b"<html>\n<title> - NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE FEDERAL GOVERNMENT'S D+ INFORMATION SECURITY GRADE</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\nNO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE FEDERAL GOVERNMENT'S D+ \n                       INFORMATION SECURITY GRADE\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             APRIL 7, 2005\n\n                               __________\n\n                           Serial No. 109-13\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n20-562                      WASHINGTON : 2005\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092250 Mail: Stop SSOP, Washington, DC 20402\xef\xbf\xbd090001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nCHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California\nDAN BURTON, Indiana                  TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. 
McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nGIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York\nMARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland\nSTEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio\nTODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois\nCHRIS CANNON, Utah                   WM. LACY CLAY, Missouri\nJOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California\nCANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts\nMICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland\nDARRELL E. ISSA, California          LINDA T. SANCHEZ, California\nGINNY BROWN-WAITE, Florida           C.A. DUTCH RUPPERSBERGER, Maryland\nJON C. PORTER, Nevada                BRIAN HIGGINS, New York\nKENNY MARCHANT, Texas                ELEANOR HOLMES NORTON, District of \nLYNN A. WESTMORELAND, Georgia            Columbia\nPATRICK T. McHENRY, North Carolina               ------\nCHARLES W. DENT, Pennsylvania        BERNARD SANDERS, Vermont \nVIRGINIA FOXX, North Carolina            (Independent)\n------ ------\n\n                    Melissa Wojciak, Staff Director\n       David Marin, Deputy Staff Director/Communications Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n          Phil Barnett, Minority Chief of Staff/Chief Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on April 7, 2005....................................     1\nStatement of:\n    Crandlemire, Bruce N., Assistant Inspector General for Audit, \n      U.S. Agency for International Development; John Streufert, \n      Acting Chief Information Officer, U.S. 
Agency for \n      International Development, accompanied by Mark Norman, \n      USAID OIG; Melinda Dempsey, USAID OIG; Philip M. Heneghan, \n      USAID; Frank Deffer, Assistant Inspector General for \n      Information Technology, U.S. Department of Homeland \n      Security; Steve Cooper, Chief Information Officer, U.S. \n      Department of Homeland Security, accompanied by Edward G. \n      Coleman, DHS OIG; Ted Alves, Assistant Inspector General \n      for IT and Financial Management, U.S. Department of \n      Transportation; Daniel Matthews, Chief Information Officer, \n      U.S. Department of Transportation, accompanied by Rebecca \n      Leng, DOT OIG; Ed Densmore, DOT OIG; Nate Custer, DOT OIG; \n      Vicki Lord, DOT OCIO; and Dr. Dan Mehan, CIO, FAA..........    71\n        Alves, Ted...............................................   105\n        Cooper, Steve............................................    99\n        Crandlemire, Bruce N.....................................    71\n        Deffer, Frank............................................    89\n        Matthews, Daniel.........................................   124\n        Streufert, John..........................................    79\n    Wilshusen, Greg, Director, Information Security Issues, U.S. \n      Government Accountability Office; and Karen S. Evans, \n      Administrator, Office of E-Government and Information \n      Technology, U.S. Office of Management and Budget...........    22\n        Evans, Karen S...........................................    52\n        Wilshusen, Greg..........................................    22\nLetters, statements, etc., submitted for the record by:\n    Alves, Ted, Assistant Inspector General for IT and Financial \n      Management, U.S. Department of Transportation, prepared \n      statement of...............................................   107\n    Cooper, Steve, Chief Information Officer, U.S. 
Department of \n      Homeland Security, prepared statement of...................   102\n    Crandlemire, Bruce N., Assistant Inspector General for Audit, \n      U.S. Agency for International Development, prepared \n      statement of...............................................    74\n    Cummings, Hon. Elijah E., a Representative in Congress from \n      the State of Maryland, prepared statement of...............    17\n    Davis, Chairman Tom, a Representative in Congress from the \n      State of Virginia, prepared statement of...................     4\n    Deffer, Frank, Assistant Inspector General for Information \n      Technology, U.S. Department of Homeland Security, prepared \n      statement of...............................................    91\n    Evans, Karen S., Administrator, Office of E-Government and \n      Information Technology, U.S. Office of Management and \n      Budget, prepared statement of..............................    54\n    Matthews, Daniel, Chief Information Officer, U.S. Department \n      of Transportation, prepared statement of...................   126\n    Ruppersberger, Hon. C.A. Dutch, a Representative in Congress \n      from the State of Maryland, prepared statement of..........    12\n    Streufert, John, Acting Chief Information Officer, U.S. \n      Agency for International Development, prepared statement of    81\n    Wilshusen, Greg, Director, Information Security Issues, U.S. \n      Government Accountability Office, prepared statement of....    
24\n\n \nNO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE FEDERAL GOVERNMENT'S D+ \n                       INFORMATION SECURITY GRADE\n\n                              ----------                              \n\n\n                        THURSDAY, APRIL 7, 2005\n\n                          House of Representatives,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The committee met, pursuant to notice, at 10 a.m., in room \n2154, Rayburn House Office Building, Hon. Tom Davis (chairman \nof the committee) presiding.\n    Present: Representatives Davis, Duncan, Cummings, \nRuppersberger, and Norton.\n    Staff present: Ellen Brown, legislative director and senior \npolicy counsel; Robert Borden, counsel/parliamentarian; Rob \nWhite, press secretary; Victoria Proctor, senior professional \nstaff member; Jamie Hjort, professional staff member; Chaz \nPhillips, policy counsel; Teresa Austin, chief clerk; Sarah \nD'Orsie, deputy clerk; Kristin Amerling, minority deputy chief \ncounsel; Karen Lightfoot, minority communications director/\nsenior policy advisor; Nancy Scola, minority professional staff \nmember; Earley Green, minority chief clerk; and Jean Gosa, \nminority assistant clerk.\n    Chairman Tom Davis. Good morning. The committee will come \nto order.\n    I would like to welcome everyone to today's hearing on \nimplementation of FISMA, the Federal Information Security \nManagement Act of 2002.\n    We rely heavily on information technology and the Internet \nto support our economy, our national security and government \noperations. For instance, e-commerce is more popular than ever; \nChristmas 2004 saw record high consumer demapped on retail Web \nsites. IT systems are used to operate and protect our critical \ninfrastructures. 
And in the Federal Government, electronic \ngovernment initiatives create efficiencies, save taxpayers time \nand money, and help eliminate redundant processes.\n    Given the interconnectivity of systems, all it takes is one \nweak link to break the chain. All users, whether they are at \nhome or at school or at work, need to understand the impact of \nweak security and the measures that should be taken to prevent \ncyber attacks.\n    Everyone must protect his or her cyberspace, and of course, \nthat includes the government. Therefore, it is critical that \nthe Federal Government adequately protect its systems to ensure \nthe continuity of operations, and to maintain public trust. \nThis is particularly true of agencies such as the Internal \nRevenue Service, the Social Security Administration and the \nDepartment of Veterans Affairs that maintain citizens' personal \ninformation in their systems. Recent failures by the Bank of \nAmerica and Choice Point have focused the spotlight on identity \ntheft. Successful FISMA implementation is important because a \nsimilar event could occur in the government.\n    Like the private sector, agencies are not immune to the \nloss of personal information. Threats to government systems \ncould result in identity theft and subsequent financial damage \nand frustration, as well as diminished trust in government IT \ncapabilities and electronic government programs.\n    Every day Federal information systems are subjected to \nprobes or attacks from outside sources. Cyber attacks are \nevolving and becoming more sophisticated. Therefore, a \ngovernment information security management program must be \ncomprehensive, yet flexible enough to adapt to the changing \ncyber threat environment. It is a matter of good management and \ngood business practice, but it is also a matter of national \nsecurity. 
FISMA provides that structure by requiring that each \nagency create a comprehensive risk-based approach to agency-\nwide information security management.\n    OMB performs an important role in the information security \nmanagement process by encouraging agencies to adopt a new \napproach to security. In the past, information security was \noften seen as an afterthought, more of a crisis response than a \nmanagement tool. OMB is helping to alter that perspective. It \nholds the agencies responsible for protecting Federal systems \nthrough business case evaluations so that agencies can better \nfulfill their missions. OMB requires agencies to address their \nsecurity deficiencies before they are permitted to spend money \non IT upgrades or new IT projects.\n    I support this action because it forces agencies to \nconcentrate on security before adding new layers of systems to \ntheir architecture and potentially complicating their security \nconcerns.\n    I'm also pleased that OMB has identified a sixth line of \nbusiness, cyber security. Laws like FISMA and the Clinger-Cohen \namendment require every agency to think about and invest in \ninformation security. However, each agency does it differently. \nThe reason FISMA grades show the Federal Government still has a \nlong way to go when it comes to information security. As with \nthe other five lines of business, the goal of the cyber \nsecurity line of businesses is to use business principles and \nbest practices to identify common solutions for business \nprocesses and/or technology-based shared services for \ngovernment agencies. The intended result is better, more \nefficient and consistent security across the Federal Government \nfor the same amount of dollars, if not less. 
And at the end of \nthe day, it's not how much money you spend, though, it's how \nwell you spend it.\n    To help us gauge the agencies information security \nprogress, FISMA requires the CIOs and IGs to submit reports to \nCongress and OMB. The committee enlists GAO's technical \nassistance to prepare the annual scorecard. This year the \ngovernment made a slight improvement, receiving a D+. The \noverall government score is two points above last year, but \nneedless to say, this isn't impressive. Progress is slow. Our \nobjective today is to find out how the government can improve, \nand why some agencies can show remarkable improvement while \nothers appear to flounder.\n    We will hear from the IGs and CIOs of two agencies that \nimproved their scores this year, Department of Transportation \nand the U.S. Agency for International Development. We will also \nhear from the IG and the CIO of the Department of Homeland \nSecurity, a poor performer again this year. I think it is worth \nnoting that DHS has cyber security responsibilities for the \nNation, and must work with the private sector regularly on \nthese issues. Given this role, DHS needs to have its house in \norder and should become a security leader among agencies. What \nis holding them up? Well, the DHS witnesses will discuss the \nunique challenges that they face in a large and relatively new \nagency, and what actions they are taking to improve their \ninformation security, giving us a better understanding of their \ndifficulties.\n    In addition, we're concerned about how well the CIO and IG \noffices communicate about issues such as their interpretations \nof the OMB reporting requirements. Disagreements on \ninterpretation may impact their respective reports and make it \ndifficult for us to get an accurate picture of the agency's \ninformation security progress. 
This also raises questions about \nthe clarity of the guidance, and whether agencies respond to \nOMB about the guidance during the comment period so their \ncomments and concerns are adequately addressed in the final \nversion.\n    We will examine whether the IGs need a standardized \ninformation security audit framework similar to that used for \nfinancial management systems. Also, we need to address whether \nagencies need additional guidance, procedures or resources to \nimprove their information security and fully comply with FISMA.\n    Panel one witnesses from GAO and OMB will focus on \ninformation security from the government-wide perspective. \nPanel two is comprised of agency representatives and will focus \non the agency-level perspective on implementation of FISMA.\n    We'll hear from the IGs and CIOs at USAID, DHS, and the \nDepartment of Transportation. GAO will join panel two for the \nquestion-and-answer period.\n    [The prepared statement of Chairman Tom Davis follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.001\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.002\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.003\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.004\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.005\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.006\n    \n    Chairman Tom Davis. I now recognize our distinguished \nranking member, Mr. Waxman, for his opening statement.\n    Mr. Ruppersberger. I'm not Mr. Waxman, I'm a little bit \nlarger than Mr. Waxman.\n    Chairman Tom Davis. Well, when he comes, we will recognize \nhim. In the meantime, we're very pleased to recognize from \nBaltimore City, Mr. Ruppersberger, who I will be happy to \nrecognize.\n    Mr. Ruppersberger. Well, first, thank you for calling this \nhearing today on OMB's report to Congress on the Federal \nInformation Security Management Act.\n    According to the report, the U.S. 
Agency for International \nDevelopment and the Department of Transportation received the \nhighest grades of all 24 agencies reviewed. I hope that during \ntoday's hearing, we will be able to pull out some best \npracticing and tangible suggestions from those agencies as to \nhow the other 22 can improve their grades. It is disappointing \nand unacceptable that our government agencies' overall grade is \na D+, however, I'm encouraged by the few successes that will be \ndiscussed here today.\n    The F grade for the Department of Homeland Security is \ntotally unacceptable because of the high stakes involved and \ntheir mission to protect our national security. Last week, the \nPresident's Commission on the Intelligence Capabilities of the \nUnited States issued their report regarding WMDs. In the \nreport's postscript the Commission identified security, \ncounterintelligence, and information assurance as crucial \nissues in the intelligence community and the Director of \nNational Intelligence in the next few years to come.\n    The Commission acknowledges that they only scratched the \nsurface of the problem, and the Commission recommends early \naction to define new strategies for managing security in the \n21st century, security that includes information assurance, \nwhich is why we're all here today.\n    This recommendation from the Commission will be a \nbeneficial step in the process for the Department of Homeland \nSecurity and other security offices to improve their \ninfrastructure security and their information and cyber \nsecurity efforts.\n    The good news is that the Justice Department improved the \nmost, going from an F last year to a B- this year. Currently, \nas graded, the FBI is evaluated within the overall grade given \nto Justice. 
