that one agency or 
department is more important than another one. But in terms of 
the ramifications of having a contingency plan or a disaster 
management plan, are the agencies that are most at risk and 
most critical to national security or homeland security the 
ones who have tested? Has the Social Security Administration 
tested their contingency plans, and Defense not? Has Homeland 
Security, has FEMA?
    Mr. Forman. It's a mix. And you will find the data in the 
table. You will see, for example, you are absolutely right. 
Social Security has tested their contingency plans. They are in 
pretty good shape. By the same token, FEMA did not test their 
contingency plans.
    Mr. Putnam. So the Emergency Management Agency has no 
emergency management plan?
    Mr. Forman. They have the plans for--as of the end of last 
year they had some of the plans. They don't have enough plans. 
And, moreover, they haven't tested the ones they have. There is 
significant work that needs to be done here.
    Mr. Putnam. Let's talk about patches very briefly in my 
remaining time. Then we are going to move to the second panel. 
Patch management is critical to information security. It goes a 
long way toward protecting our systems from viruses and other 
attacks. The PAD-C, the patch authentication and dissemination 
capability, will provide a system to Federal agencies to manage 
the patching of their systems. How far along are we in that? 
How are the agencies participating? Are they responding to 
OMB's encouragement?
    Mr. Forman. I don't believe I have the exact numbers on how 
many agencies have signed up. They continue to get more 
agencies to sign up. This is, again, part of our concept of buy 
one, choose many. Patches are obviously to use a software code. 
And to the extend that people have common software--and we have 
an awful lot of common software in the government--it's better 
to buy that patch once and then have an automated way to 
distribute it. So that's why we invested in this patch 
management, buy-one, choose-many concept.
    I need to get back to you on exactly how many agencies, and 
I will do that.
    Mr. Putnam. Do you want to add something, Mr. Dacey?
    Mr. Dacey. I don't have the information right in front of 
me, but a fair number of agencies have signed up for PAD-C. I 
forget the number. It might be in our testimony. OK. I don't 
have that with us today. We can certainly get back to you on 
that. But it is an important area because it does provide a 
central source for patches that have been tested and 
authenticated and placed out there. I think one of the key 
issues in patch management is that even with that, agencies 
need to have a process to ensure that these patches are 
installed and installed properly and don't break other parts of 
the system. And so they need to take efforts to put that in 
place. And NIST has some draft guidance out in how to do patch 
management that is very informative.
    Mr. Putnam. Well, the committee has submitted a letter to 
the secretaries of the departments, their IGs and CIOs, 
requesting more frequent updates of information and given them 
August 1 as a deadline for the update. And we will also be 
picking up where Mr. Horn left off with the score cards this 
fall. I think that our first panel will note that this is 
bipartisan frustration with this, with the inadequate progress 
on the part of the Federal agencies, and we will continue to 
monitor this very closely.
    My parting question would be this: are the differences in 
reports due to different interpretations of what the law 
requires or a genuine disagreement over the level of 
information security that exists at the agencies?
    Mr. Dacey. Just for clarification. Difference in which 
reports are you referring to, Mr. Chairman?
    Mr. Putnam. Different interpretations of the FISMA, GISRA 
requirements, or to a genuine disagreement over the status of 
information security between the IGs.
    Mr. Dacey. Between the IGs and the agencies?
    Mr. Putnam. Yes.
    Mr. Dacey. That's an interesting question. There were a 
number of IGs that did disagree, and I think OMB in fact in 
their report pointed out that was one of the new challenges 
that needs to be really looked at and addressed. And Mr. Forman 
might speak more to that. That's an area at least that's 
highlighting where there are differences that go back to the 
FISMA model and talk about the agency and the IG both working 
together and the agency providing some validation of that 
information.
    So I think it's good that we are pointing out where there 
are differences, and it's also a need then to followup on those 
differences and find out why they exist. I don't know that we 
have any information on why the differences exist. In some 
cases it may be just differences of thought or differences in 
the systems that were looked at. I do know that when we deal 
with some of these issues from our audit perspective at GAO, 
there's not always unanimity in how you interpret the results 
of your reviews. And a lot of our discussion goes around what 
does this really mean, how serious of an issue is it. So there 
also--there can be differences of opinion as well.
    Mr. Putnam. Do you want to add anything, Mr. Forman?
    Mr. Forman. First of all, let me say that we do have some 
data in followup to your past question on the patch management 
contract. There are 37 agencies that subscribe to that today. 
What I need to do in getting back to you is find out how many 
are Cabinet-level agencies versus small agencies. Obviously, 
the small agencies really like to use the shared approaches.
    I think that actually the debate is good on what is a 
covered system and the amount of risk. To have the IG have that 
independent view and say this system is actually more mission 
critical or it is more important to the agency's mission than a 
CIO may say, really reveals to us something about the 
positioning of the CIO. And generally, as in some of the 
examples you cited, I notice that the CIO may not have the 
appropriate status that, sure, maybe in the agency to come 
forward and say a system is badly performing. They may be kept 
out because of the differences between the IT organizations and 
the bureau program offices.
    So, I think, first of all, it's not necessarily bad to have 
the disagreement. And, second, it is very important that the IG 
stay aggressive in this area so that it can reveal to us where 
are the areas to look.
    Mr. Putnam. Thank you very much for your testimony.
    At this time we will dismiss panel one and seat panel two 
and move as quickly as possible. Thank you very much, Mr. 
Forman and Mr. Dacey. The committee will recess for 3 minutes.
    [Recess.]
    Mr. Putnam. We will go ahead and seat the second panel and 
reconvene the subcommittee hearing.
    I would like to welcome our second panel of witnesses. As 
is the custom of the subcommittee, we will swear in this panel. 
I would ask that if you have personnel joining you today who 
will be assisting you in answering, that they will also rise 
and be sworn at this time. Please stand and raise your right 
hands.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
and their supporting cast responded in the affirmative.
    We will move right to panelists' testimony. I begin with 
Johnnie Frazier. Mr. Frazier was appointed to the position of 
Inspector General at the Department of Commerce in 1999. The 
Presidential appointment capped more than three decades of 
distinguished service at the Department in a variety of 
leadership roles. During his tenure as IG, Mr. Frazier has 
significantly strengthened that office's strategic agenda to 
reflect the most pressing priorities for the Department and the 
Nation. For example, he has directed key audits and 
investigations of security weaknesses in Commerce's computer 
networks information systems and personnel policies. He has 
initiated assessments of emergency preparedness plans at 
commerce facilities and prompted examinations of export 
safeguards on sensitive U.S. technology. He has precisely 
defined the IG's direction for the near future around a set of 
core priorities that strategically target emerging audit and 
inspection areas of need.
    We welcome you to the subcommittee, and recognize you for 5 
minutes for your testimony.

