[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





   INFORMATION SECURITY IN THE FEDERAL GOVERNMENT: ONE YEAR INTO THE 
              FEDERAL INFORMATION SECURITY MANAGEMENT ACT

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 16, 2004

                               __________

                           Serial No. 108-167

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
94-838                      WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          ------ ------
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Chip Walker, Professional Staff Member
                         Juliana French, Clerk
            Adam Bordes, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 16, 2004...................................     1
Statement of:
    Corts, Paul, Assistant Attorney General for Administration, 
      Department of Justice......................................    88
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office..................................     9
    Evans, Karen, Administrator, Electronic Government and 
      Information Technology, Office of Management and Budget....    47
    Merschoff, Ellis W., Chief Information Officer, Nuclear 
      Regulatory Commission......................................   138
    Rush, Jeffrey, Jr., Inspector General, Department of the 
      Treasury...................................................    97
    Weems, Kerry, Acting Assistant Secretary for Budget, 
      Technology and Finance, Department of Health and Human 
      Services...................................................   150
    Wu, Benjamin, Deputy Under Secretary for Technology, 
      Department of Commerce.....................................    58
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................   190
    Corts, Paul, Assistant Attorney General for Administration, 
      Department of Justice, prepared statement of...............    91
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office, prepared statement of...........    11
    Evans, Karen, Administrator, Electronic Government and 
      Information Technology, Office of Management and Budget, 
      prepared statement of......................................    50
    Merschoff, Ellis W., Chief Information Officer, Nuclear 
      Regulatory Commission, prepared statement of...............   140
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     5
    Rush, Jeffrey, Jr., Inspector General, Department of the 
      Treasury, prepared statement of............................    99
    Weems, Kerry, Acting Assistant Secretary for Budget, 
      Technology and Finance, Department of Health and Human 
      Services, prepared statement of............................   152
    Wu, Benjamin, Deputy Under Secretary for Technology, 
      Department of Commerce, prepared statement of..............    61

 
   INFORMATION SECURITY IN THE FEDERAL GOVERNMENT: ONE YEAR INTO THE 
              FEDERAL INFORMATION SECURITY MANAGEMENT ACT

                              ----------                              


                        TUESDAY, MARCH 16, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 1:17 p.m., in 
room 2247, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) Presiding.
    Present: Representative Putnam.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker and Shannon Weinberg, professional staff 
members; Juliana French, clerk; Suzanne Lightman, fellow; Adam 
Bordes, minority professional staff member; and Cecelia Morton, 
minority office manager.
    Mr. Putnam. Good afternoon. A quorum being present on this 
rainy Tuesday and the sound system back up and running, the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good afternoon and welcome to another important hearing on 
cybersecurity. This is the first oversight hearing conducted by 
the subcommittee on IT security this year.
    Last year, we learned a great deal about threats, 
vulnerabilities, new technologies and new strategies for 
addressing the important issue of information security. Since 
our last hearing on this topic, the only thing that has really 
changed is the urgency of the threat.
    While I believe that it may be fair to say that there might 
be more discussions taking place about these issues, the time 
for discussion and debate now yields to a more important 
requirement for action. Every month virus and worm attacks are 
becoming more prevalent and more malicious. One recent report 
placed the worldwide mitigation costs for the month of February 
2004, at $83 billion. Some say that number is overinflated. So 
let's say that it's off by half. That's still a staggering 
number.
    The cyber threat poses some very unique and difficult 
challenges. Our infrastructure and government systems can be 
attacked from anywhere, at any time. We know that various 
terrorist groups are very sophisticated and becoming more so 
each day, not to mention government-sponsored attacks. Our 
government has taken dramatic steps to increase our physical 
security, but protecting our information networks has not 
progressed commensurately, either in the public or private 
sectors. DHS is really just getting its feet on the ground in 
this arena. While I acknowledge the efforts of the National 
Cyber Security Division, I will reiterate my concern that we 
are collectively not moving fast enough to protect the American 
people and the U.S. economy from the very real threats that 
exist today.
    The privacy and security of the public remain at risk. The 
economic damage being done to our economy is significant. The 
magnitude of this clearly is what makes this hearing so 
important, because governmentwide we are still failing to 
adequately secure our networks. Government must be the leader. 
We must set the standard, and we must do it now. The oversight 
by this subcommittee will be commensurate with the threat: ever 
increasing and aggressive.
    In December of last year, the subcommittee released the 
2003 Federal Computer Security Score Card. It was the 4th year 
that Federal agencies were graded, following the process begun 
by former Congressman Steve Horn. This past scorecard for the 
first time based grades on the criteria established by the 
Federal Information Security Management Act [FISMA].
    Chairman Davis, through his FISMA legislation as part of 
the E-Government Act of 2002, laid the groundwork for better 
security and better reporting for the government's computer 
systems. This year's grades were based on the FISMA compliance 
reports that the agencies provided to Congress and OMB in 
September of last year. OMB has worked hard to advance computer 
security at all the Federal agencies. I would also like to 
thank the GAO for their invaluable help in preparation of these 
grades.
    This year is an important grading year because, for the 
first time, we can accurately compare the agencies to a 
previous year because the grading elements provide an apples-
to-apples comparison.
    This year overall the Federal Government received a grade 
of D. That's a modest increase over the F the government 
received last year.
    For the first time, two agencies, the Nuclear Regulatory 
Commission and the National Science Foundation, received A's.
    Fourteen agencies have increased their grades this year, 
although a couple actually slid backward.
    Only five agencies--five agencies--in the Federal 
Government have completed reliable inventories of their 
critical IT assets, leaving 19 without reliable inventories. 
This is troubling considering we are 4 years into this process 
and we still have far too many agencies with incomplete 
inventories.
    How can you secure what you do not know you have? How can 
you claim to have completed a certification and accreditation 
process absent a reliable inventory of your assets?
    The IGs of three agencies--DOD, Veterans Affairs and 
Treasury--did not submit reports in a timely manner. This 
represents a serious problem. I must stress the IG component of 
this equation is critically important. The independent 
verification is vital and particularly in light of the fact 
that there were significant differences between many of the 
agencies and their IGs. Seven agencies had differences of two 
grades or more with their IGs.
    Fourteen agencies are still below a C, and eight received 
failing grades.
    As we worked on these grades, there were some overriding 
themes that became apparent for the agencies with good grades 
versus those with poor grades: a full inventory of their 
critical IT assets; they identified critical infrastructure and 
mission critical systems; a strong incident identification and 
reporting procedure; tight controls over contractors; strong 
plans of actions and milestones that serve as guides for 
finding and eliminating security weaknesses.
    The Nuclear Regulatory Commission and the National Science 
Foundation should be commended for their outstanding scores, as 
well as the Social Security Administration and the Department 
of Labor for their B pluses. And while DHS has a failing grade 
this year, we recognize the difficult reorganization that took 
place and we expect significant improvement next year.
    To assist agencies, I have requested that each of the 24 
graded agencies come to meet with staff to discuss their grade. 
So far, staff has met with 14; and the results are very 
encouraging. We have seen a great deal of enthusiasm and 
willingness to do the work necessary. The agencies have also 
expressed gratitude for the opportunity to discuss the work 
they are doing and the grades with the subcommittee.
    I am encouraged that OMB, in the recently released FISMA 
report and during Clay Johnson's testimony 2 weeks ago, 
stressed that there was an increased determination to hold 
agencies accountable for implementing FISMA. There is some 
clarification that I will seek today in something that is 
written in the OMB report. The report on page 13 says the 
following: ``while awareness of IT security requirements and 
responsibilities has spread beyond security and IT employees, 
more agency program officials must engage and be held 
accountable for ensuring that the systems that support their 
programs and operations are secure. This issue requires the 
Federal Government to think of security in a new manner. The 
old thinking of IT security as the responsibility of a single 
agency official or the agency's IT security office is out of 
date, contrary to law and policy and significantly endangers 
the ability of agencies to safeguard their IT investments.''
    While I agree that IT security is a collective 
responsibility, the language I referred to seems to indicate 
that no one person will be held accountable. I disagree. This 
chairman and this subcommittee will seek accountability of the 
highest agency official responsible for information technology 
investments to ensure that IT security is baked into the 
investment decisionmaking process, consistent with the law as 
established in the Clinger-Cohen Act.
    I have already initiated a process, working with Chairman 
Davis, to amend the Clinger-Cohen Act to explicitly identify 
information security as a required element of the IT investment 
management oversight and decisionmaking process within every 
agency of the Federal Government. The grade of D for the 
Federal Government simply is not acceptable.
    Frankly, one of the continuing obstacles to progress is 
that too many people still view information security as a 
technology issue. This is a management and governance issue and 
must be accounted for in every business case and in 
implementation of a Federal enterprise architecture. This is 
the responsibility of all stakeholders, and the silo walls must 
come down with this and other transformation efforts to employ 
collaborative solutions that will provide increased safety and 
protection for the American people and the U.S. economy.
    I welcome and applaud the increased oversight being 
employed by the Office of Management and Budget through the use 
of existing tools and business case evaluation. I particularly 
applaud the recent announcement that OMB will not approve 
agency expenditures for IT development and modernization 
projects until they have sufficiently demonstrated that their 
existing information technology assets are secure.
    Working together as partners in progress, we will continue 
to be vigilant in our efforts to achieve the security of the 
information networks that support the mission activities of the 
Federal Government and protect the information assets that they 
contain.
    Many cybersecurity technologies offered in today's 
marketplace can serve as safeguards and countermeasures to 
protect agencies' IT infrastructures. To assist agencies in 
identifying and selecting such technologies, I have asked GAO 
to categorize specific technologies according to the 
functionality they provide and describe what the technologies 
do, how they work, and their reported effectiveness. GAO is 
releasing this report today, and I want to thank them for their 
work and effort in producing this document. I read it on the 
plane up here, and it's outstanding. It is information security 
for dummies, Congressmen and bureaucrats; and I found it 
extremely helpful. Had I had that GAO report when I first 
became chairman, it would have knocked the learning curve down 
a bit, but it was very helpful.
    I would like to welcome all of our witnesses here today. I 
want to thank you for your time, and I look forward to your 
testimony.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [Prepared statement submitted as graphics T4838.001 through 
T4838.004; omitted from this text version.]
    
    Mr. Putnam. I ask unanimous consent to insert in the 
record, the statement of my ranking member, the gentleman from 
Missouri, Mr. Clay. Without objection, show it done.
    We will move directly into testimony.
    All of you are old hands at this. You understand the light 
process, and we certainly appreciate your summarizing your 
statements.
    Please rise and raise your right hands.
    [Witnesses sworn.]
    Mr. Putnam. I indicate for the record that all the 
witnesses responded in the affirmative.
    I would like to introduce our first witness, Robert Dacey. 
Mr. Dacey is currently Director of Information Security Issues 
at the U.S. General Accounting Office. I thought that we 
changed that. Has that passed the Senate yet? Don't you have a 
new name?
    Mr. Dacey. I'm not sure quite yet.
    Mr. Putnam. Everybody is waiting on the Senate.
    His responsibilities include evaluating information 
systems, security and Federal agencies and corporations, 
assessing the Federal infrastructure for managing information 
security, evaluating the Federal Government's efforts to 
protect our Nation's private and public critical infrastructure 
from cyber threats, and identifying best security practices at 
leading organizations and promoting their adoption by Federal 
agencies.
    You are always a great asset as a witness to this 
subcommittee, and you are recognized. Welcome.

 STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY 
             ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Dacey. Mr. Chairman, I am pleased to be here today to 
discuss the Federal Government's efforts to implement FISMA. As 
you requested, I will briefly summarize my written statement.
    Since 1997, we have identified information security as a 
governmentwide high-risk issue. Congress has demonstrated their 
concern through ongoing hearings on information security and 
enactment of reform legislation. This subcommittee has played a 
very active role in addressing Federal information security 
challenges, including the grades you referred to in your 
opening statement which are based on a broad range of 
information included in the FISMA reports.
    Based on our recent analysis of audit results and on 
reported FISMA information for 24 of the largest agencies, the 
Federal Government has made progress but continues to face 
significant information security risks to its critical 
operations, information and assets.
    The first year FISMA reports provide important comparative 
data on information security performance measures and certain 
new information. The reports identify progress and highlight 
several challenges including the following.
    No. 1, while reported performance measures generally 
increased, there continued to be a wide variance among the 
agencies.
    No. 2, IGs reported less than half of agencies had 
complete system inventories now required by FISMA.
    No. 3, reported systems with certification and 
accreditations continued to increase to 62 percent and systems 
with controls tested to 64 percent. However, both IG 
evaluations and our own ongoing review have identified 
deficiencies in the C&A processes, such as lack of control 
testing and outdated risk assessments. Also, as additional 
systems are certified and accredited and controls tested, it is 
likely that additional deficiencies will be identified.
    No. 4, over half of agency systems do not have tested 
contingency plans, an essential step in ensuring that critical 
systems can continue to operate in the event of unexpected 
interruptions such as a cyber or physical attack.
    No. 5, as a result of new OMB reporting requirements, IGs 
identified challenges in agencies' processes for remediating 
identified deficiencies which are key to ensuring that 
significant weaknesses are addressed in a timely manner and 
receive appropriate resources.
    And, No. 6, we noted opportunities to improve the 
usefulness of the reported measures included in FISMA reports, 
including independent validation of reported information to 
ensure that such information is reliable.
    In its fiscal year 2003 report to Congress, OMB concluded 
that the Federal Government has made significant strides in 
identifying and addressing longstanding problems, but the 
challenging weaknesses remain. In particular, the report notes 
several governmentwide findings such as progress against 
milestones and lack of clear accountability for ensuring 
security of information and systems.
    The report also presents a plan of action that OMB is 
pursuing with agencies to close the gaps and improve security. 
NIST also has taken a number of actions to develop FISMA-
required system risk levels and corresponding minimum security 
standards and to improve Federal information security. However, 
according to NIST, current and future funding constraints could 
negatively impact its work in this area. Further, Mr. Chairman, 
as you noted in your opening statement, we released today our 
report on current cybersecurity technologies that are available 
to Federal agencies.
    In summary, through the continued emphasis on information 
security by the Congress, the administration, agency management 
and the audit community, the Federal Government has seen 
improvements in its information security. Achieving significant 
and sustainable results will likely require agencies to 
institutionalize programs and processes that prioritize and 
routinely monitor and manage their information security efforts 
and provide information to facilitate day-to-day management of 
information security throughout the agency as well as verify 
the reliability of reported performance information.
    Mr. Chairman, this concludes my statement. I'd be happy to 
answer any questions that you have.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Dacey follows:]

    [Prepared statement submitted as graphics T4838.007 through 
T4838.042; omitted from this text version.]
    
