[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]





NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE FEDERAL GOVERNMENT'S D+ 
                       INFORMATION SECURITY GRADE

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 7, 2005

                               __________

                           Serial No. 109-13

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
20-562                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California
DAN BURTON, Indiana                  TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California
CANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California          LINDA T. SANCHEZ, California
GINNY BROWN-WAITE, Florida           C.A. DUTCH RUPPERSBERGER, Maryland
JON C. PORTER, Nevada                BRIAN HIGGINS, New York
KENNY MARCHANT, Texas                ELEANOR HOLMES NORTON, District of 
LYNN A. WESTMORELAND, Georgia            Columbia
PATRICK T. McHENRY, North Carolina               ------
CHARLES W. DENT, Pennsylvania        BERNARD SANDERS, Vermont 
VIRGINIA FOXX, North Carolina            (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 7, 2005....................................     1
Statement of:
    Crandlemire, Bruce N., Assistant Inspector General for Audit, 
      U.S. Agency for International Development; John Streufert, 
      Acting Chief Information Officer, U.S. Agency for 
      International Development, accompanied by Mark Norman, 
      USAID OIG; Melinda Dempsey, USAID OIG; Philip M. Heneghan, 
      USAID; Frank Deffer, Assistant Inspector General for 
      Information Technology, U.S. Department of Homeland 
      Security; Steve Cooper, Chief Information Officer, U.S. 
      Department of Homeland Security, accompanied by Edward G. 
      Coleman, DHS OIG; Ted Alves, Assistant Inspector General 
      for IT and Financial Management, U.S. Department of 
      Transportation; Daniel Matthews, Chief Information Officer, 
      U.S. Department of Transportation, accompanied by Rebecca 
      Leng, DOT OIG; Ed Densmore, DOT OIG; Nate Custer, DOT OIG; 
      Vicki Lord, DOT OCIO; and Dr. Dan Mehan, CIO, FAA..........    71
        Alves, Ted...............................................   105
        Cooper, Steve............................................    99
        Crandlemire, Bruce N.....................................    71
        Deffer, Frank............................................    89
        Matthews, Daniel.........................................   124
        Streufert, John..........................................    79
    Wilshusen, Greg, Director, Information Security Issues, U.S. 
      Government Accountability Office; and Karen S. Evans, 
      Administrator, Office of E-Government and Information 
      Technology, U.S. Office of Management and Budget...........    22
        Evans, Karen S...........................................    52
        Wilshusen, Greg..........................................    22
Letters, statements, etc., submitted for the record by:
    Alves, Ted, Assistant Inspector General for IT and Financial 
      Management, U.S. Department of Transportation, prepared 
      statement of...............................................   107
    Cooper, Steve, Chief Information Officer, U.S. Department of 
      Homeland Security, prepared statement of...................   102
    Crandlemire, Bruce N., Assistant Inspector General for Audit, 
      U.S. Agency for International Development, prepared 
      statement of...............................................    74
    Cummings, Hon. Elijah E., a Representative in Congress from 
      the State of Maryland, prepared statement of...............    17
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of...................     4
    Deffer, Frank, Assistant Inspector General for Information 
      Technology, U.S. Department of Homeland Security, prepared 
      statement of...............................................    91
    Evans, Karen S., Administrator, Office of E-Government and 
      Information Technology, U.S. Office of Management and 
      Budget, prepared statement of..............................    54
    Matthews, Daniel, Chief Information Officer, U.S. Department 
      of Transportation, prepared statement of...................   126
    Ruppersberger, Hon. C.A. Dutch, a Representative in Congress 
      from the State of Maryland, prepared statement of..........    12
    Streufert, John, Acting Chief Information Officer, U.S. 
      Agency for International Development, prepared statement of    81
    Wilshusen, Greg, Director, Information Security Issues, U.S. 
      Government Accountability Office, prepared statement of....    24

 
NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE FEDERAL GOVERNMENT'S D+ 
                       INFORMATION SECURITY GRADE

