b"<html>\n<title> - INFORMATION SECURITY IN THE FEDERAL GOVERNMENT: ONE YEAR INTO THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n   INFORMATION SECURITY IN THE FEDERAL GOVERNMENT: ONE YEAR INTO THE \n              FEDERAL INFORMATION SECURITY MANAGEMENT ACT\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION\n                POLICY, INTERGOVERNMENTAL RELATIONS AND\n                               THE CENSUS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 16, 2004\n\n                               __________\n\n                           Serial No. 108-167\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n94-838                      WASHINGTON : DC\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nNATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, \nCANDICE S. MILLER, Michigan              Maryland\nTIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of \nMICHAEL R. TURNER, Ohio                  Columbia\nJOHN R. CARTER, Texas                JIM COOPER, Tennessee\nMARSHA BLACKBURN, Tennessee          ------ ------\nPATRICK J. 
TIBERI, Ohio                          ------\nKATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                    Melissa Wojciak, Staff Director\n       David Marin, Deputy Staff Director/Communications Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n          Phil Barnett, Minority Chief of Staff/Chief Counsel\n\n   Subcommittee on Technology, Information Policy, Intergovernmental \n                        Relations and the Census\n\n                   ADAM H. PUTNAM, Florida, Chairman\nCANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri\nDOUG OSE, California                 DIANE E. WATSON, California\nTIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts\nMICHAEL R. TURNER, Ohio\n\n                               Ex Officio\n\nTOM DAVIS, Virginia                  HENRY A. WAXMAN, California\n                        Bob Dix, Staff Director\n                 Chip Walker, Professional Staff Member\n                         Juliana French, Clerk\n            Adam Bordes, Minority Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on March 16, 2004...................................     1\nStatement of:\n    Corts, Paul, Assistant Attorney General for Administration, \n      Department of Justice......................................    88\n    Dacey, Robert F., Director, Information Security Issues, U.S. \n      General Accounting Office..................................     9\n    Evans, Karen, Administrator, Electronic Government and \n      Information Technology, Office of Management and Budget....    
47\n    Merschoff, Ellis W., Chief Information Officer, Nuclear \n      Regulatory Commission......................................   138\n    Rush, Jeffrey, Jr., Inspector General, Department of the \n      Treasury...................................................    97\n    Weems, Kerry, Acting Assistant Secretary for Budget, \n      Technology and Finance, Department of Health and Human \n      Services...................................................   150\n    Wu, Benjamin, Deputy Under Secretary for Technology, \n      Department of Commerce.....................................    58\nLetters, statements, etc., submitted for the record by:\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of...................   190\n    Corts, Paul, Assistant Attorney General for Administration, \n      Department of Justice, prepared statement of...............    91\n    Dacey, Robert F., Director, Information Security Issues, U.S. \n      General Accounting Office, prepared statement of...........    11\n    Evans, Karen, Administrator, Electronic Government and \n      Information Technology, Office of Management and Budget, \n      prepared statement of......................................    50\n    Merschoff, Ellis W., Chief Information Officer, Nuclear \n      Regulatory Commission, prepared statement of...............   140\n    Putnam, Hon. Adam H., a Representative in Congress from the \n      State of Florida, prepared statement of....................     5\n    Rush, Jeffrey, Jr., Inspector General, Department of the \n      Treasury, prepared statement of............................    99\n    Weems, Kerry, Acting Assistant Secretary for Budget, \n      Technology and Finance, Department of Health and Human \n      Services, prepared statement of............................   
152\n    Wu, Benjamin, Deputy Under Secretary for Technology, \n      Department of Commerce, prepared statement of..............    61\n\n \n   INFORMATION SECURITY IN THE FEDERAL GOVERNMENT: ONE YEAR INTO THE \n              FEDERAL INFORMATION SECURITY MANAGEMENT ACT\n\n                              ----------                              \n\n\n                        TUESDAY, MARCH 16, 2004\n\n                  House of Representatives,\n   Subcommittee on Technology, Information Policy, \n        Intergovernmental Relations and the Census,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 1:17 p.m., in \nroom 2247, Rayburn House Office Building, Hon. Adam Putnam \n(chairman of the subcommittee) Presiding.\n    Present: Representative Putnam.\n    Staff present: Bob Dix, staff director; John Hambel, senior \ncounsel; Chip Walker and Shannon Weinberg, professional staff \nmembers; Juliana French, clerk; Suzanne Lightman, fellow; Adam \nBordes, minority professional staff member; and Cecelia Morton, \nminority office manager.\n    Mr. Putnam. Good afternoon. A quorum being present on this \nrainy Tuesday and the sound system back up and running, the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census will come to order.\n    Good afternoon and welcome to another important hearing on \ncybersecurity. This is the first oversight hearing conducted by \nthe subcommittee on IT security this year.\n    Last year, we learned a great deal about threats, \nvulnerabilities, new technologies and new strategies for \naddressing the important issue of information security. 
Since \nour last hearing on this topic, the only thing that has really \nchanged is the urgency of the threat.\n    While I believe that it may be fair to say that there might \nbe more discussions taking place about these issues, the time \nfor discussion and debate now yields to a more important \nrequirement for action. Every month virus and worm attacks are \nbecoming more prevalent and more malicious. One recent report \nplaced the worldwide mitigation costs for the month of February \n2004, at $83 billion. Some say that number is overinflated. So \nlet's say that it's off by half. That's still a staggering \nnumber.\n    The cyber threat poses some very unique and difficult \nchallenges. Our infrastructure and government systems can be \nattacked from anywhere, at any time. We know that various \nterrorist groups are very sophisticated and becoming more so \neach day, not to mention government-sponsored attacks. Our \ngovernment has taken dramatic steps to increase our physical \nsecurity, but protecting our information networks has not \nprogressed commensurately, either in the public or private \nsectors. DHS is really just getting its feet on the ground in \nthis arena. While I acknowledge the efforts of the National \nCyber Security Division, I will reiterate my concern that we \nare collectively not moving fast enough to protect the American \npeople and the U.S. economy from the very real threats that \nexist today.\n    The privacy and security of the public remain at risk. The \neconomic damage being done to our economy is significant. The \nmagnitude of this clearly is what makes this hearing so \nimportant, because governmentwide we are still failing to \nadequately secure our networks. Government must be the leader. \nWe must set the standard, and we must do it now. 
The oversight \nby this subcommittee will be commensurate with the threat: ever \nincreasing and aggressive.\n    In December of last year, the subcommittee released the \n2003 Federal Computer Security Score Card. It was the 4th year \nthat Federal agencies were graded, following the process begun \nby former Congressman Steve Horn. This past scorecard for the \nfirst time based grades on the criteria established by the \nFederal Information Security Management Act [FISMA].\n    Chairman Davis, through his FISMA legislation as part of \nthe E-Government Act of 2002, laid the groundwork for better \nsecurity and better reporting for the government's computer \nsystems. This year's grades were based on the FISMA compliance \nreports that the agencies provided to Congress and OMB in \nSeptember of last year. OMB has worked hard to advance computer \nsecurity at all the Federal agencies. I would also like to \nthank the GAO for their invaluable help in preparation of these \ngrades.\n    This year is an important grading year because, for the \nfirst time, we can accurately compare the agencies to a \nprevious year because the grading elements provide an apples-\nto-apples comparison.\n    This year overall the Federal Government received a grade \nof D. That's a modest increase over the F the government \nreceived last year.\n    For the first time, two agencies, the Nuclear Regulatory \nCommission and the National Science Foundation received A's.\n    Fourteen agencies have increased their grades this year, \nalthough a couple actually slid backward.\n    Only five agencies--five agencies--in the Federal \nGovernment have completed reliable inventories of their \ncritical IT assets, leaving 19 without reliable inventories. \nThis is troubling considering we are 4 years into this process \nand we still have far too many agencies with incomplete \ninventories.\n    How can you secure what you do not know you have? 
How can \nyou claim to have completed a certification and accreditation \nprocess absent a reliable inventory of your assets?\n    The IGs of three agencies--DOD, Veterans Affairs and \nTreasury--did not submit reports in a timely manner. This \nrepresents a serious problem. I must stress the IG component of \nthis equation is critically important. The independent \nverification is vital and particularly in light of the fact \nthat there were significant differences between many of the \nagencies and their IG's. Seven agencies had differences of two \ngrades or more with their IGs.\n    Fourteen agencies are still below a C, and eight received \nfailing grades.\n    As we worked on these grades, there were some overriding \nthemes that became apparent for the agencies with good grades \nversus those with poor grades: a full inventory of their \ncritical IT assets; they identified critical infrastructure and \nmission critical systems; a strong incident identification and \nreporting procedure; tight controls over contractors; strong \nplans of actions and milestones that serve as guides for \nfinding and eliminating security weaknesses.\n    The Nuclear Regulatory Commission and the National Science \nFoundation should be commended for their outstanding scores, as \nwell as the Social Security Administration and the Department \nof Labor for their B pluses. And while DHS has a failing grade \nthis year, we recognize the difficult reorganization that took \nplace and we expect significant improvement next year.\n    To assist agencies, I have requested that each of the 24 \ngraded agencies come to meet with staff to discuss their grade. \nSo far, staff has met with 14; and the results are very \nencouraging. We have seen a great deal of enthusiasm and \nwillingness to do the work necessary. 
The agencies have also \nexpressed gratitude for the opportunity to discuss the work \nthey are doing and the grades with the subcommittee.\n    I am encouraged that OMB, in the recently released FISMA \nreport and during Clay Johnson's testimony 2 weeks ago, \nstressed that there was an increased determination to hold \nagencies accountable for implementing FISMA. There is some \nclarification that I will seek today in something that is \nwritten in the OMB report. The report on page 13 says the \nfollowing: ``while awareness of IT security requirements and \nresponsibilities has spread beyond security and IT employees, \nmore agency program officials must engage and be held \naccountable for ensuring that the systems that support their \nprograms and operations are secure. This issue requires the \nFederal Government to think of security in a new manner. The \nold thinking of IT security as the responsibility of a single \nagency official or the agency's IT security office is out of \ndate, contrary to law and policy and significantly endangers \nthe ability of agencies to safeguard their IT investments.''\n    While I agree that IT security is a collective \nresponsibility, the language I referred to seems to indicate \nthat no one person will be held accountable. I disagree. This \nchairman and this subcommittee will seek accountability of the \nhighest agency official responsible for information technology \ninvestments to insure that IT security is baked into the \ninvestment decisionmaking process, consistent with the law as \nestablished in the Clinger-Cohen Act.\n    I have already initiated a process, working with Chairman \nDavis, to amend the Clinger-Cohen Act to explicitly identify \ninformation security as a required element of the IT investment \nmanagement oversight and decisionmaking process within every \nagency of the Federal Government. 
The grade of D for the \nFederal Government simply is not acceptable.\n    Frankly, one of the continuing obstacles to progress is \nthat too many people still view information security as a \ntechnology issue. This is a management and governance issue and \nmust be accounted for in every business case and in \nimplementation of a Federal enterprise architecture. This is \nthe responsibility of all stakeholders, and the silo walls must \ncome down with this and other transformation efforts to employ \ncollaborative solutions that will provide increased safety and \nprotection for the American people and the U.S. economy.\n    I welcome and applaud the increased oversight being \nemployed by the Office of Management and Budget through the use \nof existing tools and business case evaluation. I particularly \napplaud the recent announcement that OMB will not approve \nagency expenditures for IT development and modernization \nprojects until they have sufficiently demonstrated that their \nexisting information technology assets are secure.\n    Working together as partners in progress, we will continue \nto be vigilant in our efforts to achieve the security of the \ninformation networks that support the mission activities of the \nFederal Government and protect the information assets that they \ncontain.\n    Many cybersecurity technologies offered in today's \nmarketplace can serve as safeguards and countermeasures to \nprotect agencies' IT infrastructures. To assist agencies in \nidentifying and selecting such technologies, I have asked GAO \nto categorize specific technologies according to the \nfunctionality they provide and describe what the technologies \ndo, how they work, and their reported effectiveness. GAO is \nreleasing this report today, and I want to thank them for their \nwork and effort in producing this document. I read it on the \nplane up here, and it's outstanding. 
It is information security \nfor dummies, Congressmen and bureaucrats; and I found it \nextremely helpful. Had I had that GAO report when I first \nbecame chairman, it would have knocked the learning curve down \na bit, but it was very helpful.\n    I would like to welcome all of our witnesses here today. I \nwant to thank you for your time, and I look forward to your \ntestimony.\n    [The prepared statement of Hon. Adam H. Putnam follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.001 through T4838.004\n    \n    Mr. Putnam. I ask unanimous consent to insert in the \nrecord, the statement of my ranking member, the gentleman from \nMissouri, Mr. Clay. Without objection, show it done.\n    We will move directly into testimony.\n    All of you are old hands at this. You understand the light \nprocess, and we certainly appreciate your summarizing your \nstatements.\n    Please rise and raise your right hands.\n    [Witnesses sworn.]\n    Mr. Putnam. I indicate for the record that all the \nwitnesses responded in the affirmative.\n    I would like to introduce our first witness, Robert Dacey. \nMr. Dacey is currently Director of Information Security Issues \nat the U.S. General Accounting Office. I thought that we \nchanged that. Has that passed the Senate yet? Don't you have a \nnew name?\n    Mr. Dacey. I'm not sure quite yet.\n    Mr. Putnam. 
Everybody is waiting on the Senate.\n    His responsibilities include evaluating information \nsystems, security and Federal agencies and corporations, \nassessing the Federal infrastructure for managing information \nsecurity, evaluating the Federal Government's efforts to \nprotect our Nation's private and public critical infrastructure \nfrom cyber threats, and identifying best security practices at \nleading organizations and promoting their adoption by Federal \nagencies.\n    You are always a great asset as a witness to this \nsubcommittee, and you are recognized. Welcome.\n\n STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY \n             ISSUES, U.S. GENERAL ACCOUNTING OFFICE\n\n    Mr. Dacey. Mr. Chairman, I am pleased to be here today to \ndiscuss the Federal Government's efforts to implement FISMA. As \nyou requested, I will briefly summarize my written statement.\n    Since 1997, we have identified information security as a \ngovernmentwide high-risk issue. Congress has demonstrated their \nconcern through ongoing hearings on information security and \nenactment of reform legislation. This subcommittee has played a \nvery active role in addressing Federal information security \nchallenges, including the grades you referred to in your \nopening statement which are based on a broad range of \ninformation included in the FISMA reports.\n    Based on our recent analysis of audit results and on \nreported FISMA information for 24 of the largest agencies, the \nFederal Government has made progress but continues to face \nsignificant information security risks to its critical \noperations, information and assets.\n    The first year FISMA reports provide important comparative \ndata on information security performance measures and certain \nnew information. The reports identify progress and highlight \nseveral challenges including the following.\n    No. 