Based on the FBI's mission regarding national \nsecurity interests, I believe they should be graded separately \nfrom the Department of Justice.\n    Again, according to the President's Commission, further \nreforms are also necessary in the FBI's information technology \ninfrastructure which remains a persistent obstacle for \nsuccessful execution of the FBI's national security mission.\n    If we look at the problem as a national security issue in \naddition to a general information security issue, I think we \nwill be able to come together to find solutions that will work \nacross all agencies. I know there is always a tradeoff between \nthe cost of implementing a security measure and the potential \nrisks if we do not. I feel that projecting our citizens and the \ngovernment from information security breaches is worth the cost \nthat will be incurred to set up appropriate security measures. \nI am concerned about all of these issues, but I think if we get \npast the grades and use this hearing and OMB's report as a \nguide, I think we will be able to quickly improve information \nsecurity government-wide.\n    We're here today to point out a problem and to see what we \ncan do to fix it. These failing grades are unacceptable. We \nneed to learn from those agencies who are doing well so that we \ncan improve individual agency's scores and the government-wide \nscore.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Hon. C.A. Dutch Ruppersberger \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T0562.007\n\n[GRAPHIC] [TIFF OMITTED] T0562.008\n\n[GRAPHIC] [TIFF OMITTED] T0562.009\n\n    Chairman Tom Davis. Thank you very much. I do not see Mr. \nWaxman, even though he is in my script.\n    The gentleman from Maryland, any opening statement?\n    Mr. Cummings. Yes, thank you very much.\n    Mr. 
Chairman, I, too, thank you for calling this important \nhearing on the effectiveness of the Federal Government's \nongoing attempt to strengthen the security and reliability of \nits information and information systems.\n    Decades ago, the necessity of such a hearing would have \nbeen questionable as information technology and the Internet \nwere not as prevalent nor as indispensable in the Federal \nGovernment as they are today. In the 21st century, one need not \nlook very far to see how ambiguous information technology and \nthe Internet have become in the day-to-day operations of the \nFederal Government. Communications now travel as fast and as \nfar as the Internet allows. The electronic processing of \ninformation allows delivery of services to function with \nunprecedented ease and accuracy. The sharing of information \nintergovernmentally and across sectors can permit the Federal \nGovernment to operate with renewed effectiveness.\n    However, with all the advantages that accompany the Federal \nGovernment's information technology capabilities, there still \nexist critical areas of concern. The terms ``computer virus,'' \n``worm'' and ``hacker'' are now part of the modern day lexicon \nfor good reason. Given the sensitivity of personal and \nconfidential data found in Federal information systems in \nagencies such as the Internal Revenue Service and the \nDepartment of Defense, the potential exists for cyber criminal, \nterrorist or foreign nation to wreak havoc.\n    The American people are acutely aware that such \nvulnerabilities could not only result in identity theft and a \nloss of privacy, but also endanger our economy and undermine \nour national security.\n    Due to these concerns, information security has become a \ntop governmental priority. To that end, Congress passed the \nFederal Information Security Management Act [FISMA], in 2002. 
\nThis legislation established a comprehensive framework to \nsafeguard the Federal Government's information and information \nsystems.\n    Agencies are mandated to implement an information security \nprogram, which includes performing risk assessments, accounting \nfor utilized information systems, and developing procedures to \nensure the accessibility and continuity of information. \nAgencies must also furnish the Office of Management and Budget \nwith an annual report on the effectiveness of their program. \nThese agency reports form the basis of the Government Reform \nCommittee's Federal computer security report card. \nSpecifically, the FISMA report for 2004 acknowledges some \nimprovements and perennial challenges in this area.\n    It states that agencies have made substantial progress in \nthe certification and accreditation of systems, the \nincorporation of built-in security costs, the annual testing of \nsystem controls, the development of contingency plans to ensure \noperational continuity, and the implementation of security \nconfiguration requirements. This progress is commendable, \nhowever, given that the 2004 government-wide grade for \ninformation security is a D+, information technology is too \nearly to celebrate. Critically important agencies such as the \nDepartment of Homeland Security, the Department of Health and \nHuman Services and the Department of Veteran Affairs all \nreceived Fs.\n    I would argue no one here would be satisfied if their child \nbrought home these grades from school. How can we afford to \nhave a lower standard for the Federal Government? The American \npeople demand excellence, and Cs, Ds and Fs in securing the \nFederal Government's information just won't do.\n    Today's hearing will serve as an avenue to identify what \nneeds to occur to assist Federal agencies in realizing the \ngoals of FISMA. 
I hope the witnesses will provide insight to \nhelp Congress determine whether agencies require additional \nguidance in order to meet FISMA requirements, the \nresponsibilities of agency Inspectors General in this process, \nand the need to possibly provide increased flexibility in \nassessing agency compliance with FISMA mandates.\n    With that, Mr. Chairman, I again thank you for calling the \nhearing, and I yield back.\n    [The prepared statement of Hon. Elijah E. Cummings \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T0562.010\n\n[GRAPHIC] [TIFF OMITTED] T0562.011\n\n[GRAPHIC] [TIFF OMITTED] T0562.012\n\n[GRAPHIC] [TIFF OMITTED] T0562.013\n\n[GRAPHIC] [TIFF OMITTED] T0562.014\n\n    Chairman Tom Davis. Well, thank you very much.\n    For our first panel we have Greg Wilshusen, who is the \nDirector of Information Security Issues, at the Government \nAccountability Office, who is no stranger to this committee. \nAnd we have Karen Evans, who is the Administrator of the Office \nof E-Government and Information Technology at the Office of \nManagement and Budget. I'm not sure if this is your first time \nin a full committee, you have done a lot in the subcommittee, \nbut we welcome you, we're happy to hear from you, and we \nappreciate the job that you are doing.\n    You know it is our policy to swear witnesses in, so would \nyou rise and raise your right hands.\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you very much.\n\n STATEMENTS OF GREG WILSHUSEN, DIRECTOR, INFORMATION SECURITY \n  ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND KAREN S. \n EVANS, ADMINISTRATOR, OFFICE OF E-GOVERNMENT AND INFORMATION \n        TECHNOLOGY, U.S. OFFICE OF MANAGEMENT AND BUDGET\n\n                  STATEMENT OF GREG WILSHUSEN\n\n    Mr. Wilshusen. Mr. Chairman, and members of the committee, \nI am pleased to be here today to discuss Federal efforts to \nimplement requirements of the Federal Information Security \nManagement Act of 2002 [FISMA]. 
This act requires each agency \nto develop, document, and implement an agency-wide information \nsecurity program that provides security for the information and \ninformation systems that support the operations and assets of \nthe agency, including those provided and/or managed by another \nagency or contractor. Agency programs are to include eight \ncomponents, such as periodic assessment of risks and periodic \ntesting and evaluation of controls. FISMA also requires OMB, \nFederal agencies and Inspectors General [IGs], to report each \nyear on efforts to implement these programs.\n    Mr. Chairman, my bottom-line message today is that \ncontinued efforts are needed to sustain progress made by the \nagencies in implementing the requirements of FISMA.\n    In my testimony today, I will note areas where agencies \nhave made significant progress and those areas where challenges \nremain. In addition, I will discuss opportunities for improving \nthe annual FISMA reporting process.\n    Our reviews of information security controls at Federal \nagencies have found that significant information security \nweaknesses continue to place a broad array of Federal \noperations and assets at risk of misuse and disruption. As a \nresult, we continue to designate Federal information security \nas a government-wide high risk area in our recent update to \nGAO's high-risk series.\n    In its fiscal year 2004 report to the Congress, OMB noted \nthat the 24 major Federal agencies continued to make \nsignificant progress in implementing key information security \nrequirements. For example, OMB reported that the percentage of \nFederal information systems that have been certified and \naccredited rose 15 points to 77 percent. Systems certification \nand accreditation is a process by which agency officials \nauthorize systems to operate. 
It is to include a security of \nthe management, operational and technical security controls in \nthe system.\n    However, OMB, the agencies, and IGs also reported several \nareas where implementing effective information security \npractices remains a challenge. For example, seven IGs assessed \nthe quality of their agency's certification and accreditation \nprocesses as poor. As a result, agency reported performance \ndata may not accurately reflect the status of the agency's \nefforts to implement this requirement.\n    As another example, 43 percent of Federal systems did not \nhave a tested contingency plan. These plans provide specific \ninstructions for restoring critical systems, business \nprocesses, and information in the event of a disruption of \nservice. The testing of contingency plans is essential to \ndetermine whether the plans will function as intended. Without \ntesting, agencies can have only minimal assurance that they \nwill be able to recover mission-critical systems and processes \nin the event of an interruption.\n    Opportunities exist to improve the annual FISMA reporting \nprocess. For example, in the absence of an independent \nverification of agency-reported data, having a senior agency \nofficial attest to the accuracy of data could provide \nadditional assurance.\n    In addition, performance measurement data do not indicate \nthe relevant importance or risk of the systems for which FISMA \nrequirements have been met. Reporting performance data by \nsystem risk would provide better information about whether \nagencies are prioritizing their information security efforts \naccording to risk.\n    Finally, developing and adopting a commonly accepted \nframework for conducting the annual IG reviews mandated by \nFISMA could help to ensure consistency and usefulness of these \nreviews.\n    Mr. Chairman, this concludes my opening statement. 
I will \nbe happy to answer any questions you or the members of the \ncommittee may have.\n    [The prepared statement of Mr. Wilshusen follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.015\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.016\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.017\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.018\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.019\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.020\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.021\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.022\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.023\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.024\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.025\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.026\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.027\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.028\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.029\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.030\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.031\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.032\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.033\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.034\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.035\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.036\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.037\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.038\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.039\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.040\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.041\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.042\n    \n    Chairman Tom Davis. Thank you. We do have a number of \nquestions.\n    Ms. Evans, thanks for being with us.\n\n                  STATEMENT OF KAREN S. EVANS\n\n    Ms. Evans. Good morning, Mr. Chairman, and members of the \ncommittee. Thank you for inviting me to speak about the status \nof the Federal Government's efforts to safeguard our \ninformation and systems.\n    In March 2005 OMB issued our second annual report on \nimplementing the Federal Information Security Management Act \n[FISMA]. 
We continue to believe FISMA provides a sound \nfoundation for improving and maintaining a strong Federal \ninformation technology security program. In short, FISMA is \nworking. Results are apparent. Agencies and Inspectors General \nare becoming more acclimated to its requirements, and new \ntechnical guidelines from the National Institute of Standards \nand Technology are coming online to promote further progress. \nWe see no need at this time to revise it in any significant \nway, in fact, substantial revision could delay additional \nprogress.\n    Across the Federal Government, most agencies have shown \nsubstantial progress in improving their information security \nprograms. In addition, for the first time agencies reported the \ndegree to which they've implemented security configurations for \noperating systems and software applications. We found that all \nagencies have begun developing and implementing security \nconfiguration policies for at least some of their operating \nsystems.\n    While progress has been made, deficiencies in agency \nsecurity procedures and practices remain. Two common \ndeficiencies noted by the agency's Inspector Generals include \nweaknesses in agency-wide plans of actions and milestones, and \nthe lack of quality in some of the agencies' certification and \naccreditation processes.\n    In addition, we have identified other areas of concern; \nthey include overall inconsistency in agency and government-\nwide FISMA implementation, self and IG evaluations. Potentially \nunnecessary duplication of effort and resources across the \ngovernment, ensuring adequate security of contractor-provided \nservices, and a transition to Internet protocol version 6.\n    While we believe FISMA itself, along with the implementing \nguidance from OMB, NIST, and the national security authorities \nare sufficiently comprehensive and detailed to address these \nconcerns at a policy level. 