                              ----------                              


                        THURSDAY, APRIL 7, 2005

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10 a.m., in room 
2154, Rayburn House Office Building, Hon. Tom Davis (chairman 
of the committee) presiding.
    Present: Representatives Davis, Duncan, Cummings, 
Ruppersberger, and Norton.
    Staff present: Ellen Brown, legislative director and senior 
policy counsel; Robert Borden, counsel/parliamentarian; Rob 
White, press secretary; Victoria Proctor, senior professional 
staff member; Jamie Hjort, professional staff member; Chaz 
Phillips, policy counsel; Teresa Austin, chief clerk; Sarah 
D'Orsie, deputy clerk; Kristin Amerling, minority deputy chief 
counsel; Karen Lightfoot, minority communications director/
senior policy advisor; Nancy Scola, minority professional staff 
member; Earley Green, minority chief clerk; and Jean Gosa, 
minority assistant clerk.
    Chairman Tom Davis. Good morning. The committee will come 
to order.
    I would like to welcome everyone to today's hearing on 
implementation of FISMA, the Federal Information Security 
Management Act of 2002.
    We rely heavily on information technology and the Internet 
to support our economy, our national security and government 
operations. For instance, e-commerce is more popular than ever; 
Christmas 2004 saw record high consumer demand on retail Web 
sites. IT systems are used to operate and protect our critical 
infrastructures. And in the Federal Government, electronic 
government initiatives create efficiencies, save taxpayers time 
and money, and help eliminate redundant processes.
    Given the interconnectivity of systems, all it takes is one 
weak link to break the chain. All users, whether they are at 
home or at school or at work, need to understand the impact of 
weak security and the measures that should be taken to prevent 
cyber attacks.
    Everyone must protect his or her cyberspace, and of course, 
that includes the government. Therefore, it is critical that 
the Federal Government adequately protect its systems to ensure 
the continuity of operations, and to maintain public trust. 
This is particularly true of agencies such as the Internal 
Revenue Service, the Social Security Administration and the 
Department of Veterans Affairs that maintain citizens' personal 
information in their systems. Recent failures by the Bank of 
America and Choice Point have focused the spotlight on identity 
theft. Successful FISMA implementation is important because a 
similar event could occur in the government.
    Like the private sector, agencies are not immune to the 
loss of personal information. Threats to government systems 
could result in identity theft and subsequent financial damage 
and frustration, as well as diminished trust in government IT 
capabilities and electronic government programs.
    Every day Federal information systems are subjected to 
probes or attacks from outside sources. Cyber attacks are 
evolving and becoming more sophisticated. Therefore, a 
government information security management program must be 
comprehensive, yet flexible enough to adapt to the changing 
cyber threat environment. It is a matter of good management and 
good business practice, but it is also a matter of national 
security. FISMA provides that structure by requiring that each 
agency create a comprehensive risk-based approach to agency-
wide information security management.
    OMB performs an important role in the information security 
management process by encouraging agencies to adopt a new 
approach to security. In the past, information security was 
often seen as an afterthought, more of a crisis response than a 
management tool. OMB is helping to alter that perspective. It 
holds the agencies responsible for protecting Federal systems 
through business case evaluations so that agencies can better 
fulfill their missions. OMB requires agencies to address their 
security deficiencies before they are permitted to spend money 
on IT upgrades or new IT projects.
    I support this action because it forces agencies to 
concentrate on security before adding new layers of systems to 
their architecture and potentially complicating their security 
concerns.
    I'm also pleased that OMB has identified a sixth line of 
business, cyber security. Laws like FISMA and the Clinger-Cohen 
amendment require every agency to think about and invest in 
information security. However, each agency does it differently. 
The reason FISMA grades show the Federal Government still has a 
long way to go when it comes to information security. As with 
the other five lines of business, the goal of the cyber 
security line of business is to use business principles and 
best practices to identify common solutions for business 
processes and/or technology-based shared services for 
government agencies. The intended result is better, more 
efficient and consistent security across the Federal Government 
for the same amount of dollars, if not less. And at the end of 
the day, it's not how much money you spend, though, it's how 
well you spend it.
    To help us gauge the agencies' information security 
progress, FISMA requires the CIOs and IGs to submit reports to 
Congress and OMB. The committee enlists GAO's technical 
assistance to prepare the annual scorecard. This year the 
government made a slight improvement, receiving a D+. The 
overall government score is two points above last year, but 
needless to say, this isn't impressive. Progress is slow. Our 
objective today is to find out how the government can improve, 
and why some agencies can show remarkable improvement while 
others appear to flounder.
    We will hear from the IGs and CIOs of two agencies that 
improved their scores this year, Department of Transportation 
and the U.S. Agency for International Development. We will also 
hear from the IG and the CIO of the Department of Homeland 
Security, a poor performer again this year. I think it is worth 
noting that DHS has cyber security responsibilities for the 
Nation, and must work with the private sector regularly on 
these issues. Given this role, DHS needs to have its house in 
order and should become a security leader among agencies. What 
is holding them up? Well, the DHS witnesses will discuss the 
unique challenges that they face in a large and relatively new 
agency, and what actions they are taking to improve their 
information security, giving us a better understanding of their 
difficulties.
    In addition, we're concerned about how well the CIO and IG 
offices communicate about issues such as their interpretations 
of the OMB reporting requirements. Disagreements on 
interpretation may impact their respective reports and make it 
difficult for us to get an accurate picture of the agency's 
information security progress. This also raises questions about 
the clarity of the guidance, and whether agencies respond to 
OMB about the guidance during the comment period so their 
comments and concerns are adequately addressed in the final 
version.
    We will examine whether the IGs need a standardized 
information security audit framework similar to that used for 
financial management systems. Also, we need to address whether 
agencies need additional guidance, procedures or resources to 
improve their information security and fully comply with FISMA.
    Panel one witnesses from GAO and OMB will focus on 
information security from the government-wide perspective. 
Panel two is comprised of agency representatives and will focus 
on the agency-level perspective on implementation of FISMA.
    We'll hear from the IGs and CIOs at USAID, DHS, and the 
Department of Transportation. GAO will join panel two for the 
question-and-answer period.
    [The prepared statement of Chairman Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T0562.001 through T0562.006
    