1, while reported performance measures generally \nincrease, there continued to be a wide variance among the \nagencies.\n    No. 2, IG's reported less than half of agencies had \ncomplete system inventories now required by FISMA.\n    No. 3, reported systems with certification and \naccreditations continued to increase to 62 percent and systems \nwith controls tested to 64 percent. However, both IG \nevaluations and our own ongoing review have identified \nefficiencies in the CNA processes, such as lack of control \ntesting and outdated risk assessments. Also, as additional \nsystems are certified and accredited and controls tested, it is \nlikely that additional deficiencies will be identified.\n    No. 4, over half of agency systems do not have tested \ncontingency plans, an essential step in ensuring that critical \nsystems can continue to operate in the event of unexpected \ninterruptions such as a cyber or physical attack.\n    No. 5, as a result of new OMB reporting requirements, IG's \nidentified challenges in agencies' processes for remediating \nidentified deficiencies which are key to ensuring that \nsignificant weaknesses are addressed in a timely manner and \nreceive appropriate resources.\n    And, No. 6, we noted opportunities to improve the \nusefulness of reported measures included in FISMA reports \nincluded independent validation of reported information to \nensure that such information is reliable.\n    In its fiscal year 2003 report to Congress, OMB concluded \nthat the Federal Government has made significant strides in \nidentifying and addressing longstanding problems, but the \nchallenging weaknesses remain. In particular, the report notes \nseveral governmentwide findings such as progress against \nmilestones and lack of clear accountability for ensuring \nsecurity of information and systems.\n    The report also presents a plan of action that OMB is \npursuing with agencies to close the gaps and improve security. 
\nNIST also has taken a number of actions to develop FISMA-\nrequired system risk levels and corresponding minimum security \nstandards and to improve Federal information security. However, \naccording to NIST, current and future funding constraints could \nnegatively impact its work in this area. Further, Mr. Chairman, \nas you noted in your opening statement, we released today our \nreport on current cybersecurity technologies that are available \nto Federal agencies.\n    In summary, through the continued emphasis on information \nsecurity by the Congress, the administration, agency management \nand the audit community, the Federal Government has seen \nimprovements in its information security. Achieving significant \nand sustainable results will likely require agencies to \ninstitutionalize programs and processes that prioritize and \nroutinely monitor and manage their information security efforts \nand provide information to facilitate day-to-day management of \ninformation security throughout the agency as well as verify \nthe reliability of reported performance information.\n    Mr. Chairman, this concludes my statement. I'd be happy to \nanswer any questions that you have.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. 
Dacey follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.007 through T4838.042\n    \n    Mr. Putnam. Our next witness is Karen Evans.\n    In September 2003, Karen Evans was appointed by President \nBush to be Administrator of the Office of Electronic Government \nand Information Technology at the Office of Management and \nBudget. Prior to joining OMB, Ms. 
Evans was Chief Information \nOfficer at the Department of Energy and served as vice chairman \nof the CIO Council, the principal forum for agency CIOs to \ndevelop IT recommendations. Previously, she served at the \nDepartment of Justice as Assistant and Division Director for \nInformation System Management. She is doing a great job over at \nOMB.\n    We're always delighted to have you join us and share your \nexpertise with us. You are recognized.\n\nSTATEMENT OF KAREN EVANS, ADMINISTRATOR, ELECTRONIC GOVERNMENT \n  AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET\n\n    Ms. Evans. Thank you.\n    Good afternoon, Mr. Chairman. Thank you for inviting me to \nspeak about the status of the Federal Government's efforts to \nsafeguard our information and systems. My remarks will focus on \nthe findings of the OMB fiscal year 2003 FISMA report and the \nnext steps to address our IT security challenges.\n    Earlier this month, OMB issued our third annual report to \nCongress on agency compliance with IT security requirements in \nlaw and policy. FISMA, like its predecessor, the Government \nInformation Security Reform Act, continues to be a valuable \ntool in improving the state of Federal IT security, both the \nsecurity of systems and promoting the protection of \ninformation.\n    The OMB FISMA report identifies IT security progress and \nweaknesses in fiscal year 2003. The report summarizes progress \nsuch as Federal performance against three governmentwide goals \nidentified in the President's fiscal year 2004 budget. Agencies \nreported their progress against a key set of IT security \nperformance measures. These measures reveal areas of the \nprogress from fiscal year 2001 through 2003 as well as \nweaknesses.\n    Agency IG reports verified some of this progress and, in \nother instances, called into question the quality of some of \nthe work. 
For example, while there are notable increases in the \npercentage of systems with security plans, many Federal systems \nstill do not have contingency plans in place to ensure \ncontinuity of operations.\n    IG reports also continue to identify a number of troubling \ngovernmentwide issues and trends such as reoccurring IT \nsecurity weaknesses, some of which are repeating material \nweaknesses. Far too many systems continue to operate with \nserious weaknesses.\n    Another area highlighted in OMB's report was the need for \nimproved accountability within agencies. The law is very clear \non this issue. The agency head is ultimately responsible for \nthe security of their information and systems and is charged \nwith ensuring agency senior officials and the agency CIO \nfulfill their specific IT security responsibilities.\n    Agency senior officials are responsible for providing \nsecurity for the information and the systems which support \ntheir operation and assets. In fact, the majority of IT \nspending within agencies is not on IT infrastructure and \nnetworks, traditionally owned and operated by the CIOs, but \nrather on mission IT investments. It is within these systems \nthat many weaknesses reoccur.\n    To address these problems and others, OMB will continue to \nengage management and leverage the budget processes. While IT \nsecurity clearly has a technical component, at its core is an \nessential management function. Most of the Federal Government's \nIT security weaknesses can be resolved through better \nmanagement and accountability. Through the budget process, OMB \nrequires agencies to incorporate IT security through the \nlifecycle of all investments. 
Failure to appropriately \nincorporate security puts the investment at considerable risk.\n    To enforce this requirement, OMB notified those agencies \nwith significant information and system security weaknesses \nthrough budget guidance to remediate operational systems with \nweaknesses prior to spending fiscal year 2004 IT development or \nmodernization and funds. If additional resources are needed to \nresolve those weaknesses, agencies are to use those fiscal year \n2004 IT funds originally sought for new development.\n    Additionally, OMB continues to enforce IT security through \nthe President's management agenda under the E-Gov scorecard. \nAgencies may not get to green under E-Gov unless they fully \nmeet specified IT security criteria, including 90 percent of \nthe systems being certified and accredited and that their IG \nhas verified the agency has a plan of action and milestones \nprocess in place which meets the OMB criteria. The PMA enables \nOMB to hold agencies, their senior agency officials and the CIO \naccountable for IT security performance.\n    Finally, as we move into the 4th year of these annual IT \nsecurity requirements, our goal is to improve FISMA reporting \ninstructions so that we more clearly capture results and \nperformance measures continue to mature to focus on key IT \nsecurity areas. 
NIST is actively working on the development of \nnew guidelines required under FISMA which will play a \nsignificant role in guiding technical implementation of agency \nIT security efforts.\n    In particular, as part of the development of OMB's fiscal \nyear 2004 FISMA guidance, we are focusing on the following 3 \nyears: one, evolving the IT security performance measures to \nmove beyond status reporting to also identify the quality of \nwork done; two, the independent evaluations by the IGs continue \nto be a source of indispensable information, and further \ntargeting of the IG efforts to assess a development \nimplementation and performance of key IT security processes are \ninvaluable; and, three, providing additional clarity to certain \ndefinitions to eliminate interpretation difference within \nagencies and between agencies and the IGs.\n    In conclusion, I would like to acknowledge the significant \nwork of the agencies and IGs in conducting the annual review \nand evaluations. It is this effort which gives OMB and the \nCongress much greater visibility into the agency IT security \nstatus and progress.\n    While notable progress in resolving IT security weaknesses \nhas been made, problems continue and new threats and \nvulnerabilities continue to materialize. Much work remains, and \nOMB will continue to work with agencies, GAO and Congress to \npromote appropriate risk-based and cost-effective IT security \nprograms, policies and procedures to adequately secure our \noperations and assets.\n    I would be glad to take any questions at this time.\n    Mr. Putnam. Thank you, Miss Evans.\n    [The prepared statement of Ms. 
Evans follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.043\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.044\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.045\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.046\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.047\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.048\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.049\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.050\n    \n    Mr. Putnam. Our third witness is Benjamin Wu.\n    Ben Wu was sworn in as Deputy Under Secretary for \nTechnology at the U.S. Department of Commerce in November 2001. \nIn this capacity, he supervises policy development, direction \nand management at the Technology Administration, a bureau of \nover 4,000 employees that includes the National Institute of \nStandards and Technology.\n    Prior to joining Commerce, Mr. Wu held senior staff \npositions in the U.S. Congress where he led on issues affecting \nthe U.S. technology and competitiveness policy.\n    You are, I believe, an alumnus of this subcommittee.\n    Mr. Wu. Yes, sir. I did work very closely with the \nsubcommittee and the Committee on Government Reform, but I \nactually was an employee of the Committee on Science.\n    Mr. Putnam. He worked in Congress from 1988, serving as \ncounsel to Congresswoman Connie Morella and on the Science \nCommittee.\n    Welcome back.\n\n     STATEMENT OF BENJAMIN WU, DEPUTY UNDER SECRETARY FOR \n               TECHNOLOGY, DEPARTMENT OF COMMERCE\n\n    Mr. Wu. Thank you, Mr. Chairman. It is a pleasure to be \nback. I thank you for the opportunity to appear before you \ntoday again.\n    As you mentioned, when I worked in the House I also was a \nlead committee staff on the House Y2K Task Force, and in that \nvein we had an opportunity to work very closely with GAO and \nalso former Congressman Steve Horn as he developed grades for \nassessing the agencies' involvement and participation in Y2K \nactivities. 
It has since evolved into computer security, and I \ncongratulate you for your efforts in continuing that leadership \nthat is so needed on cyber security. Back then, we partnered \nwith GAO.\n    As you talk about this partnership in progress to move \nforward on cybersecurity, GAO again is proving to be an \nexcellent partner; and, also, under Karen's guidance, OMB is as \nwell. We see NIST also playing a very important partnership \nrole in that partnership for progress.\n    I want to thank you for the opportunity to testify about \nthe NIST contributions that strengthen our information security \nin the Federal Government. I want to focus my remarks on the \nNIST efforts to implement our assignments under FISMA and some \nof the challenges that we are facing and confronting.\n    FISMA's enactment reinforced our longstanding statutory \nresponsibilities for security research and for developing \nFederal information standards and guidelines. With FISMA, \nCongress gave NIST a vote of confidence about its abilities to \nwork and further this research, and we do appreciate that \nrecognition.\n    NIST standards and guidelines form the basis of the Federal \nGovernment's ability to improve cybersecurity. Our security \nwork at NIST is being done out of our Information Technology \nLaboratory, which develops tests, metrics, as well as guidance \nfor building trust and confidence in IT systems that are now so \npervasive in our Nation's economy.\n    Behind me is Susan Zevin, who is the leader of our \nInformation Technology Laboratory, and also Ed Roback, who is \nthe head of the Computer Security Division at NIST. Those two \nand their team at NIST helped build a trust of users of IT \nsystems by concentrating on techniques and tools to manage, to \nuse and improve IT security system. NIST's success really \nrelies on its status as an objective third party working with \nprivate sector vendors, standards development organizations, \nand consortia.\n    Mr. 
Chairman, I want to give you a status report on where \nNIST is in terms of its FISMA responsibilities.\n    The general responsibilities that were assigned to NIST \nunder FISMA included developing IT standards, identifying \ninformation security vulnerabilities, assessing private sector \npolicies, assisting the private sector as well, and also \nevaluating security policies.\n    FISMA also contained a number of specific assignments to \nNIST, and they included the development of standards and \nguidelines, recommended types of information systems, as well \nas minimum information security requirements, an Incident \nHandling Guideline, and security performance indicators, as \nwell as an annual report to the committee.\n    To summarize the progress that we have made since FISMA \nbecame the law on December 17, 2002, significant progress has \nbeen made on the specific assignments and many have been \ncompleted. They include the FIPS Publication 199, which was \ncompleted in January 2004; the NIST Special Publication 800-60, \nwhich is to be completed this summer, and a draft is now \navailable; the NIST SP 800-53 is also ready for completion in \nDecember 2005, and the public draft is available; the NIST SP \n800-55 to be completed in July 2003; the NIST SP 800-59 to be \ncompleted in August 2003; and also the NIST SP 800-61, which \nwas just completed this past January.\n    But, as Bob mentioned, we are concerned because Congress \nwas unable to meet the Presidential budget request for the NIST \nCybersecurity Division in the fiscal year 2004 appropriations \nand, as a consequence, Mr. 
Chairman, although we continue to \ngive FISMA activities priority in our budgeting process, the \nguidelines, the standards, and related research in the \nfollowing areas may not be able to be accommodated within our \nfiscal year 2004 funding level and have to be scaled back.\n    They include guidelines on archiving and disposal of \ninformation, checklists and guidelines, new security protocols, \noperating our Computer Security Expert Assist Team, supporting \nthe NIAP, minimum security recommended requirements, as well as \nsome of our implementation for IPv6.\n    At current levels of funding, we've also had to delay a \nnumber of other activities which I will not list in total.\n    But, let me be clear, due to prioritization within the \nComputer Security Division, none of the specific tasks that are \nassigned to us under FISMA are affected. Rather, they're \nproceeding as scheduled as best we can within the timeframes \nallowed under legislation. But we feel that NIST is so uniquely \npoised to do so much more, and we are limited really only by \nour budget constraints.\n    Before Congress now is the President's fiscal year 2005 \nbudget request that includes a proposed increase of $6 million \nfor NIST to address the key national needs in cybersecurity. \nWith the proposed increase of $6 million for 2005 with the \ncurrent level funding----\n    Mr. Putnam. Did you say million or billion?\n    Mr. Wu. Million. 