STATEMENT OF JOHNNIE E. FRAZIER, INSPECTOR GENERAL, DEPARTMENT 
                          OF COMMERCE

    Mr. Frazier. Mr. Chairman and members of the subcommittee, 
I am pleased to appear before you today to provide the IG's 
perspective on IT security in the Department of Commerce. You 
know, although IT security and data have long been among the 
Department's most critical assets, ensuring their security, 
unfortunately, was not a high priority for the Department 
before GISRA.
    When I first testified on IT security 2 years ago, I had 
few favorable observations to share. The Department was 
striving to improve, but our work at that point revealed 
pervasive security weaknesses that placed sensitive IT security 
systems at serious risk. As a result, we identified IT security 
as one of the top 10 management challenges facing Commerce. And 
while much progress has been made, it still remains high on my 
top 10 list.
    OMB's fiscal year 2002 report to the Congress on Federal IT 
security noted that progress is evident and that the government 
is heading in the right direction. I am pleased to report that 
Commerce, too, has made progress and is heading in the right 
direction; but this department, like many others I'm sure, must 
overcome a history of much neglect. As Commerce's CIO put it, 
the Department has been coming from behind.
    Our IG GISRA evaluations over the past few years have often 
found the same basic weaknesses at Commerce that OMB has found 
throughout the government. First and probably foremost, we have 
seen the problems, the progress, and the potential that 
surround senior management's attention to IT security. Before 
GISRA, IT security was simply not on the radar screen of senior 
Commerce management. Through the Secretary and Deputy 
Secretary's efforts, and quite candidly their bully pulpit, 
senior managers are increasingly coming to understand that they 
are responsible for IT security.
    Our independent observations on security education and 
awareness previously highlighted this as an area of neglect. 
Again, the Department has responded. Today, all employees and 
contractors receive security awareness training. But 
specialized training for personnel with significant IT security 
responsibilities remains inadequate.
    A third major area centers on the importance of management 
religiously integrating funding and IT security into Commerce's 
capital planning and investment control process. While the 
Department has substantially increased its control over IT 
investments, it often still struggles to adequately plan IT 
security controls and costs for every system.
    Our ongoing independent evaluation is also showing that the 
Department has improved its capability to detect, report, and 
share information on vulnerabilities. Before GISRA, only 4 of 
Commerce's 14 operating units had a formal incident response 
capability. Now, all Commerce operating units have such 
capability.
    Another matter of particular note to us is the importance 
of ensuring that contractor services are adequately secure. Our 
review of 40 of the Department's IT service contracts found 
that contract provisions to safeguard sensitive systems and 
information were either insufficient or nonexistent. Why, you 
ask? Little Federal or departmental guidance or policy in this 
area.
    On the Federal level, a proposed Federal acquisition clause 
for IT security is currently under review by the FAR Council. I 
believe this clause will be beneficial government-wide. And I 
am personally pleased that our IG contracting expert, Karen 
DePerini, who first identified the contract problem at 
Commerce, is co-chair of the OMB issue group that recommended 
this clause and is identifying methods to improve security in 
contracts. And last, but by no means least, aggressive 
schedules for IT performance measures are having an impact on 
all parties involved in the IT security effort.
    It should be noted here, however, that although security 
plans have been required for Federal IT systems since the 
Computer Security Act of 1987, when I testified 2 years ago, 
nearly two-thirds of the Department's systems lacked risk 
assessments, almost half did not have a security plan, and more 
than 90 percent were not certified or accredited. The 
Department is vigorously addressing these serious deficiencies.
    The Department's focus can best be seen by looking at its 
performance measures for system certification and 
accreditation. According to the Department, between fiscal 
years 2000 and 2003, the percentage of systems certified and 
accredited increased from a mere 8 percent to 77 percent of its 
roughly 600 systems.
    At the same time, I must caution that performance measures 
do not tell the whole story. Overaggressive schedules can 
actually weaken the process. Our evaluation suggests that 
aggressive timeframes have often resulted in premature 
certification and accreditation, where risk assessments, 
security plans, testing, evaluation, and review have been 
inadequate or sacrificed altogether.
    In closing, I am proud that the independent evaluations 
required of the IGs play a uniquely valuable role in confirming 
the substance and quality of critical processes and control and 
in helping ensure that the job is done right. Unfortunately, 
our resource limitations have not allowed us to do such things 
as validate the specific details of the Department's annual IT 
security report. Likewise, we have not been able to perform 
vulnerability assessments and penetration testing of 
nonfinancial systems that would demonstrate whether 
vulnerabilities exist and intrusions may occur.
    I cannot overemphasize how critical it is that the rigor 
and integrity of IT security processes be maintained; 
otherwise, we will have paper security but lack true security. 
Thank you.
    Mr. Putnam. Thank you very much, Mr. Frazier.
    [The prepared statement of Mr. Frazier follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.048
    
    [GRAPHIC] [TIFF OMITTED] T1648.049
    
    [GRAPHIC] [TIFF OMITTED] T1648.050
    
    [GRAPHIC] [TIFF OMITTED] T1648.051
    
    [GRAPHIC] [TIFF OMITTED] T1648.052
    
    [GRAPHIC] [TIFF OMITTED] T1648.053
    
    [GRAPHIC] [TIFF OMITTED] T1648.054
    
    [GRAPHIC] [TIFF OMITTED] T1648.055
    
    [GRAPHIC] [TIFF OMITTED] T1648.056
    
    [GRAPHIC] [TIFF OMITTED] T1648.057
    
    [GRAPHIC] [TIFF OMITTED] T1648.058
    
    [GRAPHIC] [TIFF OMITTED] T1648.059
    
    [GRAPHIC] [TIFF OMITTED] T1648.060
    
    [GRAPHIC] [TIFF OMITTED] T1648.061
    
    [GRAPHIC] [TIFF OMITTED] T1648.062
    
    [GRAPHIC] [TIFF OMITTED] T1648.063
    
    [GRAPHIC] [TIFF OMITTED] T1648.064
    
    [GRAPHIC] [TIFF OMITTED] T1648.065
    
    [GRAPHIC] [TIFF OMITTED] T1648.066
    
    [GRAPHIC] [TIFF OMITTED] T1648.067
    
    [GRAPHIC] [TIFF OMITTED] T1648.068
    
    [GRAPHIC] [TIFF OMITTED] T1648.069
    
    [GRAPHIC] [TIFF OMITTED] T1648.070
    
    [GRAPHIC] [TIFF OMITTED] T1648.071
    
    [GRAPHIC] [TIFF OMITTED] T1648.072
    
    [GRAPHIC] [TIFF OMITTED] T1648.073
    
    [GRAPHIC] [TIFF OMITTED] T1648.074
    
    [GRAPHIC] [TIFF OMITTED] T1648.075
    
    Mr. Putnam. At this time I would like to recognize Robert 
Cobb. Following nomination by President Bush and confirmation 
by the Senate, Robert Cobb took office as NASA's Inspector 
General in April 2002. Mr. Cobb, in his capacity as a member of 
the President's Council on Integrity and Efficiency, serves as 
the Chair of that organization's Information Technology 
Roundtable, which promotes a coordinated approach to 
information technology issues among inspectors general across 
the executive branch. He also serves as an observer to the 
Columbia Accident Investigation Board, which is examining the 
February 2003 loss of the space shuttle Columbia and her crew.
    Mr. Cobb was previously associate counsel to the President. 
In this role, he handled administration of the White House 
ethics program under the supervision of the counsel to the 
President, and was responsible for the administration of the 
conflict of interest and financial disclosure clearance process 
for candidates for nomination to Senate-confirmed positions. 
Prior to joining the Office of the Counsel to the President, 
Mr. Cobb worked for almost 9 years at the U.S. Office of 
Government Ethics.
    We welcome you. You are recognized for 5 minutes.