Consistent implementation, however, is \ndifficult and requires considerable expertise and resources at \nthe agency.\n    I would like to answer directly one of the questions asked \nin your invitation letter, whether there is a need for an \nInspector General auditing framework similar to that used in \nfinancial audits. We have found the IG's analysis extremely \nvaluable in gaining additional insight into the agency's IT \nsecurity programs and operations. Much of the analysis in our \nannual report comes from the IG's findings, but at the same \ntime, like agency CIOs and operational program officials, IGs \nhave varying capacities in the areas of resources available and \nsecurity expertise.\n    And across the IG community, there are differing \nmethodologies and perspectives on what comprises a sound \nsecurity program, including the proper way to implement FISMA. \nTherefore, to the extent that an IG framework would promote \ngreater consistency, we would support it; but we do note a few \nconcerns. First and foremost, we strongly believe that the work \nof the IG should, to the maximum extent practical, be \nintegrated with and not separate from agency IT security \nprograms; and second, we're concerned with the adoption of a \nstrict and specific review requirement for FISMA purposes if \nit would, in any way, limit the essential interaction needed \nbetween IGs and CIOs.\n    In addition to ongoing discussions to promote consistency \nin oversight and reporting, we have asked the IGs to \nparticipate in the newly formed IT security line of business. \nWe expect this line of business will not only lead to a de \nfacto IG and CIO reporting framework, but more importantly, a \nstronger Federal Government-wide IT security program.\n    While the task force performs its work, OMB will continue \nto use our existing oversight mechanisms to improve agency and \ngovernment-wide IT security performance. Information technology \nsecurity is one of the No. 
1 critical components that agencies \nmust implement in order to achieve green for the e-government \ninitiative of the President's management agenda. If the \nsecurity criteria are not successfully met, agencies cannot \nmove forward regardless of their performance against the other \ncriteria.\n    In conclusion, over the past year agencies have made \nsignificant progress in closing the Federal Government \ninformation technology security performance gaps.\n    I would like to acknowledge the significant work of the \nagencies and the IGs in conducting the annual reviews and \nevaluations. While notable progress in resolving IT security \nweaknesses has been made, problems continue, and new threats \nand vulnerabilities continue to materialize. To address these \nchallenges OMB will continue to work with the agencies, GAO and \nCongress to promote appropriate risk-based and cost-effective \nIT security programs, policies and procedures to adequately \nsecure our operations and assets. But again, we believe FISMA \nis more than adequate in its current form to support all the \nneeded improvement efforts. I would be glad to take any \nquestions at this time.\n    [The prepared statement of Ms. Evans follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.043 through T0562.050\n    \n    Chairman Tom Davis. Well, thank you both.\n    Ms. Evans, what changes or improvements is your office \nproposing for the 2005 FISMA guidance? And do you plan to issue \nnew updated guidance regarding your circular A-130?\n    Ms. Evans. We are working right now with the IG community \nand NIST, CNSS and GAO to revise the reporting requirements. \nIt's going to be similar to last year. 
We are going to focus \nthis year more on performance metrics, and we are going to \ninclude a new reporting requirement this year dealing with \nprivacy of the information that the agencies are collecting.\n    Chairman Tom Davis. Well, some agencies have expressed \nconcern that the term ``system'' is not well defined; for \ninstance, how should an agency classify a state system that \ncontains Federal data? Does OMB plan to address this in the new \nguidance?\n    Ms. Evans. The definition of a system--and I want to answer \nthis question both from my past experience as an agency CIO, \nand now as the policy official.\n    The reason why I believe that we have allowed the \ndefinition to be the way that it is is that it provides maximum \nflexibility. So as agencies would potentially view this as \nambiguous, we view it from a policy perspective as giving the \nagencies flexibility that they need to be able to determine and \nanalyze what risk is appropriate for assets within their \ncontrol that they have that they are responsible for.\n    So there is an ambiguous nature to the definition of \nsystem, but we look at it as it allows the flexibility for the \nagency to define that so that they can then go forward and \nimplement the management policies and procedures they need in \norder to deal with that.\n    You could do something very small and say one piece--there \ncould be an application on one piece that has enormous risk \nthat it would impose if it was connected to a network; you may \ndetermine that should be called a system, and go through the \nfull certification and accreditation for that. And a system \ncould be as huge as a network, where the whole department's \nnetwork, that can constitute a system because there are certain \nrules of engagement that you would want to have, rules of \nbehavior on that system before you would go forward and allow \nother resources to be connected to it. 
So we don't necessarily \nwant to go down and be so proscriptive in our definitions as to \nrestrict the ability of the agency to be able to go forward and \ndetermine what is the best posture for them.\n    Chairman Tom Davis. But you could have agencies defining it \ndifferently, basically.\n    Ms. Evans. They may, and that is why the evaluation that is \nbeing done by the IG, the independent evaluation coming in, \nlooks at how they apply that definition, how they have a \nmethodology within their department to see if the thought \nprocess that they put behind it to determine it is sound to \naddress the risk.\n    Chairman Tom Davis. OK. Mr. Wilshusen, what do agencies \nhave to do to get information security removed from the GAO \nhigh-risk list? This is, as you know, the list was expanded to \ninclude cyber security--well, cyber critical infrastructure \nprotection. Information security has been on the list since \n1997. Can you briefly discuss what you think needs to be done \nto get this off the high-risk list?\n    Mr. Wilshusen. Well, first of all, what they need to do--\nand where we have consistently found on our review--is to \nimplement at each agency an effective agency-wide information \nsecurity program, such as those principles and requirements \nembodied in FISMA. And we have found that many of the agencies \nhave not done that. This in turn has allowed and has resulted \nin many of their systems being insecure.\n    Chairman Tom Davis. Now why don't they do that? Is it lack \nof money, they've got so many priorities at this point this is \njust one, without additional resources, that they're reluctant \nto do?\n    Mr. Wilshusen. It is probably a couple of issues. Certainly \nthe emphasis and level of attention since the passage of FISMA \nhas helped and has improved both awareness and accountability \nof the highest levels of each of the agencies, and that has \nbeen a positive thing. 
But in many cases it's primarily \nmanagement issues, even though security has technical aspects \nto it. Many of the findings and issues that we identify are the \nresult of management issues where certain requirements are just \nnot being implemented.\n    Chairman Tom Davis. OK. Thank you very much. I'm going to \nhave some more questions, but Mr. Ruppersberger is going to get \na turn here.\n    Mr. Ruppersberger. Well, after looking at the reports and \nthe grades, I see that some agencies have improved. Is there \nany effort to have a departmental roundtable to share best \npractices? I mean, what we are really here for today is to try \nto get us to a level where we are going to be a lot more \nefficient, and we have to find a way to do this. And it seems \nto me, when you have agencies that are doing well and agencies \nthat aren't doing well, let's look at it and share information.\n    Could either one of you address that issue?\n    Ms. Evans. Yes, sir, I would be glad to.\n    There are actually two efforts underway. One the chairman \nalready noted, which is the cyber security line of business. \nThis is an interagency government-wide task force that OMB has \nbrought together under the leadership of the Department of \nHomeland Security as well as it is being co-chaired by NSA. And \nwhat we are doing there is looking at all of the issues. There \nare four particular areas that we are looking at, like \ntraining, like management practices of framework, those types \nof activities which get to the heart of your question, what is \nworking, and what can we take that is working within the \nagencies and move it out government-wide?\n    The one thing that when we set up this task force is, \nbecause of the way FISMA is set up and the way that a cyber \nsecurity program should work, a good IT program should work \nwithin a department is you still have to look at the risk. 
Each \ndepartment may have a different level of risk, so you can't \nnecessarily think that one size would fit all. But that is what \nthe security line of business is looking at.\n    Also, on the CIO council, the Department of Justice Vance \nHitch, is our cyber security liaison; he works very closely \nwith our Best Practices Committee on topics, and topics such as \nsecurity have always been on the forefront to bring together \nthe appropriate groups so that we can share best practices. And \nthen also, there is a newly named forum that we are--the CIO \ncouncil is co-chairing with Congressman Davis' staff, which is \nthe Chief Information Security Officers Forum.\n    So we are trying to bring it together at multiple levels \nwithin an organization, and across the government as a whole, \nso that practices can be identified----\n    Mr. Ruppersberger. Let me ask you this question: So much of \nwhatever we do in management, managing large organizations, \nwhatever, is accountability, and also giving the resources to \nthe people that we want to perform the mission. How about the \nissue of maybe a government-wide audit standard? Do you think \nthat would help in this situation? It seems that we need a \nstandard for all of our agencies. Now we have different \nmissions and different areas that we move into. What do you \nthink of that issue?\n    Ms. Evans. Well, I believe, through the President's \nmanagement agenda, that we have added specific criteria into \nthe score card under e-government, so we are holding the \nagencies accountable for their performance.\n    Mr. Ruppersberger. But these failing grades are just not \nacceptable.\n    Ms. Evans. I believe that the progress and the way that we \nare measuring progress--we have the same goals in mind, both \nthe committee as well as the administration. How we are \nmeasuring progress may be a little bit different based on what \nthe rating factors are based on what the committee has. 
You are \nspecifically asking me about an auditing standard, and FISMA \nspecifically makes a difference between audit and evaluation. \nAnd we really think that it's more of an evaluation because \nthis really needs to be a collaborative effort within the \nentire department, because as you are talking about it, it is a \nmanagement issue as well. If it turns into an audit situation, \nour concern is that there won't be as much exchange, that it \nis more an evaluation----\n    Mr. Ruppersberger. That's a good point. I'm near the end of \nmy 5 minutes, I want to keep moving down another area.\n    I am very concerned about the issue of the failing grade \nwith Homeland Security, and I guess it is your turn, Mr. \nWilshusen. Why do you feel at this point that Department of \nHomeland Security has a failing grade? What can we do to move \nthat to another level to get them a lot more proficient in this \nsubject matter today?\n    Mr. Wilshusen. Well, first of all, Homeland Security does--\nand I guess you will talk to the CIO and IG on the next panel \nas well, but they have had a number of challenges that they \nneed to overcome just in the creation of the department to----\n    Mr. Ruppersberger. No question.\n    Mr. Wilshusen. And that has been pretty much a key factor \nin some of the challenges that they face. However, at the same \ntime, only just recently have they established key positions \nwithin that department in terms of having a chief information \nsecurity officer, and they have identified key individuals to \nbe responsible for information security. But it will take quite \na bit of an effort for them to kind of meld different systems \nto make sure there is appropriate accountability, and the \nalignment of the information security program at the department \nlevel with different operating entities. Right now there is \napparently quite a bit of autonomy between the two.\n    Mr. Ruppersberger. 
And we can develop that in the next \npanel also, I see my time is up.\n    Chairman Tom Davis. Ms. Norton.\n    Ms. Norton. Thank you, Mr. Chairman.\n    I'm sorry I was detained and I did not hear the entire \ntestimony, but what concerns me is the unevenness among the \nagencies. Mr. Ruppersberger asked about homeland security and \nthere may be some reason why they haven't gotten most of their \nact together, but some of these agencies you would expect to do \nbetter, you would expect the Department of State to do better, \nyou would expect the Nuclear Regulatory Agency not to go down.\n    And I note that the agencies look like they are in charge \nof this entire process. They are required to take the steps to \ndo the inventory of their systems. And apparently in the \nsurvey, 70 percent of them said they wanted greater guidance in \nmeeting the requirements. The report cards signify nothing, if \nnot the need for greater guidance. I'm wondering if too much of \nthis is left to agencies who have no expertise here either in \nchoosing consultants in security aspects of computer systems; \nin fact, no agency really does have that expertise. I'm \nwondering if simply saying to the agencies, do this, has been \nsufficient, particularly when they themselves say they want \ngreater guidance in meeting the requirements. And I suppose the \nobvious question is, do you agree, and where would such \nguidance come from? Are any steps being taken to offer greater \nguidance, given the rather pathetic reports that are indicated \nin the Federal computer security report card?\n    Ms. Evans. 
First off, what we are trying to do from an \nadministration perspective is avoid being very, very \nproscriptive in the policy because what we want to avoid is \npeople just going down and cranking through--mechanically \ncranking through and getting checkmarks because you really want \nthe practice to be engrained, and we were talking about \nmanagement practices.\n    So in order to meet what we are hearing from the agencies \nabout additional guidance, we did take that to heart, and that \nis why the cyber security line of business was announced. They \nare looking at very specific areas, and we are bringing in the \nexpertise in order to complement the team that has been put \ntogether government-wide. There will be recommendations that \ncome out of that task force, specifically about how to identify \nproblems, how to move forward, how to make sure that we have \nconsistent and measurable types of statistics, how to do good \ncertification and accreditation, and how to achieve the things \nthat they are being measured upon, because I do agree with you, \nyou just can't say, here are the requirements, go out and do \nit, and not provide the help and assistance that they need, \nespecially when they are asking for it.\n    So the products that will come out of the cyber security \nline of business we are very hopeful will address the issue of \ngiving further guidance, without issuing new policies.\n    Ms. Norton. I don't understand what you mean about policy--\nbeing proscriptive as to policy. As I understand it, they want \ngreater guidance in meeting the requirements and a \nclarification of FISMA's assessment guidelines. I don't see \nwhere there is policy proscription involved in that.\n    Mr. Wilshusen. One of the sources that the agencies can \nlook to is NIST. Since FISMA was enacted, it placed \nspecifically a responsibility to NIST in preparing and \nproviding guidance and requirements to agencies and \nimplementing the various aspects of FISMA. 