We would love for it to be billion, but we \nalso understand the constraints on the Federal budget.\n    But coupled with the current $10 million that NIST has for \nits efforts, we believe that NIST can work more effectively \nwith industry and government agencies to accelerate solutions \nto critical cybersecurity issues.\n    Additionally, this would include costs that would allow us \nto work together with the Homeland Security Department's \nScience and Technology Directorate, as well as the Information, \nAnalysis and Infrastructure Protection Directorate in the \nNational Cyber Security Division.\n    We also would like to see if we can continue to provide \nother agency reimbursable work and partner with other Federal \nagencies so that we can have people tap into the NIST expertise \nand also allow for other agencies to meet their FISMA \nresponsibilities.\n    In conclusion, Mr. Chairman, the standards and guidelines \nproduced by NIST are key to the Federal Government's ability to \nimprove cybersecurity. NIST's impact reaches far beyond just \nthe Federal system, since the NIST guidelines are also used by \nState and local governments as well as often adopted by the \nprivate sector, domestically as well as internationally.\n    NIST takes its cybersecurity role very seriously and will \nwork with the committee to ensure that we are able to carry out \nour mandate to work with industry, with academia and standard \ndevelopment organizations to ensure the secure flow of vital \nand sensitive information throughout our society. We applaud \nthe committee for its leadership and also for detailing a \nspecific leadership role for NIST to play in supporting that \neffort.\n    In the FISMA activities those already accomplished as well \nas those currently under way will lead to a more consistent \nrisk-based and cost-effective IT security at all Federal \nagencies. We look forward to working very closely with you, OMB \nas well as GAO.\n    Thank you, Mr. 
Chairman.\n    Mr. Putnam. Thank you very much.\n    [The prepared statement of Mr. Wu follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.051\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.052\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.053\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.054\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.055\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.056\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.057\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.058\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.059\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.060\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.061\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.062\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.063\n    \n    Mr. Putnam. Ms. Evans, in your 2003 FISMA report you say \nthat ensuring the security of most agency information and \nsystems is not the sole responsibility of the agency CIO. While \nI can understand where you're coming from, that everybody has a \nrole to play in their own piece of the agency or department, \nthere's an old saying that everyone's responsibility is no \none's responsibility. How do you see increasing the awareness \nof all employees to their information security responsibilities \nwhile still having some accountability built into the system?\n    Ms. Evans. I believe that there is accountability built \ninto the system. The way that is, is that FISMA's very clear \nthat it holds the agency head responsible for the cybersecurity \nposture of the agency. That agency head then manages what risk \ndo I want to go forward with, and there is a tiered approach \ninto this where the CIO manages from an enterprise perspective. 
\nSo based on policies and guidelines that come out from OMB and \nfrom Congress, the CIO then manages across the enterprise or \nthrough the corporation, so to speak.\n    But then, as that then goes down, each then program \nofficer--or in this case the way that we refer to this is \nagency senior officials, because it could be staff office, it \ncould be assistant secretary, is responsible for ensuring their \nportion of that cybersecurity posture. The agency head \ndetermines what risk are they willing to live with and then \nthey move down through the structure to ensure that the \naccountability is built into that.\n    So the point of the report is to say that, although the CIO \nputs together the enterprise solutions, so to speak, and the \npolicies and the procedures, the CIO also then ensures that \ninvestments that are occurring within those program offices \nwill meet that risk posture that the Secretary wants to have as \na whole.\n    So we believe it is clear, but we also need to articulate \nthat it is important that everybody has to do their portion of \nwhat is responsible here, from the very first employee when \nthey come on board, to being aware that maybe I shouldn't put a \ndisk into my computer that I brought in from home, to the \nagency head, the Secretary, who has to manage all of the \nassets.\n    Mr. Putnam. What negative consequences have there been to \nthe agencies who received failing grades or even backslid in \ntheir scores and things like that? What action has been taken \nto demonstrate accountability?\n    Ms. Evans. We have been working through a series of \nprocesses that we have in place.\n    First off, there's the President's management agenda \nscorecard. The E-Gov scorecard manages the progress of the \nagencies going forward, and cybersecurity is a major portion of \nthat. 
There is a quarterly grade that we give to each agency \nwhich clearly holds again the agency head responsible as well \nas going down through the agencies because it recognizes within \nthere everyone has to play a part in the cybersecurity piece.\n    But also, additionally, through the budget process this \nyear we went forward, and cybersecurity is an important issue \nfor this administration, so we gave specific guides to the \nagencies through the budget process of how we wanted to ensure \nthat they were taking and looking at what they needed to do to \nsecure their assets. So they were given specific guidance \nthrough the budget guidance that said you have to turn in a \nplan and that this plan is specifically focused on \ncertification and accreditation which really deals with the \nbusiness process and how you manage cybersecurity across your \nenterprise.\n    They were given specific timeframes to turn those plans in \nto us and the costs associated with making that happen so that \nwe can achieve the goals that we have set out for ourselves \nwhich we didn't achieve that we had laid out in the fiscal year \n2004 budget.\n    So we are now in the process of looking at these plans and \nworking with the budget side as well as the management side \nwithin OMB and then each of the agencies to make those plans a \nreality and to ensure that we go forward and we secure those \nsystems.\n    Mr. Putnam. In reading your testimony, you indicate 12 \nagencies have a remediation process verified by their IGs as \nmeeting the necessary criteria. Do you know the agencies who \ndid not have a remediation process? You are only batting 500.\n    Ms. Evans. Yes, I know. That's not a very good grade. I can \ngive you the specific agencies. It's in the report. But----\n    Mr. Putnam. Are they the big boys? That's really what I \nwant to know.\n    Ms. Evans. It's a mixture of agencies. 
But the remediation \nprocess is dealing with--that's an IG verified--we have the IG \nverify that process. That deals with that they have a process \nin place that ensures that, as they go forward and they \npurchase new types of things or that a new vulnerability comes \nup, that they have a process in place that allows them to \nremediate that weakness. That includes things like \nconfiguration management and those type of processes to go \nforward.\n    We gave 18 agencies additional guidance through the budget \nprocess to deal with certification and accreditation so that \ngets to the issue of ensuring that they really have identified \nwhat their system inventory is and that they are going through \nand they have a process in place that allows them to certify \nand accredit these systems which really then gets the \ndiscipline in place for you to really evaluate as you go \nforward.\n    Mr. Putnam. I'm looking back to my opening statement. Only \nfive agencies have completed reliable inventories. That's \ncorrect, right?\n    And we've been doing this for 4 years.\n    Ms. Evans. Yes, sir.\n    Mr. Putnam. So you're saying that your budget guidance \nlanguage tells them what they needed to do to get it right. But \ndid anything actually happen? I mean, if only five have done \nit, the other 19 are saying, well, we're in pretty good \ncompany.\n    Ms. Evans. Are you asking what specific actions we have \ntaken since the budget guidance has been issued to the \nagencies?\n    Mr. Putnam. I guess I'm asking if there's been anything \nother than guidance.\n    Ms. Evans. Oh, sure. As part of that guidance process and \nas we go forward and as we've outlined previously, there are \ntools that are available to us at OMB such as apportionment of \nfunds.\n    The budget guidance is very clear. 
When a budget guidance \ngoes out and we tell the agencies you cannot spend new \ndevelopment dollars in this area because they have been \ncategorized as new development dollars, that's just not saying \nyou can't spend it. It's the OMB budget accountants working \nwith us, that there is a process that we have in place with OMB \nthat doesn't allow those dollars to be released to the \nagencies. So dollars are not moving out until we have these \nplans and we feel comfortable that the agencies are really \nlooking at this.\n    To get to your issue about inventory, we really believe \nthat it is tied to the management of the portfolio as well as \ninvestments.\n    You really have to know what you have to be able to come \nforward with a good business case to say, for example, I have a \nmodernization plan, here is my architecture, here is my as-is \narchitecture, here is the to-be. Through our efforts on the \narchitecture as well as managing the portfolio and the business \ncases, this will really make the agencies really have a good \nprocess in place, and it really will identify the inventory so \nthat we can say there are so many servers, there's so many of \nthese, there's so many of those, this is the cost that it will \ntake to upgrade that, and here's the benefit associated with \nthat.\n    So we think through the combination of all these management \npractices it will get to the heart of the issue of what do we \nown, how are we going to secure it, how are we moving forward \nwith a modernization plan. We believe that the Federal \nenterprise architecture and the architecture efforts of the \nagencies really lend to that and really are assisting the \nagencies to really put that discipline in place.\n    Mr. Putnam. So can you tell me how many dollars and how \nmany specific modernization or development requests have been \napportioned pending the successful completion of reliable \ninventory?\n    Ms. Evans. 
Well, I have gone back, based on the previous \nhearing; and if you haven't gotten this answer I can give it to \nyou now. There is $9.97 billion associated with office \nautomation, telecommunications and infrastructure. That's \ntotal. So that includes development and steady state dollars.\n    We are working with each agency. I can take that back and \nfind out specifically if we can release that information to \nyou, but we have apportioned agencies. We really would like to \nwork with the agencies in a positive way to be able to move \nforward and not necessarily single out one agency over the \nother.\n    I think it's pretty obvious, based on your scorecard of \ngoing through of what agencies we're really working with very \nclosely, as well as agency IG reports and the FISMA report \nitself. You can see the variance in the system, and you can see \nhow the statistics are, that you know pretty much where the \nagencies we're working with.\n    Mr. Putnam. It just seems to me that the new dollars for \nupgrades of systems and purchases of new systems and \ndevelopment would just come to a screeching halt if you really \nhad to be compliant with FISMA before you got anything new.\n    Ms. Evans. Well, it would depend on what your plan is, \nalso, going forward. Some of the systems--and if you look at \nthe technologies that are outlined in the GAO report that \nthey're releasing today, some of those do require a certain \ntechnology solution there which will require a purchase. But it \nmay not necessarily be the same purchase that you were \nintending to do, for example, for a business system upgrade.\n    You may then say, OK, I am the Assistant Secretary in \ncharge of this particular office. I have a huge program that \nreally has a risk that is being imposed over here on all the \nrest of the assets within the department, and I'm the one who \ndoesn't have a good plan in place. I have not certified and \naccredited my systems. 
I am not the one--you know, I'm the one \nwho is holding the department back.\n    So then the CIO with their technical staff would talk with \nthat and work with that Assistant Secretary, but they would \nmake those decisions based on the priorities of where they want \nto be.\n    So if it's a choice between upgrading a financial \nmanagement system, and we're saying this is what you have to \ndo, they put a plan in place in order to execute what we're \nsaying you have to do, it's to their advantage to do it in the \nmost cost-effective way. Because if they really need that \nfinancial system upgraded, which I'm just using as an example \nhere, then they would do this in an expeditious way so that \nthey could still use those development dollars.\n    Mr. Putnam. Well, I think that you're making progress \ngenerally across the board. You've got an 80 percent goal to \nintegrate security and new investments, and you're up to 78 \npercent. That's pretty good stuff. That's kind of hard to argue \nwith.\n    But it's also hard to get around the fact that only five \nagencies know what they own. Everybody's held accountable for \ntheir inventory. Even in a little old congressional office, you \ncannot get rid of a VCR that's 12 years old without taking it \noff your inventory and all this stuff.\n    It just seems like it's a very, very basic thing that these \nagencies ought to be able to get their arms around and then be \nable to say, well, we have 15 systems or 15 desktops that are \nunaccounted for and they're, on average, 13 years old. So they \nprobably got thrown out a long time ago. It is probably a safe \nbet that they are unaccountable because they were thrown out.\n    If it's a secured computer at the Department of Energy, it \nmight be a different issue. But just knowing what you have \nseems to me to be the basic criteria before you do any of the \nother stuff. You can't secure what you don't know you have. 
You \ncan't certify or accredit what you don't know you have.\n    It just seems like, above and beyond the scorecard and the \ngrades and the F's and the A's and all that, the fact that only \nfive agencies really know what they own is very troubling.\n    Ms. Evans. I would say that I agree with you, sir, and that \nwe're going to continue to work with the agencies. We believe \nthat some of the programs that we've moved forward on, things \nsuch as Smart Buy and those types of initiatives, through \nseveral of these processes will get the agencies really focused \non asset management, software management, inventory control, \nthose types of things.\n    Technology continues to evolve; and many times if we make \nit very onerous that work can't get done, people have a \ntendency to bypass that security as well. There's a lot of \ntechnologies out there that make use of wireless technologies \nthat they can put their own network in case--because the CIO \nbecomes so oppressive that they cannot get their work done. So \nit is a balance of being able to go forward and have good \nsecurity but also, as you said, to have good inventory control \nand have good business processes in place so that we're totally \naccountable for our dollars.\n    Mr. Putnam. You said in your testimony as well that it is \nimportant that FISMA reporting instructions mature. What do you \nmean by that?\n    Ms. Evans. Well, pretty much you've hit the issue on the \nhead. It is that we're going through the process right now \nwhere we have metrics, where the agencies are self-recording. \nSo when we say we have a goal of 80 percent of the systems \nbeing certified and accredited and then we have a percentage of \n62 percent of those systems being certified and accredited, \nit's really what is the validity of that number. Because the \nbasic premise of the inventory is faulted. 
But we also believe \nthat, because of the reporting that we have and the oversight \nand this is 3 years going into the 4th year, that we can now, \nbecause the baseline is there, really start dealing with more \nmature aspects like the quality of certification and \naccreditation. What can we do to help the agencies to get good \ninventory control and process so that we can then say, what is \na system, and have a clearer definition of what is a system so \nthat when I put an inventory control process in place I can \ngive you a clear answer and then you can compare for sure \nagency to agency, system to system, inventory to inventory.\n    Mr. Putnam. So you don't necessarily recommend legislative \nchanges to the FISMA reporting requirements?\n    Ms. Evans. I would say at this particular point based on \nwhat we have, no, sir.\n    Mr. Putnam. You also say that the independent evaluations \nby the IGs are indispensable, and I would agree with that.\n    What do we do about the IGs who don't report, which is \nsomething that we found here, or those who reported late, some \nof them almost 3 months late? And the situation where IGs are \ncommenting or evaluating on an entirely different subsection \nthan what the agency is reporting on? Is that something that is \nproblematic for OMB? It was problematic for us in preparing our \nscores.\n    Ms. Evans. We are working with the IGs. There is an IG \nCouncil similar to the CIO Council of which my boss Clay \nJohnson also is the chair of. We have started meetings with the \nIG to actually deal with a lot of those types of issues about \nresolving what are the differences in the interpretations of \nthe way that certain things are written in there so that when \nyou get a report again how an IG is evaluating, it would be \nconsistent, and it gets back to the same issues of their \ninterpretation of the metrics and the agency's interpretation \nof the reporting as well.\n    Those meetings have begun. 