    Mr. Putnam. Our next witness is Karen Evans.
    In September 2003, Karen Evans was appointed by President 
Bush to be Administrator of the Office of Electronic Government 
and Information Technology at the Office of Management and 
Budget. Prior to joining OMB, Ms. Evans was Chief Information 
Officer at the Department of Energy and served as vice chairman 
of the CIO Council, the principal forum for agency CIOs to 
develop IT recommendations. Previously, she served at the 
Department of Justice as Assistant and Division Director for 
Information System Management. She is doing a great job over at 
OMB.
    We're always delighted to have you join us and share your 
expertise with us. You are recognized.

STATEMENT OF KAREN EVANS, ADMINISTRATOR, ELECTRONIC GOVERNMENT 
  AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

    Ms. Evans. Thank you.
    Good afternoon, Mr. Chairman. Thank you for inviting me to 
speak about the status of the Federal Government's efforts to 
safeguard our information and systems. My remarks will focus on 
the findings of the OMB fiscal year 2003 FISMA report and the 
next steps to address our IT security challenges.
    Earlier this month, OMB issued our third annual report to 
Congress on agency compliance with IT security requirements in 
law and policy. FISMA, like its predecessor, the Government 
Information Security Reform Act, continues to be a valuable 
tool in improving the state of Federal IT security, both the 
security of systems and promoting the protection of 
information.
    The OMB FISMA report identifies IT security progress and 
weaknesses in fiscal year 2003. The report summarizes progress 
such as Federal performance against three governmentwide goals 
identified in the President's fiscal year 2004 budget. Agencies 
reported their progress against a key set of IT security 
performance measures. These measures reveal areas of the 
progress from fiscal year 2001 through 2003 as well as 
weaknesses.
    Agency IG reports verified some of this progress and, in 
other instances, called into question the quality of some of 
the work. For example, while there are notable increases in the 
percentage of systems with security plans, many Federal systems 
still do not have contingency plans in place to ensure 
continuity of operations.
    IG reports also continue to identify a number of troubling 
governmentwide issues and trends such as reoccurring IT 
security weaknesses, some of which are repeating material 
weaknesses. Far too many systems continue to operate with 
serious weaknesses.
    Another area highlighted in OMB's report was the need for 
improved accountability within agencies. The law is very clear 
on this issue. The agency head is ultimately responsible for 
the security of their information and systems and is charged 
with ensuring agency senior officials and the agency CIO 
fulfill their specific IT security responsibilities.
    Agency senior officials are responsible for providing 
security for the information and the systems which support 
their operation and assets. In fact, the majority of IT 
spending within agencies is not on IT infrastructure and 
networks, traditionally owned and operated by the CIOs, but 
rather on mission IT investments. It is within these systems 
that many weaknesses reoccur.
    To address these problems and others, OMB will continue to 
engage management and leverage the budget processes. While IT 
security clearly has a technical component, at its core is an 
essential management function. Most of the Federal Government's 
IT security weaknesses can be resolved through better 
management and accountability. Through the budget process, OMB 
requires agencies to incorporate IT security through the 
lifecycle of all investments. Failure to appropriately 
incorporate security puts the investment at considerable risk.
    To enforce this requirement, OMB notified those agencies 
with significant information and system security weaknesses 
through budget guidance to remediate operational systems with 
weaknesses prior to spending fiscal year 2004 IT development or 
modernization funds. If additional resources are needed to 
resolve those weaknesses, agencies are to use those fiscal year 
2004 IT funds originally sought for new development.
    Additionally, OMB continues to enforce IT security through 
the President's management agenda under the E-Gov scorecard. 
Agencies may not get to green under E-Gov unless they fully 
meet specified IT security criteria, including 90 percent of 
the systems being certified and accredited and that their IG 
has verified the agency has a plan of action and milestones 
process in place which meets the OMB criteria. The PMA enables 
OMB to hold agencies, their senior agency officials and the CIO 
accountable for IT security performance.
    Finally, as we move into the 4th year of these annual IT 
security requirements, our goal is to improve FISMA reporting 
instructions so that we more clearly capture results and 
performance measures continue to mature to focus on key IT 
security areas. NIST is actively working on the development of 
new guidelines required under FISMA which will play a 
significant role in guiding technical implementation of agency 
IT security efforts.
    In particular, as part of the development of OMB's fiscal 
year 2004 FISMA guidance, we are focusing on the following three 
areas: one, evolving the IT security performance measures to 
move beyond status reporting to also identify the quality of 
work done; two, the independent evaluations by the IGs continue 
to be a source of indispensable information, and further 
targeting of the IG efforts to assess the development, 
implementation and performance of key IT security processes is 
invaluable; and, three, providing additional clarity to certain 
definitions to eliminate interpretation difference within 
agencies and between agencies and the IGs.
    In conclusion, I would like to acknowledge the significant 
work of the agencies and IGs in conducting the annual review 
and evaluations. It is this effort which gives OMB and the 
Congress much greater visibility into the agency IT security 
status and progress.
    While notable progress in resolving IT security weaknesses 
has been made, problems continue and new threats and 
vulnerabilities continue to materialize. Much work remains, and 
OMB will continue to work with agencies, GAO and Congress to 
promote appropriate risk-based and cost-effective IT security 
programs, policies and procedures to adequately secure our 
operations and assets.
    I would be glad to take any questions at this time.
    Mr. Putnam. Thank you, Miss Evans.
    [The prepared statement of Ms. Evans follows:]

    [GRAPHIC] [TIFF OMITTED] T4838.043 through T4838.050

    Mr. Putnam. Our third witness is Benjamin Wu.
    Ben Wu was sworn in as Deputy Under Secretary for 
Technology at the U.S. Department of Commerce in November 2001. 
In this capacity, he supervises policy development, direction 
and management at the Technology Administration, a bureau of 
over 4,000 employees that includes the National Institute of 
Standards and Technology.
    Prior to joining Commerce, Mr. Wu held senior staff 
positions in the U.S. Congress where he led on issues affecting 
the U.S. technology and competitiveness policy.
    You are, I believe, an alumnus of this subcommittee.
    Mr. Wu. Yes, sir. I did work very closely with the 
subcommittee and the Committee on Government Reform, but I 
actually was an employee of the Committee on Science.
    Mr. Putnam. He worked in Congress from 1988, serving as 
counsel to Congresswoman Connie Morella and on the Science 
Committee.
    Welcome back.

     STATEMENT OF BENJAMIN WU, DEPUTY UNDER SECRETARY FOR 
               TECHNOLOGY, DEPARTMENT OF COMMERCE

    Mr. Wu. Thank you, Mr. Chairman. It is a pleasure to be 
back. I thank you for the opportunity to appear before you 
today again.
    As you mentioned, when I worked in the House I also was a 
lead committee staff on the House Y2K Task Force, and in that 
vein we had an opportunity to work very closely with GAO and 
also former Congressman Steve Horn as he developed grades for 
assessing the agencies' involvement and participation in Y2K 
activities. It has since evolved into computer security, and I 
congratulate you for your efforts in continuing that leadership 
that is so needed on cyber security. Back then, we partnered 
with GAO.
    As you talk about this partnership in progress to move 
forward on cybersecurity, GAO again is proving to be an 
excellent partner; and, also, under Karen's guidance, OMB is as 
well. We see NIST also playing a very important partnership 
role in that partnership for progress.
    I want to thank you for the opportunity to testify about 
the NIST contributions that strengthen our information security 
in the Federal Government. I want to focus my remarks on the 
NIST efforts to implement our assignments under FISMA and some 
of the challenges that we are facing and confronting.
    FISMA's enactment reinforced our longstanding statutory 
responsibilities for security research and for developing 
Federal information standards and guidelines. With FISMA, 
Congress gave NIST a vote of confidence about its abilities to 
work and further this research, and we do appreciate that 
recognition.
    NIST standards and guidelines form the basis of the Federal 
Government's ability to improve cybersecurity. Our security 
work at NIST is being done out of our Information Technology 
Laboratory, which develops tests, metrics, as well as guidance 
for building trust and confidence in IT systems that are now so 
pervasive in our Nation's economy.
    Behind me is Susan Zevin, who is the leader of our 
Information Technology Laboratory, and also Ed Roback, who is 
the head of the Computer Security Division at NIST. Those two 
and their team at NIST helped build the trust of users of IT 
systems by concentrating on techniques and tools to manage, to 
use and improve IT security systems. NIST's success really 
relies on its status as an objective third party working with 
private sector vendors, standards development organizations, 
and consortia.
    Mr. Chairman, I want to give you a status report on where 
NIST is in terms of its FISMA responsibilities.
    The general responsibilities that were assigned to NIST 
under FISMA included developing IT standards, identifying 
information security vulnerabilities, assessing private sector 
policies, assisting the private sector as well, and also 
evaluating security policies.
    FISMA also contained a number of specific assignments to 
NIST, and they included the development of standards and 
guidelines, recommended types of information systems, as well 
as minimum information security requirements, an Incident 
Handling Guideline, and security performance indicators, as 
well as annual reports to the committee.
    To summarize the progress that we have made since FISMA 
became law on December 17, 2002, significant progress has 
been made on the specific assignments and many have been 
completed. They include the FIPS Publication 199, which was 
completed in January 2004; the NIST Special Publication 800-60, 
which is to be completed this summer, and a draft is now 
available; the NIST SP 800-53 is also ready for completion in 
December 2005, and the public draft is available; the NIST SP 
800-55 to be completed in July 2003; the NIST SP 800-59 to be 
completed in August 2003; and also the NIST SP 800-61, which 
was just completed this past January.
    But, as Bob mentioned, we are concerned because Congress 
was unable to meet the Presidential budget request for the NIST 
Cybersecurity Division in the fiscal year 2004 appropriations 
and, as a consequence, Mr. Chairman, although we continue to 
give FISMA activities priority in our budgeting process, the 
guidelines, the standards, and related research in the 
following areas may not be accommodated within our 
fiscal year 2004 funding level and have to be scaled back.
    They include guidelines on archiving and disposal of 
information, checklists and guidelines, new security protocols, 
operating our Computer Security Expert Assist Team, supporting 
the NIAP, minimum security recommended requirements, as well as 
some of our implementation for IPv6.
    At current levels of funding, we've also had to delay a 
number of other activities which I will not list in total.
    But, let me be clear, due to prioritization within the 
Computer Security Division, none of the specific tasks that are 
assigned to us under FISMA are affected. Rather, they're 
proceeding as scheduled as best we can within the timeframes 
allowed under legislation. But we feel that NIST is so uniquely 
poised to do so much more, and we are limited really only by 
our budget constraints.
    Before Congress now is the President's fiscal year 2005 
budget request that includes a proposed increase of $6 million 
for NIST to address the key national needs in cybersecurity. 
With the proposed increase of $6 million for 2005 with the 
current level funding----
    Mr. Putnam. Did you say million or billion?
    Mr. Wu. Million. We would love for it to be billion, but we 
also understand the constraints on the Federal budget.
    But coupled with the current $10 million that NIST has for 
its efforts, we believe that NIST can work more effectively 
with industry and government agencies to accelerate solutions 
to critical cybersecurity issues.
    Additionally, this would include costs that would allow us 
to work together with the Homeland Security Department's 
Science and Technology Directorate, as well as the Information, 
Analysis and Infrastructure Protection Directorate in the 
National Cyber Security Division.
    We also would like to see if we can continue to provide 
other agency reimbursable work and partner with other Federal 
agencies so that we can have people tap into the NIST expertise 
and also allow for other agencies to meet their FISMA 
responsibilities.
    In conclusion, Mr. Chairman, the standards and guidelines 
produced by NIST are key to the Federal Government's ability to 
improve cybersecurity. NIST's impact reaches far beyond just 
the Federal system, since the NIST guidelines are also used by 
State and local governments as well as often adopted by the 
private sector, domestically as well as internationally.
    NIST takes its cybersecurity role very seriously and will 
work with the committee to ensure that we are able to carry out 
our mandate to work with industry, with academia and standard 
development organizations to ensure the secure flow of vital 
and sensitive information throughout our society. We applaud 
the committee for its leadership and also for detailing a 
specific leadership role for NIST to play in supporting that 
effort.
    In the FISMA activities those already accomplished as well 
as those currently under way will lead to a more consistent 
risk-based and cost-effective IT security at all Federal 
agencies. We look forward to working very closely with you, OMB 
as well as GAO.
    Thank you, Mr. Chairman.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Wu follows:]