Over the last \nseveral--2 years, NIST has come out with guidance, and indeed \nthey are going to be coming out with some additional guidance \nin different areas going forward.\n    Ms. Norton. Well, they can look to that, and they could \nhave looked to that all along, I take it.\n    Mr. Wilshusen. Over the last couple of years they have \nissued new guidance.\n    Ms. Norton. Well, all I can say is if the agency--if this \nlarge percentage of the agencies that is, a super majority say \nwe need greater guidance, it does seem to me that whatever is \nin place is insufficient, and that the responsibility of the \nadministration centrally is to assure that they get that \nguidance so that these pathetic grades do not come before the \ncommittee again.\n    Thank you very much, Mr. Chairman.\n    Chairman Tom Davis. Thank you very much.\n    The gentleman from Tennessee.\n    Mr. Duncan. Well, thank you, Mr. Chairman.\n    I remember when we passed the one agriculture bill, farm \nbill a few years ago, 2 or 3 years ago, the Wall Street Journal \nhad an editorial--and the bill was called the Farm Security \nAct--and it said any time we have the word ``security'' in a \nbill, we ought to give it 4 times the scrutiny because they \nwere putting the word ``security'' in every bill, and we were \ngoing to great, great expense, and not getting a lot of bang \nfor the buck, so to speak.\n    And then I have also read and heard that every computer \nsystem is obsolete the day it's taken out of the box now \nbecause the technology is moving so fast. 
So the concerns I \nhave--and I know Governor Gilmore from Virginia, who chaired \nthe President's Commission on Security and Terrorism, he said--\nin his cover letter to the President, he said we must resist \nthe urge to try to achieve total and complete computer because \nhe said it's not attainable, and if we aren't careful, we will \ndrain our resources from other things that are achievable.\n    So I guess the two concerns I have is, No. 1, the cost of \nsome of these things, because what I read repeatedly, I \nremember the FBI came up with a computer system that we spent \nhundreds of millions on, and then they said it was a disaster \nafter we had paid for it. So what do we do on the cost of some \nof these things? Are we looking at those costs and what we are \ngetting for our money so we don't just go ridiculously \noverboard? And second, are we settling for a Mercedes instead \nof constantly seeking to get Rolls Royces in regard to these \nsystems?\n    You've always got these companies that want to sell you \nmore and better and newer, and I'm just wondering are we using \na little common sense in regard to some of these things?\n    Mr. Wilshusen. Well, certainly you are absolutely right, \nthere is no way to provide absolute assurance that you are \ngoing to prevent any particular security infractions or \nviolations and the like. You can never give 100 percent \nassurance that you are going to be able to thwart all security \nthreats.\n    What you have to do, and what FISMA requires, is that you \nhave a risk-based program and process in which you assess the \nrisk to your systems, and then come up with cost-effective \nmeasures to protect against those particular risks. And \ncertainly, that is one of the key underpinnings of any \ninformation security program is having it based on risk.\n    Mr. Duncan. All right.\n    Yes, ma'am.\n    Ms. Evans. 
As far as your question about evaluating the \ncost based on the cyber security program, every agency is \nrequired, as they bring forth their IT investments, to ensure \nthat the cyber security aspect, the risk associated with \nimplementing that system, is addressed, and the costs are \nincluded in the cost of that business case coming forward.\n    So they have to look at how to secure the system against \nthe benefits that they are going to achieve for implementing \nthat system to ensure that there is an adequate return on \ninvestment as they go forward.\n    So the business case process does get to your other concern \nabout ensuring that cost is being adequately addressed as they \ngo forward.\n    Mr. Duncan. Well, I just don't want to see us go \nridiculously overboard on the costs, or in any other direction, \nand have to buy new computer systems at hundreds of millions or \neven billions of dollars worth of cost just because somebody \ncomes up with a little better system the next year than we had \nthe year before. I mean, we just can't afford to keep doing \nthat. And then have us read and hear at hearings and read in \nthe paper that systems that some department or agency bought 1 \nyear, as soon as it's taken--as soon as it's put on line, it's \nnot what it was promised to be. So I just hope you will take \nthose considerations--those concerns into consideration.\n    Thank you very much, Mr. Chairman.\n    Chairman Tom Davis. Thank you very much. Let me do a couple \nof followups.\n    The annual scorecard reflects that many of the larger \nagencies have--consistently are poor performers, it may be \nbecause of the complexity of their system. Has OMB identified a \ntrend here?\n    Ms. Evans. We have gone through and looked at the issues \nassociated with the larger agencies. 
I think it does get back \nto some of the other high level issues that have been raised by \nthe committee themselves, which is proper attention from \nmanagement and ensuring that the priorities are established \nwithin the Department to be able to move forward. And a lot of \nit has to do with the leadership aspect of giving the proper \nattention to the program.\n    So the way that we are trying to address that, again, is \nback to the accountability issue, putting the proper tools in \nplace, working with the agencies, but using the President's \nmanagement agenda to hold the cabinet secretaries accountable \nfor their performance in this area.\n    Chairman Tom Davis. And CIOs could be great, but if the \ncabinet secretaries aren't paying attention, or the managers, \nit makes it a lot tougher, doesn't it?\n    Ms. Evans. Right. So we are trying to make sure--the \nadministration is trying to make sure--and is making sure \nthrough the President's management agenda--that the cyber \nsecurity aspect of anything that they do is brought to the \nlevel of the attention of the Deputy Secretary and the \nSecretary, who are responsible for the overall programs of \ntheir department.\n    Chairman Tom Davis. Let me just talk about the \ncertification and accreditation, this C and A process, so to \nspeak. I know that one of OMB's objectives in its plan of \naction is having all the systems C and A'd. But many IGs have \nreported on a very inconsistent quality of agencies' C and A \nprocess. If the number of certified and accredited systems is \nincreased, but there is a question about the quality of the \nprocesses, should we question the value of that information? \nAnd I will ask Mr. Wilshusen to also respond.\n    Ms. Evans. 
Well, I was going to say the shorter answer is \nyes, you should question the quality of that based on the IG's \nfinding; and that gets back to making sure that we provide \nbetter guidance where the agencies are asking for that, and \nworking with the IG community and working with the CIOs as to \nhaving a good credible certification and accreditation program \nso that it does insert the discipline of always constantly \nlooking at the risk.\n    Mr. Wilshusen. And I would agree, you certainly do need to \nquestion those statistics.\n    You know, just looking at what the agencies have reported \nin terms of 77 percent of all the systems have been certified \nand accredited, but one of the key aspects of that is to have a \ntesting contingency plan that you need in order to be certified \nand accredited, and yet the agencies are also reporting that \nonly 57 percent of their systems have testing contingency \nplans. So just that, in and of itself, shows that there is some \nquestion about the reliability of that data.\n    Chairman Tom Davis. We are going to hear Daniel Matthews, \nwho is the DOT's CIO, suggest in his testimony eliminating \ntiming differences between the IG and the agency reports in \norder to create a common point in time for measuring the status \nof an agency's IT security program. I can see the merit of that \nchange; I would appreciate any comments either of you might \nhave on that.\n    Mr. Wilshusen. OK. In terms of having an as-of date, what \nthat would typically allow would allow the IGs to be able to \nperhaps verify the information that the agencies are reporting \non their report cards in their performance measures, if that is \nthe goal of having such an as-of date. Similar to like on the \nfinancial statement report where we have the end of the fiscal \nyear, and then the IGs have another 45 days to make the report \non it. But other than that, you know, I'm not sure what the \nbenefit would be.\n    Chairman Tom Davis. 
All right.\n    Ms. Evans. I was going to say, I concur with that. And we \nare just--we would proceed with caution on an as-of date \nbecause we want to make sure that interaction between the IGs \nand the CIOs for their programs is ongoing, even while they \nare still doing this annual reporting as well. So there is \nnothing wrong with getting an as-of date in order to have \nconsistency for reporting, as long as the other goals are met.\n    Chairman Tom Davis. OK. Thank you very much.\n    Mr. Ruppersberger.\n    Mr. Ruppersberger. I just have one question of you, Ms. \nEvans.\n    The Federal Information Security Management Act extends a \nrequirement from the Paperwork Reduction Act that agencies \ndevelop detailed inventories of their systems, and this seems \nto be a requirement that agencies have a struggle with. One \nofficial from the Department of Energy recently remarked that \nunless that agency overhauls its decentralized structure, poor \nassessments under FISMA were guaranteed for years to come.\n    Do you think that there are ways that FISMA's inventory \nrequirement could be changed to address such concerns, without \ncompromising security?\n    Ms. Evans. That is an issue that we are attempting to \naddress with the change in the scorecard criteria as well. \nChairman Davis brought up the fact that we are saying all \nsystems need to be certified and accredited. At the heart of \nthat requirement is getting to how agencies are identifying \ntheir inventory.\n    What we intend, and the issue that we brought forward to \nthe Interagency Task Force is to get a best practice or lessons \nlearned from the agencies that are scoring really well on how \nthey got a handle on their inventory process, and be able to \napply that out to the agency.\n    If at the end of that task force effort that is not \npossible, then we will look at other alternatives and make \nrecommendations or changes to address the inventory issue.\n    Mr. Ruppersberger. OK. 
And for 2004, three agencies did not \nsubmit independent IG reports to OMB for their annual report. \nCan you explain why agencies are not complying with the IG \nindependent evaluation, and if they're not, what \nrecommendations will you have so that we make sure they do?\n    Mr. Wilshusen. Well, one I think was in the case where \nthey--I think that was from the previous year, when DOD and VA \ndid not submit their report.\n    Mr. Ruppersberger. And that is not an issue now?\n    Mr. Wilshusen. Not as much this year, I don't think.\n    Mr. Ruppersberger. Well, you say not as much though; if \nit's not, let's talk about----\n    Mr. Wilshusen. OK. I'm sorry, right. No, I don't think that \nwas a major issue.\n    Mr. Ruppersberger. For any of the agencies.\n    Mr. Wilshusen. That's correct.\n    Mr. Ruppersberger. OK. That's good news then.\n    Chairman Tom Davis. Anyone else with questions? Anything \nyou would like to add to clarify anything?\n    Ms. Evans. Well, the only thing, sir, I would like to add \nis that we appreciate the focus of the committee on this issue \nbecause, as you know, it is a continuing priority for the \nadministration in that we want to continue to make sure that \ncyber security is at the forefront of everything that we do. \nYou have to have this going forward and manage the risk as we \ncontinue to take more and more information and move more and \nmore--and deploy more and more in technology. So thank you for \nyour oversight.\n    Chairman Tom Davis. And thanks for what you're doing. I'll \njust say, all you need is a bad adverse cyber event and \neverybody is going to be all over this thing and asking the \nquestions that we're asking now, why wasn't this done. And I'm \nnot sure who the fall guy will be, but it ain't gonna be me.\n    And the difficulty in the private sector in many ways are \nahead of us because they always are looking at the downside, \nthey have to look at that. 
In government, many times the \nmanagers will take the risk that it won't happen on my watch, \nand they will go ahead with some of their other priorities; and \nyet we know we're talking so people out there--for their \nreasons are trying to get in. So we appreciate your efforts on \nthis, and the CIO's efforts. I think a lot of this depends on \nhow close our CIOs are working with the agency heads at the end \nof the day.\n    The other thing is, I think ultimately these FISMA report \ncards are going to have to be tied to funding because sometimes \nthat's the only thing people understand, you can preach, you \ncan give them boxes to check, but if you tie it to funding, \nthat really gets their attention, and that may have to be the \nnext step if we continue to see the occurrences we do with some \nof these report cards.\n    We're going to hear from some very good CIOs in the next \npanel that have just very difficult jobs. These are difficult \njobs in some of these agencies where you are putting a lot of \ntheir elements together, some of them that have been not \nworking well for a long time, but we'll get to that.\n    Anything you want to add?\n    Mr. Wilshusen. Right. And I would just like to also express \nmy appreciation for these oversight hearings because this \ncertainly does help to hold the agencies accountable for \nimplementing information security, and also with light comes \nheat, and heat usually brings action. And hopefully the \nincrease of attention that this committee brings will help to \nimprove that as well----\n    Chairman Tom Davis. And a lot of times we're just \noversight; in this case we have jurisdiction as well. The FISMA \ncame out of this committee. We do share oversight \nresponsibilities with the Commerce Committee and with the \nHomeland Security Committee on which I serve. And that's good, \nI think we want everybody looking at this. 