We are working to get their \ninput into this process so that when we issue the FISMA \nguidance for this year, we hope to bring clarity to those \nissues so that things will be more level, so to speak, between \nthe IGs.\n    Mr. Putnam. That would be very helpful.\n    Mr. Dacey, what are your thoughts on that discrepancy \nbetween the IG reports and the agency reports? Has the GAO made \nany recommendations on how we can improve the audit process?\n    Mr. Dacey. There are a couple of things that I think need \nto be considered moving forward; and I would agree, too, that \nthe measures need to--I'm not saying the measures that are here \nbut additional information perhaps is a better way to describe \nit. It may be helpful to interpret the progress of agencies and \ninformation security.\n    When FISMA was set up, I think an important part of that \nwas to have the IGs be an integral part of the process for a \ncouple of reasons.\n    First of all, I think they provide a valuable independent \ncheck on the security of the systems. In other words, if we're \nlooking at a system as we do, GAO, when we look at systems, we \nmay identify vulnerabilities. The first question we ask is, \nwell, have these been picked up by the agency's CNA process, if \nthere was a CNA done. Had they been picked up in the plans of \nactions and milestones and things of that nature? If we find \nthat they haven't, then we know something is broken and \nsomething isn't working right. It's kind of definitive proof \nthat at the end of the day process was or wasn't working. So I \nthink that's an important role.\n    The role that I think needs to evolve, though, is to get \nthe IGs more involved in looking at the processes by which the \nagencies develop these numbers and the way they report them. 
I \nthink if they do that and there is a process that is relatively \nreliable in bringing those numbers forward--and I focus on \nthat, too, because oftentimes the numbers aren't available \nuntil the very end, so auditing the numbers themselves may be a \nchallenge. So I think the IGs can look at the process and match \nthat up again when they're doing their audits. If they are \nauditing a system and it hasn't been CNA'd properly but yet the \nagency is counting it in their CNA tally, then that is a \nproblem.\n    So I think you need to work to keep that going, but again \nkind of increase the IG's role to look at the processes and \nmatch that up against what they're finding in the individual \nsystems that they do audit.\n    Mr. Putnam. Ms. Evans, there is an article in today's \nWashington Post where a Federal judge has ordered the Interior \nDepartment to shut down most employees' Internet access and \nsome of the public Web sites, ``after concluding that the \nagency has failed to fix computer security problems that \nthreaten millions of dollars owed to Native Americans.''\n    I understand that this is an ongoing issue, but if you \nwould like to comment on it, I would like to give you that \nopportunity.\n    Ms. Evans. Well, my only comment would be--is that \nInterior, just like any other department, is that we continue \nto work with them to assist them in addressing what their cyber \nsecurity issues are through our processes like the President's \nmanagement agenda, the scorecard, as well as the budget process \nthat we just recently talked about in that guidance.\n    Mr. Putnam. What did Interior get? What was their score, \ntheir grade?\n    Ms. Evans. An F.\n    Mr. Putnam. Is there any other department that--I mean, \nwhen we talk about computer security, sometimes we get off in \nthe weeds, and it almost becomes this academic discussion. I \nmean, I have never heard of a judge ordering somebody to \ndisconnect from the Web. 
Has that ever happened before?\n    Mr. Dacey.\n    Mr. Dacey. This is actually the third time for Interior, I \nbelieve, that an order has been issued by the court to stop. \nThat's the only one with which I'm familiar at a Federal agency \nwhere there has actually been a court involvement in the \nprocess.\n    Mr. Putnam. So it's so bad that three times the judge has \nordered them to disconnect?\n    Mr. Dacey. Well, not speaking to the individual case, but \nthere is a legal case in dispute, and the judge, in ruling on \nthat, in protecting the reliability of certain data that \nrelated to the Indian Affairs that they are concerned about \npeople being able to get in. In fact, I believe at the first go \naround, when they were removed, the court had hired an ethical \nhacking group to participate, and they, in fact, had broken \ninto their systems. And I believe it was reported that they \ncreated fictitious accounts in the Indian Affairs systems. And \nthat became the concern, that you needed to protect access from \noutside into this data and this financial information related \nto that.\n    I would note that Interior, though, even on the measures \nthat are on OMB's scorecard, pretty much consistently, except \nfor one area, was below the average of other Federal agencies \nand, as you said, got an F in their grade. So there is a \nchallenge there, I think, in their information security.\n    Mr. Putnam. I would say so.\n    Mr. Dacey, you mentioned in your report, the CIO's don't \ncontrol mission systems. And I believe I read in Ms. Evans' \ntestimony that, in fact, 65 percent of IT is mission-related \nactivities. I thought FISMA put CIOs in the position of \nresponsibility for all agency systems. Could you clarify that?\n    Mr. Dacey. I guess--I think our reference was actually to \nwhat OMB had said, so I will let Ms. Evans take care of that. 
\nBut at the same time, I think it is important to note that--and \nI don't have an exact count, but one of the challenges is also \nmaking sure that authority goes with that responsibility. I \nknow an increasing number of agencies has clearly given their \nCIOs the authority to enforce security standards throughout the \nagency. I don't have numbers, but I do believe that some do not \nhave that authority. And in fact, I know when we have been \ndoing some of these audits, we found that, in fact, the CIO at \nthe agency level didn't always have control over what the \nindividual bureaus did which could endanger security of the \nentire agency if not properly controlled. So I think that is \none aspect. But, again, Ms. Evans might want to talk more about \nthe specific numbers.\n    Ms. Evans. You want to understand how it works?\n    Mr. Putnam. Are CIOs responsible for the mission-related \nactivities or not?\n    Ms. Evans. They are responsible from a strategic standpoint \nand from a corporate standpoint, which means that when an \nagency is divided off or a department is divided off and you \nhave the offices within it, you get the guidance from \nheadquarters, so to speak. And so the CIO is responsible for \nformulating what is that overall guidance, what is that policy, \nto ensure the cyber security going forward for that department.\n    When the program office--and in this case, we are talking \nagency senior officials--when they send their investment plans \nforward and they have an operational aspect of what they are \ndoing within their program offices, they have to adhere to \nthose policies and guidelines. And then the CIO, if they have \nan operational aspect, can ensure that they are conforming to \nthose policies.\n    Sometimes some CIOs only have a policy aspect. 
If they have \nthe policy aspect, then they are involved through the budget \nprocess to ensure all of these other things that we are talking \nabout--that the investment has adequate cyber security based \ninto its life cycle, that they do have plans that are in place \nthat continue to measure what is going on within their program \noffices. So they do it from a corporate perspective.\n    If they have an operational perspective, that is an \nadditional authority suit because, normally, what they do is \nthey control infrastructure as well as telecommunications, all \nof those types of things. So they control the big network. So \nthey can put policies in place that say, if you don't meet this \ncertain threshold of security or if you are not certified and \naccredited, you cannot hook up to departmental resources. And \nthat's usually where most program offices need to go in order \nto be able to go out to get onto the Internet to be able to \nreach, you know, big financial management types of systems, HR \nsystems. And so CIOs do have the authority to be able to do \nthat if they manage the corporate assets.\n    Mr. Putnam. Have you had an opportunity to read the GAO \nreport that they released today, Ms. Evans?\n    Ms. Evans. Well, we were glancing at it today.\n    Mr. Putnam. The breakdown of all the different information \nsecurity measures and their taxonomic chart is pretty darned \ngood. You came from Energy and from Justice as a CIO, you \nunderstand the challenges both from your current level and from \nthe agency level perspective. And we are going to photocopy the \nkey portions of that GAO report. We have to take the blue \nbinder. Because of the blue binder, nobody is going to read it. \nBut we have to really kind of break it down into the easy-to-\nunderstand key charts that Mr. 
Dacey put together.\n    If you were going to send it to somebody in the agency to \nbring about change, who would you send it to, because CIOs \nalready know that stuff? I mean, they could have written it. I \nmean, when you are talking about kind of an easy-to-use, easy-\nto-read user's guide, who would you send it to really have an \nimpact on behavior and understanding of what we are talking \nabout in making systems more secure?\n    Ms. Evans. In this particular case, if I put it in easy-to-\nread key charts off of here, we work--the initiative owners \nthrough the President's management agenda work very closely \nwith the President's Management Council. So I would send it out \nthrough the President's Management Council and say, here is a \nguide of--here is what you need to look at as technologies are \ncoming up. Because the CIO advises that person as the chief \noperating officer of the agency, most times it is the deputy \nsecretary of the department that participates in the \nPresident's Management Council.\n    Mr. Putnam. And that's the person who also makes the \ndecisions about what budget requests to send to you, about \nwhether we are going to buy this system or that system and we \nare going to have a firewall or a VPN or who gets----\n    Ms. Evans. They review--deputy secretaries review the \nbudget as they come up. Most agencies have hearings in the \nsummer based on the guidance that goes out. And the key \noffices, just like a CIO, have input into how a program office \nis put together, how the budget is put together, \nrecommendations. 
And so if there are issues--say, for example, \nbased on my days at Energy, if there were issues with a \nspecific program office who we felt really wasn't pulling their \nweight as far as cyber security was concerned, when these \nreviews occur, the deputy secretary would get key questions to \nask that assistant secretary during their review.\n    You know, one question could be, how well are you working \nwith your CIO? You know, do you have everything in place? Are \nyou ensuring that cyber security is being adequately addressed \nwithin your program office?\n    And so something like this, if it was dealing with \ninvestment decisions and these would be key points, those would \nbe like key questions that you would ask them so that they \ncould ask to ensure that their portfolio, when it comes \nforward, meets those criteria.\n    Mr. Putnam. Thank you.\n    Mr. Wu, FISMA made NIST responsible for issuing a fair \namount of guidance, guidance that is essential to the security \nof the information systems in the Federal Government. Could you \ncomment on--and you did somewhat in your opening statement--\ncould you elaborate on the resources that are necessary to \nprovide that guidance?\n    Mr. Wu. Well, certainly at the Department of Commerce and \nalso at NIST, there is an understanding of the importance of \nNIST's role in implementing FISMA in how general standards are \ndeveloped and created, and the key role this plays as the \nlinchpin, the first domino, in a sense, for FISMA to be \nimplemented very effectively. And so there is a priority placed \nwithin the Computer Security Division and within our \nInformation Technology Laboratory to make sure that we meet all \nof the mandates and requirements of FISMA.\n    The challenges I alluded to in my testimony and Bob \nreferenced in his is that, at least for this fiscal year, NIST \ndid not receive the President's budget request for 2004; \nCongress was unable to provide that. 
And as a consequence, \nthere is a fear that we may not be able to move forward in some \nof the research that would be required for some of the more \nemerging technologies.\n    For example, as we focused on a very real and immediate \nnear-term need for guidance under FISMA, we are not keeping up \nwith the rapid advances and technologies like RFIDs, the Radio \nFrequency Identification Devices, which is a very key component \nto some of these emerging technologies for communications that, \nunfortunately, under our funding situation, we may not be able \nto put resources in there for--certainly for 2004. We have to \ndelay it for 2005 depending on how the congressional \nappropriations may look.\n    So there is a fear and a concern within the laboratory \nwithin the Department that we may not be able to be as \naggressive as we'd like to be in our efforts and research. But \nin terms of meeting the FISMA responsibilities, NIST is \ncommitted to doing that.\n    Mr. Putnam. And the guide that you are creating for FISMA, \nI would imagine, would be pretty helpful guidance outside the \ngovernment as well. Does NIST have an ability or a system to \nallow people to download that guide or to have access to that \nguide, to request it so that there can be a wider distribution?\n    Mr. Wu. Well, information dissemination is critical to make \nsure that the work that NIST does is brought out to the Federal \nagencies as well as to the private sector. But it does have a \ncost as well. We hope to work very closely with OMB as well as \nwith NTIS, which is also part of the Department of Commerce, \nfor information dissemination so that we can have the \ninformation placed in as many hands as possible. And also NIST \nwill, of course, make it available on its Web site.\n    Mr. Putnam. 
FISMA also requires agencies to develop \npolicies governing configuration, so if someone sets up a \nserver, they know what security controls they have to set, and \nNIST has developed that guide as well. What is the status of \nthat?\n    Mr. Wu. The status of--I believe--I'm not quite sure \nwhich--if you are referring to a specific publication or a \nspecific--or a publication number. But we can certainly provide \nthat for you.\n    Mr. Putnam. Thank you.\n    Mr. Wu. But as I said, right now, NIST has met its \ntimeliness requirements for its publications, and we look \nforward to completing those if--either in right now or \navailable in public draft or available in terms of a full \nreport.\n    Mr. Putnam. Ms. Evans, is there, for lack of a better term, \na rapid-response team of professionals who can move into a \nsituation like this Department of the Interior issue and work \nto resolve it on an emergency-type basis? I mean, recognizing, \nin addition to just being terribly embarrassing, it has cost \npeople money and defrauded the Government and everything else. \nThe fact that it has happened three times is--what is OMB's \nrole in a situation like that?\n    Ms. Evans. Well, each agency is responsible for having a \ncomputer-assistance-type team, incident-response team. However, \nthrough the new work that is going on now over at DHS--my \noffice works very closely with DHS, especially in the area of \nimplementation of the National Cyber Security Strategy. And so \nwith working with the particular office over there under IAIP \nand working with those groups, there are several resources that \nthey put in place that work very closely in conjunction with \nthe CIO counsel. So in a particular situation like this, we \ncould make recommendations as well as DHS could make \nrecommendations of getting specific assistance through the \nresources that are available at DHS.\n    Mr. Wu. Mr. Chairman, if I may, I was just handed some \ninformation. As Ms. 
Evans mentioned about DHS, we have also \nbeen working with DHS. And in regard to your question about the \ncomprehensive security checklist and benchmarks, DHS has been \npartnering with NIST in this regard, and we will be able to \nmaintain a Web-based portal on this listed checklist. And we \nhope to have that available in fiscal year 2005, in the years \nafter as well.\n    Mr. Putnam. Very good.\n    Mr. Dacey, would you comment on the 2003 FISMA reports, the \nareas that strike you as being the most important improvements, \nthe most important deficiencies and your evaluation of the \nprogress overall?\n    Mr. Dacey. Well, I think in my oral statement I raised some \nof the concerns. I know there has been progress. We have seen \nevidence of that through increases in the measures. But we have \nalso seen that through looking at the whole series of audits \nthat have taken place, both in respect to financial audits and \nother audits that the IGs have performed and GAOs performed. So \nthere are improvements. I would characterize them as kind of \nheightened awareness as well or continued heightened awareness \nby agencies for a couple of reasons: A, they know we are not \ngoing away. This is an annual event, in fact now quarterly, \nreporting to OMB. So I think that is an important issue.\n    So there is a recognition that things are going to be \nwatched. And, of course, the involvement of this committee is \nan important element in that as well.\n    In terms of the areas that are the concerns, I guess, or \nsome of the areas of concern would be trying to make sure that \nsome of these percentages keep increasing. And the pace of that \nis a good question. And how fast they can increase, I can't \ntell you. But certainly they have been improving over years. 