       STATEMENT OF ROBERT COBB, INSPECTOR GENERAL, NASA

    Mr. Cobb. Thank you, Chairman Putnam, Ranking Member Clay, 
Vice Chair Miller. Thank you for the opportunity to discuss 
information security at NASA and the impact of GISRA and FISMA 
on the agency's information security program. The Office of 
Inspector General is committed to helping the agency improve IT 
security through our ongoing program of IT audits and 
investigations. I will discuss three areas: the current state 
of NASA IT security, our audit of the information NASA 
submitted to OMB under GISRA in fiscal year 2002, and our plans 
to audit the information submitted by NASA under FISMA in 2003.
    First, I want to highlight some of the unique challenges 
associated with securing NASA's IT resources. The NASA vision 
and mission concern challenges for scientific exploration and 
discovery. NASA pursues these challenges with a broad array of 
programs, including research and development in aeronautics, 
space exploration, and space flight. Needless to say, these 
endeavors require a complex range of IT systems.
    As context and setting for NASA's IT security challenges, 
NASA carries out a civilian mission where the distribution of 
information about scientific exploration, discovery, and 
achievement is practiced by the agency and expected and desired 
by the public. NASA is a highly visible agency, with many 
readily available Web sites, and thus is a natural target for 
those seeking to illegally access government systems. NASA's IT 
security program is reliant on the participation and dedication 
of all employees, contractors, and other partners with access 
to NASA information. NASA, like every other agency, faces a 
challenge in convincing its work force that IT security is a 
primary rather than a secondary responsibility.
    The OIG has examined the state of NASA's IT security, and 
we identified it as a significant management challenge in our 
December 2002 report to the Administrator. IT's security 
activities at NASA have historically been carried out on a 
decentralized basis. This has resulted in a lack of full 
interoperability among the systems. NASA is moving toward a 
one-NASA concept, with a greater centralization and 
integration. However, as long as NASA's governance structure is 
such that center CIOs and center security officials report to 
center directors--who are program officials--rather than to 
NASA's CIO and chief security officer, a fully integrated 
approach to IT security will be practically impossible at NASA.
    As part of our work, we conduct audits of information 
security and perform investigations of the criminal misuse of 
NASA IT systems. Our recent activities have addressed a broad 
spectrum of security problems. There are examples from our 
ongoing investigations where inadequate IT security, such as 
weak password controls, resulted in unauthorized access to 
significant amounts of NASA data that was sensitive, but 
unclassified. The agency is aware of these cases and 
acknowledges that serious compromises have occurred.
    In our audit work, we have reported on issues including 
inadequate security training for system administrators, an 
inconsistently applied program for ensuring security of 
sensitive systems, inadequate security plans for NASA's IT 
systems, and an inadequate incident response capability.
    It's important to note that NASA has been responsive to our 
work and that corrective actions are planned or are underway to 
address key IT security challenges. Our 2002 GISRA submission 
reflected the results of 26 final reports and several ongoing 
assignments related to IT security at NASA. Our submission also 
reflected IT security-related work performed by the agency's 
independent accountants as part of their annual review of 
NASA's financial statements.
    Additionally, we verified and validated the status of 
weaknesses identified in NASA's Fiscal Year 2002 Plans of 
Actions and Milestones. The agency generally incorporated our 
suggestions into their final version that they submitted to 
OMB.
    Our fiscal year 2002 GISRA efforts were limited to 
unclassified systems because NASA did not have the national 
security information systems reviewed in accordance with GISRA 
requirements.
    During fiscal year 2003, my office continues to conduct a 
series of IT security-related audits and assessments and will 
incorporate the results of this work into our FISMA submission. 
We will also followup on our 2002 GISRA report. Later this year 
we plan to start an audit of NASA policies to protect 
sensitive, but unclassified information.
    The requirements of GISRA and FISMA are having a positive 
effect on IT security at NASA. The legislation and related OMB 
guidance provided NASA with a framework for more effectively 
managing IT security. Because GISRA, and now FISMA, hold agency 
heads responsible for IT security, NASA senior management is 
more focused on it. The legislation also requires the agency to 
consider the view of the Office of Inspector General and to 
deal with the issues raised in our independent evaluations, 
and, in my view, this has also had a positive impact on the 
agency.
    Last, I would like to note that in the NASA OIG, we have an 
exceptional team of IT auditor, specialists and computer crimes 
professionals. Because of the investment the OIG has made in 
this area, we have been able to provide leadership in the IT 
area to the IG community through my chairing of the IT 
Roundtable of the President's Council on Integrity and 
Efficiency. Through this roundtable, the NASA OIG has sought to 
promote the sharing of best practices in IT audits and 
investigations. This concludes my statement.
    Mr. Putnam. Thank you very much, Mr. Cobb.
    [The prepared statement of Mr. Cobb follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.076
    
    [GRAPHIC] [TIFF OMITTED] T1648.077
    
    [GRAPHIC] [TIFF OMITTED] T1648.078
    
    [GRAPHIC] [TIFF OMITTED] T1648.079
    
    [GRAPHIC] [TIFF OMITTED] T1648.080
    
    [GRAPHIC] [TIFF OMITTED] T1648.081
    
    [GRAPHIC] [TIFF OMITTED] T1648.082
    
    [GRAPHIC] [TIFF OMITTED] T1648.083
    
    [GRAPHIC] [TIFF OMITTED] T1648.084
    
    [GRAPHIC] [TIFF OMITTED] T1648.085
    
    [GRAPHIC] [TIFF OMITTED] T1648.086
    
    Mr. Putnam. We have a large panel, and I would ask that 
everyone be respectful of our 5-minute time limit.
    I now introduce Scott Charbo. Agriculture Secretary Ann 
Veneman named Scott Charbo as Chief Information Officer at the 
U.S. Department of Agriculture in August 2002. As CIO, Mr. 
Charbo is responsible for the overall management of USDA's 
information resources and IT assets, overseeing more than 4,000 
IT professionals and $1.7 billion in physical assets. He comes 
to the CIO position from the USDA Farm Service Agency where he 
served as director of the Office of Business and Program 
Integration since July 2002. He was responsible for planning, 
developing, and administering the agency's programs and 
policies, and provided direction in the areas of economic and 
policy analysis, appeals and litigation, strategic management, 
and corporate operations, outreach programs, and strategic 
planning and leadership in the agency's citizen-centered E-
government initiatives.
    Welcome to the subcommittee. You are recognized.

     STATEMENT OF SCOTT CHARBO, CHIEF INFORMATION OFFICER, 
                   DEPARTMENT OF AGRICULTURE

    Mr. Charbo. Thank you, Mr. Chairman. With your permission, 
I will submit my testimony.
    At the Department of Agriculture, I am responsible for 
computer systems that support billions of dollars in annual 
program benefits. Information stored on these systems include 
Federal payroll data and market-sensitive crop, commodity, and 
farm data, information on food stamps and food safety and 
proprietary research data. This information is one of USDA's 
greatest assets.
    Mr. Chairman, we at USDA are doing a better job initiating 
change and managing information in IT security at USDA; 
however, our size, decentralized organization, and the wide 
array of hardware and software in use, combined with the 
magnitude of today's cyber threats, mean that we have a 
tremendous amount of work remaining to reduce the risk to our 
information assets to an acceptable level.
    Historically, each USDA agency and office funded and 
managed its own IT investments independent of other 
organizations in the department. Likewise, security controls 
employed to protect these investments have been selected 
independently. This decentralized management structure has 
created an environment where some USDA agencies have addressed 
the issues of security and risk while others have not.
    Today, assuring a high level of information security in 
every USDA agency is a critical issue of USDA's management. 
Representative of this commitment, we have begun holding our 
senior executives accountable by including a performance 
measure in their annual performance plan directly tied to 
implementing their FISMA plan of action milestones report. With 
funds from Congress, we are continuing to build a central cyber 
security program that is providing our agencies with uniformed 
policies, guidance tools, and program management. We are 
setting clear cyber security goals and then assisting agencies 
in meeting them. Through our IT capital planning investment 
control process, we are also doing a better job integrating 
security in all phases of our IT project life cycle, from 
initial planning to system retirement. This story of good 
progress and change with much more work to do is representative 
of our numbers.
    In 2004, USDA plans to spend about 68 million to protect 
our information assets. This represents an increase of 6 
percent over the 64 million in securities spending estimates in 
fiscal year 2003. In the past year, six agencies completed risk 
assessments of their cyber security programs from qualified 
security contractors, with an additional four now underway. 
Similarly, nine USDA organizations created independent security 
risk assessments on 26 separate systems. Many others are 
currently in the process of completing assessments. Over the 
past 2 years, we have deployed intrusion detection and 
antivirus software across the Department. Just this month we 
held a training session for agency IT staff on how to deploy 
the Department's latest patch management software solution. By 
deploying patch management software, we will ensure the most 
recent releases of software patches.
    Finally, our USDA FISMA and plan of action and milestones 
report currently shows that we are taking 1,405 distinct 
actions to address 243 program and system-level weaknesses. 
While the numbers we report go up and down as threats to our 
systems change, I am confident we will see progress in our 
POA&M report.
    At USDA, we are fortunate to have a strong senior 
information security officer and staff who drive our 
information and IT security efforts. They are the ones who 
deserve the credit.
    Mr. Chairman, in your invitation to this hearing, you asked 
to discuss the actions that we are taking to remedy the 
deficiencies in both our GISRA and financial reporting. I will 
focus my comments on the highest-priority initiatives.
    Information assurance starts with employee education and 
awareness. We are spending--spreading the word across USDA 
through online courses like the government standard GoLearn.gov 
classroom training, and numerous technical and management 
forums.
    Recognizing the importance of this issue, the Secretary and 
I are personally addressing these concerns at our subcabinet 
meetings and during regular briefings for our agency heads. We 
are making good progress establishing executable business 
resumption and recovery plans for critical information systems. 
At USDA, we are finalizing a standard certification 
accreditation methodology and process for our agencies to 
verify and attest that information security functions as 
required.
    As I mentioned earlier, we revised our IT capital planning 
investment control guidance to ensure system owners address 
security at all stages of an IT project's life cycle.
    I would also like to mention one modernization project that 
is critical to strengthening cyber security at USDA. We are 
redesigning our long distance telecommunication network to 
support the growing demand for E-government services, once 
implemented. Our
system will greatly improve our ability to verify the integrity 
and confidentiality of data transmitted over the network.
    Thank you for the opportunity to be here, Mr. Chairman. 
Thank you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Charbo follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.087
    