I want to see more \nfocus on this from more committees and more questions answered, \nthat's what gets agency heads' attention.\n    But Ms. Evans, we appreciate your efforts on this. \nSometimes you're the voice out there in the wilderness crying, \nbut I know you have--your bosses are behind what you're doing \nand everything as well, and we want to make sure you have the \ntools to get the job done.\n    Thank you very much. We will take about a 2-minute recess \nand set up for the next panel.\n    [Recess.]\n    Chairman Tom Davis. We are now going to move to our second \npanel, and it is a distinguished panel indeed. We appreciate \nhaving everybody back. Mr. Wilshusen, who is here to stay on to \nanswer questions but doesn't need to be sworn in again. We have \nBruce Crandlemire, who is the Assistant Inspector General for \nAudit, U.S. Agency for International Development. John \nStreufert, the Acting Chief Information Officer of the U.S. \nAgency for International Development. Mr. Frank Deffer, who is \nthe Assistant Inspector General for Information Technology, \nDepartment of Homeland Security. Steve Cooper, no stranger to \nthis committee, the Chief Information Officer, Department of \nHomeland Security. Ted Alves, the Assistant Inspector General \nfor IT and Financial Management, Department of Transportation. \nDaniel Matthews, the Chief Information Officer, Department of \nTransportation.\n    It is our policy that we swear all the witnesses in, so if \nyou could just rise and raise your right hands. Can we identify \nthe folks in the back who will be answering questions, too?\n    Mr. Wilshusen. Ms. Melinda Dempsey, USAID. Mark Norman, who \nis the Audit Manager who has all the detail knowledge.\n    Chairman Tom Davis. Great. Thank you.\n    Mr. Crandlemire. Phil Heneghan, the Information Systems \nSecurity Officer, USAID.\n    Mr. Deffer. Edward Coleman, my Security Director.\n    Chairman Tom Davis. Excellent.\n    Mr. Alves. 
Rebecca Leng, Deputy Assistant Director.\n    Mr. Matthews. This is Ed Densmore, Director of IT Security, \nDepartment of Transportation, and Dr. Dan Mehan who is the CIO \nof the Federal Aviation.\n    Chairman Tom Davis. You have enough help there, don't you?\n    And how about in the back? I just need to make sure the \nclerk gets everybody down for the record.\n    OK. Thank you.\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you all very much for being here. \nWe've got a 5-minute rule we try to follow. The goal is to get \nout of here about noon, so it will be 5 minutes apiece. So that \nleaves us time for questions and we'll be fine.\n    Your entire statement is in the record, so it will be based \non that.\n    Mr. Crandlemire, we will start with you, and thank you for \nbeing with us today.\n\nSTATEMENTS OF BRUCE N. CRANDLEMIRE, ASSISTANT INSPECTOR GENERAL \n  FOR AUDIT, U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT; JOHN \n STREUFERT, ACTING CHIEF INFORMATION OFFICER, U.S. AGENCY FOR \n INTERNATIONAL DEVELOPMENT, ACCOMPANIED BY MARK NORMAN, USAID \n  OIG; MELINDA DEMPSEY, USAID OIG; PHILIP M. HENEGHAN, USAID; \n   FRANK DEFFER, ASSISTANT INSPECTOR GENERAL FOR INFORMATION \nTECHNOLOGY, U.S. DEPARTMENT OF HOMELAND SECURITY; STEVE COOPER, \n    CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF HOMELAND \nSECURITY, ACCOMPANIED BY EDWARD G. COLEMAN, DHS OIG; TED ALVES, \n ASSISTANT INSPECTOR GENERAL FOR IT AND FINANCIAL MANAGEMENT, \n   U.S. DEPARTMENT OF TRANSPORTATION; DANIEL MATTHEWS, CHIEF \n    INFORMATION OFFICER, U.S. DEPARTMENT OF TRANSPORTATION, \n  ACCOMPANIED BY REBECCA LENG, DOT OIG; ED DENSMORE, DOT OIG; \nNATE CUSTER, DOT OIG; VICKI LORD, DOT OCIO; AND DR. DAN MEHAN, \n                            CIO, FAA\n\n               STATEMENT OF BRUCE N. CRANDLEMIRE\n\n    Mr. Crandlemire. Thank you, Mr. Chairman, and other \ncommittee members, for the opportunity to provide testimony for \nthe U.S. 
Agency for International Development's compliance with \nFISMA. As you requested, my testimony will focus on the state \nof information security at USAID and the methodology \nwe used to perform our audit in 2004. In addition, I will \ndiscuss the need for a standardized FISMA auditing framework and \npossibly what guidance would be needed for agencies to fully \ncomply with FISMA.\n    USAID has made many positive strides over the last several \nyears in addressing information security weaknesses. In \nparticular, USAID has made several improvements in response to \naudits performed by my office and in turn substantially \nimproved its computer security program.\n    In 1997, the Office of Inspector General identified \ninformation security as a material weakness at USAID; USAID \ninformation technology officials agreed with our conclusion and \nincluded it in USAID's annual report as required by FMFIA. At \nthat time, USAID did not have an organizational structure that \nclearly delegated information security responsibilities, \npolicies that provided for an effective information security \nprogram, or key management processes to ensure that security \nrequirements were met. These material weaknesses remained \noutstanding for several years until fiscal year 2004, when \nUSAID concluded, and we agreed, that information security was \nno longer a material weakness at the agency.\n    In the recent 2 years, the most significant changes are an \nappointment of an information security officer and the \nimplementation of a centralized information security framework. 
\nUnder this framework, USAID centrally manages its Windows 2000 \ndomain servers, firewalls, and virus scan software for most of \nUSAID's networks; instituted a process to assess information \nsystem security for the purchase of capital assets; and is \ncontinually updating its information security policies and \nprocedures.\n    The agency has also identified several technological \nchanges to improve its computer security. For example, they \ndeployed Windows 2000, which has allowed the agency to lock \ndown and configure security settings and incorporate many \nsecurity improvements in comparison with Windows 98. They have \ninstalled operating network sensors to detect unauthorized \nattempts to access our network. They run daily scans of its \nworldwide network to proactively identify potential \nvulnerabilities. They have also implemented a tips of the day \nprogram, which is an automated security awareness program that \nprovides reminders to all system network users each day as a \nprerequisite to sign into the network.\n    Through these systemwide information technology and network \nchanges, information security and information security \nawareness at USAID locations around the world have been \nsignificantly increased.\n    Although USAID has made substantial progress in improving \nsecurity, information security weaknesses still remain. As \nreported in our 2004 FISMA audit report, the agency had not \ndeveloped a disaster recovery program for its three major \nsystems and had not tested the disaster recovery programs in \ntwo other systems.\n    The OIG methodology for assessing USAID information \nsecurity under FISMA was to conduct an audit as opposed to an \nevaluation. For fiscal year 2004, our audit field work was \nconducted from August 19th to October 6th and involved over 600 \nhours. In addition, as part of our financial statement audit, \nwe incorporated about 2,800 staff hours as part of our general \ncontrol work. 
This work complemented our FISMA work.\n    To perform the audit, we interviewed USAID officials to \ndiscuss their answers to the OMB questionnaire, and then we \ntested the support for the answers. For each of USAID's 49 \nanswers to the questionnaire, we determined whether the \nagency's answer was supported by source documentation.\n    I am going to move now to the need for an Inspector General \nauditing framework for information security. In our opinion, \nsince the OIG input to the FISMA process is used to upgrade \nsecurity among civilian agencies, there is an implicit \nassumption that there must be a defined common set of \nattributes to facilitate meaningful comparisons of independent \nevaluation or audits performed by each IG.\n    Further, the establishment of these attributes or common \nsecurity auditing framework should be developed on a \ncollaborative basis among the IG community, OMB, and the \nGovernment Accountability Office. This framework also should \naddress the resources needed to carry out the development and \nimplementation of the framework along with congressional \nsupport for such an initiative.\n    I have just a couple comments on the existing process. I \nthink the agencies and the IGs need more time to prepare or \nmore time to respond to the annual FISMA questionnaire. Since \n2002, the time between the issuance of the guidance until the \ntime we actually start--we actually have to report in has \ngotten less. In 2002, it was 76 days, and this last year it was \nonly 44 days. We need more time so we can more efficiently use \nour audit resources.\n    That concludes my statement.\n    [The prepared statement of Mr. Crandlemire follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.051\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. 
Streufert, thanks for being with us.\n\n                  STATEMENT OF JOHN STREUFERT\n\n    Mr. Streufert. Thank you, Mr. Chairman, and members of the \ncommittee. I want to thank you for the opportunity to testify \non the status of our FISMA implementation and our security \nprogram. We submitted detailed information in response to your \nquestions. What I would like to do in my oral remarks is \naddress the 10 reasons that helped us improve our IT scores \nduring the past period.\n    No. 10, our industry partnerships. USAID has teamed with \nindustry both in services and in our tools to increase \nperformance. There has been a commitment to continuous \nimprovement that has now spread over a 2-year period.\n    No. 9, managing risk. Our agency information system \nsecurity officer defined risk as critical. We want to be \ncompliant with the rules but make sure that compliance does not \novershadow our responsibility to attend to threats and impact \non our business results.\n    No. 8, central administration. USAID IT security sensitive \nsettings have been drawn from 80 countries and 20 time zones to \nbe administered centrally at AID headquarters. This would not \nhave happened without executive support at all levels. We have \none organization and one approach when it comes to security.\n    Continuous awareness. As Bruce mentioned, we have a product \ncalled tips of the day implemented worldwide where 135,000 \ninstances of training and awareness came into effect. Our \nawareness also includes the followup on every action item we \nhave of a finding of a security improvement.\n    Item 6, rules of behavior. The agency has defined that the \nuse of the network and our systems is a privilege and not a \nright. 
Though our employees have overwhelmingly supported IT \nsecurity for the imperative it is, a handful of employees who \nhave violated IT rules of behavior have been submitted for \ndisciplinary action and, where warranted, recommended for \nremoval for the reasons of that improper conduct.\n    Continuous measurement. USAID has 15,000 devices connected \nto it worldwide, 5,000 software tools and packages, 8 major \napplications and 3 what we call general support systems against \nwhich our disciplines are applied. These devices are centrally \nchecked worldwide 10 times a month for among 33,000 possible IT \nsecurity weaknesses using the same tool that protects worldwide \ninternational credit card transactions. We felt that the most \nsophisticated tool was in fact important for our purposes.\n    Management accountability, to refer to an item one of the \nmembers drew attention to. We give the boss of our 90 technical \nmanagers worldwide a grade of A to F once a month, because it \nis their business at risk in addition to ours collectively. \nRegions and bureaus who represent these 90 technical managers \nand their bosses receive grades A through F for all their \nreporting units, which has created a competition for \nexcellence. Our managers have performed this work in harm's \nway, Afghanistan, Iraq, and other hardship posts, and among \noperating environments where power and other circumstances such \nas interrupted telecommunication lines have made it difficult. \nNotwithstanding these difficulties and including setting up for \ntsunami relief, we have been able to implement a security \nprogram and found significant benefits for it.\n    Item No. 3, correlation of threats. 
We have found it \nessential to install sensors throughout our networks to capture \nthose critical events and submit them to a statistical \ncorrelation so that we may find whether systematic attacks in \nfact are occurring which otherwise would be hidden from visual \ninspection.\n    Item No. 2, continuous audit review. We have forged over \nthe past 7 years a partnership with our Inspector General who \nhas in fact audited every significant IT initiative of our \norganization for the past 7 years. We have come to learn that \nthe harshest criticism from our auditors and others, GAO and \nexternally, is a source for building on strength, and we have \nchosen to respond to those items of improvement in just that \nway.\n    Last and perhaps most importantly, our Administrator Andrew \nNatsios defined IT security as critical to success of the \nagency. He has defined the need to improve management systems \nacross the board, and information technology was one of those \nareas of improvement. In each of the cases where a critical \nissue was facing the agency in the area of IT security, when we \ncarried it forward to him we received his full support. We \nbelieve the correct decisions were made, which in fact has been \ncritical to the success of our organization and our security \neffort.\n    Thank you very much.\n    [The prepared statement of Mr. Streufert follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.056\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Deffer.\n\n                   STATEMENT OF FRANK DEFFER\n\n    Mr. Deffer. Thank you, Mr. 