\nBut the areas that are of concern most in my mind would be the \ncertification and accreditation and the control testing, \nbecause that's where you are going to identify whether there \nare additional weaknesses and vulnerabilities in your system. \nIf that is done correctly is, I would say, most important and \ncertainly key, because that may unveil additional weaknesses \nthat need to be addressed that haven't been identified yet.\n    In terms of the contingency planning, I have spoken about \nthat in my statement as well. That is a critical area. And we \nhave, again, less than half of the agencies with tested plans. \nAnd NASA, actually, has quite a bit of success in their \nreporting of that measure. If you exclude NASA, I think it is \naround 38 percent/40 percent of agencies that have tested \nplans, the rest of the Federal Government. So I think that is \nan important area because I think as we have increased \nexposures to viruses, worms and other kinds of malicious \nattacks, you really need a contingency plan in place, because \nI'm not sure you can anticipate everything that might happen to \nyour system, particularly when we are getting to a time when it \nis conceivable that attacks could be launched before \nvulnerabilities are notified and identified in the public and \npatches are even made available. And that is definitely a \ntrend.\n    So I think that is another area of importance. Some of the \nagencies are literally, I think, at zero percent on their \ncontingency plan testing--and some very low. So I think those \nare some areas that kind of jump out in my mind when I look at \nthe FISMA reports.\n    Again, in the progress area, I think it is important to \nkeep having OMB managing and monitoring the process, Congress \ninvolved, the IG's involved. There are a lot of players.\n    I think the other key area would be to have the agencies \nmake sure they have the processes in place to manage this on an \nongoing basis. 
Two or 3 years ago, I'm not sure anybody really \nhad a whole lot of processes in place. When we had the first \nGISRA reports, it was extremely ad hoc reporting that was \ncoming into the agencies, and they were putting it all \ntogether--and Karen can speak to that and how it was at Energy. \nBut it wasn't a pretty process.\n    And as time has gone on, some of the agencies have \ndeveloped more routine processes to get that information, to \nmanage it day to day, not just for FISMA reporting purposes or \nfor GISRA but actually to use it from a management standpoint. \nI think that is going to be a critical role in changing this \nwhole dynamic and moving to a more sustainable progress that \ngoes forward.\n    Mr. Putnam. That has been one of the complaints, is that \nagencies and their CIOs, in preparing their reports, they are \nreally only trying to just meet the requirements of FISMA, and \nthey are not actually improving the overall information \nsecurity.\n    And I suppose that gets to your earlier point, Ms. Evans, \nabout the next level is making more meaningful, more mature, as \nyou put it, requirements.\n    Ms. Evans. Right.\n    Mr. Putnam. Did you want to add anything in terms of your \nevaluation of the scores and progress, deficiencies, thoughts?\n    Ms. Evans. Well, again, I would just like to say that we \nare making progress. I mean, we couldn't even give you--even \nthough we don't have a real good solid way of doing the \ninventory, we couldn't even give you these numbers previously. \nI mean, we couldn't even--we would be debating on what is a \nsystem and how to move forward. So I think the government has \nmade huge progress.\n    And although we are looking at these reports, I think you \ncan also demonstrate, based on the results, that the Government \nis moving forward. 
And that is our ability to repel attacks as \nthey are coming about and to deal with services as viruses are \noccurring.\n    Two or 3 years ago, when you looked at what we were doing \nwhen Corea came out of Melissa, many of the agency systems went \ndown, and they were offline. And that's why they had to have \ncontingency plans and everything else. But now, with the \nviruses that appear to be coming out, sometimes hourly, the \nagencies are being able to sustain business and being able to \ngo forward because these processes are in place. They are \nlooking at things. They may not be the best. There is a lot \nmore that we can do, but we have made progress.\n    Mr. Putnam. Am I overemphasizing this inventory issue? I \nmean, in terms of the big scheme of things and government \ninformation security, am I too hung up on that? I mean, in \nterms of the priorities, the problems that are out there?\n    Mr. Dacey. I don't think you are too hung up on it. I think \nthere's several reasons. First of all--I mean, not just because \nit can affect some of the measures, because denominators are \ngoing to change dramatically, particularly when DOD's numbers \ncome into play, it will change dramatically.\n    But the issue is how to manage the systems. I think there \nare a lot of cascading effects. I know when we started looking \nat some of the patch management practices, one of the \nchallenges in doing that was even identifying the systems they \nhad so they can figure out, well, does this patch apply to me?\n    A lot of agencies defaulted to system administrators \nindividually having to try to deal with that. And I know we had \nthe issue with PADC and tried to put out something at a Federal \nlevel to help agencies at least notify them. 
But the lack of a \nreal complete inventory was a challenge, because we had several \nagencies that said we want PADC for every system administrator \nbecause, otherwise, we don't know collectively at the top what \nall our systems are, and you are going to have to deal directly \nwith them.\n    It also affects configuration management. I don't know how \nyou manage your configuration if you don't know what all your \npieces are.\n    So there is a lot of additional cost and cascading effects. \nSo, no, I don't think it is a light issue; I think it is a \nserious issue, again, mainly because it relates to these other \nareas that really can't be performed well or efficiently \nwithout it.\n    Mr. Putnam. There are a lot of Fs. How much difference is \nthere within the F category? Are there some that are on their \nway out of the F category? I mean, are all the Fs grouped \ntogether, or are there some that are just off-the-chart bad, \nlike Interior? I mean, three judges' orders to shut down the \nInternet is pretty--I would think would be about as bad as it \ngets. But maybe it really is worse. I don't know. I'm scared to \nknow the answer.\n    Mr. Dacey. One thing that we also tried to look at in our \nanalysis of the information was across the seven performance \nmeasures that are detailed in OMB's reports is, how are \nagencies doing relative to the average for those measures? In \nother words, how are they doing? And we found there were--let's \nsee--seven agencies that were below in all seven measures, or \nat least one measure, or maybe one measure was above and six \nbelow. 
So there are some agencies where there is a pretty \nconsistent below average score across those measures, and I \nthink that carries into some of the other things that were \nconsidered in your grades as well.\n    At the same time, there are people at the top level, too, \nthat are consistently--we have, let's see, eight agencies that \nare above average in all categories or all but one.\n    So you have a lot of players at both ends, and then you \nhave a whole bunch of agencies in the middle. So I think it is \na mixed story. And even within some agencies, they might have \nseveral above and several below. So it is not an even kind of \nprocess in bringing them up necessarily.\n    Mr. Putnam. How many--in that lower category, how many \nbelow average ratings did the Department of Defense have?\n    Mr. Dacey. The Department of Defense actually, based on the \ninformation I have, was--exceeded the average in five of the \nseven categories.\n    Mr. Putnam. But still received an F?\n    Mr. Dacey. Yes. There was a general correlation between the \nseven measures against the average and the grades. There are a \nfew anomalies, because the grades the subcommittee gave \nincluded a consideration of a variety of other FISMA indicators \nthat weren't part of these seven factors. So there are some. \nBut in general, they tended to be in the same relative range.\n    Mr. Putnam. And DOD was allowed to report on a subsection \nof their systems. Correct?\n    Mr. Dacey. That is correct.\n    Mr. Putnam. Is any other agency given that consideration?\n    Mr. Dacey. Other than the stipulation that a lot of \nagencies don't have complete inventories, which is obviously a \nproblem.\n    Mr. Putnam. All but five are reporting on a portion of \ntheir systems.\n    Mr. Dacey. They are the only agency who has reported or \nacknowledged that they are only reporting on a subset of their \nwhole systems. I think they have 3,000 or 4,000 systems in \ntotal.\n    Mr. Putnam. 
And next year, they will be required to report \non all.\n    Mr. Dacey. I will defer to Ms. Evans. That's what was in \ntheir report.\n    Ms. Evans. Right. And on the scorecard, going forward on \nthe scorecard, which we are referring back to, they are \nrequired, in order to be able to move, if they want to move to \ngreen, just like all agencies, they are required to report on \nall. And we are holding to that criteria.\n    Mr. Putnam. But, I mean, other than not being a green in \nthe President's management report.\n    Ms. Evans. Well, you have to look at this. This is still a \nmanagement issue. These are very highly competitive folks. And \nthis gets back into, you know, when the scorecard gets \npublished, and it is just like this scorecard here, I mean, \nnobody wants to be an F. And so you are either going to \nrationalize why you are doing badly, or you are just going to \nimprove your processes overall and move forward.\n    The whole purpose of the President's management agenda is \nto achieve results, and the President is very committed to \nthat, and this administration is very committed to that. This \nis a piece of that agenda. And so we are committed to achieving \nthe results, and the results are to ensure that we have a good \ncyber security posture going forward. So that is how we intend \nto hold the agencies accountable.\n    Mr. Wu. Mr. Chairman.\n    Mr. Putnam. I hope you are right.\n    Mr. Wu. At the Department of Commerce, we, as Ms. Evans has \nindicated, are striving to try to reach green. And it is a \ncompetitive process. Secretary Evans has made that a priority, \nand I suspect all the other secretaries have as well. We \nhaven't quite reached it yet, but we are making strides, and we \ndo want to do that. And so there is a commitment to do that, \nand we are following the guidance of OMB and Ms. Evans.\n    Mr. Putnam. Well, I hope NIST got a good score.\n    Mr. Wu. Well, NIST is part of the Department of Commerce.\n    Mr. 
Putnam. What did Commerce get? I don't have it in front \nof me. A gentleman's C?\n    Mr. Wu. No, I think we did well. I will have to talk to our \nInspector General.\n    Mr. Putnam. You got a C.\n    Mr. Wu. I will speak to Johnny Frazier and see how much \nbetter we did.\n    Mr. Putnam. C for Commerce.\n    All right. Any other comments from our first panel before \nwe move into the second half of this hearing? I want to thank \nall of you for your participation and your ongoing efforts to \nimprove this. It is a long, hard struggle, and I know most of \nyou have been in it for a whole lot longer than I have. And I \ntip my hat to you, and I wish you the best as we continue to \nmove forward. And we certainly offer the resources and the \nabilities of this subcommittee to help you help them do a \nbetter job. Thank you very much.\n    And we will stand in recess for a couple of minutes until \nwe can set up the second panel.\n    [Recess.]\n    Mr. Putnam. The subcommittee will reconvene. We have seated \npanel two. As is the custom with this subcommittee and the full \ncommittee, I would ask the witnesses and anyone accompanying \nthem who will be providing information to please rise and raise \nyour right hands.\n    [Witnesses sworn.]\n    Mr. Putnam. Let the record note that all four witnesses \nresponded in the affirmative.\n    We have had a request from the NRC to use a photographer. \nSince they are one of only two who got an A, they can have \nwhatever they want. So come get a picture of this big smile.\n    We will begin our testimony. The first witness is Paul \nCorts. Paul R. Corts was sworn in as Assistant Attorney General \nfor Administration in November 2002. Prior to entering \ngovernment service, he served as president of Palm Beach \nAtlantic University for 11.5 years. 
He also served as president \nof Wingate University in North Carolina and has held \nadministrative and teaching positions at Oklahoma Baptist \nUniversity and Western Kentucky University. As Assistant \nAttorney General for Administration, Dr. Corts oversees the \nDepartment's Justice Management Division and is the chief \nfinancial officer.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n\n    STATEMENT OF PAUL CORTS, ASSISTANT ATTORNEY GENERAL FOR \n             ADMINISTRATION, DEPARTMENT OF JUSTICE\n\n    Mr. Corts. Mr. Chairman, I appreciate the opportunity to \nappear before you today to discuss the Department's efforts in \nthe areas of information technology security and the actions \nunderway within the Department to institutionalize the daily \nmanagement of security risks and to implement the requirements \nof FISMA. And I want to commend you and the committee for your \npast and current efforts to shine the spotlight on Federal \nagencies' security performance.\n    I certainly want to emphasize that the Department of \nJustice embraces the importance of IT security. Our senior \nmanagement is committed to protecting the Department's IT \nassets from attacks and vulnerabilities, and we have clearly \nidentified responsibility for IT security with the CIO.\n    IT is key to the Department's success in meeting our \nstrategic goals. We place a very high value on the availability \nand integrity of the information in our systems, along with \nconfidentiality and privacy concerns. And the nature of our \nwork in Justice requires a highly robust security for IT.\n    As reported in the OMB Security Act Report for 2003, we \nreported 243 IT systems, 24 programs, 35 contractor operations \nand facilities. All of our programs and 206 systems were \nreviewed in accordance with FISMA guidance provided by OMB and \nNIST. 
The Department incorporates IT security requirements in \nall of our contracts, and we perform security reviews on half \nof the contract operations and facilities during the fiscal \nyear. In addition, over 90 percent of our IT systems have been \nassessed for risks, and over 80 percent have been fully \ncertified and accredited to date.\n    In the past, the Department operated in an extremely \ndecentralized fashion, and that really contributed to IT and \nthe computing environment being highly fragmented. This is a \nmajor concern with our inspector general during the past years, \nand since we joined the Department, it is a concern that the \nCIO and I share. Furthermore, we are fully aware of your \nconcerns with our progress in information security, and we take \nthese very seriously as well.\n    Since I arrived at Justice 16 months ago, the Department \nhas taken a number of actions that not only reflect the \ncommitment of senior management to correcting past deficiencies \nbut also to establish a solid foundation for sustained future \nprogress. And many of the IG's recommendations have been \naccomplished, or initiatives are underway that will provide for \nimproved performance in the coming year.\n    Through the AG's leadership and vision, I think we have \ncome a long way toward a more centrally coordinated department, \nand this has made a lot of progress and a very positive impact \non our IT efforts.\n    Specifically, we have clarified our CIO position in terms \nof the Clinger-Cohen Act responsibilities, we have implemented \na Web-based security awareness training tool. 