    [GRAPHIC] [TIFF OMITTED] T1648.088
    
    [GRAPHIC] [TIFF OMITTED] T1648.089
    
    [GRAPHIC] [TIFF OMITTED] T1648.090
    
    [GRAPHIC] [TIFF OMITTED] T1648.091
    
    [GRAPHIC] [TIFF OMITTED] T1648.092
    
    [GRAPHIC] [TIFF OMITTED] T1648.093
    
    [GRAPHIC] [TIFF OMITTED] T1648.094
    
    Mr. Putnam. I now recognize Mr. Ladner. Drew Ladner was 
appointed Chief Information Officer of the U.S. Treasury 
Department in March 2003. He is responsible for managing the 
Treasury's $2.5 billion information technology strategy and 
budget, serving as Treasury's official lead on E-government 
initiatives, and providing policy direction and oversight of 
the Department's security programs. Welcome to the 
subcommittee. You are recognized.

STATEMENT OF DREW LADNER, CHIEF INFORMATION OFFICER, DEPARTMENT 
                          OF TREASURY

    Mr. Ladner. Thank you, Mr. Chairman.
    Mr. Chairman, Ranking Member Clay, thank you for the 
opportunity to appear today to discuss the state of Treasury's 
IT security as well as the actions underway for remediating the 
Department's material weaknesses. The continued leadership of 
the chairman and the members of the subcommittee is essential 
if we are to improve IT security and accountability not only at 
Treasury but across the Federal Government.
    The present state of Treasury's IT security requires 
improvement to achieve our objective: closing all IT-related 
material weaknesses as identified by GISRA's fiscal year 2002 
review process. As of March 31, 2003, the Department had 14 
material weaknesses. These included nine at the Internal 
Revenue Service, three at the Financial Management Service, one 
at the Mint, and one at the Departmental Offices.
    To bolster IT security, Treasury has taken a number of 
actions to date to resolve outstanding issues addressed by the 
Treasury Inspector General and the Treasury Inspector General 
for Tax Administration.
    First, Treasury has implemented an aggressive oversight and 
compliance program for IT security. During fiscal year 2003, 
reviews will have been completed for all of the bureau's IT 
security programs to establish a baseline for future annual 
reviews. This is the first time that the Department has 
conducted a complete review of the IT security programs.
    Second, to maximize implementation success and 
accountability, Treasury has set specific goals to improve 
security with the use of performance measures, including the 80 
percent to which Mark Forman alluded previously.
    Third, a combined Federal Information Security Management 
Act 2003 data call has just been instituted by the Treasury 
CIO, IG, and TIGTA. This joint data call is expected to remedy 
the inconsistency to which the chairman referred earlier in 
reporting numbers in the last two surveys performed under 
GISRA.
    Fourth, Treasury has taken further action to ensure the 
protection of our critical infrastructure cyber assets.
    Fifth, to augment the FISMA requirement for periodic 
security training, Treasury has scheduled an IT security 
conference for the bureau's IT security managers and staffs. 
This conference will include high-level training sessions and 
targeted technical sessions focused on Treasury's IT security 
issues, along with promoting new CD-ROM and Internet-accessible 
training opportunities.
    Treasury is committed to identifying the root causes of 
unacceptable IT security and putting in place the structures, 
processes, and systems that will ensure the Department has a 
strong security regime. Let me describe several initiatives 
briefly that are key.
    First of all, as soon as I began as Treasury CIO, I decided 
that my first priority as Treasury CIO would be IT governance. 
Pursuant to the Clinger-Cohen Act, the CIO's mission is to 
ensure that the Department wisely steward the funds of our 
taxpayer citizens on technology systems so that we can deliver 
ultimately valuable E-government services and other services. 
Establishing the right structures, processes, and systems of 
sound IT governance not only provides for sound planning and 
budget allocation, but also necessitates incorporating security 
considerations into our capital planning and investment 
controls. It's a cardinal rule in business operations that the 
quality of a design has a disproportionate impact on the life 
cycle cost of the system. If Treasury's systems are not secure 
when we develop and deploy, the Department leaves itself 
vulnerable until deficiencies are remediated and taxpayer 
dollars are not stewarded to boot.
    An additional benefit is that Treasury increasingly aligns 
its IT operations with Department goals and objectives, 
achieving a more integrated, cohesive, and institutionalized 
security regime across Treasury.
    In short, achieving a strategic, robust, and integrated 
security regime will be limited if our capital planning 
investment control process does not share those same 
characteristics.
    In addition to the new IT governance regime, we are working 
very hard on the enterprise architecture that also achieves the 
goals that Mark Forman described previously. This will provide 
us a baseline for planning our security regime as well.
    Third, proactive interagency collaboration on IT security 
provides additional evidence of the institutionalization of 
Treasury's IT security. The measures thereof are included in my 
submitted statement.
    In the Office of the CIO, our mission is to steward 
Treasury's information resources with integrity and 
professionalism. I remain committed to doing that and working 
on everything we can do to ensure that your goals and this 
committee's on IT security are stewarded as well. Thank you 
very much.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Ladner follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.095
    
    [GRAPHIC] [TIFF OMITTED] T1648.096
    
    [GRAPHIC] [TIFF OMITTED] T1648.097
    
    [GRAPHIC] [TIFF OMITTED] T1648.098
    
    [GRAPHIC] [TIFF OMITTED] T1648.099
    
    [GRAPHIC] [TIFF OMITTED] T1648.100
    
    [GRAPHIC] [TIFF OMITTED] T1648.101
    
    [GRAPHIC] [TIFF OMITTED] T1648.102
    
    [GRAPHIC] [TIFF OMITTED] T1648.103
    
    [GRAPHIC] [TIFF OMITTED] T1648.104
    
    [GRAPHIC] [TIFF OMITTED] T1648.105
    
    [GRAPHIC] [TIFF OMITTED] T1648.106
    
    [GRAPHIC] [TIFF OMITTED] T1648.107
    
    [GRAPHIC] [TIFF OMITTED] T1648.108
    
    [GRAPHIC] [TIFF OMITTED] T1648.109
    
    [GRAPHIC] [TIFF OMITTED] T1648.110
    
    [GRAPHIC] [TIFF OMITTED] T1648.111
    
    [GRAPHIC] [TIFF OMITTED] T1648.112
    
    Mr. Putnam. I would like to recognize Bruce Morrison. Mr. 
Morrison assumed his duties as Acting Chief Information Officer 
in the Bureau of Information Resource Management in December 
2002. Previously Mr. Morrison was Deputy Chief Information 
Officer for Operations in the Bureau of Information Resource 
Management. Mr. Morrison is a career senior Foreign Service 
officer. During his 26-year career, he has held a succession of 
information management positions, including serving as dean of 
the School for Applied Information Technology in the Foreign 
Service Institute. We look forward to your testimony. You are 
recognized for 5 minutes. Welcome to the subcommittee.