Chairman, and members of the \ncommittee, for the opportunity to be here today to discuss the \nstatus of FISMA implementation in the Department of Homeland \nSecurity.\n    Mr. Chairman, I would note at the outset that we in the \nInspector General's office have developed an effective working \nrelationship with the DHS CIO and his staff in order to \nfacilitate FISMA compliance at DHS.\n    As we reported last year, DHS has made significant progress \nin developing and implementing its information security program \nat the headquarters level. For example, DHS developed the \nnecessary plans such as the information security program \nmanagement plan to provide the foundation for an agencywide \nprogram. Based on our review of those plans, DHS has \nestablished an adequate structure, blueprint, and process to \nimplement and manage its program. Also, the Department has \ndeveloped an adequate process to report security weaknesses in \nits plan of action and milestones, or POA&M, and has adopted an \nenterprise management tool, trusted agent FISMA, to collect and \ntrack data related to all POA&M activities.\n    Even with these efforts, however, there are a number of \nfactors that are hindering further progress. Specifically, one \nof the impediments to implementing DHS's program is that the \nCIO is not a member of the department's senior management team. \nTherefore, the CIO does not have the authority to strategically \nmanage agencywide IT programs, systems, or investments. \nFurthermore, there is no formal reporting relationship between \nthe DHS CIO and the component CIOs or between the DHS CISO and \nthe department security managers.\n    Also, DHS does not have an accurate and complete system \ninventory. An initial attempt at developing an inventory in \n2003 did not provide an accurate picture of DHS's information \nsystems. 
In September 2004, DHS began a second effort using an \noutside contractor to establish a system inventory.\n    Finally, while DHS has developed an adequate process to \nreport security weaknesses in its POA&M, DHS components have \nnot established verification processes to ensure that all IT \nsecurity weaknesses are included. Overall, DHS is on the right \ntrack to create and maintain an effective program. However, the \nDepartment and its components still have much work to do to \nbecome fully FISMA compliant.\n    Mr. Chairman, as you know, annual information security \nevaluations began 4 years ago with the Government Information \nSecurity Reform Act [GISRA]. And I would say that, after being \ninvolved in four of these efforts, two at the State Department \nOIG, and using a different approach each time, it is becoming \nclear that a more standard approach is needed, perhaps similar \nto that used in financial audits. This standard framework would \nensure--help ensure that all IGs review and report on the same \ninformation across all agencies. Currently, each IG performs \nits FISMA evaluation based on its interpretation of FISMA and \nOMB guidance. A standard audit framework should allow OMB and \nCongress to more effectively and objectively determine the \nstatus of information security across the entire Federal \nGovernment.\n    Finally, let me say a few words about what additional \nguidance or procedures are needed to help improve FISMA \ncompliance. OMB issues annual guidance to agencies and IGs to \npromote consistent reporting across government and to ensure \nthat agencies comply with FISMA. But this guidance needs to be \nclearer. For example, organizational components in DHS have \nstruggled with the definition of a system for FISMA reporting. \nThis has hindered DHS's ability to develop a reliable \ninventory.\n    Another area of concern is how security of systems is \nmeasured by the FISMA metrics. 
OMB asks the agencies and IGs \nfor the number of systems that have been reviewed, certified, \nand accredited, but treats all systems the same. That is, \nsystems are not differentiated between routine or mission \ncritical. For example, an agency may have certified and \naccredited 80 percent of its systems, but it could still be \nseriously at risk if its mission critical systems are those \nthat have not been certified and accredited.\n    Mr. Chairman, this concludes my prepared statement. I \nappreciate your time and attention, and welcome any questions \nfrom you or members of the committee.\n    [The prepared statement of Mr. Deffer follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.064\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Cooper, I understand that you announced today, at least \nfrom reading the trade press, that you are leaving your post.\n    Mr. Cooper. I did.\n    Chairman Tom Davis. I just want to say--well, I hope this \nisn't your last time before the committee; we may bring you \nback as a consultant, but we appreciate the job that you have \ndone.\n    Mr. Cooper. Thank you.\n    Chairman Tom Davis. You have been steadfast in coming \nbefore us and offering your ideas, and we consider you a \nvaluable asset to the committee. Thanks for being with us.\n\n                   STATEMENT OF STEVE COOPER\n\n    Mr. Cooper. Thank you, Mr. Chairman, and members of the \ncommittee. 
It is my pleasure to appear before the committee \nagain, and I wish to thank the chairman and the members for \nproviding me the opportunity to update you on our efforts and \nprogress in integrating and securing information systems within \nthe Department of Homeland Security.\n    I would like to begin by acknowledging the important role \nthat our Inspector General plays in the Department. We have \nestablished an extremely effective and collaborative \npartnership with our Inspector General, and especially with \nrespect to the development and operations of information \ntechnologies and support of the critical missions of the \nDepartment. The IG has been an important and independent voice \nas the Department formulates a strategy for building a robust \nand effective information security program.\n    Mr. Deffer has provided what I believe to be an accurate \nand detailed assessment of our progress to date and rather than \nrepeat what has been already said I would like to focus my \nremarks on the future.\n    The DHS Information Security Program is structured around \ncompliance with FISMA as well as OMB and NIST guidance. I want \nto stress that we are not proud of our failing grade. We have \ndone much, and much needs to be done. Specifically, we have \nimplemented and continue to implement a number of security \nperformance metrics to address the issues represented by the \nFISMA grade.\n    I fully understand that the success of the Department is \ndependent upon our ability to protect sensitive information \nused to secure the homeland, and to this end, the Department's \nInformation Security Program has been designed to provide a \nsecure and trusted computing environment based upon sound risk \nmanagement principles and program planning. 
The development of \na formal trust model within this program will eliminate \ninstitutional barriers that regularly divide organizations and \nwill enable disparate agencies to more effectively share \ninformation within this common trusted framework. We have \nimplemented a digital dashboard that provides us for the first \ntime with the status of security performance based upon \ncomputed FISMA metrics, and we have implemented a security \nperformance scorecard.\n    Three key Information Security Program initiatives under \nway for over a year now are beginning to provide tangible \nresults. As these three efforts converge, together they will \npave the way for real and measurable security improvements in \nthe near future. These include, first, completing a \ncomprehensive baseline inventory for defining accreditation \nboundaries and assigning responsibilities for security controls \nfor appropriate program officials throughout the Department; \nsecond, fielding a robust set of automated enterprise security \nmanagement tools to optimize our security processes; and, \nthird, implementing a comprehensive and repeatable set of \nmetrics for holding program officials accountable.\n    The baseline systems inventory project now under way has \nalready identified a significant number of legacy systems that \nwere not previously identified in our initial systems inventory \nthat we did during the standup of the Department. At one of the \norganizational elements, this most recent system inventory \nproject has now identified 106 information systems programs \ncompared to the 5 that were previously identified at standup.\n    In response to this legacy issue, the Department is \ndeveloping a comprehensive remediation plan for completing all \nthe required certification and accreditations by the end of \nfiscal year 2006. 
Related to these actions, we have implemented \na department plan of action and milestones process and an \nenterprise system to manage that plan of action. Evidence that \nDHS is successfully institutionalizing this process is \ndemonstrated by the fact that our initial fiscal year 2003 \nprogram and milestones contained less than 100 line items, \nmeaning task activities that we identified that we needed to \ndo, while our current plan now contains several thousand line \nitems and activities.\n    Furthermore, we have implemented a certification and \naccreditation tool that will ensure C&A quality and map that \ncertification and accreditation testing to our established \npolicies. The C&A and remediation plan will include a \nprioritized list of systems to be certified based upon the \nsystem's security impact level, which means the systems with \nhigher security impact levels will be the first systems that we \nwill accredit if not already accredited. This remediation plan \nwill identify a variety of funding alternatives for completing \nall certifications and accreditations, and our new automated \nsecurity management tools are already designed to streamline \nthis process. Use of this tool has now been mandated for all \nactivity initiated after April 10th.\n    This aggressive remediation effort will provide a sound \nbaseline of secure systems with appropriate controls in place. \nHowever, we must continue to improve our security posture \nthroughout the life cycle of each and every system or \napplication in use in the Department. For this reason, we are \ncontinuing to refine the program so that we will remain \nrelevant for the future. 
Program enhancements currently under \nway include developing a communications plan for our \ninformation security program, to include a Web-based \ninformation security portal that will improve the availability \nof information security data to all DHS employees, including \nthose who do not have access to DHS Online; and, publishing an \nupdated Information Security Program strategic plan outlining a \nrevised vision for the future of the program based on lessons \nlearned over the past 2 years.\n    Finally, to sustain a viable and healthy information \nsystems program and security program, I know that we must have \nstrong support throughout the Department. Through the DHS Chief \nInformation Officers' Council, I will work with each member to \nensure that we not only continue to improve our security \nposture through periodic program reviews, but that we also \nimplement new and improved measures wherever appropriate.\n    Thank you, and I look forward to your questions.\n    [The prepared statement of Mr. Cooper follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.072\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Alves.\n\n                     STATEMENT OF TED ALVES\n\n    Mr. Alves. Thank you. Thank you, Mr. Chairman, and members \nof the committee for the opportunity to testify on the progress \nthe Department of Transportation has made and the challenges it \nfaces implementing FISMA.\n    This committee has been a driving force behind improvements \nmade over the last several years in protecting Federal \ninformation and information systems. I also want to take this \nopportunity to compliment OMB, NIST, and GAO for the leadership \nroles they have played in this effort.\n    With an annual IT budget of about $2.7 billion, the \nTransportation Department maintains over 480 systems to carry \nout the Department's mission. 
For example, the Department \noperates financial systems that process over $35 billion in \ngrants to States and local governments, and the Federal \nAviation Administration relies on about 100 systems to provide \nsafe and efficient air traffic control 24 hours a day.\n    As you requested, I will discuss the progress \nTransportation has made and the challenges it faces to \nstrengthen information security practices, the need for a \nframework to guide Inspector General FISMA audits, and the \napproach we take to audit computer security issues.\n    The commitment to improve information security begins at \nthe top, and we attribute much of the Department's progress \nover the last 2 years to the support provided by Secretary \nMineta. In early 2003, the Secretary appointed a Chief \nInformation Officer and significantly strengthened his roles \nand responsibilities. Since then, the CIO has played a much \nmore prominent role in managing IT issues in all DOT component \nagencies.\n    Key improvements the Department has made include the \nfollowing four areas. First, the CIO invigorated the Investment \nReview Board, which now considers security issues when \nreviewing the major systems.\n    Second, the Department enhanced its ability to protect \nsystems from internal and external attacks by, among other \nthings, establishing an incident response center to prevent, \ndetect, and analyze intrusions from the Internet.\n    Third, the Department increased the number of certified and \naccredited systems from 33 percent to over 90 percent by \ndedicating resources to do the reviews and by closely \nmonitoring progress.\n    And fourth, the Department significantly strengthened \nbackground checks on contractor personnel.\n    Notwithstanding this progress, DOT still faces challenges \nto secure its systems. These include: The Department needs to \nenhance security over air traffic control systems. 
We have \nreported that security deficiencies affect en route computer \nsystems which control high altitude traffic. Because the issues \nare sensitive, we can only cover two issues today.\n    First, FAA certified that en route systems were secure, but \nthe review was limited to a developmental system. FAA has \nagreed to review operational systems deployed at the 20 en \nroute centers.\n    Second, FAA agreed to identify a contingency plan to \nrestore air service in the event of a prolonged en route center \ndisruption.\n    We recently expressed concern about FAA's progress \ncorrecting these deficiencies to the FAA Administrator, the \nOffice of the Secretary, and the CIO, and we are working \nclosely with those officials to ensure continued progress.\n    The Department needs to improve the security certification \nprocess. We also found some deficiencies in the quality of \ncertification reviews, including inadequate risk assessments, \nlack of evidence that tests had been performed, and in one case \na test item failed when we retested it. The Department also \nneeds to continue its focus on emerging threats.\n    The fact that you raised the question of whether a \nframework is needed to help standardize IG FISMA reports \nsuggests that the current framework does not fully meet \noversight requirements. This issue is being addressed by the \nPresident's Council on Integrity and Efficiency, a group of \nPresidentially appointed IGs, but they have not yet reached a \nconsensus. We think a broader discussion involving the key \nplayers, congressional staff, OMB, GAO, and the IG community \ncould help forge a consensus among all interested parties. 
The \nIG community would benefit from better understanding how our \nFISMA reports are used by oversight organizations; oversight \norganizations would benefit from understanding the challenges \nthe IG community faces addressing computer security issues at \nagencies with very different system risks and missions.\n    Regarding our approach to meet FISMA requirements, each \nyear we do detailed tests on a subset of systems to answer \nOMB's specific questions such as the number of systems with \ncontingency plans. We also perform computer security audits \nfocused on specific systems of security issues. We use all of \nthis work to reach conclusions about the status of DOT's \nInformation Security Program when preparing our annual FISMA \nreport.\n    Mr. Chairman, this concludes my oral testimony. I would be \nhappy to answer any questions.\n    [The prepared statement of Mr. Alves follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.075\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Matthews, last but not least here.\n\n                  STATEMENT OF DANIEL MATTHEWS\n\n    Mr. Matthews. Thank you, Mr. Chairman, and members of the \ncommittee. 