We have trained \n77 percent of our employees so far on that with a goal of 95 by \nsummer, implemented a computer emergency response team and \nintegrated IT security with a capital investment process and \nsome other actions that are underway to remedy deficiencies.\n    The Department's senior management team is committed to \nensuring that these activities are under way, and we have them \nplanned to correct both past deficiencies and be sure that we \nintegrate these into an institutionalized kind of an \nenvironment.\n    We have reorganized the office of the CIO and named a chief \ninformation security officer. We've developed a Department-wide \nIT security program. We have established IT security program \ngoals. We have approved a policy for 17 information security \nstandards; chartered an IT Security Council and six project \nteams; integrated IT security with enterprise architecture and \nthe investment management process, developed system risk \nassessment and a test plan tool; provided for CIO collaboration \nand review of component corrective action plans; continued \ndevelopment of a public key infrastructure capability; \ncontinued development of a unified financial management system \nthroughout the Department; provided resources to assist \ncomponents in assessing their systems; implemented a monthly \nreport card, which you see here.\n    This is the age of the report card. So we've come up with a \nreport card, a sample there, that is done on a monthly basis to \nlet the individual components know how they are doing in the \narea of IT security.\n    So the accomplishments and initiatives we have underway \naddress many of the IG's recommendations and will provide for \nimproved performance in the coming year. We acknowledge the \nneed to do more. It is a matter of continuous improvement that \nwe are committed to while at the same time we are working to \nreduce risks associated with our IT assets. 
And I want to thank \nyou and the committee for the focus that you are giving to \nthis, and we pledge to you our cooperation and support.\n    [The prepared statement of Mr. Corts follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.064\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.065\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.066\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.067\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.068\n    \n    [GRAPHIC] [TIFF OMITTED] T4838.069\n    \n    Mr. Putnam. Thank you very much, Mr. Corts.\n    Our next witness is Jeffrey Rush, Jr. Mr. Rush was sworn in \nas the Inspector General for the Department of Treasury in July \n1999. Prior to that, he served as the Inspector General of the \nU.S. Agency for International Development and is the acting \nInspector General of the Peace Corps. Mr. Rush also served for \n23 years in the U.S. Department of Agriculture.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n\n STATEMENT OF JEFFREY RUSH, JR., INSPECTOR GENERAL, DEPARTMENT \n                        OF THE TREASURY\n\n    Mr. Rush. Thank you, Mr. Chairman.\n    In your letter of February 26, you asked me to address \nthree points in my statement: One, a summary of the state of \ninformation security at Treasury; two, the methodology used to \naudit Treasury and the resources available to my office; and, \nfinally, the circumstances that led to the delay in our \nreporting of results under FISMA.\n    First, although we have been reporting on serious \ninformation security weaknesses since 1998, I will limit my \ntestimony only to the work done in the last 3 years. Our \nreporting in fiscal years 2001 and 2002 was under the \nGovernment Information Security Reform Act [GISRA]. This most \nrecent job was done under FISMA. 
All three assessments as well \nas management's own have identified serious deficiencies in \ninformation security throughout the Department.\n    Let me summarize just what we consider the important \ndeficiencies to be. First, most of the systems have not been \ncertified or accredited. Second, Treasury has been unable to \nprovide an accurate inventory year to year of systems to be \ncertified and accredited. Third, Treasury's plans of action and \nmilestones and for fixing security--serious security \nweaknesses--are not complete and are inconsistent. Four, \nTreasury does not fully comply with the reporting of security \nincidents. Fifth, Treasury did not use the National Institute \nof Standards and Technology guidance for all of its programs. \nSixth, interdependencies and relationships of critical \noperations have not been fully identified. And, finally, \nTreasury has not provided sufficient information technology and \nsecurity training to the majority of its employees.\n    Second, in conducting our fiscal year 2003 evaluation of \nTreasury's information security program and practices, we \nfollow the guidance issued by the Office of Management and \nBudget on August 6, 2003. I have attached a copy of that \nguidance to the statement. The guidance prescribed a set of \nquestions to be answered by both agency management and by the \nOffices of Inspectors General. In this regard, OIGs were to \nevaluate a representative sample of all of the types of agency \nsystems. One area that was to be emphasized this year was--in \nOIG's assessment--was against specific criteria which the \nagency developed, implemented or was managing in agency-wide \nplans of actions and milestones process. 
The plans of action \nand milestones process is key to effective remediation of IT \nsecurity weaknesses and instrumental for the agency to get \ngreen under the expanding government scorecard of the \nPresident's management agenda.\n    Finally, as background for the reason for our delay in \nFISMA reporting, during March 2003, we divested approximately \n70 percent of our staff to the Department of Homeland Security \nOffice of Inspector General pursuant to the Homeland Security \nAct. Our audit staff was reduced from 165 to 62 during the last \n6 months of a fiscal year. Our annual audit plan had to be \ncompletely revised. Thus, this divestiture and subsequent \nattrition reduced our IT audit group from 14 to 5.\n    With our much reduced staffing, we determined we could not \ncomplete FISMA on schedule and sustain an accelerated audit of \nthe Department's fiscal year 2003 financial statements. In \nconsultation with the Department and the Office of Management \nand Budget, priority was given to the audit of the Department's \nfiscal year 2003 performance and accountability report, and we \ncommitted to issue the FISMA report within 30 days of that \ndate. And, accordingly, the financial statement audit was \ncompleted on an accelerated basis on November 14, 2003, and we \nissued our FISMA report on December 15, 2003.\n    But let me stop and make clear to you that I probably owe \nyou an apology. If not, I will give you one anyway. As early as \nJuly 2003, apparently everyone but this committee was informed \nof the decision to concentrate on completing the accelerated \nfinancial statement, clearly putting FISMA at a second \npriority; thus, the late report that was due in September.\n    Considering our current staffing levels and looking \nforward, we have not been able to and do not anticipate being \nable to hire additional IT auditors in the near future. 
Thus, \nwe plan to contract for the FISMA evaluation for the non-\nnational-security systems for fiscal year 2004. We will perform \nthe fiscal year 2004 FISMA evaluation for Treasury's national \nsecurity systems with our own staff.\n    That concludes my statement.\n    [The prepared statement of Mr. Rush follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.070 through T4838.108\n    \n    Mr. Putnam. Thank you very much, Mr. Rush.\n    Our next witness is Ellis Merschoff. Mr. Merschoff is the \nChief Information Officer for the Nuclear Regulatory \nCommission. Prior to serving as CIO, Mr. Merschoff was the \nDirector of the Western Region for NRC. He had worked at NRC in \nvarious capacities since leaving the U.S. Navy in 1980. He was \nawarded the Presidential Distinguished Executive Award in 2000 \nand is a licensed professional engineer.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n\n  STATEMENT OF ELLIS W. MERSCHOFF, CHIEF INFORMATION OFFICER, \n                 NUCLEAR REGULATORY COMMISSION\n\n    Mr. Merschoff. Thank you, Mr. Chairman. I appreciate this \nopportunity to testify with regard to the activities of the \nU.S. Nuclear Regulatory Commission as they relate to the \nFederal Information Security Management Act.\n    The mission of the NRC is to regulate the Nation's civilian \nuse of byproduct, source, and special nuclear materials to \nensure protection of public health and safety, to promote the \ncommon defense and security, and to protect the environment. \nOur headquarters is located in Rockville, MD, with regional \noffices located in Pennsylvania, Georgia, Illinois, and Texas. \nWe have a technical training center located in Tennessee and \nresident inspector sites located at 70 nuclear power plants and \nfuel-cycle facilities around the country.\n    Although I have been the NRC's chief information officer \nfor only 9 months, I have been with the NRC, as you stated, for \n24 years. Of those 24 years, I was an NRC line manager for 18 \nyears and served as a regional administrator for 6 years. 
I \nunderstand the operational and business needs of the NRC, which \nallows me to contribute a perspective that enables the agency \nto effectively apply information technology to meet the \nbusiness needs of the NRC while achieving the appropriate level \nof computer security for the agency.\n    As an agency, we have 4,000 interconnected computers that \nexchange approximately 100,000 e-mail messages and receive \nanother 40,000 e-mail messages from the Internet every day. On \na daily basis, we experience 500 attempts at reconnaissance of \nour systems, strip out 300 suspicious e-mail attachments, \nidentify 100 attempts at denial-of-service attacks and isolate \n10 virus occurrences.\n    The NRC has identified all major operational applications \nand support systems, each of which has been certified and \naccredited. Outstanding findings from risk assessments and \nother evaluations are entered into a tracking system, monitored \nand closed out when resolved. We review the security controls \nfor each of these systems on an annual basis, using the self-\nassessment process provided by NIST and benefit from a strong \nworking relationship with NRC's Office of the Inspector \nGeneral.\n    The NRC emphasizes computer security awareness at all \nlevels of the organization, from senior management to the \nindividual employee and contractor. We require that each \nemployee take an annual computer security awareness course \nwhich is available online to ensure accessibility at the \nemployee's desktop.\n    The NRC holds an annual observance of International \nComputer Security Awareness Day, which has grown in \nparticipation over the past 10 years. In November 2003, close \nto half of our headquarters' population attended this event.\n    Like all Federal agencies, the NRC must contend with \nviruses and other malicious software. 
We download new virus \ndefinitions to all desktops and deploy relevant computer \nsecurity patches as soon as testing ensures compatibility with \nthe NRC's mission-related software. The NRC also utilizes \nannouncements to notify staff about viruses, hoaxes, spam, and \nscams that might affect our staff. Ask Cyber Tiger is a regular \ncolumn in the NRC's newsletter that seeks to answer employees' \ncomputer security questions. Our computer security staff \ncreated Cyber Tiger about 8 years ago to act as a spokesman and \na logo character to convey our computer security messages.\n    The NRC is the only Federal agency with a comprehensive \nelectronic document management system known as ADAMS for which \nthe agency received the Archivist of the U.S. Achievement \nAward. ADAMS supports the creation, storage, retrieval and \nmanagement of documents and records related to the NRC's core \nbusiness functions. The system stores the agency's record copy \nin electronic form for efficient transfer to the National \nArchives and Records Administration. Users can search for, view \nthe image of and print documents at their workstations \nregardless of geographic location. ADAMS software identifies \nand authenticates users and applies access controls to ensure \nthat each document is viewed or modified only by appropriate \nindividuals.\n    In summary, the NRC operates with offices across the \nNation. We take computer security requirements very seriously \nand work toward a seamless integration of computer security in \nour day-to-day operations. The NRC's computer security \nchallenges continue to evolve, and we continue to revise our \nprogram to address these new requirements. I appreciate the \nopportunity to appear before you today, and would be pleased to \nanswer any questions you may have.\n    [The prepared statement of Mr. 
Merschoff follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.109 through T4838.118\n    \n    Mr. Putnam. Thank you very much, Mr. Merschoff.\n    Our fourth witness for the second panel is Kerry Weems. Mr. \nWeems is in his 23rd year of Federal employment, 21 of those \nbeing at the Department of Health and Human Services. In 1988, \nMr. Weems left the Social Security Administration and began \nwork for the budget office in the Office of the Secretary, \nDepartment of Health and Human Services. Since then, he has \nserved in a variety of capacities ranging from senior analyst \nto branch chief and division director. In June 2002, he became \nDeputy Assistant Secretary for Budget and, since January 2003, \nhas served as Acting Assistant Secretary for Budget, \nTechnology, and Finance.\n    You are recognized for 5 minutes. Welcome to the \nsubcommittee.\n\n   STATEMENT OF KERRY WEEMS, ACTING ASSISTANT SECRETARY FOR \nBUDGET, TECHNOLOGY AND FINANCE, DEPARTMENT OF HEALTH AND HUMAN \n                            SERVICES\n\n    Mr. Weems. Thank you, Mr. Chairman. It is a pleasure to be \nhere. And thank you for inviting me today.\n    Today, I would like to describe to you the existing efforts \nHHS has undertaken to improve the security posture of our \nagency and to comply with Federal legislative and regulatory \ndirectives.\n    In its most recent FISMA report, HHS reported 222 systems, \n13 programs and 77 contractor operations and facilities, all of \nwhich require information technology protection. 
I would first \nlike to summarize the current state of information technology \nsecurity within HHS and the actions underway to address \nidentified weaknesses and improvements that are currently \nunderway.\n    I am pleased to report that improvements are being made in \nthe management of information security at HHS. We have built a \nsolid foundation of policy and procedures for IT security \noperations and management, including a series of supporting \nguides to assist personnel throughout HHS in understanding and \nimplementing security policies and guidance. These policies and \nguides form a common baseline for standard IT security \nthroughout the Department, which our operating divisions can \nexceed if their business operations require stronger \nprotections.\n    Updates were also made on previous policies to meet new \nguidance from OMB, specifically in the areas of privacy impact \nassessments, plans of action and milestones, security \nperformance measures and metrics, security program reviews, \nand self-assessments. Additional updates were made to address \nnewly emerging technologies.\n    In addition to these efforts, the Secretary launched Secure \nOne HHS, a comprehensive program that blends targeted IT \nsecurity, technical support and assistance with managerial and \noperational changes designed to improve the methods and \npractices of all personnel with IT security responsibilities \nthroughout the Department. This program provides the framework \nfor adequately securing our information systems.\n    In fulfilling this initiative, HHS has demonstrated its \ncommitment to protect the health and welfare of the American \npublic. 
Key focus areas of Secure One HHS currently include \ncritical infrastructure protection, system and program level \nsecurity development, FISMA compliance, which includes numerous \nsubcomponents such as certification and accreditation and \nincorporation of plans of action and milestones as a \nmanagement tool.\n    In less than a year, HHS has made major progress in \nemploying an extensive security program and increasing the \nlevel of security throughout HHS. We have taken decisive steps \nto remediate the weaknesses identified in the FISMA report, \ndrafted new policies and issued new guidance concerning \nintegration of security into the system development lifecycle. \nWe have linked IT security with capital budgeting by improving \nand integrating IT security elements into the exhibit 53 and \n300 submissions required by OMB, and we have augmented our \nprocedures for the IT investment review board to ensure that IT \nsecurity is addressed before new investments are made. We have \nimplemented a streamlined yet very intensive support structure \nthat provides our operating divisions with automated tools that \nimprove and centralize data collection and reporting of FISMA \nplans of action and milestones.\n    HHS has also licensed an automated NIST self-assessment \ntool to standardize and facilitate the department-wide \nutilization of NIST guidance. These tools are supplemented by \nextensive support and monthly plan of action and milestone \nreview meetings with the information security officer of each \noperating division.\n    HHS has also drafted guidance concerning security \ncertification and accreditation and developed remediation plans \nfor ensuring certification and accreditation of all appropriate \nsystems.\n    C&amp;A compliance has increased in the last 6 months and is \nwell on its way to exceeding its goal of 90 percent by June \n30th of this year. 