    [GRAPHIC] [TIFF OMITTED] T4838.051 through T4838.063

    Mr. Putnam. Ms. Evans, in your 2003 FISMA report you say 
that ensuring the security of most agency information and 
systems is not the sole responsibility of the agency CIO. While 
I can understand where you're coming from, that everybody has a 
role to play in their own piece of the agency or department, 
there's an old saying that everyone's responsibility is no 
one's responsibility. How do you see increasing the awareness 
of all employees to their information security responsibilities 
while still having some accountability built into the system.
    Ms. Evans. I believe that there is accountability built 
into the system. The way that is, is that FISMA's very clear 
that it holds the agency head responsible for the cybersecurity 
posture of the agency. That agency head then manages what risk 
do I want to go forward with, and there is a tiered approach 
into this where the CIO manages from an enterprise perspective. 
So based on policies and guidelines that come out from OMB and 
from Congress, the CIO then manages across the enterprise or 
through the corporation, so to speak.
    But then, as that then goes down, each program 
officer then--or in this case the way that we refer to this is 
agency senior officials, because it could be staff office, it 
could be assistant secretary--is responsible for ensuring their 
portion of that cybersecurity posture. The agency head 
determines what risk are they willing to live with and then 
they move down through the structure to ensure that the 
accountability is built into that.
    So the point of the report is to say that, although the CIO 
puts together the enterprise solutions, so to speak, and the 
policies and the procedures, the CIO also then ensures that 
investments that are occurring within those program offices 
will meet that risk posture that the Secretary wants to have as 
a whole.
    So we believe it is clear, but we also need to articulate 
that it is important that everybody has to do their portion of 
what is responsible here, from the very first employee when 
they come on board, to being aware that maybe I shouldn't put a 
disk into my computer that I brought in from home, to the 
agency head, the Secretary, who has to manage all of the 
assets.
    Mr. Putnam. What negative consequences have there been to 
the agencies who received failing grades or even backslid in 
their scores and things like that? What action has been taken 
to demonstrate accountability?
    Ms. Evans. We have been working through a series of 
processes that we have in place.
    First off, there's the President's management agenda 
scorecard. The E-Gov scorecard manages the progress of the 
agencies going forward, and cybersecurity is a major portion of 
that. There is a quarterly grade that we give to each agency 
which clearly holds again the agency head responsible as well 
as going down through the agencies because it recognizes within 
there everyone has to play a part in the cybersecurity piece.
    But also, additionally, through the budget process this 
year we went forward, and cybersecurity is an important issue 
for this administration, so we gave specific guides to the 
agencies through the budget process of how we wanted to ensure 
that they were taking and looking at what they needed to do to 
secure their assets. So they were given specific guidance 
through the budget guidance that said you have to turn in a 
plan and that this plan is specifically focused on 
certification and accreditation which really deals with the 
business process and how you manage cybersecurity across your 
enterprise.
    They were given specific timeframes to turn those plans in 
to us and the costs associated with making that happen so that 
we can achieve the goals that we have set out for ourselves 
which we didn't achieve that we had laid out in the fiscal year 
2004 budget.
    So we are now in the process of looking at these plans and 
working with the budget side as well as the management side 
within OMB and then each of the agencies to make those plans a 
reality and to ensure that we go forward and we secure those 
systems.
    Mr. Putnam. In reading your testimony, you indicate 12 
agencies have a remediation process verified by their IGs as 
meeting the necessary criteria. Do you know the agencies who 
did not have a remediation process? You are only batting .500.
    Ms. Evans. Yes, I know. That's not a very good grade. I can 
give you the specific agencies. It's in the report. But----
    Mr. Putnam. Are they the big boys? That's really what I 
want to know.
    Ms. Evans. It's a mixture of agencies. But the remediation 
process is dealing with--that's an IG verified--we have the IG 
verify that process. That deals with that they have a process 
in place that ensures that, as they go forward and they 
purchase new types of things or that a new vulnerability comes 
up, that they have a process in place that allows them to 
remediate that weakness. That includes things like 
configuration management and those type of processes to go 
forward.
    We gave 18 agencies additional guidance through the budget 
process to deal with certification and accreditation so that 
gets to the issue of ensuring that they really have identified 
what their system inventory is and that they are going through 
and they have a process in place that allows them to certify 
and accredit these systems which really then gets the 
discipline in place for you to really evaluate as you go 
forward.
    Mr. Putnam. I'm looking back to my opening statement. Only 
five agencies have completed reliable inventories. That's 
correct, right?
    And we've been doing this for 4 years.
    Ms. Evans. Yes, sir.
    Mr. Putnam. So you're saying that your budget guidance 
language tells them what they needed to do to get it right. But 
did anything actually happen? I mean, if only five have done 
it, the other 19 are saying, well, we're in pretty good 
company.
    Ms. Evans. Are you asking what specific actions we have 
taken since the budget guidance has been issued to the 
agencies?
    Mr. Putnam. I guess I'm asking if there's been anything 
other than guidance.
    Ms. Evans. Oh, sure. As part of that guidance process and 
as we go forward and as we've outlined previously, there are 
tools that are available to us at OMB such as apportionment of 
funds.
    The budget guidance is very clear. When a budget guidance 
goes out and we tell the agencies you cannot spend new 
development dollars in this area because they have been 
categorized as new development dollars, that's just not saying 
you can't spend it. It's the OMB budget accountants working 
with us, that there is a process that we have in place with OMB 
that doesn't allow those dollars to be released to the 
agencies. So dollars are not moving out until we have these 
plans and we feel comfortable that the agencies are really 
looking at this.
    To get to your issue about inventory, we really believe 
that it is tied to the management of the portfolio as well as 
investments.
    You really have to know what you have to be able to come 
forward with a good business case to say, for example, I have a 
modernization plan, here is my architecture, here is my as-is 
architecture, here is the to-be. Through our efforts on the 
architecture as well as managing the portfolio and the business 
cases, this will really make the agencies really have a good 
process in place, and it really will identify the inventory so 
that we can say there are so many servers, there's so many of 
these, there's so many of those, this is the cost that it will 
take to upgrade that, and here's the benefit associated with 
that.
    So we think through the combination of all these management 
practices it will get to the heart of the issue of what do we 
own, how are we going to secure it, how are we moving forward 
with a modernization plan. We believe that the Federal 
enterprise architecture and the architecture efforts of the 
agencies really lend to that and really are assisting the 
agencies to really put that discipline in place.
    Mr. Putnam. So can you tell me how many dollars and how 
many specific modernization or development requests have been 
apportioned pending the successful completion of reliable 
inventory?
    Ms. Evans. Well, I have gone back, based on the previous 
hearing; and if you haven't gotten this answer I can give it to 
you now. There is $9.97 billion associated with office 
automation, telecommunications and infrastructure. That's 
total. So that includes development and steady State dollars.
    We are working with each agency. I can take that back and 
find out specifically if we can release that information to 
you, but we have apportioned agencies. We really would like to 
work with the agencies in a positive way to be able to move 
forward and not necessarily single out one agency over the 
other.
    I think it's pretty obvious, based on your scorecard of 
going through of what agencies we're really working with very 
closely, as well as agency IG reports and the FISMA report 
itself. You can see the variance in the system, and you can see 
how the statistics are, that you know pretty much where the 
agencies we're working with.
    Mr. Putnam. It just seems to me that the new dollars for 
upgrades of systems and purchases of new systems and 
development would just come to a screeching halt if you really 
had to be compliant with FISMA before you got anything new.
    Ms. Evans. Well, it would depend on what your plan is, 
also, going forward. Some of the systems--and if you look at 
the technologies that are outlined in the GAO report that 
they're releasing today, some of those do require a certain 
technology solution there which will require a purchase. But it 
may not necessarily be the same purchase that you were 
intending to do, for example, for a business system upgrade.
    You may then say, OK, I am the Assistant Secretary in 
charge of this particular office. I have a huge program that 
really has a risk that is being imposed over here on all the 
rest of the assets within the department, and I'm the one who 
doesn't have a good plan in place. I have not certified and 
accredited my systems. I am not the one--you know, I'm the one 
who is holding the department back.
    So then the CIO with their technical staff would talk with 
that and work with that Assistant Secretary, but they would 
make those decisions based on the priorities of where they want 
to be.
    So if it's a choice between upgrading a financial 
management system, and we're saying this is what you have to 
do, they put a plan in place in order to execute what we're 
saying you have to do, it's to their advantage to do it in the 
most cost-effective way. Because if they really need that 
financial system upgraded, which I'm just using as an example 
here, then they would do this in an expeditious way so that 
they could still use those development dollars.
    Mr. Putnam. Well, I think that you're making progress 
generally across the board. You've got an 80 percent goal to 
integrate security and new investments, and you're up to 78 
percent. That's pretty good stuff. That's kind of hard to argue 
with.
    But it's also hard to get around the fact that only five 
agencies know what they own. Everybody's held accountable for 
their inventory. Even in a little old congressional office, you 
cannot get rid of a VCR that's 12 years old without taking it 
off your inventory and all this stuff.
    It just seems like it's a very, very basic thing that these 
agencies ought to be able to get their arms around and then be 
able to say, well, we have 15 systems or 15 desktops that are 
unaccounted for and they're, on average, 13 years old. So they 
probably got thrown out a long time ago. It is probably a safe 
bet that they are unaccountable because they were thrown out.
    If it's a secured computer at the Department of Energy, it 
might be a different issue. But just knowing what you have 
seems to me to be the basic criteria before you do any of the 
other stuff. You can't secure what you don't know you have. You 
can't certify or accredit what you don't know you have.
    It just seems like, above and beyond the scorecard and the 
grades and the F's and the A's and all that, the fact that only 
five agencies really know what they own is very troubling.
    Ms. Evans. I would say that I agree with you, sir, and that 
we're going to continue to work with the agencies. We believe 
that some of the programs that we've moved forward on, things 
such as Smart Buy and those types of initiatives, through 
several of these processes will get the agencies really focused 
on asset management, software management, inventory control, 
those types of things.
    Technology continues to evolve; and many times if we make 
it very onerous that work can't get done, people have a 
tendency to bypass that security as well. There's a lot of 
technologies out there that make use of wireless technologies 
that they can put their own network in case--because the CIO 
becomes so oppressive that they cannot get their work done. So 
it is a balance of being able to go forward and have good 
security but also, as you said, to have good inventory control 
and have good business processes in place so that we're totally 
accountable for our dollars.
    Mr. Putnam. You said in your testimony as well that it is 
important that FISMA reporting instructions mature. What do you 
mean by that?
    Ms. Evans. Well, pretty much you've hit the issue on the 
head. It is that we're going through the process right now 
where we have metrics, where the agencies are self-recording. 
So when we say we have a goal of 80 percent of the systems 
being certified and accredited and then we have a percentage of 
62 percent of those systems being certified and accredited, 
it's really what is the validity of that number. Because the 
basic premise of the inventory is faulted. But we also believe 
that, because of the reporting that we have and the oversight 
and this is 3 years going into the 4th year, that we can now, 
because the baseline is there, really start dealing with more 
mature aspects like the quality of certification and 
accreditation. What can we do to help the agencies to get good 
inventory control and process so that we can then say, what is 
a system, and have a clearer definition of what is a system so 
that when I put an inventory control process in place I can 
give you a clear answer and then you can compare for sure 
agency to agency, system to system, inventory to inventory.
    Mr. Putnam. So you don't necessarily recommend legislative 
changes to the FISMA reporting requirements?
    Ms. Evans. I would say at this particular point based on 
what we have, no, sir.
    Mr. Putnam. You also say that the independent evaluations 
by the IGs are indispensable, and I would agree with that.
    What do we do about the IGs who don't report, which is 
something that we found here, or those who reported late, some 
of them almost 3 months late? And the situation where IGs are 
commenting or evaluating on an entirely different subsection 
than what the agency is reporting on? Is that something that is 
problematic for OMB? It was problematic for us in preparing our 
scores.
    Ms. Evans. We are working with the IGs. There is an IG 
Council similar to the CIO Council, which my boss Clay 
Johnson also chairs. We have started meetings with the 
IG to actually deal with a lot of those types of issues about 
resolving what are the differences in the interpretations of 
the way that certain things are written in there so that when 
you get a report again how an IG is evaluating, it would be 
consistent, and it gets back to the same issues of their 
interpretation of the metrics and the agency's interpretation 
of the reporting as well.
    Those meetings have begun. We are working to get their 
input into this process so that when we issue the FISMA 
guidance for this year, we hope to bring clarity to those 
issues so that things will be more level, so to speak, between 
the IGs.
    Mr. Putnam. That would be very helpful.
    Mr. Dacey, what are your thoughts on that discrepancy 
between the IG reports and the agency reports? Has the GAO made 
any recommendations on how we can improve the audit process?
    Mr. Dacey. There are a couple of things that I think need 
to be considered moving forward; and I would agree, too, that 
the measures need to--I'm not saying the measures that are here 
but additional information perhaps is a better way to describe 
it. It may be helpful to interpret the progress of agencies and 
information security.
    When FISMA was set up, I think an important part of that 
was to have the IGs be an integral part of the process for a 
couple of reasons.
    First of all, I think they provide a valuable independent 
check on the security of the systems. In other words, if we're 
looking at a system as we do, GAO, when we look at systems, we 
may identify vulnerabilities. The first question we ask is, 
well, have these been picked up by the agency's C&A process, if 
there was a C&A done. Had they been picked up in the plans of 
actions and milestones and things of that nature? If we find 
that they haven't, then we know something is broken and 
something isn't working right. It's kind of definitive proof 
that at the end of the day process was or wasn't working. So I 
think that's an important role.
    The role that I think needs to evolve, though, is to get 
the IGs more involved in looking at the processes by which the 
agencies develop these numbers and the way they report them. I 
think if they do that and there is a process that is relatively 
reliable in bringing those numbers forward--and I focus on 
that, too, because oftentimes the numbers aren't available 
until the very end, so auditing the numbers themselves may be a 
challenge. So I think the IGs can look at the process and match 
that up again when they're doing their audits. If they are 
auditing a system and it hasn't been C&A'd properly but yet the 
agency is counting it in their C&A tally, then that is a 
problem.
    So I think you need to work to keep that going, but again 
kind of increase the IGs' role to look at the processes and 
match that up against what they're finding in the individual 
systems that they do audit.
    Mr. Putnam. Ms. Evans, there is an article in today's 
Washington Post where a Federal judge has ordered the Interior 
Department to shut down most employees' Internet access and 
some of the public Web sites, ``after concluding that the 
agency has failed to fix computer security problems that 
threaten millions of dollars owed to Native Americans.''
    I understand that this is an ongoing issue, but if you 
would like to comment on it, I would like to give you that 
opportunity.
    Ms. Evans. Well, my only comment would be--is that 
Interior, just like any other department, is that we continue 
to work with them to assist them in addressing what their cyber 
security issues are through our processes like the President's 
management agenda, the scorecard, as well as the budget process 
that we just recently talked about in that guidance.
    Mr. Putnam. What did Interior get? What was their score, 
their grade?
    Ms. Evans. An F.
    Mr. Putnam. Is there any other department that--I mean, 
when we talk about computer security, sometimes we get off in 
the weeds, and it almost becomes this academic discussion. I 
mean, I have never heard of a judge ordering somebody to 
disconnect from the Web. Has that ever happened before?
    Mr. Dacey.
    Mr. Dacey. This is actually the third time for Interior, I 
believe, that an order has been issued by the court to stop. 
That's the only one with which I'm familiar at a Federal agency 
where there has actually been a court involvement in the 
process.
    Mr. Putnam. So it's so bad that three times the judge has 
ordered them to disconnect?
    Mr. Dacey. Well, not speaking to the individual case, but 
there is a legal case in dispute, and the judge, in ruling on 
that, in protecting the reliability of certain data that 
related to the Indian Affairs that they are concerned about 
people being able to get in. In fact, I believe at the first go 
around, when they were removed, the court had hired an ethical 
hacking group to participate, and they, in fact, had broken 
into their systems. And I believe it was reported that they 
created fictitious accounts in the Indian Affairs systems. And 
that became the concern, that you needed to protect access from 
outside into this data and this financial information related 
to that.
    I would note that Interior, though, even on the measures 
that are on OMB's scorecard, pretty much consistently, except 
for one area, was below the average of other Federal agencies 
and, as you said, got an F in their grade. So there is a 
challenge there, I think, in their information security.
    Mr. Putnam. I would say so.
    Mr. Dacey, you mentioned in your report, the CIO's don't 
control mission systems. And I believe I read in Ms. Evans' 
testimony that, in fact, 65 percent of IT is mission-related 
activities. I thought FISMA put CIOs in the position of 
responsibility for all agency systems. Could you clarify that?
    Mr. Dacey. I guess--I think our reference was actually to 
what OMB had said, so I will let Ms. Evans take care of that. 
But at the same time, I think it is important to note that--and 
I don't have an exact count, but one of the challenges is also 
making sure that authority goes with that responsibility. I 
know an increasing number of agencies have clearly given their 
CIOs the authority to enforce security standards throughout the 
agency. I don't have numbers, but I do believe that some do not 
have that authority. And in fact, I know when we have been 
doing some of these audits, we found that, in fact, the CIO at 
the agency level didn't always have control over what the 
individual bureaus did which could endanger security of the 
entire agency if not properly controlled. So I think that is 
one aspect. But, again, Ms. Evans might want to talk more about 
the specific numbers.
    Ms. Evans. You want to understand how it works?
    Mr. Putnam. Are CIOs responsible for the mission-related 
activities or not?
    Ms. Evans. They are responsible from a strategic standpoint 
and from a corporate standpoint, which means that when an 
agency is divided off or a department is divided off and you 
have the offices within it, you get the guidance from 
headquarters, so to speak. And so the CIO is responsible for 
formulating what is that overall guidance, what is that policy, 
to ensure the cyber security going forward for that department.
    When the program office--and in this case, we are talking 
agency senior officials--when they send their investment plans 
forward and they have an operational aspect of what they are 
doing within their program offices, they have to adhere to 
those policies and guidelines. And then the CIO, if they have 
an operational aspect, can ensure that they are conforming to 
those policies.
    Sometimes some CIOs only have a policy aspect. If they have 
the policy aspect, then they are involved through the budget 
process to ensure all of these other things that we are talking 
about--that the investment has adequate cyber security based 
into its life cycle, that they do have plans that are in place 