I thank you for the opportunity to appear here today \nto discuss the Department of Transportation's implementation of \nthe Federal Information Security Management Act of 2002 \n[FISMA].\n    I serve as the Department's CIO, and I also currently serve \nas the vice chair of the CIO Council. The DOT Office of the \nChief Information Officer has operational responsibility for \nthe departmental network and communications infrastructure as \nwell as providing shared services for the Office of the \nSecretary and the operating administrations currently engaged \nin the Department's information technology services \nconsolidation.\n    FISMA compliance at DOT is moving from the intensity of the \npast year's implementation activities to a more operational \nmode. Our system inventory is mature, our certification and \naccreditation methodology is defined, and we have begun \noversight of the remediation of weaknesses identified over the \ncourse of the last 2 years. Additionally, we have been in the \nprocess of making assessments of the Department's ongoing \nsecurity posture. Securing the IT assets of the Department of \nTransportation is a critical responsibility that falls to the \nCIO's office.\n    In striving to secure those assets, many people from \nvarious areas must pull together. The strides the Department \nhas made over the past year occurred in large measure because \nof the support of Secretary Norman Y. Mineta. His leadership \nand guidance combined with each and every modal administrator's \ncommitment are critical to the Department's success.\n    We are pleased to have achieved an A-minus rating on the \nFISMA scorecard, and we note that DOT relied on teamwork across \nthe agency, the establishment, refinement, and validation of \nour system inventory, good communications, comprehensive \ntraining, and the support of the Inspector General throughout \nthe year. This last point is critical. 
With our Inspector \nGeneral, who is engaged, involved, and informed throughout the \nprocess, DOT makes sure that it approaches FISMA requirements \nappropriately and the end products and results are supportable.\n    The teamwork for FISMA compliance was established through \nthe acceptance of a single departmentwide methodology in lieu \nof individual approaches established by each operating \nadministration. That methodology allowed us to focus and work \ncollectively on a single plan in which all participants had \nconfidence. This gave us the benefit of synergy, an end greater \nthan the sum of its individual parts.\n    If we endeavor to proceed using agency unique approaches, \nsome agencies may have been successful and some may have \nfaltered. With the support of an industry-recognized security \nsubject matter expert from Titan Corp., along with agencywide \nbuy-in and acceptance, DOT was able to reduce overall \ncertification and accreditation schedules, manpower \nrequirements and costs. More importantly, DOT was able to \nensure accuracy, consistency, and completeness of each \naccreditation package.\n    The strides made over the last year to comply with FISMA \nrequirements were impressive. DOT has accredited over 90 \npercent of all operational IT systems, established a program to \nensure security as part of every system's development life \ncycle, significantly reduced vulnerabilities of public facing \nsystems, and improved training and communications at all levels \nof the organization.\n    Moving forward, DOT is using metrics to gauge FISMA's \nimplementation and compliance throughout the Department. This \npoint is important. DOT recognizes that plans of actions and \nmilestones, POA&Ms, are established from the certification and \naccreditation process required by FISMA and are reviewed by the \nInspector General. 
DOT uses these POA&Ms as a mechanism to \nensure we mitigate the risks and remediate vulnerabilities \nidentified during the C&A process knowing full well that the \nactions taken prescribed in the POA&M will specifically improve \nDOT's overall security posture.\n    To address the steps DOT is taking to further strengthen IT \nsecurity, we are coordinating and cooperating with DHS on cyber \nexercises, we are addressing the critical need for enterprise-\nwide vulnerability management, we are implementing baseline \nsecurity configuration standards for critical software, and we \nare consolidating IT services.\n    More needs to be done. The FAA's National Air Space System \nis part of the national critical infrastructure program. I am \nworking directly with the FAA senior leadership and the \nInspector General to ensure FAA secures and protects the \nimportant NAS systems and telecommunications infrastructure. \nEnsuring the FAA constructs are measurable plans of actions in \nconjunction with its POA&Ms, audit reports, and IG findings, \nwith follow through to complete its commitments is fundamental \nto DOT's ability to maintain current FISMA scorecard ratings.\n    I have included in my statement some specific observations \nand suggestions for creation of an ``as of date'' and believe \nthat existing FISMA guidance is adequate but have some \nadditional comments. I look forward to answering your \nquestions. And, again, I thank you for this opportunity.\n    [The prepared statement of Mr. Matthews follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T0562.100\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.101\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.102\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.103\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.104\n    \n    [GRAPHIC] [TIFF OMITTED] T0562.105\n    \n    Chairman Tom Davis. 
Thank you very much.\n    I think a recurrent theme both with DOT and USAID is that \nyou are getting support at the top, that this comes--it is not \njust generated from the CIO, it is top down, it is holding \npeople accountable. Great stories. I hope we can learn from \nthat.\n    Mr. Cooper, let me start with you because your department \nis great but it is down. I don't hold you accountable. You are \none of the best CIOs in the business, and we are sorry to see \nyou going. But I wonder if we could talk about, you also, as \nyou could see from some of the early comments from our members, \nthe area everybody wants to focus on. Homeland security is a \nhot topic. It is an area where the systems need to be up. It is \na very difficult job given the type of systems you inherited \nwhen we merged the departments. I think we can--that is a \ngiven; this was a very, very, very tough job. But we are a long \nway from where we need to be. We are seeing improvement, and I \nappreciate your opening statement.\n    What are the major obstacles you would put together that \nHomeland Security faces uniquely versus some of the other \nagencies that make it so difficult?\n    Mr. Cooper. OK. Let me try to answer that question \ndirectly, very specifically and very candidly.\n    Chairman Tom Davis. This is the last bite I get at you.\n    Mr. Cooper. No, that is all right. I am happy to come back. \nAnd let me also try to put it within the context of the FISMA \nscorecard, because I think this will be extremely helpful, I \nhope, to the committee as well as to members of the audience \nand interested parties and my colleagues.\n    The first thing that we face as the Department of Homeland \nSecurity is the fact that we have inherited a huge amount from \nour legacy environments. Now, that translates to the inventory \nin the FISMA scorecard. This is not a defense. We are not where \nwe need to be. 
But the scoring in the scorecard, we get minus \n10 points against our total score until we can actually certify \nthat we have inventoried 95 percent of the systems and \napplications that are in the Department. And here's what we're \nlearning and here's what we found. Meaning no disrespect to my \ncolleagues on the panel, DOT has identified 480, I think Dan \nsaid 480 significant applications or the ones that they have \nidentified and accredited. And, again, no offense to AID, but I \nthink you guys have nine. We have over 3,600.\n    So there's a simple fact, it's a numbers game. All right? \nWe move from 34 percent of that initial 3,600 to 68 percent. \nNow, the scorecard doesn't reflect the progress. 68 percent I \nadmit is still a failing grade. But we know what we need to do, \nwe are working with our IG, we have demonstrated that our \ncertification and accreditation process is sound. We need to \nstay the course and apply it. We have committed to completing \n100 percent certification and accreditation by fiscal year \n2006.\n    Another major area. Configuration management addresses the \ndifferent parts and pieces in the FISMA scorecard. Now, what \nthat translates to is how many different operating systems or \nplatforms or environments does the Department have? We have \neverything that's listed in the scorecard. But I--and I am the \none that can be held accountable. I made a tactical and \nconscious decision that we were not going to put significant \neffort into the configuration management aspect of all of the \nlisted platforms for the following reason: We are also \nundergoing a major IT infrastructure transformation program. We \nare consolidating those operating platforms and the operating \nsystems and the associated applications, and we are eliminating \nsome of those. 
Therefore, I made a decision that said don't put \nany energy into publishing guidelines within the Department in \nour Information Security Program around configuration \nmanagement for those platforms and operating systems that we \nare going to retire. I am the person, I am accountable. But it \nreflects in our score because we then don't--we legitimately \ndon't have anything in that area.\n    Another thing, final thing we did very quickly. The \ntraining of all DHS employees in information assurance and \ninformation security management is an extremely high value \nactivity. It scores very few points on the scorecard. But we \nconsciously made a decision, again. We have trained almost 100 \npercent of all of our employees across the Department. That's \n180,000 people, and we accomplished that in the past 2 fiscal \nyears.\n    So those are very specific examples in the framework of the \nscorecard that I think help reveal some of the complexities \nthat we're facing but also significant progress.\n    Chairman Tom Davis. What are the most difficult parts of \nall the disparate systems that you have? You know, what are the \nmost dysfunctional or most vulnerable areas that you have at \nDHS?\n    Mr. Cooper. That's a tough question in that I'm not sure I \nwant to put any parts of the Department on the spot.\n    Chairman Tom Davis. Well, but you inherited legacy systems \nand some of these. Like we know, the old INS system just wasn't \nworking. Now, we've got new--I mean, this is something that \nthis committee has talked about and everything else. I am not \ntrying to go out to tell terrorists where we are vulnerable or \nsomething. But within those confines you have some old legacy \nsystems that you haven't been able to move forward on as \nquickly as others and stuff like that. Give me a priority list, \nin other words.\n    Mr. Cooper. OK. I'm going to share at least the part that \nwe've identified.\n    Chairman Tom Davis. You're leaving now. 
I can't do \nanything.\n    Mr. Cooper. That's true.\n    Chairman Tom Davis. You are under oath, too.\n    Mr. Cooper. They can fire me early, I guess.\n    Chairman Tom Davis. But we will hire you. We will pick you \nup if you need it.\n    Mr. Cooper. Here's what we found. And, again, please \nunderstand, I offer this in a very constructive way. It's not \nmeant to be critical.\n    Chairman Tom Davis. Absolutely.\n    Mr. Cooper. One of the areas that we have found a little \nbit more challenged is in some of the legacy INS, Immigration \nand Naturalization Services, and Citizenship and Immigration \nServices, as those two entities exist now. But in fact those \nwere more or less, I won't say truly combined, but they were \nall under the auspices of an organizational structure inside \nthe Department of Justice that pretty much operated from the \nsame or similar platforms. Now, we have broken them apart, so \nto speak. But in breaking them apart, we actually don't have \nall of the IT infrastructure and skills and personnel and \neverything fully in place yet.\n    Now, again, plans are in place, we are making good \nprogress, but it remains a challenge because we just don't have \nquite enough of the resources in the timeframe we would like to \nhave to finish a lot of the certification and accreditation, \nsome of the securing activities that we need to do.\n    Our Customs and Border Protection environment has actually \nmade very, very good progress in a lot of areas, and what we \nare doing is drawing upon the positive skills and the positive \nperformance in CBP to now reach over and assist ICE and CIS. So \nwe figured out ways that we can actually leverage where we have \ngood stuff going on and address some of the challenge areas.\n    Chairman Tom Davis. How many incidents--well, we don't \nreally get the level of incident reporting. Am I right? We \ndon't get the incident reporting that we'd like to get that we \nfeel is accurate. 
Is that fair?\n    Mr. Wilshusen. Well, OMB reported that in their 2004 report \non FISMA that they felt that the reporting was sporadic from \nthe different agencies, and they had questions and concerns \nabout that.\n    Chairman Tom Davis. Well, let me just go with each agency \nand ask the CIO or IG or which office; but start with AID. Are \nyou getting a lot of incidents of penetrations every year, and \ndo you test yourself? Do you hire people who come in and try to \npenetrate? That was inarticulate, but I think you understand.\n    Mr. Streufert. We're initiating some internal testing, and \nwe're constantly monitoring for intrusions, and I think that \nthe most constructive part of that is that we are tracking \nprecisely those patterns and trying to assess who's at us. So, \nfrom an internal purpose, we are doing well.\n    Chairman Tom Davis. Is that reported up the food chain in \nterms of who we think is going after you?\n    Mr. Streufert. We make every effort that we possibly can, \nand the comments that we collect internally on this topic are \nsome of the descriptions that come out from elsewhere at \nvarying degrees of descriptions, some general, some specific. \nAnd so we think an area of potential improvement is having a \nmatching of a good taxonomy externally against what we are \nactually seeing, and we think that this will improve over time.\n    Chairman Tom Davis. Let me ask Homeland Security. What are \nyou seeing in that area? I don't want you to give away the \nstore, but----\n    Mr. Cooper. No. First of all, we see hundreds of thousands \nof attempts on an annual basis. We actually identified 214 \nincidents. We reported 100 percent of the 214 both to the IG \nand up through US-CERT that passes over to OMB.\n    Chairman Tom Davis. Do you have a good idea of who the \npeople are that are trying to get in?\n    Mr. Cooper. Yes, we do, partly because of the link into the \nintel environment and everything. So, yes, we do. 