As of today, we have achieved nearly 60 \npercent with a goal of 70 percent for the end of this month.\n    For each system that has not completed C&amp;A, there is a \nspecific remediation plan targeting its path toward \ncertification. Recently, security remediation plans have been \nexpanded to track privacy impact assessments as well as \nlinkages between system security and capital planning \nrelationships. The chief information security officer has \nconducted reviews of the training and awareness policies and \npractices currently in place and issued guidance regarding the \nmanagement of mandatory annual user security-awareness \ntraining.\n    Last, HHS is developing a departmental security operations \ncenter that will significantly improve our incident response \ncapabilities and institutionalize a more rigorous defense \nagainst malicious hackers and other threats.\n    Thank you. That ends my testimony.\n    [The prepared statement of Mr. Weems follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4838.119 through T4838.145\n    \n    Mr. Putnam. If you have a wrap-up statement, you are \nwelcome to make it.\n    Mr. Weems. OK. I will be happy to do that.\n    We have made significant progress toward implementing an IT \nsecurity program. We recognize that a program and a strategy \ncall for the institutionalization of sound IT security \npractices that are essential for safeguarding information \nentrusted to HHS by the citizens of the country. We remain \ncommitted to this goal as we continue to implement the Secure \nOne HHS program. Thank you.\n    Mr. Putnam. Thank you. I thank you for your sensitivity to \nthe little red light. Some people just keep right on going.\n    Mr. Weems. Mr. Chairman, I have sat behind many secretaries \nwho have had to watch the red light.\n    Mr. Putnam. It can be intimidating. When I was in the State \nlegislature, I had to testify before my first subcommittee, and \nit freaked me out when I went yellow much less red.\n    Mr. Merschoff, you are the teacher's pet of the panel. Your \nagency received an A, so we are going to give you all the first \nquestions and then sort of let you off the hook, I guess.\n    You know, relative to some of the other agencies and \ndepartments, the NRC is relatively small. How much of your \nsuccess was determined by your size and how much of your \nsuccess is scalable in that it could be easily replicated in a \nlarger organization?\n    Mr. Merschoff. I would say size is a function of the \ntimeliness of accomplishment and not the accomplishment itself. \nWe are a full scope agency. We develop new IT applications. The \nADAMS that I discussed is the first in the Government in terms \nof an electronic records management system. 
We are developing \nanother one for an electronic courtroom for the high-level \nwaste hearing.\n    So what we do is difficult, but being smaller allows us to \nproceed at a pace that is easier to maintain than the large \nagencies. In terms of scalable, I believe it probably is.\n    Mr. Putnam. Now that you are on top, how institutional are \nyour changes? I mean, do you foresee remaining an A virtually \nindefinitely? What types of changes do you have to make on an \nongoing basis to continue to meet those top standards for your \nA rating?\n    Mr. Merschoff. Well, as Lewis Carroll said in Alice Through \nthe Looking Glass, you have to run really fast in this world to \njust stay where you are, or words to that effect. The bar is \nbeing raised continuously by OMB, so it will be harder this \nyear to be an A than it was last year. We have areas to \ncontinue to work on, two that you have addressed already in \nterms of contingency plans and inventories are areas we have \nwork to do in. So there is important work that remains to be \ndone relative to our agency.\n    I have an outstanding staff, and I have the support of the \nsenior management within the agency to maintain computer \nsecurity, so I anticipate we will be able to meet the new \nchallenges.\n    Mr. Putnam. How have you implemented the accountability \nwithin all of your managers and program directors? How is that \neffective, and how have you helped them make \ninformation security a priority of their everyday life?\n    Mr. Merschoff. We have established the corporate level \nprocedures that govern the IT systems, chief of which is the \ncapital planning and investment control process. We have \nintegrated security into the development of new systems, so a \nbusiness line can't develop a new system without the approval \nof the Office of the CIO, and embedded in that approval is \nworking hand in hand with us with security. 
So we have \nconfidence that each new security system we bring on line is \nrobust in a security sense. And being a peer to the other \nbusiness line managers, they seek our help, and we provide it \nin terms of current operating systems.\n    Mr. Putnam. Your background is not technical in nature as \nit relates to IT; you are an engineer, I believe. Do you think \nthat has helped you in understanding the importance of this and \nsharing it with others? Do you think that you have more \ncredibility with your peers as an engineer as opposed to being \nan IT specialist?\n    Mr. Merschoff. I would take issue with my background not \nbeing technical. I'm an aerospace engineer and a mechanical \nengineer.\n    Mr. Putnam. Information technical.\n    Mr. Merschoff. I'm not an IT professional. I believe that \nhas helped a lot. What I believe agencies need at the CIO level \nis an executive that can hold people and programs accountable \nto achieve certain goals. Engineering as a discipline is one \nthat IT in general can benefit from. Engineers look at \nredundancy and reliability and bring a rigorous, disciplined \nthought process to systems development that matches nicely with \nIT development and CPIC development.\n    So the direct answer to your question, in terms of \ncredibility, I believe it helps a great deal. Having been a \npeer to the senior business line managers in the agency, there \nis a trust in the budgeting process and there is a trust in \nterms of the service delivery process that I think helps us \nprogress.\n    Mr. Putnam. Thank you.\n    Mr. Rush, could you please elaborate on the additional \nfinancial reporting requirements that took priority and pushed \nFISMA into a secondary position that you referred to in your \nopening statement?\n    Mr. Rush. Yes, sir. In fiscal year 2002, we were the first \nCabinet-level agency at Treasury to accelerate our financial \nreports to the shortened deadline of November 15th. 
Under \nSecretary Paul O'Neill, much effort was expended to demonstrate \nthat financial reports had to be timely to be useful to \nmanagers. As we approached 2003, it was clear to OMB that was \nan important goal for all of the CFO agencies. Thus, by late \nspring, early summer and immediately following the divestiture \nof a lot of our resources, I met with the assistant for \nmanagement and we consulted with the Comptroller of the United \nStates Linda Springer and made clear that we couldn't meet the \naccelerated deadline for 2003 and meet our other requirements \ngiven the resources that we had lost. We were clearly able to \nproduce one of those jobs but not both of them by the \ndeadlines.\n    So the decision was that the IRS, the Bureaus, the Treasury \nIG for tax administration and the Department would prepare \ntheir report and send it to OMB on time and that the IG work \nthat my office does to bring FISMA to conclusion would be \nfollowed within 30 days of any successful accelerated financial \nstatement report.\n    Now, those discussions went on for a couple of weeks, and \nas I indicated to you in my letter, when I distributed the \nreport to you I apologized for the first time, we did not think \nto notify this subcommittee because we assumed that having \ncoordinated with OMB that information might have been \navailable. I regret that. That was my responsibility, and I am \nhere to accept that responsibility.\n    But as between the two important jobs that we were facing \nas we went into the fall, it was clear that the accelerated \nfinancial report was the priority for Secretary John Snow and \nfor the administration.\n    Mr. Putnam. Is contracting out an option? I assume it will \nbe, based on your earlier remarks. Is it going to be your \noption in the future to contract out the preparation of the \nFISMA reports?\n    Mr. Rush. It will have to be for the foreseeable future, \nbecause, again, we are not moving our resources up. 
The \nPresident's budget request for 2005 gives us a substantial plus \nup over 2004. It almost helps us recover from some of the \ndivestiture. But the problem here is timing. As we found last \nsummer as we faced the decision of financial statement \nreporting, FISMA reporting, if you can't make those decisions \nearly enough in the audit cycle, you can't get a contract out \nthere. Our problem was that we were going into this audit \nperiod anticipating using our own resources to do the work, and \nwhen we had this tradeoff decision, we found ourselves in the \nposition where it was too late to bring a contractor in because \nyou still have to supervise the contractor.\n    This year we're starting off with better understanding of \nour resources, we're going to do more contract work for--our \nfinancial reporting, and we intend to use a contractor for most \nof our FISMA work. We'll not do it for the national security \nsystems that we report on to you and others as classified \nreports.\n    Mr. Putnam. You went from 165 to 62 staff in the IG's \noffice?\n    Mr. Rush. No, that's just the audit staff.\n    Mr. Putnam. Audit staff. Is that proportional to the amount \nof the department that was transferred to the Department of \nHomeland Security?\n    Mr. Rush. Well, after a careful study of our audit program \nfor the 3 years prior to divestiture, we identified a need to \ntransfer somewhere between 30 and 35 percent of our staff to \nHomeland to accompany the work that was associated with the \nCustoms Service, the Secret Service, the Federal Law \nEnforcement Training Center and that part of the Bureau of \nAlcohol, Tobacco and Firearms that went to the Justice \nDepartment. But for reasons still not clear to me, we were cut \n70 percent rather than 35 percent and we've been playing catch-\nup.\n    That decision was made, and clearly people were trying to \ndo the right thing to establish the Department of Homeland. 
And \nI don't doubt that the people that we contributed to that IG \noffice over there have made a difference in the Department of \nHomeland Security, but we had to actually go out and pick up \nabout 12 people for the financial statement audit cycle and \ndetail them into our office to get that audit done. And we are \nstruggling.\n    Mr. Putnam. The IRS and Bureau of Public Debt, those audits \nare conducted by you or by the GAO?\n    Mr. Rush. The IRS is done entirely by GAO and part of the \npublic debt is done by GAO. We rely on those reports to prepare \nthe consolidated. We're responsible for the consolidated audit \nand the bureau-level audits and special audits.\n    As you know, Treasury right now has eight different stand-\nalone audits, everything from the gold and silver reserve to \nspecial accounts. The recovery in D.C. pushed the pension funds \nfrom D.C. into Treasury, so we have to manage an account from \nthose funds and do a financial statement on the retirement for \njudges and teachers and police officers.\n    We do stand-alone audits for the Office of the Comptroller \nof the Currency, the supervisor of national banks; the Office \nof Thrift Supervision, the supervisor of the savings and loan \nindustry. We do stand-alone audits for other entities including \nthe Financial Management Service, the check writer and the cash \nmanager for government.\n    Mr. Putnam. And I hear where you're coming from on the \nreasons for the delay.\n    At the end of the day, the score was a D, and I'm told \nprobably with the input of the IG's report, had it been on \ntime, would have remained an F, the same scores received in \n2002.\n    In your testimony, you attribute a fair amount of that to \nthe IRS. Could you elaborate on that?\n    Mr. Rush. Well, the IRS is the largest bureau of Treasury. 
\nTreasury right now is about 115,000 to 116,000 people; 100,000 are \nin IRS.\n    IRS has gone through major systems modernization for the \nlast 4 or 5 years and into the foreseeable future. Their \ninability to accurately identify the number of systems that \nthey had really changes all the numbers for Treasury because of \nthe miscount or undercount of systems and the failure to \ndevelop plans consistent with all of those systems.\n    But I do not want to make that solely an IRS problem. \nTreasury in every level, in every bureau, has very serious \ninformation security problems.\n    Mr. Putnam. Well, to your credit, you're very blunt and \ncandid in your opening statement and your submitted testimony \nto that fact. And it is, considering the nature of Treasury and \nthe information it handles and the privacy issues surrounding \nit, people are sensitive about what they pay in taxes and what \nthey have, I would think that you would be on the short list of \nfolks that we would really want to get it right. And so it is \nimportant that Treasury improve.\n    Mr. Weems and Mr. Corts, both of you are responsible both \nfor financial management and budget, as well as technology of \nyour agencies, I believe; is that correct?\n    Mr. Corts. That is correct.\n    Mr. Putnam. One of the most common complaints that we hear \nis that the component level of departments don't follow \ndepartment-wide policy on information technology and don't feel \ncompelled to do so.\n    Do you find the same resistance when you direct budget or \nfiscal policy for the Department? And why is there a lesser \nstandard of accountability or responsiveness on issues related \nto information technology? Mr. Weems and then Mr. Corts.\n    Mr. Weems. 
The hammer of the budget produces, usually, the \nquickest results; if nothing else, it quickly gets the \nattention of the component head and produces an appeal to the \nSecretary, to me, to somebody else, who then can have a \nreasonable discussion about it.\n    Many times, things in other areas seem a bit too esoteric \nto be able to have that kind of discussion. That's why we have \nundertaken in HHS to link these things together. Investments in \nour budget process that do not have proper security simply \nwon't go forward, and the agency head or agency official will \nbe in the posture of having to appeal, having to have a \ndiscussion, and also having to explain why they're trying to \nmove an information and technology investment that does not \nhave security sufficient to the standard.\n    Mr. Putnam. Mr. Corts.\n    Mr. Corts. There's always a certain amount of push-back.\n    I think that the Department of Justice was really--the \ndecentralization of the Department caused the bureaus, \nespecially the large bureaus, to really take on kind of a \npersona of their own and perhaps push back in both budget and \nIT is stronger in those kinds of situations. But I believe, \nover the last couple of years, with the emphasis on unity as a \ndepartment, we're seeing a great deal of lessening of that.\n    The CIO Council that operates within the Department and I \noccasionally will drop in on their meetings. There seems to be \na good spirit there and a real desire to try to work together. \nThe way that we're organized, it does allow the CIO to be very \ninvolved in the budget process, and I believe it is becoming \nwell recognized throughout the Department that the CIO has a \nsignificant role with respect to budgetary issues.\n    So the point that Mr. Weems was making where the budget is \nsuch a readily identifiable hammer, if you can tie that to IT, \nI think you have an additional kind of hammer to use. 
So I \nbelieve that the role that the CIO is playing in budget \ndecisions, the CIO's involvement in our management team, is \ngiving the CIO additional strengths and a way to deal with this \npush-back issue.\n    Mr. Putnam. This is the 4th year in a row that Justice has \nhad an F score. What are some things that you can identify as \nbarriers to breaking into that D category or something better \nthan 4 years of an F?\n    Mr. Corts. Well, frankly, we had a lot of organizational \nproblems, as I described in the testimony, not the least of \nwhich was a clear identification of who was in charge of IT \nsecurity. Again, I came to the Department about 16 months ago, \nand quite frankly, I was quite surprised with what I found with \nregard to IT and IT security.\n    But I think that we're making big strides, and one of those \nissues was a clear identification of who was going to have IT \nsecurity, because it had previously, in the Department, been \nkind of jerry-rigged, I guess somewhat split between the \nDepartment security officer and the CIO. And there was a lot of \nstruggle over the issue of naming one single person the \nultimate person responsible for it, but we've crossed that \nbridge and that's really helping us to move forward; and very \nquickly on the heels of that, the appointment of a chief \ninformation security officer, a person who came with a lot of \nskill and background and is just really making giant strides \nfor us in the last months, that aren't showing up on scorecards \nyet because the scoring took place before some of these things \nwere happening.\n    This is a very dynamic thing for us, and it's on the move, \nand I think it is on the move in the right direction.\n    Mr. Putnam. I am glad to hear it is on the move now, and I \nhope that it stays true. 