that continue to measure what is going on within their program 
offices. So they do it from a corporate perspective.
    If they have an operational perspective, that is an 
additional authority suit because, normally, what they do is 
they control infrastructure as well as telecommunications, all 
of those types of things. So they control the big network. So 
they can put policies in place that say, if you don't meet this 
certain threshold of security or if you are not certified and 
accredited, you cannot hook up to departmental resources. And 
that's usually where most program offices need to go in order 
to be able to go out to get onto the Internet to be able to 
reach, you know, big financial management types of systems, HR 
systems. And so CIOs do have the authority to be able to do 
that if they manage the corporate assets.
    Mr. Putnam. Have you had an opportunity to read the GAO 
report that they released today, Ms. Evans?
    Ms. Evans. Well, we were glancing at it today.
    Mr. Putnam. The breakdown of all the different information 
security measures and their taxonomic chart is pretty darned 
good. You came from Energy and from Justice as a CIO, you 
understand the challenges both from your current level and from 
the agency level perspective. And we are going to photocopy the 
key portions of that GAO report. We have to take the blue 
binder. Because of the blue binder, nobody is going to read it. 
But we have to really kind of break it down into the easy-to-
understand key charts that Mr. Dacey put together.
    If you were going to send it to somebody in the agency to 
bring about change, who would you send it to, because CIOs 
already know that stuff? I mean, they could have written it. I 
mean, when you are talking about kind of an easy-to-use, easy-
to-read user's guide, who would you send it to really have an 
impact on behavior and understanding of what we are talking 
about in making systems more secure?
    Ms. Evans. In this particular case, if I put it in easy-to-
read key charts off of here, we work--the initiative owners 
through the President's management agenda work very closely 
with the President's Management Council. So I would send it out 
through the President's Management Council and say, here is a 
guide of--here is what you need to look at as technologies are 
coming up. Because the CIO advises that person as the chief 
operating officer of the agency, most times it is the deputy 
secretary of the department that participates in the 
President's Management Council.
    Mr. Putnam. And that's the person who also makes the 
decisions about what budget requests to send to you, about 
whether we are going to buy this system or that system and we 
are going to have a firewall or a VPN or who gets----
    Ms. Evans. They review--deputy secretaries review the 
budget as they come up. Most agencies have hearings in the 
summer based on the guidance that goes out. And the key 
offices, just like a CIO, have input into how a program office 
is put together, how the budget is put together, 
recommendations. And so if there are issues--say, for example, 
based on my days at Energy, if there were issues with a 
specific program office who we felt really wasn't pulling their 
weight as far as cyber security was concerned, when these 
reviews occur, the deputy secretary would get key questions to 
ask that assistant secretary during their review.
    You know, one question could be, how well are you working 
with your CIO? You know, do you have everything in place? Are 
you ensuring that cyber security is being adequately addressed 
within your program office?
    And so something like this, if it was dealing with 
investment decisions and these would be key points, those would 
be like key questions that you would ask them so that they 
could ask to ensure that their portfolio, when it comes 
forward, meets those criteria.
    Mr. Putnam. Thank you.
    Mr. Wu, FISMA made NIST responsible for issuing a fair 
amount of guidance, guidance that is essential to the security 
of the information systems in the Federal Government. Could you 
comment on--and you did somewhat in your opening statement--
could you elaborate on the resources that are necessary to 
provide that guidance?
    Mr. Wu. Well, certainly at the Department of Commerce and 
also at NIST, there is an understanding of the importance of 
NIST's role in implementing FISMA in how general standards are 
developed and created, and the key role this plays as the 
linchpin, the first domino, in a sense, for FISMA to be 
implemented very effectively. And so there is a priority placed 
within the Computer Security Division and within our 
Information Technology Laboratory to make sure that we meet all 
of the mandates and requirements of FISMA.
    The challenges I alluded to in my testimony and Bob 
referenced in his is that, at least for this fiscal year, NIST 
did not receive the President's budget request for 2004; 
Congress was unable to provide that. And as a consequence, 
there is a fear that we may not be able to move forward in some 
of the research that would be required for some of the more 
emerging technologies.
    For example, as we focused on a very real and immediate 
near-term need for guidance under FISMA, we are not keeping up 
with the rapid advances and technologies like RFIDs, the Radio 
Frequency Identification Devices, which is a very key component 
to some of these emerging technologies for communications that, 
unfortunately, under our funding situation, we may not be able 
to put resources in there for--certainly for 2004. We have to 
delay it for 2005 depending on how the congressional 
appropriations may look.
    So there is a fear and a concern within the laboratory 
within the Department that we may not be able to be as 
aggressive as we'd like to be in our efforts and research. But 
in terms of meeting the FISMA responsibilities, NIST is 
committed to doing that.
    Mr. Putnam. And the guide that you are creating for FISMA, 
I would imagine, would be pretty helpful guidance outside the 
government as well. Does NIST have an ability or a system to 
allow people to download that guide or to have access to that 
guide, to request it so that there can be a wider distribution?
    Mr. Wu. Well, information dissemination is critical to make 
sure that the work that NIST does is brought out to the Federal 
agencies as well as to the private sector. But it does have a 
cost as well. We hope to work very closely with OMB as well as 
with NTIS, which is also part of the Department of Commerce, 
for information dissemination so that we can have the 
information placed in as many hands as possible. And also NIST 
will, of course, make it available on its Web site.
    Mr. Putnam. FISMA also requires agencies to develop 
policies governing configuration, so if someone sets up a 
server, they know what security controls they have to set, and 
NIST has developed that guide as well. What is the status of 
that?
    Mr. Wu. The status of--I believe--I'm not quite sure 
which--if you are referring to a specific publication or a 
specific--or a publication number. But we can certainly provide 
that for you.
    Mr. Putnam. Thank you.
    Mr. Wu. But as I said, right now, NIST has met its 
timeliness requirements for its publications, and we look 
forward to completing those if--either in right now or 
available in public draft or available in terms of a full 
report.
    Mr. Putnam. Ms. Evans, is there, for lack of a better term, 
a rapid-response team of professionals who can move into a 
situation like this Department of the Interior issue and work 
to resolve it on an emergency-type basis? I mean, recognizing, 
in addition to just being terribly embarrassing, it has cost 
people money and defrauded the Government and everything else. 
The fact that it has happened three times is--what is OMB's 
role in a situation like that?
    Ms. Evans. Well, each agency is responsible for having a 
computer-assistance-type team, incident-response team. However, 
through the new work that is going on now over at DHS--my 
office works very closely with DHS, especially in the area of 
implementation of the National Cyber Security Strategy. And so 
with working with the particular office over there under IAIP 
and working with those groups, there are several resources that 
they put in place that work very closely in conjunction with 
the CIO Council. So in a particular situation like this, we 
could make recommendations as well as DHS could make 
recommendations of getting specific assistance through the 
resources that are available at DHS.
    Mr. Wu. Mr. Chairman, if I may, I was just handed some 
information. As Ms. Evans mentioned about DHS, we have also 
been working with DHS. And in regard to your question about the 
comprehensive security checklist and benchmarks, DHS has been 
partnering with NIST in this regard, and we will be able to 
maintain a Web-based portal on this listed checklist. And we 
hope to have that available in fiscal year 2005, in the years 
after as well.
    Mr. Putnam. Very good.
    Mr. Dacey, would you comment on the 2003 FISMA reports, the 
areas that strike you as being the most important improvements, 
the most important deficiencies and your evaluation of the 
progress overall?
    Mr. Dacey. Well, I think in my oral statement I raised some 
of the concerns. I know there has been progress. We have seen 
evidence of that through increases in the measures. But we have 
also seen that through looking at the whole series of audits 
that have taken place, both in respect to financial audits and 
other audits that the IGs have performed and GAOs performed. So 
there are improvements. I would characterize them as kind of 
heightened awareness as well or continued heightened awareness 
by agencies for a couple of reasons: A, they know we are not 
going away. This is an annual event, in fact now quarterly, 
reporting to OMB. So I think that is an important issue.
    So there is a recognition that things are going to be 
watched. And, of course, the involvement of this committee is 
an important element in that as well.
    In terms of the areas that are the concerns, I guess, or 
some of the areas of concern would be trying to make sure that 
some of these percentages keep increasing. And the pace of that 
is a good question. And how fast they can increase, I can't 
tell you. But certainly they have been improving over years. 
But the areas that are of concern most in my mind would be the 
certification and accreditation and the control testing, 
because that's where you are going to identify whether there 
are additional weaknesses and vulnerabilities in your system. 
If that is done correctly is, I would say, most important and 
certainly key, because that may unveil additional weaknesses 
that need to be addressed that haven't been identified yet.
    In terms of the contingency planning, I have spoken about 
that in my statement as well. That is a critical area. And we 
have, again, less than half of the agencies with tested plans. 
And NASA, actually, has quite a bit of success in their 
reporting of that measure. If you exclude NASA, I think it is 
around 38 percent/40 percent of agencies that have tested 
plans, the rest of the Federal Government. So I think that is 
an important area because I think as we have increased 
exposures to viruses, worms and other kinds of malicious 
attacks, you really need a contingency plan in place, because 
I'm not sure you can anticipate everything that might happen to 
your system, particularly when we are getting to a time when it 
is conceivable that attacks could be launched before 
vulnerabilities are notified and identified in the public and 
patches are even made available. And that is definitely a 
trend.
    So I think that is another area of importance. Some of the 
agencies are literally, I think, at zero percent on their 
contingency plan testing--and some very low. So I think those 
are some areas that kind of jump out in my mind when I look at 
the FISMA reports.
    Again, in the progress area, I think it is important to 
keep having OMB managing and monitoring the process, Congress 
involved, the IG's involved. There are a lot of players.
    I think the other key area would be to have the agencies 
make sure they have the processes in place to manage this on an 
ongoing basis. Two or 3 years ago, I'm not sure anybody really 
had a whole lot of processes in place. When we had the first 
GISRA reports, it was extremely ad hoc reporting that was 
coming into the agencies, and they were putting it all 
together--and Karen can speak to that and how it was at Energy. 
But it wasn't a pretty process.
    And as time has gone on, some of the agencies have 
developed more routine processes to get that information, to 
manage it day to day, not just for FISMA reporting purposes or 
for GISRA but actually to use it from a management standpoint. 
I think that is going to be a critical role in changing this 
whole dynamic and moving to a more sustainable progress that 
goes forward.
    Mr. Putnam. That has been one of the complaints, is that 
agencies and their CIOs, in preparing their reports, they are 
really only trying to just meet the requirements of FISMA, and 
they are not actually improving the overall information 
security.
    And I suppose that gets to your earlier point, Ms. Evans, 
about the next level is making more meaningful, more mature, as 
you put it, requirements.
    Ms. Evans. Right.
    Mr. Putnam. Did you want to add anything in terms of your 
evaluation of the scores and progress, deficiencies, thoughts?
    Ms. Evans. Well, again, I would just like to say that we 
are making progress. I mean, we couldn't even give you--even 
though we don't have a real good solid way of doing the 
inventory, we couldn't even give you these numbers previously. 
I mean, we couldn't even--we would be debating on what is a 
system and how to move forward. So I think the government has 
made huge progress.
    And although we are looking at these reports, I think you 
can also demonstrate, based on the results, that the Government 
is moving forward. And that is our ability to repel attacks as 
they are coming about and to deal with services as viruses are 
occurring.
    Two or 3 years ago, when you looked at what we were doing 
when Corea came out of Melissa, many of the agency systems went 
down, and they were offline. And that's why they had to have 
contingency plans and everything else. But now, with the 
viruses that appear to be coming out, sometimes hourly, the 
agencies are being able to sustain business and being able to 
go forward because these processes are in place. They are 
looking at things. They may not be the best. There is a lot 
more that we can do, but we have made progress.
    Mr. Putnam. Am I overemphasizing this inventory issue? I 
mean, in terms of the big scheme of things and government 
information security, am I too hung up on that? I mean, in 
terms of the priorities, the problems that are out there?
    Mr. Dacey. I don't think you are too hung up on it. I think 
there's several reasons. First of all--I mean, not just because 
it can affect some of the measures, because denominators are 
going to change dramatically, particularly when DOD's numbers 
come into play, it will change dramatically.
    But the issue is how to manage the systems. I think there 
are a lot of cascading effects. I know when we started looking 
at some of the patch management practices, one of the 
challenges in doing that was even identifying the systems they 
had so they can figure out, well, does this patch apply to me?
    A lot of agencies defaulted to system administrators 
individually having to try to deal with that. And I know we had 
the issue with PADC and tried to put out something at a Federal 
level to help agencies at least notify them. But the lack of a 
real complete inventory was a challenge, because we had several 
agencies that said we want PADC for every system administrator 
because, otherwise, we don't know collectively at the top what 
all our systems are, and you are going to have to deal directly 
with them.
    It also affects configuration management. I don't know how 
you manage your configuration if you don't know what all your 
pieces are.
    So there is a lot of additional cost and cascading effects. 
So, no, I don't think it is a light issue; I think it is a 
serious issue, again, mainly because it relates to these other 
areas that really can't be performed well or efficiently 
without it.
    Mr. Putnam. There are a lot of Fs. How much difference is 
there within the F category? Are there some that are on their 
way out of the F category? I mean, are all the Fs grouped 
together, or are there some that are just off-the-chart bad, 
like Interior? I mean, three judges' orders to shut down the 
Internet is pretty--I would think would be about as bad as it 
gets. But maybe it really is worse. I don't know. I'm scared to 
know the answer.
    Mr. Dacey. One thing that we also tried to look at in our 
analysis of the information was across the seven performance 
measures that are detailed in OMB's reports is, how are 
agencies doing relative to the average for those measures? In 
other words, how are they doing? And we found there were--let's 
see--seven agencies that were below in all seven measures, or 
at least one measure, or maybe one measure was above and six 
below. So there are some agencies where there is a pretty 
consistent below average score across those measures, and I 
think that carries into some of the other things that were 
considered in your grades as well.
    At the same time, there are people at the top level, too, 
that are consistently--we have, let's see, eight agencies that 
are above average in all categories or all but one.
    So you have a lot of players at both ends, and then you 
have a whole bunch of agencies in the middle. So I think it is 
a mixed story. And even within some agencies, they might have 
several above and several below. So it is not an even kind of 
process in bringing them up necessarily.
    Mr. Putnam. How many--in that lower category, how many 
below average ratings did the Department of Defense have?
    Mr. Dacey. The Department of Defense actually, based on the 
information I have, was--exceeded the average in five of the 
seven categories.
    Mr. Putnam. But still received an F?
    Mr. Dacey. Yes. There was a general correlation between the 
seven measures against the average and the grades. There are a 
few anomalies, because the grades the subcommittee gave 
included a consideration of a variety of other FISMA indicators 
that weren't part of these seven factors. So there are some. 
But in general, they tended to be in the same relative range.
    Mr. Putnam. And DOD was allowed to report on a subsection 
of their systems. Correct?
    Mr. Dacey. That is correct.
    Mr. Putnam. Is any other agency given that consideration?
    Mr. Dacey. Other than the stipulation that a lot of 
agencies don't have complete inventories, which is obviously a 
problem.
    Mr. Putnam. All but five are reporting on a portion of 
their systems.
    Mr. Dacey. They are the only agency who has reported or 
acknowledged that they are only reporting on a subset of their 
whole systems. I think they have 3,000 or 4,000 systems in 
total.
    Mr. Putnam. And next year, they will be required to report 
on all.
    Mr. Dacey. I will defer to Ms. Evans. That's what was in 
their report.
    Ms. Evans. Right. And on the scorecard, going forward on 
the scorecard, which we are referring back to, they are 
required, in order to be able to move, if they want to move to 
green, just like all agencies, they are required to report on 
all. And we are holding to that criteria.
    Mr. Putnam. But, I mean, other than not being a green in 
the President's management report.
    Ms. Evans. Well, you have to look at this. This is still a 
management issue. These are very highly competitive folks. And 
this gets back into, you know, when the scorecard gets 
published, and it is just like this scorecard here, I mean, 
nobody wants to be an F. And so you are either going to 
rationalize why you are doing badly, or you are just going to 
improve your processes overall and move forward.
    The whole purpose of the President's management agenda is 
to achieve results, and the President is very committed to 
that, and this administration is very committed to that. This 
is a piece of that agenda. And so we are committed to achieving 
the results, and the results are to ensure that we have a good 
cyber security posture going forward. So that is how we intend 
to hold the agencies accountable.
    Mr. Wu. Mr. Chairman.
    Mr. Putnam. I hope you are right.
    Mr. Wu. At the Department of Commerce, we, as Ms. Evans has 
indicated, are striving to try to reach green. And it is a 
competitive process. Secretary Evans has made that a priority, 
and I suspect all the other secretaries have as well. We 
haven't quite reached it yet, but we are making strides, and we 
do want to do that. And so there is a commitment to do that, 
and we are following the guidance of OMB and Ms. Evans.
    Mr. Putnam. Well, I hope NIST got a good score.
    Mr. Wu. Well, NIST is part of the Department of Commerce.
    Mr. Putnam. What did Commerce get? I don't have it in front 
of me. A gentleman's C?
    Mr. Wu. No, I think we did well. I will have to talk to our 
Inspector General.
    Mr. Putnam. You got a C.
    Mr. Wu. I will speak to Johnny Frazier and see how much 
better we did.
    Mr. Putnam. C for Commerce.
    All right. Any other comments from our first panel before 
we move into the second half of this hearing? I want to thank 
all of you for your participation and your ongoing efforts to 
improve this. It is a long, hard struggle, and I know most of 
you have been in it for a whole lot longer than I have. And I 
tip my hat to you, and I wish you the best as we continue to 
move forward. And we certainly offer the resources and the 
abilities of this subcommittee to help you help them do a 
better job. Thank you very much.
    And we will stand in recess for a couple of minutes until 
we can set up the second panel.
    [Recess.]
    Mr. Putnam. The subcommittee will reconvene. We have seated 
panel two. As is the custom with this subcommittee and the full 
committee, I would ask the witnesses and anyone accompanying 
them who will be providing information to please rise and raise 
your right hands.
    [Witnesses sworn.]
    Mr. Putnam. Let the record note that all four witnesses 
responded in the affirmative.
    We have had a request from the NRC to use a photographer. 
Since they are one of only two who got an A, they can have 
whatever they want. So come get a picture of this big smile.
    We will begin our testimony. The first witness is Paul 
Corts. Paul R. Corts was sworn in as Assistant Attorney General 
for Administration in November 2002. Prior to entering 
government service, he served as president of Palm Beach 
Atlantic University for 11.5 years. He also served as president 
of Wingate University in North Carolina and has held 
administrative and teaching positions at Oklahoma Baptist 
University and Western Kentucky University. As Assistant 
Attorney General for Administration, Dr. Corts oversees the 
Department's Justice Management Division and is the chief 
financial officer.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