    
    Chairman Tom Davis. I now recognize our distinguished 
ranking member, Mr. Waxman, for his opening statement.
    Mr. Ruppersberger. I'm not Mr. Waxman, I'm a little bit 
larger than Mr. Waxman.
    Chairman Tom Davis. Well, when he comes, we will recognize 
him. In the meantime, we're very pleased to recognize from 
Baltimore City, Mr. Ruppersberger, who I will be happy to 
recognize.
    Mr. Ruppersberger. Well, first, thank you for calling this 
hearing today on OMB's report to Congress on the Federal 
Information Security Management Act.
    According to the report, the U.S. Agency for International 
Development and the Department of Transportation received the 
highest grades of all 24 agencies reviewed. I hope that during 
today's hearing, we will be able to pull out some best 
practices and tangible suggestions from those agencies as to 
how the other 22 can improve their grades. It is disappointing 
and unacceptable that our government agencies' overall grade is 
a D+, however, I'm encouraged by the few successes that will be 
discussed here today.
    The F grade for the Department of Homeland Security is 
totally unacceptable because of the high stakes involved and 
their mission to protect our national security. Last week, the 
President's Commission on the Intelligence Capabilities of the 
United States issued their report regarding WMDs. In the 
report's postscript the Commission identified security, 
counterintelligence, and information assurance as crucial 
issues in the intelligence community and the Director of 
National Intelligence in the next few years to come.
    The Commission acknowledges that they only scratched the 
surface of the problem, and the Commission recommends early 
action to define new strategies for managing security in the 
21st century, security that includes information assurance, 
which is why we're all here today.
    This recommendation from the Commission will be a 
beneficial step in the process for the Department of Homeland 
Security and other security offices to improve their 
infrastructure security and their information and cyber 
security efforts.
    The good news is that the Justice Department improved the 
most, going from an F last year to a B- this year. Currently, 
as graded, the FBI is evaluated within the overall grade given 
to Justice. Based on the FBI's mission regarding national 
security interests, I believe they should be graded separately 
from the Department of Justice.
    Again, according to the President's Commission, further 
reforms are also necessary in the FBI's information technology 
infrastructure which remains a persistent obstacle for 
successful execution of the FBI's national security mission.
    If we look at the problem as a national security issue in 
addition to a general information security issue, I think we 
will be able to come together to find solutions that will work 
across all agencies. I know there is always a tradeoff between 
the cost of implementing a security measure and the potential 
risks if we do not. I feel that protecting our citizens and the 
government from information security breaches is worth the cost 
that will be incurred to set up appropriate security measures. 
I am concerned about all of these issues, but I think if we get 
past the grades and use this hearing and OMB's report as a 
guide, I think we will be able to quickly improve information 
security government-wide.
    We're here today to point out a problem and to see what we 
can do to fix it. These failing grades are unacceptable. We 
need to learn from those agencies who are doing well so that we 
can improve individual agency's scores and the government-wide 
score.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. C.A. Dutch Ruppersberger 
follows:]