STATEMENT OF BRUCE MORRISON, ACTING CHIEF INFORMATION OFFICER, 
                      DEPARTMENT OF STATE

    Mr. Morrison. Thank you, Mr. Chairman, and Ranking Member 
Clay. I am honored to be here and appreciate the opportunity to 
discuss information security at the Department of State. While 
we are not where we would like to be in cyber security, I can 
report on the initial stages of improving our program.
    We at the State Department have the highest level of 
support and attention from Secretary Powell and Under Secretary 
for Management Green. Secretary Powell considers information 
technology to be a strategic component in implementing U.S. 
foreign policy.
    Let me summarize IT security at State. We have long had a 
strong perimeter defense, with technical, physical, and 
personnel controls, including an antivirus program, firewalls, 
intrusion detection, and incident reporting. However, we 
realize that a sound cyber security program is built upon a 
defense-in-depth strategy that includes management controls as 
well as technical and operational measures. What we have lacked 
in the past is a comprehensive management structure and a 
serious systems authorization program.
    It is a new day at State, with the convergence of several 
events bringing a fresh approach and commitment to cyber 
security.
    First, GISRA, and then, FISMA focused top management 
attention on cyber security. Second, we have new cyber security 
leadership at State. I stepped into the position of acting CIO 
6 months ago. Additionally, there is a new Assistant Secretary 
for Diplomatic Security with whom we collaborate closely.
    Finally, OMB very helpfully mandated that we authorize all 
systems by the fourth quarter of 2004.
    Our new organization is giving birth to a new cyber 
security culture and is producing results. We have a new Office 
of Information Assurance headed by a senior officer reporting 
directly to me. This office handles IT security policy, program 
management, performance measures, risk management, and 
reporting. There is increased departmentwide cyber security 
focus, as all offices are now involved to some degree in cyber 
security through the plans of action and milestones process and 
awareness programs. As I mentioned, there is an excellent 
rapport and collaboration between the Chief Information Officer 
and the Bureau of Diplomatic Security on all aspects of cyber 
security. Similarly, a cooperative partnership exists with the 
Chief Financial Officer on Critical Infrastructure Protection 
and the information technology budget.
    We have a senior-level multidisciplinary cyber security 
advisory group. There is a close working relationship with the 
Office of the Inspector General. In biweekly meetings with the 
Inspector General, we discuss a variety of cyber security 
issues, with FISMA requirements and systems authorization 
taking center stage.
    State has recently established an E-government program 
board chaired by Under Secretary for Management Green to manage 
all IT funds. Information assurance experts now review every IT 
system budget request to assure that appropriate security 
considerations are budgeted and executed. Very significantly, 
we have developed a certification and authorization plan. It 
was submitted to OMB in March, fully funded in mid-April. We 
are on track with the plan, with 10 percent of our systems 
done, and a goal of 33 percent by August 2003, and 100 percent 
by August 2004.
    We are taking specific steps to institutionalize cyber 
security management and practices, enhancing policies, 
developing a cyber security program management plan, 
integrating security into planning, and providing training. New 
systems are addressing security from the outset. Our future 
budget request will include security costs. Regular awareness 
sessions for all users, and mandatory training for security 
practitioners will assist in institutionalizing cyber security.
    In summary, we are still at the early stages of creating a 
comprehensive cyber security program, but we have made great 
strides over the past few months. This progress contributed to 
our PMA scores going from red to yellow to green.
    I appreciate the opportunity to talk before the committee.
    Mr. Putnam. Thank you, Mr. Morrison. You timed it 
perfectly, too.
    [The prepared statement of Mr. Morrison follows:]