    STATEMENT OF PAUL CORTS, ASSISTANT ATTORNEY GENERAL FOR 
             ADMINISTRATION, DEPARTMENT OF JUSTICE

    Mr. Corts. Mr. Chairman, I appreciate the opportunity to 
appear before you today to discuss the Department's efforts in 
the areas of information technology security and the actions 
underway within the Department to institutionalize the daily 
management of security risks and to implement the requirements 
of FISMA. And I want to commend you and the committee for your 
past and current efforts to shine the spotlight on Federal 
agencies' security performance.
    I certainly want to emphasize that the Department of 
Justice embraces the importance of IT security. Our senior 
management is committed to protecting the Department's IT 
assets from attacks and vulnerabilities, and we have clearly 
identified responsibility for IT security with the CIO.
    IT is key to the Department's success in meeting our 
strategic goals. We place a very high value on the availability 
and integrity of the information in our systems, along with 
confidentiality and privacy concerns. And the nature of our 
work in Justice requires a highly robust security for IT.
    As reported in the OMB Security Act Report for 2003, we 
reported 243 IT systems, 24 programs, 35 contractor operations 
and facilities. All of our programs and 206 systems were 
reviewed in accordance with FISMA guidance provided by OMB and 
NIST. The Department incorporates IT security requirements in 
all of our contracts, and we perform security reviews on half 
of the contract operations and facilities during the fiscal 
year. In addition, over 90 percent of our IT systems have been 
assessed for risks, and over 80 percent have been fully 
certified and accredited to date.
    In the past, the Department operated in an extremely 
decentralized fashion, and that really contributed to IT and 
the computing environment being highly fragmented. This is a 
major concern with our inspector general during the past years, 
and since we joined the Department, it is a concern that the 
CIO and I share. Furthermore, we are fully aware of your 
concerns with our progress in information security, and we take 
these very seriously as well.
    Since I arrived at Justice 16 months ago, the Department 
has taken a number of actions that not only reflect the 
commitment of senior management to correcting past deficiencies 
but also to establish a solid foundation for sustained future 
progress. And many of the IG's recommendations have been 
accomplished, or initiatives are underway that will provide for 
improved performance in the coming year.
    Through the AG's leadership and vision, I think we have 
come a long way toward a more centrally coordinated department, 
and this has made a lot of progress and a very positive impact 
on our IT efforts.
    Specifically, we have clarified our CIO position in terms 
of the Clinger-Cohen Act responsibilities, we have implemented 
a Web-based security awareness training tool. We have trained 
77 percent of our employees so far on that with a goal of 95 by 
summer, implemented a computer emergency response team and 
integrated IT security with a capital investment process and 
some other actions that are underway to remedy deficiencies.
    The Department's senior management team is committed to 
ensuring that these activities are under way, and we have them 
planned to correct both past deficiencies and be sure that we 
integrate these into an institutionalized kind of an 
environment.
    We have reorganized the office of the CIO and named a chief 
information security officer. We've developed a Department-wide 
IT security program. We have established IT security program 
goals. We have approved a policy for 17 information security 
standards; chartered an IT Security Council and six project 
teams; integrated IT security with enterprise architecture and 
the investment management process, developed system risk 
assessment and a test plan tool; provided for CIO collaboration 
and review of component corrective action plans; continued 
development of a public key infrastructure capability; 
continued development of a unified financial management system 
throughout the Department; provided resources to assist 
components in assessing their systems; implemented a monthly 
report card, which you see here.
    This is the age of the report card. So we've come up with a 
report card, a sample there, that is done on a monthly basis to 
let the individual components know how they are doing in the 
area of IT security.
    So the accomplishments and initiatives we have underway 
address many of the IG's recommendations and will provide for 
improved performance in the coming year. We acknowledge the 
need to do more. It is a matter of continuous improvement that 
we are committed to while at the same time we are working to 
reduce risks associated with our IT assets. And I want to thank 
you and the committee for the focus that you are giving to 
this, and we pledge to you our cooperation and support.
    [The prepared statement of Mr. Corts follows:]