I was on the Horn subcommittee and \nwe've heard from a lot of folks about changes in personnel, \nchanges in priority, changes in leadership, changes in \npolicies; and we have to institutionalize something that will \noutlast you, that will outlast me and your attorney general and \nthis President and everything else to get serious about this.\n    Mr. Weems, your testimony indicated a number of excellent \nsounding initiatives, Secure One among others, yet your \ndepartment actually slid backward from a D to an F. What \nhappened and what can we expect to see happen next year?\n    Mr. Weems. Well, Mr. Chairman, I work for Secretary \nThompson, and on this scale, there's only one passing grade, \nand NRC has it.\n    Yes, we did slide backward, and our goal is an A, and the \nSecretary has made that very clear to me. Last year we were \nscored before Secure One HHS was launched. In looking back over \nthat report and what happened, I certainly don't want to sound \nlike ``the dog ate my homework'' sort of excuse here. We do \nhave deficiencies in HHS, but one of those deficiencies is \ndocumentation. If we had sufficient documentation for some of \nour procedures, our grade would have been higher. So there may \nhave been a difference between the way that we are evaluated \nand the way that security works in the real world.\n    Having said that, we are striving to do as you have said, \nwhich is to institutionalize security into HHS, largely through \nthe budget process, but also through clear lines of \nresponsibility emanating from my office through our various \noperating divisions, so we'll make it clear who is responsible \nfor what and along what time lines.\n    Mr. Putnam. Your budget has, I believe, increased \nsubstantially since the creation of the Department of Homeland \nSecurity; is that correct?\n    Mr. Weems. 
Yes, just a few items went to the Department of \nHomeland Security, but our budget for bioterrorism, which is a \nsubstantial piece, has gone from about $300 million to about \n$4.1 billion in the fiscal 2005 budget.\n    Mr. Putnam. Since your profile has been raised as a result \nof the Department's role in the anthrax investigation and \nricin, and your Secretary's launch of his war room, as well as \njust the increased awareness in the nature of biothreats, have \nthe attempted hacks and attacks on your information systems \nincreased as your profile has been raised?\n    Mr. Weems. We have noticed some increase there.\n    One of the things that I think would be helpful, and I \nbelieve that this subcommittee has pointed out, would be a \nuniform standard for reporting those. As you know, HHS reported \na substantial number of incidents, but since they're measured \ninconsistently across all departments, it's difficult for us to \nbe able to determine our posture with respect to other agencies \nwhich may report one, for instance, over a year.\n    With the growth of our bioterrorism efforts, that is a \nplace where we have been very careful to make sure that we have \nsufficient security, and not just cybersecurity but also \nphysical security. You can see that at the NIH campus in \nBethesda and the CDC campus down in Atlanta.\n    Mr. Putnam. Mr. Rush, now that FISMA is permanent and we're \nworking on our second year, using the same scoring standards, \ndo you anticipate a change in resources allocation either for \nthe purpose of contracting, or a shift in staffing similar to \nthat, that was caused by the CFO Act that would allow you to \nhave the tools you need to be in compliance with FISMA?\n    Mr. Rush. We're going to have the tools that we need this \nyear because the Deputy Secretary is taking over supervision of \nthe CIO operations and there's going to be a concerted effort \nto see some improved performance from management. 
It has to be \nmatched by what we do not only in the content of that work, but \nin the timeliness of the work. So I think we're in good shape \nfor 2004.\n    We're going to be meeting as early as next week to try to \nbring that to conclusion. But long term, I think we have to \ncome to grips with jobs that are process jobs for IGs. These \nare compliance-type jobs for IGs. And while I'm not here to \nspeak on behalf of that community, as one who's been in that \ncommunity a long time, we can meet the deadline, but we need to \nbegin to rationalize some things.\n    I, for one, complained to OMB that the timing didn't make a \nlot of sense. Notwithstanding our resources, it made no sense \nto me to be reporting in September on FISMA when we operate on \na fiscal year that ends September 30 and we have financial \nreporting that started as early as November 15. Trying to bring \nsome of these deadlines and due dates into sync makes a lot \nmore sense to folks like me, who have to audit.\n    Second, the act didn't have a date; it merely said that OMB \ncould establish a date. So we thought it fair for them in the \nfuture to consider a different reporting date than September \n15. That's not a date that's particularly useful for \nmanagement, by the way. It's completely out of context with \ntheir own mission and performance reporting.\n    So there's a lot to be done as we look out at FISMA 2005-\n2006. But for 2004, I think we're just going to knock along and \nget the job done.\n    At Treasury, I think you'll see some improved performance. \nI'm very impressed with Deputy Secretary Sam Bodman. He's only \nbeen in the Department about 2 months. He comes to us from the \nCommerce Department where he had real impact on the \nDepartment's operation, and we hope that he'll bring that to \nTreasury.\n    Mr. Putnam. Those are very interesting suggestions, yours \non the reporting deadlines and Mr. 
Weems's suggestion on the \nconsistent measurements of incidents.\n    Mr. Merschoff, do you have any thoughts on ways that we can \nimprove what is measured, how it is measured, is it relevant, \nis the benchmark appropriate? Your thoughts?\n    Mr. Merschoff. I agree with Mr. Weems. It's important to be \nable to compare your organization to other organizations to \nbenchmark to understand if you're doing something substantially \ndifferent that needs to be addressed. In our case, we reported \n67,000 incidents last year to FedCirc. Some report one or two \nor three, and so it's absolutely impossible----\n    Mr. Putnam. Do you know who? HUD had only one attempted--\nonly one incident. So I guess nobody's interested in breaking \ninto HUD's information security or something. It would be quite \nremarkable.\n    Mr. Merschoff. But if we're to get better, the CIO Council, \nworking together with benchmarking across the entire spectrum \nof what we do, will help us realize where we're performing at a \nlevel less than the rest of the government on the way to seek \nhelp and also to provide that help to others.\n    Mr. Putnam. Mr. Corts, you're relatively new to this ball \ngame. You came from the academic world. What are your thoughts \non the benchmark and the appropriateness of the standards?\n    Mr. Corts. Well, I would certainly agree with the \nconsistency issue and, I think, the definitional issue. You \nhave to get a clear understanding that everybody is talking the \nsame language and comparing apples to apples. And I think--you \nknow, I do think this is still a pretty nascent operation, and \nas it matures--and I think it was the language that Karen Evans \nwas using--we're going to see things will coalesce better in \nterms of agreement about terms and manners of reporting and so \nforth, which will be to the benefit of all of us from the point \nof view of benchmarking. 
And in the accreditation work that I'm \nfamiliar with from academe, those are crucial, just a crucial \npart of the accreditation process.\n    Mr. Putnam. What's your deadline for your budget \nsubmission--I guess Mr. Rush, since you raise the issue of \ndeadlines. My understanding is that OMB set the date for FISMA \nreporting to coincide with your budget submissions; is that \ncorrect?\n    Mr. Rush. That may have been their judgment. It did not \nmatch with the submission. The submission process for the \nfiscal year actually spilled over into late October. We had \nreclama as late as November. The appeals to the President did \nnot occur until December, as I recall, this past year and the \nPresident submitted his budget on February 1st.\n    Mr. Putnam. So what----\n    Mr. Rush. So I do not see a connection between the budget \nprocess and FISMA reporting, if there's supposed to be one, and \nI'm not going to object to that. It does not give September 15 \na particular value as a day.\n    Mr. Putnam. What date would be more appropriate in your \nview?\n    Mr. Rush. We invest so much in financial systems reporting \nbecause of the Chief Financial Officers Act and GMRA, that it \nwould be useful, if we were able to tie our FISMA reporting, \nwhich often relies on the EDP control audit work in the big \nfinancial systems, to do it at about the same time or within 30 \ndays.\n    And I'm not making that recommendation for all IGs. I can \nsay from Treasury's standpoint, if we could rely on the \nimportant IT audit work that is part of our consolidated \nfinancial statement audit, we would be able to get that report \nout and I think you'd get a better product. It's late, but I \nthink you will get a better product.\n    Mr. Weems. Mr. Chairman, perhaps I can answer that at least \nfrom the standpoint of the HHS. Our budget deliberations, \ninternally at least, inside the Office of the Secretary, \ntypically are in July. 
So if we were in possession of the FISMA \nreport in advance of July, we certainly could consider that as \npart of our budget deliberations.\n    Typically, August is spent trying to complete the necessary \ndocumentation to send in a budget to OMB, which is due usually \nright after Labor Day. So, in fact, I believe this year we had \nsubmitted our budget document to OMB before the FISMA report \nwas complete.\n    Also, as Mr. Rush has noted, we were in similar throes of \ntrying to complete our own audit, which took an awful lot of my \ntime and the time of other departmental officials, especially \nthe last quarter of the fiscal year and the foregoing 45 days, \nto get to the November 15 audit report date consumes an awful \nlot of time on the financial side and a tremendous amount of \nthe leadership's time as well.\n    So I would say, from our standpoint, the FISMA report being \navailable on a contemporaneous basis in June or May would be \nreally important to our budget process.\n    Mr. Putnam. Well, that's very helpful and I appreciate your \nsuggestions on ways that we can perhaps make FISMA even more \nmeaningful, the information from the report more actionable.\n    But three of the four of you don't have a whole lot of \ncredibility on making recommendations for changes to this \nthing, and some folks have figured out how to do it. It's \nreally kind of a unique thing to government that there is this \nkind of flexibility. There are a lot of things going on in \nFebruary and March, but you still have to pay your taxes on \nApril 15. You can get the extension, you get the extension, but \nyou've still got to pay the man. 
And people have to file all \nkind of reports to be in compliance with the government.\n    And your agencies, your departments and all the other ones, \nare not nearly as understanding as OMB has been and, frankly, \neven as Congress has been about people who just don't do it, or \nthey do it 3 months late or they do it whenever they get around \nto it. So we'll take these under advisement.\n    But the last thing I want to do, I do not want to cut off my \nnose to spite my face and avoid making solid, common-sense \nchanges that you guys recommend that might make sense; I do not \nwant to ignore good suggestions. But what I do not want is for \nthere to be yet another reason why people are not scoring \nparticularly well because we've changed the rules on them, and \nwe have once again given them a whole new set on the standards \nby which they're supposed to play ball.\n    The one thing about this year's score is that it is the \nfirst time that we have back-to-back years that actually are \ncomparable, apples-to-apples comparisons to really measure \nprogress. And all the frustrations and all the timing issues \nand the inconsistent reporting issues, particularly, that \nrelate to incidents affect everyone the same way. So, you know, \nthe A guys are dealing with the same lack of clarity as the F \nguys. And so if it's off, it's consistently off throughout the \ngovernment, and it's still relatively correct.\n    So we'll take your points under advisement as we review \nthere.\n    But the last thing I want to do is provide another reason \nwhy people can come back and say, well, you know, we were all \ngeared up for the 2004 structure, but then in 2006 you guys \nmoved the yardsticks on us. So we would have been there, but we \nwere prepared for the old standard.\n    I would give all of you the opportunity to provide any \nclosing remarks and then we will adjourn the hearings. So, Mr. 
\nWeems, if you would like to offer any thoughts, things that you \nwould wish had come out, suggestions, we'll move on down the \nline.\n    Mr. Weems. Nothing else, Mr. Chairman, except we look for a \nbetter grade, and if you're looking for a responsible official \nin HHS, that's me. Thank you.\n    Mr. Putnam. Thank you.\n    Mr. Merschoff. Yes, Mr. Chairman, I would like to recognize \ntwo reasons for our success. One is the computer security \nstaff. They're dedicated, they're motivated, they're competent, \nthey're capable and they're the engine behind our success.\n    The second is the Office of Inspector General. We have a \ngood and productive partnership, a dynamic tension with that \ngroup where we can disagree with them, they can criticize us, \nwe listen to each other and recognize that sometimes we're \nwrong and sometimes we're right; and I think that's helped us a \nlot in terms of improving.\n    That concludes my remarks.\n    Mr. Putnam. Thank you very much.\n    Mr. Rush.\n    Mr. Rush. I just want to be sure that I close by making \nclear to you that the problem with timeliness was the problem \nof the Office of Inspector General. It was not the Treasury \nDepartment. It was not IRS. It was not my partner, the Treasury \nInspector General for Tax Administration. Each of those three \npartners of mine did their work on time, met the standard and \ngot their work product to OMB. The only delinquency at Treasury \ncame out of my office, and I regret that.\n    Mr. Putnam. Thank you for your candor and for your \nsuggestions as well. They were good.\n    Mr. Corts.\n    Mr. Corts. Back to your point about the time that you do \nthis and the consistency and so forth, there is a lot of value, \nI think, in being able to, even if the date might not be where \neverybody wants it, you keep that date, you keep the standard \nso you've got the measurement.\n    Going forward 2 years in a row now, it would be great to \nsee another year. 
What's the right time? I'm sure we could \ndebate that around, because it could serve all of us; different \ntimes would serve all of us, maybe any one of us better than \nanother date. But I do think there's a lot of value in \nconsistency, and I know we look for that in terms of \nbenchmarking.\n    Finally, Mr. Chairman, we just want you to know that the \nDepartment of Justice considers this to be of the highest \npriority to us, and we fully intend to improve our mark. And we \nintend to be here and look forward to being here and giving you \na better report in the future.\n    Mr. Putnam. Thank you very much.\n    I want to thank all of our witnesses from both panels for \ntheir contribution to our oversight efforts. As we face almost \ndaily reports of the IT vulnerabilities, the Federal Government \nreally must be a shining example of IT security.\n    I also want to mention that I will be meeting with the \nFederal CIO Council again to express my commitment to this \nissue as well as to hear their feedback on why so many agencies \nhave not produced better progress, and perhaps to solicit more \nsuggestions, as you have provided, on ways that we can improve \nthe process.\n    In the event that there may be additional questions we did \nnot have time for today, the record will remain open for 2 \nweeks for submitted questions and answers.\n    Thank you very much. The subcommittee is adjourned.\n    [Whereupon, at 3:42 p.m., the subcommittee was adjourned.]\n    [The prepared statement of Hon. Wm. 
Lacy Clay and \nadditional information submitted for the hearing record \nfollow:]\n\n[GRAPHICS OMITTED: TIFF images T4838.005, T4838.006 and T4838.146 through T4838.153 are not reproduced in this text]\n\n                                 <all>\n</pre></body></html>\n"