    [GRAPHIC] [TIFF OMITTED] T1648.113
    
    [GRAPHIC] [TIFF OMITTED] T1648.114
    
    [GRAPHIC] [TIFF OMITTED] T1648.115
    
    [GRAPHIC] [TIFF OMITTED] T1648.116
    
    [GRAPHIC] [TIFF OMITTED] T1648.117
    
    [GRAPHIC] [TIFF OMITTED] T1648.118
    
    [GRAPHIC] [TIFF OMITTED] T1648.119
    
    [GRAPHIC] [TIFF OMITTED] T1648.120
    
    [GRAPHIC] [TIFF OMITTED] T1648.121
    
    [GRAPHIC] [TIFF OMITTED] T1648.122
    
    [GRAPHIC] [TIFF OMITTED] T1648.123
    
    [GRAPHIC] [TIFF OMITTED] T1648.124
    
    [GRAPHIC] [TIFF OMITTED] T1648.125
    
    [GRAPHIC] [TIFF OMITTED] T1648.126
    
    [GRAPHIC] [TIFF OMITTED] T1648.127
    
    [GRAPHIC] [TIFF OMITTED] T1648.128
    
    [GRAPHIC] [TIFF OMITTED] T1648.129
    
    Mr. Putnam. I want to read for you what I read to the first 
panel out of an article from the Federal Times, from an 
information security specialist in an anonymous social service 
agency. They state, ``Someone at our parent department told OMB 
we would have it done in July. We can't get it done right by 
then, so we will throw together some documentation and make it 
look like we did.''
    That never happens in any of your departments. Does it?
    Mr. Frazier. Of course it happens. Of course it happens. 
Notwithstanding the anonymity of the person who stated that, we 
know that people try to meet these artificial deadlines, and in 
the process, they--haste makes waste. And it happens.
    Mr. Putnam. Anyone else wish to jump out there?
    Mr. Cobb. I think that it's not that they are necessarily 
preparing a fraudulent set of paperwork or that's necessarily 
occurring. Instead it's a question of thoroughness. 
Specifically, how thorough are the examinations, planning, 
testing, and the different elements of the security plans.
    Mr. Putnam. Mr. Ladner.
    Mr. Ladner. My view is that the process will continue to be 
compromised until there is a plan that not only addresses the 
objectives that are set out by the statutes which we have to 
comply with, but that we go the extra mile. And so what we are 
doing at Treasury is to certainly hit our numbers on CIA, 
certainly hit the other objectives, but ensure that we actually 
have a security governance process and plan in place.
    Second, I think that the process will continue to be 
compromised if we view it in static terms instead of dynamic. 
What I mean by that, is that we need to be able to have real-
time visibility into what's happening at, in our case, the 
bureau level so that we can see on an ongoing basis what the 
numbers are. And I think over time the data quality will 
improve, so that we reduce the probability of individuals being 
able to toss over the wall data and reports that are less than 
accurate.
    Mr. Putnam. I'm told that it's been 3 years since agencies 
were told to complete their inventory of systems, and that has 
not yet been fully completed. Is that correct?
    Mr. Morrison. One of the first things that I did after 
taking over as CIO was to complete an inventory of systems 
using OMB and National Institute of Standards and Technology 
guidelines. So it is true that was only done at the State 
Department this year.
    Mr. Putnam. So we've had 3 years of artificial deadlines. 
That's fairly dynamic, and it took 3 years to get there.
    What about Treasury?
    Mr. Ladner. Whether it's ensuring that we have a good 
security program or ensuring that, for example, Treasury is 
delivering services at low cost--at high service levels--to our 
bureaus from our large network, we need to make sure that we 
understand what infrastructure we have. And so we have directed 
the bureaus to participate in a Treasury-wide total cost of 
ownership review, which will enable us to know what we have and 
therefore be able to drive enterprise architecture and the 
ability to drive the security programs much more effectively. 
So we will have that probably within several months, by fall.
    Mr. Putnam. We look forward to seeing it in the fall. But 
that will still be substantially beyond when it was to be 
completed. Correct?
    Mr. Ladner. That's my understanding based on what I've 
learned in the last 3 months. That's correct.
    Mr. Putnam. OK. What about Ag?
    Mr. Charbo. We are in the process as well of looking at 
what systems we have and where they are. We have 576 IT 
projects. Our focus right now is to consolidate those down to a 
more manageable level. Let's retire those that are legacy, 
let's retire them, move on, identify those under redevelopment, 
bring those into the planning and investment process so that 
security, as Mark discussed earlier, can be placed up front 
where it is more cost effective and easier to manage.
    Mr. Putnam. Mr. Charbo, you came from FSA, so I am going to 
pick on you first. In the article the same unnamed person said, 
in expressing their frustration not having appropriate 
authority, ``they have their own funding and don't report to 
us. When I call them and ask for this or that report, they just 
ignore me.''
    Is that something that you found in your role at FSA, that 
you had difficulty getting the different branches around the 
country to take your requests seriously?
    Mr. Charbo. From a security perspective, that is somewhat 
better managed at FSA within the Department. Most of that 
funding is being placed under the common computing environment 
budget which is a centralized budget for the service center 
agencies. So we have a better handle on how the security is 
being done in those agencies within the service center, FSA 
included.
    Mr. Putnam. So that's not a problem at FSA. Is it a problem 
in other parts of the department?
    Mr. Charbo. I won't deny that at times it is difficult to 
get information out of agencies, yes. And when we experience 
that, my position is to go to the Deputy Secretary, the 
administrators, or directly to the Secretary if we need 
movement. And I've been getting that support when we do that.
    Mr. Putnam. Anyone else wish to add to that or comment on 
that?
    Mr. Morrison. I think the State Department made a big step 
forward this year by organizing an E-government program board 
that now governs the entire IT budget. That was a very 
necessary step to carry out the act.
    Mr. Frazier. Mr. Chair, at Commerce, one of the biggest 
battles that we've fought, but I think one of the battles that 
was absolutely essential, was to make certain that all of the 
individual agency CIOs reported to, at least for part of their 
management responsibility, to the Department's CIO. And so 
those individual bureau CIOs now have more authority to 
override some of the concerns, override even their program head 
if they disagree with him. So that is something that has, I 
think been absolutely critical to improving the process at 
Commerce where you have the individual CIOs reporting to a head 
CIO at the departmental level.
    Mr. Ladner. In my first month at Treasury, we created with 
the Treasury Budget Office, a Technology Investment Review 
Board that reviews all IT investments across Treasury. And so I 
think that, as bureaus understand both from a statutory 
standpoint as well as an end-user standpoint that we have to 
have security considerations integrated into the budget 
process, that increasingly that close collaborative 
relationship is being created.
    Mr. Putnam. Mr. Cobb, you have heard Mr. Frazier's 
testimony expressing some concern about artificial deadlines or 
overly aggressive schedules that would cause people to 
potentially cut corners in their quest to get certified or 
accredited. NASA has worked rather hard to improve its 
performance and has made some progress. How did you ensure that 
the agency's desire to make that progress didn't lead to 
skimping on the work of correcting vulnerabilities?
    Mr. Cobb. Well, our audit strategy has been primarily aimed 
at looking at specific systems, and as I mentioned we've done 
26 audits last year of specific systems. Some were agency-wide. 
And I took note of the biweekly meetings at State.
    We don't have those biweekly meetings and we should have 
them; because, for example, we didn't see NASA's executive 
summary until a week before they submitted the GISRA report. So 
we were not on top of the reports of improvement of the NASA 
programs and NASA's assessments of its systems, by the time we 
filed our GISRA report. The way in which we are going to get 
after that is by assessing exactly how thorough NASA was in 
their systems analyses. In addition, we're going to continue to 
do our aggressive auditing of NASA systems to determine the 
thoroughness of their systems' analyses and we will try to 
verigy their results through sampling.
    Mr. Putnam. You have heard the recurring theme that this is 
a management issue or a technology issue, it's not a money 
issue. Mr. Ladner, your IG stated that there is a general 
feeling that some bureaus, ``appeared to view the GISRA annual 
reporting process as a pro forma exercise.'' In your GISRA 
report to OMB, 8 of the 10 current material weaknesses in IT 
security were repeats from 2001.
    Mr. Morrison, your IG stated that the lack of security 
planning and missions is the result of, ``insufficient guidance 
from the Department, and a general belief that IT information 
security is less important than other elements of security.''
    Mr. Charbo, your IG at USDA said, ``The Department did not 
have security plans in place for all its major applications and 
general support systems, had not planned for contingency, had 
not certified security controls in place and authorized 
processing for all of its systems. Nor had the Department 
identified all of its mission-essential infrastructure, 
conducted risk assessments, or prepared mitigation plans on the 
identified risks.''
    What are you all going to do to change the culture at your 
departments?
    Mr. Charbo. We have been doing this in a process where the 
first thing is discovery. We feel that we've identified the 
projects on the IT basis by doing a few things. One is we've 
lowered our waiver process of how departments and agencies 
within USDA can spend their dollars for IT so that we can 
identify where is the money going and what things are being 
done with this. We've also incorporated that into the 
investment process with OMB, the 300 business case analysis 
which now requires two key things for this. One is project 
management skills. Even though we have a project identified, 