    [GRAPHIC] [TIFF OMITTED] T4838.064
    
    [GRAPHIC] [TIFF OMITTED] T4838.065
    
    [GRAPHIC] [TIFF OMITTED] T4838.066
    
    [GRAPHIC] [TIFF OMITTED] T4838.067
    
    [GRAPHIC] [TIFF OMITTED] T4838.068
    
    [GRAPHIC] [TIFF OMITTED] T4838.069
    
    Mr. Putnam. Thank you very much, Mr. Corts.
    Our next witness is Jeffrey Rush, Jr. Mr. Rush was sworn in 
as the Inspector General for the Department of Treasury in July 
1999. Prior to that, he served as the Inspector General of the 
U.S. Agency for International Development and is the acting 
Inspector General of the Peace Corps. Mr. Rush also served for 
23 years in the U.S. Department of Agriculture.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

 STATEMENT OF JEFFREY RUSH, JR., INSPECTOR GENERAL, DEPARTMENT 
                        OF THE TREASURY

    Mr. Rush. Thank you, Mr. Chairman.
    In your letter of February 26, you asked me to address 
three points in my statement: One, a summary of the state of 
information security at Treasury; two, the methodology used to 
audit Treasury and the resources available to my office; and, 
finally, the circumstances that led to the delay in our 
reporting of results under FISMA.
    First, although we have been reporting on serious 
information security weaknesses since 1998, I will limit my 
testimony only to the work done in the last 3 years. Our 
reporting in fiscal years 2001 and 2002 was under the 
Government Information Security Reform Act [GISRA]. This most 
recent job was done under FISMA. All three assessments as well 
as management's own have identified serious deficiencies in 
information security throughout the Department.
    Let me summarize just what we consider the important 
deficiencies to be. First, most of the systems have not been 
certified or accredited. Second, Treasury has been unable to 
provide an accurate inventory year to year of systems to be 
certified and accredited. Third, Treasury's plans of action and 
milestones for fixing serious security weaknesses are not 
complete and are inconsistent. Fourth, 
Treasury does not fully comply with the reporting of security 
incidents. Fifth, Treasury did not use the National Institute 
of Standards and Technology guidance for all of its programs. 
Sixth, interdependencies and relationships of critical 
operations have not been fully identified. And, finally, 
Treasury has not provided sufficient information technology and 
security training to the majority of its employees.
    Second, in conducting our fiscal year 2003 evaluation of 
Treasury's information security program and practices, we 
follow the guidance issued by the Office of Management and 
Budget on August 6, 2003. I have attached a copy of that 
guidance to the statement. The guidance prescribed a set of 
questions to be answered by both agency management and by the 
Offices of Inspectors General. In this regard, OIGs were to 
evaluate a representative sample of all of the types of agency 
systems. One area that was to be emphasized this year in the 
OIG's assessment was against specific criteria: whether the 
agency had developed, implemented or was managing an agency-wide 
plans of action and milestones process. The plans of action 
and milestones process is key to effective remediation of IT 
security weaknesses and instrumental for the agency to get 
green under the expanding government scorecard of the 
President's management agenda.
    Finally, as background for the reason for our delay in 
FISMA reporting, during March 2003, we divested approximately 
70 percent of our staff to the Department of Homeland Security 
Office of Inspector General pursuant to the Homeland Security 
Act. Our audit staff was reduced from 165 to 62 during the last 
6 months of a fiscal year. Our annual audit plan had to be 
completely revised. Thus, this divestiture and subsequent 
attrition reduced our IT audit group from 14 to 5.
    With our much reduced staffing, we determined we could not 
complete FISMA on schedule and sustain an accelerated audit of 
the Department's fiscal year 2003 financial statements. In 
consultation with the Department and the Office of Management 
and Budget, priority was given to the audit of the Department's 
fiscal year 2003 performance and accountability report, and we 
committed to issue the FISMA report within 30 days of that 
date. And, accordingly, the financial statement audit was 
completed on an accelerated basis on November 14, 2003, and we 
issued our FISMA report on December 15, 2003.
    But let me stop and make clear to you that I probably owe 
you an apology. If not, I will give you one anyway. As early as 
July 2003, apparently everyone but this committee was informed 
of the decision to concentrate on completing the accelerated 
financial statement, clearly putting FISMA at a second 
priority; thus, the late report that was due in September.
    Considering our current staffing levels and looking 
forward, we have not been able to and do not anticipate being 
able to hire additional IT auditors in the near future. Thus, 
we plan to contract for the FISMA evaluation for the non-
national-security systems for fiscal year 2004. We will perform 
the fiscal year 2004 FISMA evaluation for Treasury's national 
security systems with our own staff.
    That concludes my statement.
    [The prepared statement of Mr. Rush follows:]

    Mr. Putnam. Thank you very much, Mr. Rush.
    Our next witness is Ellis Merschoff. Mr. Merschoff is the 
Chief Information Officer for the Nuclear Regulatory 
Commission. Prior to serving as CIO, Mr. Merschoff was the 
Director of the Western Region for NRC. He had worked at NRC in 
various capacities since leaving the U.S. Navy in 1980. He was 
awarded the Presidential Distinguished Executive Award in 2000 
and is a licensed professional engineer.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

  STATEMENT OF ELLIS W. MERSCHOFF, CHIEF INFORMATION OFFICER, 
                 NUCLEAR REGULATORY COMMISSION

    Mr. Merschoff. Thank you, Mr. Chairman. I appreciate this 
opportunity to testify with regard to the activities of the 
U.S. Nuclear Regulatory Commission as they relate to the 
Federal Information Security Management Act.
    The mission of the NRC is to regulate the Nation's civilian 
use of byproduct, source, and special nuclear materials to 
ensure protection of public health and safety, to promote the 
common defense and security, and to protect the environment. 
Our headquarters is located in Rockville, MD, with regional 
offices located in Pennsylvania, Georgia, Illinois, and Texas. 
We have a technical training center located in Tennessee and 
resident inspector sites located at 70 nuclear power plants and 
fuel-cycle facilities around the country.
    Although I have been the NRC's chief information officer 
for only 9 months, I have been with the NRC, as you stated, for 
24 years. Of those 24 years, I was an NRC line manager for 18 
years and served as a regional administrator for 6 years. I 
understand the operational and business needs of the NRC which 
allows me to contribute a perspective that enables the agency 
to effectively apply information technology to meet the 
business needs of the NRC while achieving the appropriate level 
of computer security for the agency.
    As an agency, we have 4,000 interconnected computers that 
exchange approximately 100,000 e-mail messages and receive 
another 40,000 e-mail messages from the Internet every day. On 
a daily basis, we experience 500 attempts at reconnaissance of 
our systems, strip out 300 suspicious e-mail attachments, 
identify 100 attempts at denial-of-service attacks and isolate 
10 virus occurrences.
    The NRC has identified all major operational applications 
and support systems, each of which has been certified and 
accredited. Outstanding findings from risk assessments and 
other evaluations are entered into a tracking system, monitored 
and closed out when resolved. We review the security controls 
for each of these systems on an annual basis, using the self-
assessment process provided by NIST and benefit from a strong 
working relationship with NRC's Office of the Inspector 
General.
    The NRC emphasizes computer security awareness at all 
levels of the organization, from senior management to the 
individual employee and contractor. We require that each 
employee take an annual computer security awareness course 
which is available online to ensure accessibility at the 
employee's desktop.
    The NRC holds an annual observance of International 
Computer Security Awareness Day, which has grown in 
participation over the past 10 years. In November 2003, close 
to half of our headquarters population attended this event.
    Like all Federal agencies, the NRC must contend with 
viruses and other malicious software. We download new virus 
definitions to all desktops and deploy relevant computer 
security patches as soon as testing ensures compatibility with 
the NRC's mission-related software. The NRC also utilizes 
announcements to notify staff about viruses, hoaxes, spam, and 
scams that might affect our staff. Ask Cyber Tiger is a regular 
column in the NRC's newsletter that seeks to answer employees' 
computer security questions. Our computer security staff 
created Cyber Tiger about 8 years ago to act as a spokesman and 
a logo character to convey our computer security messages.
    The NRC is the only Federal agency with a comprehensive 
electronic document management system known as ADAMS for which 
the agency received the Archivist of the U.S. Achievement 
Award. ADAMS supports the creation, storage, retrieval and 
management of documents and records related to the NRC's core 
business functions. The system stores the agency's record copy 
in electronic form for efficient transfer to the National 
Archives and Records Administration. Users can search for, view 
the image of and print documents at their work stations 
regardless of geographic location. ADAMS software identifies 
and authenticates users and applies access controls to ensure 
that each document is viewed or modified only by appropriate 
individuals.
    In summary, the NRC operates with offices across the 
Nation. We take computer security requirements very seriously 
and work toward a seamless integration of computer security in 
our day-to-day operations. The NRC's computer security 
challenges continue to evolve, and we continue to revise our 
program to address these new requirements. I appreciate the 
opportunity to appear before you today, and would be pleased to 
answer any questions you may have.
    [The prepared statement of Mr. Merschoff follows:]

    Mr. Putnam. Thank you very much, Mr. Merschoff.
    Our fourth witness for the second panel is Kerry Weems. Mr. 
Weems is in his 23rd year of Federal employment, 21 of those 
being at the Department of Health and Human Services. In 1988, 
Mr. Weems left the Social Security Administration and began 
work for the budget office in the Office of the Secretary, 
Department of Health and Human Services. Since then, he has 
served in a variety of capacities ranging from senior analyst 
to branch chief and division director. In June 2002, he became 
Deputy Assistant Secretary for Budget and, since January 2003, 
has served as Acting Assistant Secretary for Budget, 
Technology, and Finance.
    You are recognized for 5 minutes. Welcome to the 
subcommittee.

   STATEMENT OF KERRY WEEMS, ACTING ASSISTANT SECRETARY FOR 
BUDGET, TECHNOLOGY AND FINANCE, DEPARTMENT OF HEALTH AND HUMAN 
                            SERVICES

    Mr. Weems. Thank you, Mr. Chairman. It is a pleasure to be 
here. And thank you for inviting me today.
    Today, I would like to describe to you the existing efforts 
HHS has undertaken to improve the security posture of our 
agency and to comply with Federal legislative and regulatory 
directives.
    In its most recent FISMA report, HHS reported 222 systems, 
13 programs and 77 contractor operations and facilities, all of 
which require information technology protection. I would first 
like to summarize the current state of information technology 
security within HHS and the actions underway to address 
identified weaknesses and improvements that are currently 
underway.
    I am pleased to report that improvements are being made in 
the management of information security at HHS. We have built a 
solid foundation and policy and procedures for IT security 
operations and management, including a series of supporting 
guides to assist personnel throughout HHS in understanding and 
implementing security policies and guidance. These policies and 
guides form a common baseline for standard IT security 
throughout the Department, which our operating divisions can 
exceed if their business operations require stronger 
protections.
    Updates were also made on previous policies to meet new 
guidance from OMB, specifically in the areas of privacy impact 
assessments, plans of action and milestones, security 
performance measures and metrics, security program reviews, 
and self assessments. Additional updates were made to address 
newly emerging technologies.
    In addition to these efforts, the Secretary launched Secure 
One HHS, a comprehensive program that blends targeted IT 
security, technical support and assistance with managerial and 
operational changes designed to improve the methods and 
practices of all personnel with IT security responsibilities 
throughout the Department. This program provides the framework 
for adequately securing our information systems.
    In fulfilling this initiative, HHS has demonstrated its 
commitment to protect the health and welfare of the American 
public. Key focus areas of Secure One HHS currently include 
critical infrastructure protection, system and program level 
security development, FISMA compliance, which includes numerous 
subcomponents such as certification and accreditation and 
incorporation of plans of actions and milestones as a 
management tool.
    In less than a year, HHS has made major progress in 
employing an extensive security program and increasing the 
level of security throughout HHS. We have taken decisive steps 
to remediate the weaknesses identified in the FISMA report, 
drafted new policies and issued new guidance considering 
integration of security into the system development lifecycle. 
We have linked IT security with capital budgeting by improving 
and integrating IT security elements into the exhibit 53 and 
300 submissions required by OMB, and we have augmented our 
procedures for the IT investment review board to ensure that IT 
security is addressed before new investments are made. We have 
implemented a streamlined yet very intensive support structure 
that provides our operating division with automated tools that 
improve and centralize data collection and reporting of FISMA 
plans of action and milestones.
    HHS has also licensed an automated NIST self-assessment 
tool to standardize and facilitate the department-wide 
utilization of NIST guidance. These tools are supplemented by 
extensive support and monthly plan of action and milestone 
review meetings with the information security officer of each 
operating division.
    HHS has also drafted guidance concerning security 
certification and accreditation and developed remediation plans 
for ensuring certification and accreditation of all appropriate 
systems.
    C&A compliance has increased in the last 6 months and is 
well on its way to exceeding its goal of 90 percent by June 
30th of this year. As of today, we have achieved nearly 60 
percent with a goal of 70 percent for the end of this month.
    For systems that have not completed C&A, each system has a 
specific remediation plan targeting their path toward 
certification. Recently, security remediation plans have been 
expanded to track privacy impact assessments as well as 
linkages between system security and capital planning 
relationships. The chief information security officer has 
conducted reviews of the training and awareness policies and 
practices currently in place and issued guidance regarding the 
management of mandatory annual user security-awareness 
training.
    Last, HHS is developing a departmental security operations 
center that will significantly improve our incident response 
capabilities and institutionalize a more rigorous defense 
against malicious hackers and other threats.
    Thank you. That ends my testimony.
    [The prepared statement of Mr. Weems follows:]