We believe \nthis is an area and it actually is represented in our scorecard \nwhere we are in very good shape.\n    Chairman Tom Davis. And it helps you also target your \nresources when you know who is coming after you. Doesn't it?\n    Mr. Cooper. Absolutely.\n    Chairman Tom Davis. And how about Transportation?\n    Mr. Matthews. Mr. Chairman, last year we had over 3,000 \nincidents and reported them. We do track individuals, Web \nsites, IP addresses that are coming toward the Department as \nwell as other information. We routinely----\n    Chairman Tom Davis. One of them gets through and really \ngets into the system, they could run you amuck. Couldn't they? \nThey could really destroy you?\n    Mr. Matthews. Absolutely, no doubt, if somebody penetrates \nthe shield, indeed they can run amuck. You know, TOPOFF III is \ncurrently going on, and when I'm sitting watching what we're \ndoing in TOPOFF III I'm constantly reminded that if someone did \na concerted effort and went after the communications of the \nFederal Government, its ability to respond could be impacted.\n    Chairman Tom Davis. And it helps. I mean, I think it's \nreassuring to us to know that at least you have a pretty good \nidea of who is after you.\n    Mr. Matthews. Yes.\n    Chairman Tom Davis. And that helps you, doesn't it, in \nterms of where you spend your resources? It may or may not help \nyour report card, but it helps you in terms of where you spend \nyour resources?\n    Mr. Matthews. Absolutely 100 percent. We work hand in glove \nwith the IG to do the forensics and pursue and prosecute those \nindividuals as well.\n    Chairman Tom Davis. Mr. Alves, do you agree with that?\n    Mr. Alves. Yes, I do. The Department of Transportation has \nmade really significant progress in this area over the last \ncouple of years, and whenever there is an intrusion they let us \nknow immediately. We do some of the penetration testing \nourselves.\n    Chairman Tom Davis. 
Some of them are yours.\n    Mr. Alves. To test the system and make sure that it's \nsecure.\n    Chairman Tom Davis. And Mr. Cooper, let me just ask you. \nThe fact that you have an idea in most of these cases, I \ngather, who is coming, allows you to expend resources in those \nareas, maybe to the detriment of other areas but at least it \nallows you to give appropriate prioritization, and that ought \nto give the committee some assurance that you're on top of it.\n    Mr. Cooper. Yes, sir. In this case, we do. And in this \ncase, because of the capability within the Department, we work \nvery closely with our Homeland Security Operations Centers, we \nwork very closely with our Intelligence Analysis and \nInfrastructure Protection Directorate, and actually share. All \nof the key members of my team are cleared to the highest \nlevels, and so we actually use a lot of the classified \ninformation to help us address risks, threats, and \nvulnerabilities.\n    Chairman Tom Davis. OK. You feel--well, we'll have another \nconversation later. But thank you again. My 10 minutes is up.\n    Mr. Ruppersberger.\n    Mr. Ruppersberger. OK. Mr. Deffer, in your testimony you \nmentioned that FISMA does not differentiate between routine or \nmission critical systems.\n    Mr. Deffer. Correct.\n    Mr. Ruppersberger. And you continue to say that the agency \nmight still be at risk if its security, a vast majority of its \nsystems yet is left vulnerable, the most mission critical ones. \nCan you explain how your department has balanced meeting its \nFISMA obligations with protecting its most critical systems?\n    Mr. Deffer. Well, I think the Department has sort of--\nthey've made an effort to get their systems certified and \naccredited. I don't know if they've--Mr. Cooper talked about \nthis, trying to get them on a risk based methodology to certify \nand accredit those systems that are high priority. 
But the \nnumbers don't tell us which systems that have been certified \nand accredited are really that important. We don't know \nwhether--has their network been certified and accredited? I \ndon't know. But, you know, their training management system \nFLETC may have been certified and accredited, and that's a good \nthing, but it's probably not as important as the network or \nother critical applications.\n    Mr. Cooper. If I may kind of clarify. We have made a very \nconscious and deliberate decision to go after our mission \ncritical systems first. So we are taking a risk-based \nprioritization approach to what we accredit.\n    The good news that I can share with the committee is that \nthe 68 percent that are now accredited include almost every one \nof our major mission critical systems, and we are getting to \nsome that doesn't mean they're not important but lesser impact \nor risk by not accrediting them right away. That is the \napproach we're taking.\n    Mr. Ruppersberger. I would like more, a little bit more \nabout the questions that the chairman asked you, and I was \ngoing to ask you more questions but you answered some of them. \nOne of the questions was, when do you expect that the \nDepartment of Homeland Security will come up to where they need \nto be? And you mentioned that your goal was 2006. Do you feel \nthat you are on time for that goal at this point?\n    Mr. Cooper. Yes, we do.\n    Mr. Ruppersberger. And what is it, the end of the year, \nbeginning of the year? Where are we?\n    Mr. Cooper. By the end of fiscal year 2006 we expect to \ncomplete almost 100 percent of those items represented by the \nscorecard. Now, here's what is going to happen though, and we \nwill see whether or not I'm a good prognosticator. \nUnfortunately, the way that we are going at this and the way \nthat the scoring works in the scorecard, I think what we are \ngoing to do is we are going to jump. 
We may indeed be--I'm \nhoping we will get to a D in fiscal year 2005. I am being very \ncandid here. Because we lose 10 points off of our total score \nbecause of this 95 percent requirement for inventory. And we \nwill not complete 95 percent of our full inventory by the end \nof fiscal year 2005. We are going to be very, very close, but I \nam not sure we'll trip it. We are going to basically lose 20 \npoints of our score because of the configuration management \napproach that I explained to you. If you deduct those 30 points \nfrom the score and we do everything else, that's 70, which puts \nus at 70 percent, which may creep us into a D.\n    What I think is going to happen is we are probably going to \nbe, I hope, at a D; and then in 2006, as we complete all this \nstuff, we are going to jump significantly up. So you are going \nto kind of see, unfortunately, not much in the score, and then \nwe will be there.\n    Mr. Ruppersberger. There is no question the Department of \nHomeland Security has a lot of administrative issues that they \nhave to deal with, you know, inheriting all these different \nagencies, you know, pulling them together, the funding issues. \nI mean, it's a very difficult job, as you know, and I \nunderstand that. Do you feel that the system that's being used \nnow and the standards for grading are just more of a \nbureaucratic type of system of holding people accountable based \non Homeland Security and all the issues you have, do you think \nit's fair? And what would you do to change that system based on \nwhere you are now and to get to the end game? Because it's \nnot--the grade is a standard, but bottom line, we want to get \nto where you can provide the best national security for our \ncountry.\n    Mr. Cooper. Exactly. Bob West, who is our Chief Information \nSecurity Officer, and I believe very strongly that the criteria \nare very sound. We have no issue with the criteria. 
Now, Bob \nand I both will grumble to you and complain about the negative \npoints that kind of in this last go-round were assessed, but we \nunderstand them and we'll live with them. What becomes most \nimportant I think is how a department like the Department of \nHomeland Security kind of prioritizes and applies these \ncriteria. And you've heard, I've explained the approach that we \ntook, I've explained a little bit of why. I believe very \nstrongly that if the committee will allow us to stay the \ncourse, and with support of our new Secretary and Deputy \nSecretary, the Department of Homeland Security will indeed \narrive rather quickly, although it may be fiscal year 2006, at \nprecisely where the intent of the committee and the scorecard \nand FISMA represent.\n    Mr. Ruppersberger. Do you feel that you have the money or \nthe resources to deal with the problem.\n    Mr. Deffer. I think applied in a prioritized approach, yes. \nNow any time--again, you know, I may get beaten up, it's OK, \nthe worst they can do is fire me. Any time we have additional \nfunding and resource we can move faster. But we believe that \nwithin the funding and resource that we have, we absolutely are \non track to succeed.\n    Mr. Ruppersberger. I don't know if you can answer the \nquestion--I may go back to Mr. Wilshusen, who is still at the \npanel. I am concerned a little bit about what is happening with \nrespect to Justice, and especially FBI within Justice. We know \nsome of the issues, that FBI is having a hard time in their \ntechnology area. And it seems to me we have other groups--we \ntalked about this in the first panel, I know CIA and NSA are \ndoing very well. And we cannot afford to have our FBI that is \nso important to our national security, especially domestic \nsecurity, not be where they need to be.\n    Can you discuss some of these issues--well, I'm going to \nask you the question basically. 
You said that Immigration was \nunder Justice, and now they also have some issues that you are \ndealing with because they are now under Homeland Security. I'm \nconcerned that we need to really refocus and prioritize in \nthose arenas, especially FBI. You are doing Immigration. But \nhow can, with the problems that the FBI is having, how can we \nnow have a grading system where the Justice Department went \nfrom I think a D or an F to a B+ or B-? Could you explain that?\n    Mr. Deffer. Well, I can offer a couple of thoughts. I'm not \nsure I can actually explain it. But one of the things that \nworks to----\n    Mr. Ruppersberger. And I'm going to ask you to answer this, \ntoo, Mr. Wilshusen.\n    Mr. Deffer. One of the things that works to any \ndepartment's advantage is if you have less things to do and \nless things to accredit and certify, then within the same \nresource base you can accomplish a lot more.\n    Justice lost, if you will, a significant portion of what \nrepresented the legacy systems that weren't accredited at one \npoint in time. We inherited them all. So I think that they----\n    Mr. Ruppersberger. Good news for them, bad news for you, \nright?\n    Mr. Deffer. Exactly. And that's one sense.\n    Now the other thing that I would offer--and again, the \nright person to really talk to is Zal Azmi, who is the CIO at \nthe FBI, an extremely competent professional. Zal and I have \ntalked a couple different times about information assurance, \nsome of the challenges that we are sharing in exchanging \ninformation and working together, our respective agencies.\n    I believe that under Zal they do have the proper talent and \napproach, I can't really speak to the timing.\n    Mr. Ruppersberger. Do you know if they are getting the \nresources to do the job, based on your conversations about it?\n    Mr. Deffer. Zal and I have talked about a number of \nvacancies, key vacancies that Zal is working on to fill. 
I \nthink that as he fills those he will be able to pick up speed.\n    Mr. Ruppersberger. I think that is a very high priority, I \nwould think.\n    Do you want to address that issue, also, Mr. Wilshusen?\n    Mr. Wilshusen. Sure. The key thing in terms of FBI and DOJ \nhaving an increased score this year was basically because of \nwhat they had reported on their FISMA report to OMB and to \nCongress. That score was based upon an analysis of what they \nhad reported.\n    Mr. Ruppersberger. Are you aware of the problems with \nrespect to the FBI?\n    Mr. Wilshusen. I am aware with regard to issues related to \nVCF and Trilogy----\n    Mr. Ruppersberger. Their technology issue.\n    Mr. Wilshusen [continuing]. That they had developed that or \nwere in the process of developing it, and it has since been \nterminated. At least the operational pilots have been \nterminated.\n    Mr. Ruppersberger. Do you feel they have a plan to move \nforward in what needs to be done to be brought up to speed?\n    Mr. Wilshusen. I don't know that because we haven't looked \nat that, but we have received a request to take a look at that.\n    Mr. Ruppersberger. We sure don't want to criticize the FBI. \nWhat we want to do is give the FBI all the resources they need \nto fix this problem. And again it seems to me--and we alluded \nto this in the first panel--when you have systems that work--\nand again, I can say this, I'm on the House Select Intelligence \nCommittee, I know NSA's systems are doing well. We need to make \nsure we pull together, find out what is working and not \nworking, and move forward. If it's a resource problem, we have \nto fix it. If it's a money problem, we have to fix it.\n    My time is up. Thank you for being here today.\n    Chairman Tom Davis. Well, we've kept you a long time. We \nappreciate everything. Anybody want to add anything, add in \nanything they said along the way?\n    I think it has been very helpful to the committee as we \nmove forward. 
I want to just thank every one of you for being \nhere. I want to congratulate both AID and Transportation on \nyour improvements this year. I think you've talked about this \nis really a team effort, it is not the CIO.\n    Mr. Cooper, thank you. It has been a good explanation for \nus. We wish you the best of luck as you move forward and \nappreciate the job you have done.\n    Thank you very much. The hearing is adjourned.\n    [Whereupon, at 12:03 p.m., the committee was adjourned.]\n    [Additional information submitted for the hearing record \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T0562.106\n\n[GRAPHIC] [TIFF OMITTED] T0562.107\n\n                                 <all>\n</pre></body></html>\n"