that does not mean it's going to get delivered on time, on 
budget, and meeting the requirements that the system was 
intended to do.
    We now have a process in place that we believe will do 
that, and that is requiring a name, an accountable person with 
the skills to deliver that project on time on budget and with 
the requirements. Security is a major component. Given all the 
requirements in that document, if security is lacking, it will 
not go forward. We will not approve that investment moving 
forward. We have also made our senior executives accountable 
under a security grading process that we have within the chief 
information officers. We've started monthly meetings with 
administrators.
    Typically what we do is we have to identify what have you 
spent on security rather than it being a definite budgeted line 
item for security. So we are talking more of a proactive than 
reactive, which, in a lot of the cases, the reports represent. 
It's just trying to find out what has been done rather than 
where we are going. We have identified where do we want to be 
in the next year. Within our office through July, we have 
identified, on a quarterly basis, where we want to be with 
security. We have done that with our e-government areas, our 
network management and several key areas within the IT area of 
the Department of Agriculture.
    Mr. Putnam. Mr. Ladner and Mr. Morrison.
    Mr. Ladner. At Treasury, I mentioned our focus on the 
capital planning process. We believe that is absolutely 
critical if we are going to get change across the Department. 
One of the actions we've taken in the last 3 months is to 
create, for the first time, an office of policy and planning 
that pulls together the IT government's enterprise architecture 
and our tracking of E-Government services so we can integrate 
security--not in a silo-like fashion--but truly across all of 
our functions and across the Department. Second, we have 
deployed a PKI, a public key infrastructure, and we are looking 
forward to having a framework with specific examples where we 
can move the ball forward in improving our security. And I 
think that where the bureaus see the CIO and the CIO leadership 
actively engaged in spending time on improving our security, I 
think that sends a very strong signal.
    For example, last week the Bureau of Engraving and Printing 
affixed, for the first time in our Department, a digital 
signature to a form. We are actively trying to not only improve 
security but also essential PKI vehicles. I am very involved in 
that and I think that sends a very strong signal to the rest of 
the bureaus.
    I would also add, in addition to what Scott said about 
accountability, that at the IRS where security has been an 
issue with regard to reports, they are working very hard with 
my office to address and to fix our exhibit 300's issue. And I 
think at the end of the day, we can't wave the flag on progress 
unless we have really made progress and that's the test of 
fixing the 300's. In addition, the IRS is holding their 
managers accountable for fixing their security issues on those 
300's and I think that's a real sign. Getting to your question 
on the cultural dimension, we're in fact making progress on the 
cultural dimension--but there's a long way to go.
    Mr. Morrison. Mr. Chairman, Under Secretary Green is 
leading aggressively on the IT security issue. I'm engaged 
directly with the other assistant secretaries. I'm happy to say 
that in the last two quarters, we now have over 90 percent of 
the State Department bureaus engaged in the plans of action and 
milestone process. As my colleagues have mentioned, it's 
vitally important that security become an integral element of 
the budget process, which we achieved this spring. So in 
summary, it's a slow painful process, but we are making 
progress at changing the culture.
    Mr. Putnam. Mr. Clay, you're recognized.
    Mr. Clay. Thank you, Mr. Chairman. Mr. Frazier, the 
Department of Commerce accounts for much of the improvement in 
the OMB table. The subcommittee's report card shows only modest 
improvement at the Department between 2001 and 2002. Can you 
explain the difference, and which do you believe is the more 
accurate reflection of the situation at the Department?
    Mr. Frazier. I guess I could start with a quote from 
something my grandmother used to say to me: ``You know, we are 
not where we should be and where we want to be, but thank God 
we're not where we used to be.'' So I think there is a mind-set 
in the Department that recognizes that we have made tremendous 
progress. But I have to tell you, we still have a long way to 
go. I don't want to speak for what GAO says or even what the 
Department CIO says, I'll just speak for what my systems 
evaluators have found. Every time they have gone into an area 
that has supposedly been certified and has been accredited, 
they have found problems that continue.
    Here I will quote Ronald Reagan: ``trust but verify.'' 
There is usually this mind-set that because somebody tells you 
something, it must be true, and that is not always the case. 
And I don't think there is any intent to deceive as much as it 
is as let's get this done and let's get that done. And as we go 
back and start to verify and see that there are still gaps, we 
have also been tremendously impressed with how responsive the 
Department has been to deal with our issues.
    And so now you begin to see that they are saying before we 
send this forward, maybe we ought to go out and do some testing 
and do some validating. So I think that the explanation is that 
we still have a ways to go. We have made progress. But part of 
it is in the mind-set. I think the Chair has hit it a number of 
times on the head by saying that the management philosophy has 
changed. Take this seriously.
    The Secretary is making sure that people are held 
accountable for this. One area that I remain concerned with is 
that I see that the managers, the CIOs have gotten the message. 
I still have concerns as to whether the folks on the front 
lines have gotten the message. I can't tell you how many times 
we have gone back to tell a CIO of a particular bureau who 
thinks this is one of their model systems. And I say let me 
show what we have found. And of course they become very 
disappointed. So there is still a great deal of work to be done 
but I have to tell you that significant progress has been made. 
Being one of the folks that has been around a little while and 
again when I was here 2 years ago, it was such a dismal report. 
So I can take pride in saying that a lot has happened, but we 
still have a long way to go.
    Mr. Clay. Thank you for that response. Mr. Cobb, NASA 
accounts for most of the rest of the improvement in the table. 
The subcommittee's report card shows a decline in performance 
in that Department between 2001 and 2002. Can you explain that 
difference and which do you believe is the more accurate 
reflection of the situation at NASA?
    Mr. Cobb. Well, I think the variance in the views between 
the IG's and CIO's may be due to the differences in 
interpretating of the data. I think that's the same reason that 
you have a different story between how the subcommittee views 
the meaing of data and how OMB views the data.
    My impression from what I have seen in the 1 year that I 
have been the NASA IG is that NASA is doing much better than 
when I came in. The reason is because the senior levels of 
management and the CIO's office, have acknowledged the fact 
that they have serious problems. They have had a number of 
management changes in the CIO's office. They have a lot of 
plans and programs that are underway. The verdict is out on 
whether or not they're going to effectively meet the challenges 
of IT security.
    But certainly, in terms of the cultural change and what 
they have not done, is make the center CIO's report to the 
CIO's NASA has 10 or so centers that report to the center 
directors. The CIO doesn't write their evaluation. I think NASA 
is doing much better. They're focusing on the problems and we 
keep beating the drum right behind them.
    Mr. Clay. How are the front line workers implementing these 
applications and systems?
    Mr. Cobb. NASA has a very large number of systems and 
related systems' NASA reports. But there may be systems and 
applications of systems that information managers don't even 
know about. The scientific community, in terms of the front 
lines, are very mission-oriented, and I don't think that they 
view their mission is IT security. I think their mission is 
doing incredible scientific endeavors. And I would absolutely 
agree that the biggest challenge that any CIO has is how to get 
the entire organization inculcated with a concept that IT 
security is a primary responsibility rather than a secondary 
responsibility.
    Mr. Clay. Thank you.
    Mr. Morrison, the State Department was one of the agencies 
whose grade went down from 2001 to 2002. Can you explain that 
decline?
    Mr. Morrison. I wasn't the Chief Information Officer at 
that time, but I was there. I think that OMB summed it up very 
well that the Department lost its focus on IT security and 
allowed itself to concentrate more on other matters. We 
certainly don't dispute the findings of the OIG or the 
judgments of GAO or OMB.
    Mr. Clay. Mr. Charbo and Ladner, both of your agencies 
received failing grades in both 2001 and 2002. Can you explain 
why your agencies have not adequately addressed computer 
security over this period? Start with you, Mr. Ladner.
    Mr. Ladner. Like Mr. Morrison, I am fairly new, about 3 
months, so my understanding from what my briefings have been is 
that the structures and processes and systems simply weren't in 
place to facilitate an enterprise-wide view of security, which 
is absolutely critical. And so, for example, at the IRS, where 
a number of the security issues have been, what the IRS has 
done is to transition more from a facilities based approach to 
an enterprise wide based approach.
    So this is something that now we are pushing both now on a 
Treasury-wide basis as well as at the bureau level.
    Mr. Clay. Mr. Charbo.
    Mr. Charbo. I guess just this one time we won't say much 
about consistency in the grades. From my perspective, I am not 
looking back at those. We are very focused on where we want to 
go. Using the FISMA report, we have identified over 1,400 tasks 
that we need to do to correct the 243 weaknesses that we have, 