    Mr. Putnam. If you have a wrap-up statement, you are 
welcome to make it.
    Mr. Weems. OK. I will be happy to do that.
    We have made significant progress toward implementing an IT 
security program. We recognize that a program and a strategy 
call for the institutionalization of sound IT security 
practices that are essential for safeguarding information 
entrusted to HHS by the citizens of the country. We remain 
committed to this goal as we continue to implement the Secure 
One HHS program. Thank you.
    Mr. Putnam. Thank you. I thank you for your sensitivity to 
the little red light. Some people just keep right on going.
    Mr. Weems. Mr. Chairman, I have sat behind many secretaries 
who have had to watch the red light.
    Mr. Putnam. It can be intimidating. When I was in the State 
legislature, I had to testify before my first subcommittee, and 
it freaked me out when I went yellow much less red.
    Mr. Merschoff, you are the teacher's pet of the panel. Your 
agency received an A, so we are going to give you all the first 
questions and then sort of let you off the hook, I guess.
    You know, relative to some of the other agencies and 
departments, the NRC is relatively small. How much of your 
success was determined by your size and how much of your 
success is scalable in that it could be easily replicated in a 
larger organization?
    Mr. Merschoff. I would say size is a function of the 
timeliness of accomplishment and not the accomplishment itself. 
We are a full scope agency. We develop new IT applications. The 
ADAMS that I discussed is the first in the Government in terms 
of an electronic records management system. We are developing 
another one for an electronic courtroom for the high-level 
waste hearing.
    So what we do is difficult, but being smaller allows us to 
proceed at a pace that is easier to maintain than the large 
agencies. In terms of scalable, I believe it probably is.
    Mr. Putnam. Now that you are on top, how institutional are 
your changes? I mean, do you foresee remaining an A virtually 
indefinitely? What types of changes do you have to make on an 
ongoing basis to continue to meet those top standards for your 
A rating?
    Mr. Merschoff. Well, as Lewis Carroll said in Alice Through 
the Looking Glass, you have to run really fast in this world to 
just stay where you are, or words to that effect. The bar is 
being raised continuously by OMB, so it will be harder this 
year to be an A than it was last year. We have areas to 
continue to work on, two that you have addressed already in 
terms of contingency plans and inventories are areas we have 
work to do in. So there is important work that remains to be 
done relative to our agency.
    I have an outstanding staff, and I have the support of the 
senior management within the agency to maintain computer 
security, so I anticipate we will be able to meet the new 
challenges.
    Mr. Putnam. How have you implemented the accountability 
within all of your managers and program directors? How is that 
effective, and how have you helped them make it, make 
information and security a priority of their everyday life?
    Mr. Merschoff. We have established the corporate level 
procedures that govern the IT systems, chief of which is the 
capital planning and investment control process. We have 
integrated security into the development of new systems, so a 
business line can't develop a new system without the approval 
of the Office of the CIO, and embedded in that approval is 
working hand in hand with us with security. So we have 
confidence that each new security system we bring on line is 
robust in a security sense. And being a peer to the other 
business line managers, they seek our help, and we provide it 
in terms of current operating systems.
    Mr. Putnam. Your background is not technical in nature as 
it relates to IT; you are an engineer, I believe. Do you think 
that has helped you in understanding the importance of this and 
sharing it with others? Do you think that you have more 
credibility with your peers as an engineer as opposed to being 
an IT specialist?
    Mr. Merschoff. I would take issue with my background not 
being technical. I'm an aerospace engineer and a mechanical 
engineer.
    Mr. Putnam. Information technical.
    Mr. Merschoff. I'm not an IT professional. I believe that 
has helped a lot. What I believe agencies need at the CIO level 
is an executive that can hold people and programs accountable 
to achieve certain goals. Engineering as a discipline is one 
that IT in general can benefit from. Engineers look at 
redundancy and reliability and bring a rigorous, disciplined 
thought process to systems development that matches nicely with 
IT development and CPIC development.
    So the direct answer to your question, in terms of 
credibility, I believe it helps a great deal. Having been a 
peer to the senior business line managers in the agency, there 
is a trust in the budgeting process and there is a trust in 
terms of the service delivery process that I think helps us 
progress.
    Mr. Putnam. Thank you.
    Mr. Rush, could you please elaborate on the additional 
financial reporting requirements that took priority and pushed 
FISMA into a secondary position that you referred to in your 
opening statement?
    Mr. Rush. Yes, sir. In fiscal year 2002, we were the first 
Cabinet-level agency at Treasury to accelerate our financial 
reports to the shortened deadline of November 15th. Under 
Secretary Paul O'Neill, much effort was expended to demonstrate 
that financial reports had to be timely to be useful to 
managers. As we approached 2003, it was clear to OMB that was 
an important goal for all of the CFO agencies. Thus, by late 
spring, early summer and immediately following the divestiture 
of a lot of our resources, I met with the assistant for 
management and we consulted with the Comptroller of the United 
States Linda Springer and made clear that we couldn't meet the 
accelerated deadline for 2003 and meet our other requirements 
given the resources that we had lost. We were clearly able to 
produce one of those jobs but not both of them by the 
deadlines.
    So the decision was that the IRS, the Bureaus, the Treasury 
IG for tax administration and the Department would prepare 
their report and send it to OMB on time and that the IG work 
that my office does to bring FISMA to conclusion would be 
followed within 30 days of any successful accelerated financial 
statement report.
    Now, those discussions went on for a couple of weeks, and 
as I indicated to you in my letter, when I distributed the 
report to you I apologized for the first time, we did not think 
to notify this subcommittee because we assumed that having 
coordinated with OMB that information might have been 
available. I regret that. That was my responsibility, and I am 
here to accept that responsibility.
    But as between the two important jobs that we were facing 
as we went into the fall, it was clear that the accelerated 
financial report was the priority for Secretary John Snow and 
for the administration.
    Mr. Putnam. Is contracting out an option? I assume it will 
be, based on your earlier remarks. Is it going to be your 
option in the future to contract out the preparation of the 
FISMA reports?
    Mr. Rush. It will have to be for the foreseeable future, 
because, again, we are not moving our resources up. The 
President's budget request for 2005 gives us a substantial plus 
up over 2004. It almost helps us recover from some of the 
divestiture. But the problem here is timing. As we found last 
summer as we faced the decision of financial statement 
reporting, FISMA reporting, if you can't make those decisions 
early enough in the audit cycle, you can't get a contract out 
there. Our problem was that we were going into this audit 
period anticipating using our own resources to do the work, and 
when we had this tradeoff decision, we found ourselves in the 
position where it was too late to bring a contractor in because 
you still have to supervise the contractor.
    This year we're starting off with better understanding of 
our resources, we're going to do more contract work for--our 
financial reporting, and we intend to use a contractor for most 
of our FISMA work. We'll not do it for the national security 
systems that we report on to you and others as classified 
reports.
    Mr. Putnam. You went from 165 to 62 staff in the IG's 
office?
    Mr. Rush. No, that's just the audit staff.
    Mr. Putnam. Audit staff. Is that proportional to the amount 
of the department that was transferred to the Department of 
Homeland Security?
    Mr. Rush. Well, after a careful study of our audit program 
for the 3 years prior to divestiture, we identified a need to 
transfer somewhere between 30 and 35 percent of our staff to 
Homeland to accompany the work that was associated with the 
Customs Service, the Secret Service, the Federal Law 
Enforcement Training Center and that part of the Bureau of 
Alcohol, Tobacco and Firearms that went to the Justice 
Department. But for reasons still not clear to me, we were cut 
70 percent rather than 35 percent and we've been playing catch-
up.
    That decision was made, and clearly people were trying to 
do the right thing to establish the Department of Homeland. And 
I don't doubt that the people that we contributed to that IG 
office over there have made a difference in the Department of 
Homeland Security, but we had to actually go out and pick up 
about 12 people for the financial statement audit cycle and 
detail them into our office to get that audit done. And we are 
struggling.
    Mr. Putnam. The IRS and Bureau of Public Debt, those audits 
are conducted by you or by the GAO?
    Mr. Rush. The IRS is done entirely by GAO and part of the 
public debt is done by GAO. We rely on those reports to prepare 
the consolidated. We're responsible for the consolidated audit 
and the bureau-level audits and special audits.
    As you know, Treasury right now has eight different stand-
alone audits, everything from the gold and silver reserve to 
special accounts. The recovery in D.C. pushed the pension funds 
from D.C. into Treasury, so we have to manage an account from 
those funds and do a financial statement on the retirement for 
judges and teachers and police officers.
    We do stand-alone audits for the Office of the Comptroller 
of the Currency, the supervisor of national banks; the Office 
of Thrift Supervision, the supervisor of the savings and loan 
industry. We do stand-alone audits for other entities including 
the Financial Management Service, the check writer and the cash 
manager for government.
    Mr. Putnam. And I hear where you're coming from on the 
reasons for the delay.
    At the end of the day, the score was a D, and I'm told 
probably with the input of the IG's report, had it been on 
time, would have remained an F, the same scores received in 
2002.
    In your testimony, you attribute a fair amount of that to 
the IRS. Could you elaborate on that?
    Mr. Rush. Well, the IRS is the largest bureau of Treasury. 
Treasury right now is about 115,000 to 116,000 people; 100,000 are 
in IRS.
    IRS has gone through major systems modernization for the 
last 4 or 5 years and into the foreseeable future. Their 
inability to accurately identify the number of systems that 
they had really changes all the numbers for Treasury because of 
the miscount or undercount of systems and the failure to 
develop plans consistent with all of those systems.
    But I do not want to make that solely an IRS problem. 
Treasury in every level, in every bureau, has very serious 
information security problems.
    Mr. Putnam. Well, to your credit, you're very blunt and 
candid in your opening statement and your submitted testimony 
to that fact. And it is, considering the nature of Treasury and 
the information it handles and the privacy issues surrounding 
it, people are sensitive about what they pay in taxes and what 
they have, I would think that you would be on the short list of 
folks that we would really want to get it right. And so it is 
important that Treasury can prove.
    Mr. Weems and Mr. Corts, both of you are responsible both 
for financial management and budget, as well as technology of 
your agencies, I believe; is that correct?
    Mr. Corts. That is correct.
    Mr. Putnam. One of the most common complaints that we hear 
is that the components level of departments don't follow 
department-wide policy on information technology and don't feel 
compelled to do so.
    Do you find the same resistance when you direct budget or 
fiscal policy for the Department? And why is there a lesser 
standard of accountability or responsiveness on issues related 
to information technology? Mr. Weems and then Mr. Corts.
    Mr. Weems. The hammer of the budget produces, usually, the 
quickest results; if nothing else, it quickly gets the 
attention of the component head and produces an appeal to the 
Secretary, to me, to somebody else, who then can have a 
reasonable discussion about it.
    Many times, things in other areas seem a bit too esoteric 
to be able to have that kind of discussion. That's why we have 
undertaken in HHS to link these things together. Investments in 
our budget process that do not have proper security simply 
won't go forward, and the agency head or agency official will 
be in the posture of having to appeal, having to have a 
discussion, and also having to explain why they're trying to 
move an information and technology investment that does not 
have security sufficient to the standard.
    Mr. Putnam. Mr. Corts.
    Mr. Corts. There's always a certain amount of push-back.
    I think that the Department of Justice was really--the 
decentralization of the Department caused the bureaus, 
especially the large bureaus, to really take on kind of a 
persona of their own and perhaps push back in both budget and 
IT is stronger in those kinds of situations. But I believe, 
over the last couple of years, with the emphasis on unity as a 
department, we're seeing a great deal of lessening of that.
    The CIO Council that operates within the Department and I 
occasionally will drop in on their meetings. There seems to be 
a good spirit there and a real desire to try to work together. 
The way that we're organized, it does allow the CIO to be very 
involved in the budget process, and I believe it is becoming 
well recognized throughout the Department that the CIO has a 
significant role with respect to budgetary issues.
    So the point that Mr. Weems was making where the budget is 
such a readily identifiable hammer, if you can tie that to IT, 
I think you have an additional kind of hammer to use. So I 
believe that the role that the CIO is playing in budget 
decisions, the CIO's involvement in our management team, is 
giving the CIO additional strengths and a way to deal with this 
push-back issue.
    Mr. Putnam. This is the 4th year in a row that Justice has 
had an F score. What are some things that you can identify as 
barriers to breaking into that D category or something better 
than 4 years of an F?
    Mr. Corts. Well, frankly, we had a lot of organizational 
problems, as I described in the testimony, not the least of 
which was a clear identification of who was in charge of IT 
security. Again, I came to the Department about 16 months ago, 
and quite frankly, I was quite surprised with what I found with 
regard to IT and IT security.
    But I think that we're making big strides, and one of those 
issues was a clear identification of who was going to have IT 
security, because it had previously, in the Department, been 
kind of jerry-rigged, I guess somewhat split between the 
Department security officer and the CIO. And there was a lot of 
struggle over the issue of naming one single person the 
ultimate person responsible for it, but we've crossed that 
bridge and that's really helping us to move forward; and very 
quickly on the heels of that, the appointment of a chief 
information security officer, a person who came with a lot of 
skill and background and is just really making giant strides 
for us in the last months, that aren't showing up on scorecards 
yet because the scoring took place before some of these things 
were happening.
    This is a very dynamic thing for us, and it's on the move, 
and I think it is on the move in the right direction.
    Mr. Putnam. I am glad to hear it is on the move now, and I 
hope that it stays true. I was on the Horn subcommittee and 
we've heard from a lot of folks about changes in personnel, 
changes in priority, changes in leadership, changes in 
policies; and we have to institutionalize something that will 
outlast you, that will outlast me and your attorney general and 
this President and everything else to get serious about this.
    Mr. Weems, your testimony indicated a number of excellent 
sounding initiatives, Secure One among others, yet your 
department actually slid backward from a D to an F. What 
happened and what can we expect to see happen next year?
    Mr. Weems. Well, Mr. Chairman, I work for Secretary 
Thompson, and on this scale, there's only one passing grade, 
and NRC has it.
    Yes, we did slide backward, and our goal is an A, and the 
Secretary has made that very clear to me. Last year we were 
scored before Secure One HHS was launched. In looking back over 
that report and what happened, I certainly don't want to sound 
like ``the dog ate my homework'' sort of excuse here. We do 
have deficiencies in HHS, but one of those deficiencies is 
documentation. If we had sufficient documentation for some of 
our procedures, our grade would have been higher. So there may 
have been a difference between the way that we are evaluated 
and the way that security works in the real world.
    Having said that, we are striving to do as you have said, 
which is to institutionalize security into HHS, largely through 
the budget process, but also through clear lines of 
responsibility emanating from my office through our various 
operating divisions, so we'll make it clear who is responsible 
for what and along what time lines.
    Mr. Putnam. Your budget has, I believe, increased 
substantially since the creation of the Department of Homeland 
Security; is that correct?
    Mr. Weems. Yes, just a few items went to the Department of 
Homeland Security, but our budget for bioterrorism, which is a 
substantial piece, has gone from about $300 million to about 
$4.1 billion in the fiscal 2005 budget.
    Mr. Putnam. Since your profile has been raised as a result 
of the Department's role in the anthrax investigation and 
ricin, and your Secretary's launch of his war room, as well as 
just the increased awareness in the nature of biothreats, have 
the attempted hacks and attacks on your information systems 
increased as your profile has been raised?
    Mr. Weems. We have noticed some increase there.
    One of the things that I think would be helpful, and I 
believe that this subcommittee has pointed out, would be a 
uniform standard for reporting those. As you know, HHS reported 
a substantial number of incidents, but since they're measured 
inconsistently across all departments, it's difficult for us to 
be able to determine our posture with respect to other agencies 
which may report one, for instance, over a year.
    With the growth of our bioterrorism efforts, that is a 
place where we have been very careful to make sure that we have 
sufficient security, and not just cybersecurity but also 
physical security. You can see that at the NIH campus in 
Bethesda and the CDC campus down in Atlanta.
    Mr. Putnam. Mr. Rush, now that FISMA is permanent and we're 
working on our second year, using the same scoring standards, 
do you anticipate a change in resources allocation either for 
the purpose of contracting, or a shift in staffing similar to 
that, that was caused by the CFO Act that would allow you to 
have the tools you need to be in compliance with FISMA?
    Mr. Rush. We're going to have the tools that we need this 
year because the Deputy Secretary is taking over supervision of 
the CIO operations and there's going to be a concerted effort 
to see some improved performance from management. It has to be 
matched by what we do not only in the content of that work, but 
in the timeliness of the work. So I think we're in good shape 
for 2004.
    We're going to be meeting as early as next week to try to 
bring that to conclusion. But long term, I think we have to 
come to grips with jobs that are process jobs for IGs. These 
are compliance-type jobs for IGs. And while I'm not here to 
speak on behalf of that community, as one who's been in that 
community a long time, we can meet the deadline, but we need to 
begin to rationalize some things.
    I, for one, complained to OMB that the timing didn't make a 
lot of sense. Notwithstanding our resources, it made no sense 
to me to be reporting in September on FISMA when we operate on 
a fiscal year that ends September 30 and we have financial 
reporting that started as early as November 15. Trying to bring 
some of these deadlines and due dates into sync makes a lot 
more sense to folks like me, who have to audit.
    Second, the act didn't have a date; it merely said that OMB 
could establish a date. So we thought it fair for them in the 
future to consider a different reporting date than September 
15. That's not a date that's particularly useful for 
management, by the way. It's completely out of context with 
their own mission and performance reporting.
    So there's a lot to be done as we look out at FISMA 2005-
2006. But for 2004, I think we're just going to knock along and 
get the job done.
    At Treasury, I think you'll see some improved performance. 
I'm very impressed with Deputy Secretary Sam Bodman. He's only 
been in the Department about 2 months. He comes to us from the 
Commerce Department where he had real impact on the 
Department's operation, and we hope that he'll bring that to 
Treasury.
    Mr. Putnam. Those are very interesting suggestions, yours 
on the reporting deadlines and Mr. Weems's suggestion on the 
consistent measurements of incidents.
    Mr. Merschoff, do you have any thoughts on ways that we can 
improve what is measured, how it is measured, is it relevant, 
is the benchmark appropriate? Your thoughts?
    Mr. Merschoff. I agree with Mr. Weems. It's important to be 
able to compare your organization to other organizations to 
benchmark to understand if you're doing something substantially 
different that needs to be addressed. In our case, we reported 
67,000 incidents last year to FedCIRC. Some report one or two 
or three, and so it's absolutely impossible----
    Mr. Putnam. Do you know who? HUD had only one attempted--
only one incident. So I guess nobody's interested in breaking 
into HUD's information security or something. It would be quite 
remarkable.
    Mr. Merschoff. But if we're to get better, the CIO Council, 
working together with benchmarking across the entire spectrum 
of what we do, will help us realize where we're performing at a 
level less than the rest of the government on the way to seek 
help and also to provide that help to others.
    Mr. Putnam. Mr. Corts, you're relatively new to this ball 
game. You came from the academic world. What are your thoughts 
on the benchmark and the appropriateness of the standards?
    Mr. Corts. Well, I would certainly agree with the 
consistency issue and, I think, the definitional issue. You 
have to get a clear understanding that everybody is talking the 
same language and comparing apples to apples. And I think--you 
know, I do think this is still a pretty nascent operation, and 
as it matures--and I think it was the language that Karen Evans 
was using--we're going to see things will coalesce better in 
terms of agreement about terms and manners of reporting and so 
forth, which will be to the benefit of all of us from the point 
of view of benchmarking. And in the accreditation work that I'm 
familiar with from academe, those are crucial, just a crucial 
part of the accreditation process.
    Mr. Putnam. What's your deadline for your budget 
submission--I guess Mr. Rush, since you raise the issue of 
deadlines. My understanding is that OMB set the date for FISMA 
reporting to coincide with your budget submissions; is that 
correct?
    Mr. Rush. That may have been their judgment. It did not 
match with the submission. The submission process for the 
fiscal year actually spilled over into late October. We had 
reclama as late as November. The appeals to the President did 
not occur until December, as I recall, this past year and the 
President submitted his budget on February 1st.
    Mr. Putnam. So what----
    Mr. Rush. So I do not see a connection between the budget 
process and FISMA reporting, if there's supposed to be one, and 
I'm not going to object to that. It does not give September 15 
a particular value as a day.
    Mr. Putnam. What date would be more appropriate in your 
view?
    Mr. Rush. We invest so much in financial systems reporting 
because of the Chief Financial Officers Act and GMRA, that it 
would be useful, if we were able to tie our FISMA reporting, 
which often relies on the EDP control audit work in the big 
financial systems, to do it at about the same time or within 30 
days.
    And I'm not making that recommendation for all IGs. I can 
say from Treasury's standpoint, if we could rely on the 
important IT audit work that is part of our consolidated 
financial statement audit, we would be able to get that report 
out and I think you'd get a better product. It's late, but I 
think you will get a better product.
    Mr. Weems. Mr. Chairman, perhaps I can answer that at least 
from the standpoint of the HHS. Our budget deliberations, 
internally at least, inside the Office of the Secretary, 
typically are in July. So if we were in possession of the FISMA 
report in advance of July, we certainly could consider that as 
part of our budget deliberations.
    Typically, August is spent trying to complete the necessary 
documentation to send in a budget to OMB, which is due usually 
right after Labor Day. So, in fact, I believe this year we had 
submitted our budget document to OMB before the FISMA report 
was complete.
    Also, as Mr. Rush has noted, we were in similar throes of 
trying to complete our own audit, which took an awful lot of my 
time and the time of other departmental officials, especially 
the last quarter of the fiscal year and the foregoing 45 days, 
to get to the November 15 audit report date consumes an awful 
lot of time on the financial side and a tremendous amount of 
the leadership's time as well.
    So I would say, from our standpoint, the FISMA report being 
available on a contemporaneous basis in June or May would be 
really important to our budget process.
    Mr. Putnam. Well, that's very helpful and I appreciate your 
suggestions on ways that we can perhaps make FISMA even more 
meaningful, the information from the report more actionable.
    But three of the four of you don't have a whole lot of 
credibility on making recommendations for changes to this 
thing, and some folks have figured out how to do it. It's 
really kind of a unique thing to government that there is this 
kind of flexibility. There are a lot of things going on in 
February and March, but you still have to pay your taxes on 
April 15. You can get the extension, you get the extension, but 
you've still got to pay the man. And people have to file all 
kind of reports to be in compliance with the government.
    And your agencies, your departments and all the other ones, 
are not nearly as understanding as OMB has been and, frankly, 
even as Congress has been about people who just don't do it, or 
they do it 3 months late or they do it whenever they get around 
to it. So we'll take these under advisement.
    But the last thing I want to do, I do not want to cut off my 
nose to spite my face and avoid making solid, common-sense 
changes that you guys recommend that might make sense; I do not 
want to ignore good suggestions. But what I do not want is for 
there to be yet another reason why people are not scoring 
particularly well because we've changed the rules on them, and 
we have once again given them a whole new set on the standards 
by which they're supposed to play ball.
    The one thing about this year's score is that it is the 
first time that we have back-to-back years that actually are 
comparable, apples-to-apples comparisons to really measure 
progress. And all the frustrations and all the timing issues 
and the inconsistent reporting issues, particularly, that 
relate to incidents affect everyone the same way. So, you know, 
the A guys are dealing with the same lack of clarity as the F 
guys. And so if it's off, it's consistently off throughout the 
government, and it's still relatively correct.
    So we'll take your points under advisement as we review 
there.
    But the last thing I want to do is provide another reason 
why people can come back and say, well, you know, we were all 
geared up for the 2004 structure, but then in 2006 you guys 
moved the yardsticks on us. So we would have been there, but we 
were prepared for the old standard.
    I would give all of you the opportunity to provide any 
closing remarks and then we will adjourn the hearings. So, Mr. 
Weems, if you would like to offer any thoughts, things that you 
would wish had come out, suggestions, we'll move on down the 
line.
    Mr. Weems. Nothing else, Mr. Chairman, except we look for a 
better grade, and if you're looking for a responsible official 
in HHS, that's me. Thank you.
    Mr. Putnam. Thank you.
    Mr. Merschoff. Yes, Mr. Chairman, I would like to recognize 
two reasons for our success. One is the computer security 
staff. They're dedicated, they're motivated, they're competent, 
they're capable and they're the engine behind our success.
    The second is the Office of Inspector General. We have a 
good and productive partnership, a dynamic tension with that 
group where we can disagree with them, they can criticize us, 
we listen to each other and recognize that sometimes we're 
wrong and sometimes we're right; and I think that's helped us a 
lot in terms of improving.
    That concludes my remarks.
    Mr. Putnam. Thank you very much.
    Mr. Rush.
    Mr. Rush. I just want to be sure that I close by making 
clear to you that the problem with timeliness was the problem 
of the Office of Inspector General. It was not the Treasury 
Department. It was not IRS. It was not my partner, the Treasury 
Inspector General for Tax Administration. Each of those three 
partners of mine did their work on time, met the standard and 
got their work product to OMB. The only delinquency at Treasury 
came out of my office, and I regret that.
    Mr. Putnam. Thank you for your candor and for your 
suggestions as well. They were good.
    Mr. Corts.
    Mr. Corts. Back to your point about the time that you do 
this and the consistency and so forth, there is a lot of value, 
I think, in being able to, even if the date might not be where 
everybody wants it, you keep that date, you keep the standard 
so you've got the measurement.
    Going forward 2 years in a row now, it would be great to 
see another year. What's the right time? I'm sure we could 
debate that around, because it could serve all of us; different 
times would serve all of us, maybe any one of us better than 
another date. But I do think there's a lot of value in 
consistency, and I know we look for that in terms of 
benchmarking.
    Finally, Mr. Chairman, we just want you to know that the 
Department of Justice considers this to be of the highest 
priority to us, and we fully intend to improve our mark. And we 
intend to be here and look forward to being here and giving you 
a better report in the future.
    Mr. Putnam. Thank you very much.
    I want to thank all of our witnesses from both panels for 
their contribution to our oversight efforts. As we face almost 
daily reports of the IT vulnerabilities, the Federal Government 
really must be a shining example of IT security.
    I also want to mention that I will be meeting with the 
Federal CIO Council again to express my commitment to this 
issue as well as to hear their feedback on why so many agencies 
have not produced better progress, and perhaps to solicit more 
suggestions, as you have provided, on ways that we can improve 
the process.
    In the event that there may be additional questions we did 
not have time for today, the record will remain open for 2 
weeks for submitted questions and answers.
    Thank you very much. The subcommittee is adjourned.
    [Whereupon, at 3:42 p.m., the subcommittee was adjourned.]
    [The prepared statement of Hon. Wm. Lacy Clay and 
additional information submitted for the hearing record 
follow:]