rather than just, on a quarterly basis or an annual basis, 
coming back and trying to say OK, where are we now? We are 
taking ownership of those to reduce those. We have identified 
folks in every agency within the Department of who owns 
responsibility within those systems to correct it. And our 
vision is to reduce those numbers in half on the next mark if 
we can, identify the funds that we need in order to do that and 
move forward with those.
    Mr. Clay. And that process is occurring now.
    Mr. Charbo. That process is occurring right now.
    Mr. Clay. Thank you very much for all of your answers. I 
appreciate it.
    Mr. Putnam. Thank you, Mr. Clay. This panel has made 
several references to personal drive affecting their 
departments, the leadership, the priority, the sense of urgency 
that you have brought as fresh leadership in this area. My 
concern is that we have not institutionalized this as a 
priority in the departments, and that a year from now, when we 
have someone else sitting here, they say I have only been on 
the job 3 months or 6 months. I wasn't here for the last FISMA 
or GISRA report. And I know different ones of you have alluded 
to this, but what are the last institutional changes that you 
are deploying that will guarantee that regardless of who 
occupies your position, these information security measures 
will become a part of the culture all the way down to the front 
line level?
    Mr. Frazier, do you want to jump out there?
    Mr. Frazier. It is an interesting observation. You remember 
when you started earlier this morning, you read the quote from 
The Federal Times, and you were talking about documentation and 
someone had said that we don't think documentation is that 
important, we can either document something or we can get the 
work done. Well, here's where I disagree with that: That 
statement is absolutely wrong. Because when you document 
something, you leave a record so that it doesn't matter whether 
I am sitting as the CIO today and John Doe is sitting there 
next week. You have a base line. When something hasn't been 
documented, we haven't put it down.
    Every time a new CIO comes in, they are starting from 
scratch, so we don't make the kinds of progress that we should 
be building upon. Every time a new CIO comes in, there is a new 
plan that says let's really get this under control. And this is 
difficult work. One of my staff gave me a cartoon that said IT 
security is like a stubborn mule. You know, making progress 
with it is something that's very difficult but you shouldn't 
have to reinvent the wheel every time. So it's the documenting 
it so that you begin to institutionalize the process, so 
there's a frame of reference that we know where we were and all 
of us can talk on the same page, if you will.
    I think that's one of the important steps that should be 
taken. So I go back to that and I think that is indicative of 
the kinds of things that have to happen.
    Mr. Putnam. What about the attitudes of people you have to 
work with who think it is an either/or tradeoff?
    Mr. Frazier. We were lucky. I'll tell you that about 2 
years ago when I came up to testify, we were highly critical of 
the Department. The new Deputy Secretary had just been on the 
job for less than 3 days and he was dragged before the 
committee to respond to Bob Dacey's report and my report, and I 
mean, they just ripped him apart. In the process, he left that 
meeting, called me into his office, and said, ``What do we need 
to do to get this turned around?'' So we have had the kind of 
cooperation that has made a tremendous difference, and it's 
because I think that he saw how serious the Congress was about 
this issue in that it wasn't something that was going to go 
away.
    And in the process he has instilled in his managers--we do 
some incredible work at Commerce, but people have to understand 
if you don't have systems and things that are secure, you put 
all of those programs at risk in the process. That message is 
out there, and it's out there and making a difference.
    Mr. Putnam. We are going to make sure that message gets to 
the FAA who made the comment. Anyone else?
    Mr. Morrison. I think that the FISMA Act itself, as well as 
OMB's Presidential management agenda process has gone a long 
ways toward institutionalizing IT security. It certainly has 
focused top management attention on this matter. We've made 
fundamental changes in our budget process and frankly, there's 
nothing like having to report every quarter, or in my case, I 
have to report to the Under Secretary for management, both in 
writing and orally every month. And there's nothing like having 
to report frequently and regularly to focus your attention on 
correcting problems. And I think that this framework that's 
provided by the act and by OMB is not going to go away, if I go 
away.
    Mr. Ladner. The reason that change is enduring is that 
there are structures, processes and systems in place that are 
hard to change, and that's why our first step was IT 
governance. So I think that if we want people on the front 
lines to believe that their actions, or lack thereof, have an 
impact, we have to tie resource allocation to performance. And 
that's what IT governance and security governance ensures.
    Clearly there's a long way to go on this front, but our 
goal at the Treasury Department is to articulate a framework 
which we have, and then pick out instances where we are showing 
that the lack of performance results in resource reallocation. 
And that's the kind of change that we believe will be more 
enduring.
    Mr. Charbo. If I could point out a few of the firsts that 
we have done that will carry on, regardless of who sits in the 
Chair that I sit in right now. We have released some governance 
policy around security. It's quite a load to the agencies. 
However, we are putting people in place and contracts in place 
to help support them in correcting their security needs. We've 
also started a configuration management and policy board to 
manage the configurations across the Department. We are testing 
our business systems, the ability to recover. We're doing that 
at FSA, at NRCS, Rural Development, the National Finance 
Center.
    First time now we are consistently testing these on a timed 
basis, so it's not just once when somebody asks whether or not 
we're doing it, but it's on a regular cycle now that we're 
testing those, and that's more and more systems that we're 
doing it as well. We have also initiated a department-wide 
process to identify what the plans are. Where one system is 
dependent on another, if that system goes down, others may go 
down. We're interested in those threats.
    So we have initiated some process to connect those dots, 
identify the trees that we need to initiate in the event of a 
crisis. We have also changed our investment board around so now 
that security is a key component in all of the investments 
within USDA. The CIO owns those projects, positioning those 
projects within that investment board. On April 1, we released 
our first enterprise architecture vision of where we would like 
to see the investments move in the Department of Agriculture as 
well.
    And last, we're training folks in project management. We've 
initiated a number of classes. Those classes are done in 
various locations throughout the country to provide us the 
quality folks that we need to deliver on some of these things. 
I believe those will continue, whether or not I'm in the chair 
that I currently sit in.
    Mr. Putnam. Mr. Cobb, do you have anything to add?
    Mr. Cobb. I would agree with that. I think that FISMA is 
providing our IG office with the tools to get after the agency 
in terms of making sure that their programs are compliant with 
what you would expect from a robust IT security system. One 
concern I have about the structure of GISRA and FISMA is the 
extent to which the act requires independent evaluations of the 
system as a whole. Also, whether the system, from an umbrella 
standpoint, is actually accomplishing the objective of 
protecting information.
    I would like to have my office work toward conducting a 
review of the policies to see whether or not they are 
substantively working. And the other big point that gets back 
to that front line is that it is critical to inculcate all 
Federal employees on the importance of IT security. There may 
be an avenue for legislating training requirements to make sure 
that this message is communicated. However, I'll leave that to 
speculation at this point.
    Mr. Putnam. We look forward to hearing your conclusion when 
you reach it, and we'll let that be the final word for the 
second panel. You know, it seems that the Federal Government 
never really learned its lesson on physical security or 
perimeter security and enforced protection until after Beirut, 
and Oklahoma City and Khobar Towers and the U.S.S. Cole, and we 
never really learned our lessons on aviation security until 
after September 11. And it seems terribly frustrating that what 
it would appear is that it will take a digital September 11 or 
digital Pearl Harbor or some catastrophic cyber attack for 
people to get the message that this is important, that this is 
a priority, not just in some egghead CIO's office, but all the 
way down to the front line as part of their daily 
responsibilities.
    And I think that is the part that is incredibly 
frustrating. We hear an awful lot of connecting the dots and 
learning from the mistakes of the past. As it relates to cyber 
threats, there is very little indication that anyone takes the 
threat seriously. I want to thank our witnesses for their 
contribution to our efforts in understanding this issue better, 
and I look forward to your continuing cooperation as we move 
toward greater coordination and more progress in improving our 
Federal Government's information security. I also want to thank 
Mrs. Miller, Ms. Watson and Mr. Clay for their participation 
and leadership on the subcommittee.
    In the event that there may be additional questions that we 
did not get to today, the record will remain open for 2 weeks 
for submitted questions and answers. Thank you all very much 
and the subcommittee stands adjourned.
    [Whereupon, at 12:25 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T1648.130

[GRAPHIC] [TIFF OMITTED] T1648.131

[GRAPHIC] [TIFF OMITTED] T1648.132

[GRAPHIC] [TIFF OMITTED] T1648.133