[GRAPHIC] [TIFF OMITTED] T0562.007 through T0562.009


    Chairman Tom Davis. Thank you very much. I do not see Mr. 
Waxman, even though he is in my script.
    The gentleman from Maryland, any opening statement?
    Mr. Cummings. Yes, thank you very much.
    Mr. Chairman, I, too, thank you for calling this important 
hearing on the effectiveness of the Federal Government's 
ongoing attempt to strengthen the security and reliability of 
its information and information systems.
    Decades ago, the necessity of such a hearing would have 
been questionable as information technology and the Internet 
were not as prevalent nor as indispensable in the Federal 
Government as they are today. In the 21st century, one need not 
look very far to see how ubiquitous information technology and 
the Internet have become in the day-to-day operations of the 
Federal Government. Communications now travel as fast and as 
far as the Internet allows. The electronic processing of 
information allows delivery of services to function with 
unprecedented ease and accuracy. The sharing of information 
intergovernmentally and across sectors can permit the Federal 
Government to operate with renewed effectiveness.
    However, with all the advantages that accompany the Federal 
Government's information technology capabilities, there still 
exist critical areas of concern. The terms ``computer virus,'' 
``worm'' and ``hacker'' are now part of the modern day lexicon 
for good reason. Given the sensitivity of personal and 
confidential data found in Federal information systems in 
agencies such as the Internal Revenue Service and the 
Department of Defense, the potential exists for cyber criminal, 
terrorist or foreign nation to wreak havoc.
    The American people are acutely aware that such 
vulnerabilities could not only result in identity theft and a 
loss of privacy, but also endanger our economy and undermine 
our national security.
    Due to these concerns, information security has become a 
top governmental priority. To that end, Congress passed the 
Federal Information Security Management Act [FISMA], in 2002. 
This legislation established a comprehensive framework to 
safeguard the Federal Government's information and information 
systems.
    Agencies are mandated to implement an information security 
program, which includes performing risk assessments, accounting 
for utilized information systems, and developing procedures to 
ensure the accessibility and continuity of information. 
Agencies must also furnish the Office of Management and Budget 
with an annual report on the effectiveness of their program. 
These agency reports form the basis of the Government Reform 
Committee's Federal computer security report card. 
Specifically, the FISMA report for 2004 acknowledges some 
improvements and perennial challenges in this area.
    It states that agencies have made substantial progress in 
the certification and accreditation of systems, the 
incorporation of built-in security costs, the annual testing of 
system controls, the development of contingency plans to ensure 
operational continuity, and the implementation of security 
configuration requirements. This progress is commendable, 
however, given that the 2004 government-wide grade for 
information security is a D+, it is too early to celebrate. 
Critically important agencies such as the 
Department of Homeland Security, the Department of Health and 
Human Services and the Department of Veteran Affairs all 
received Fs.
    I would argue no one here would be satisfied if their child 
brought home these grades from school. How can we afford to 
have a lower standard for the Federal Government? The American 
people demand excellence, and Cs, Ds and Fs in securing the 
Federal Government's information just won't do.
    Today's hearing will serve as an avenue to identify what 
needs to occur to assist Federal agencies in realizing the 
goals of FISMA. I hope the witnesses will provide insight to 
help Congress determine whether agencies require additional 
guidance in order to meet FISMA requirements, the 
responsibilities of agency Inspectors General in this process, 
and the need to possibly provide increased flexibility in 
assessing agency compliance with FISMA mandates.
    With that, Mr. Chairman, I again thank you for calling the 
hearing, and I yield back.
    [The prepared statement of Hon. Elijah E. Cummings 
follows:]

[GRAPHIC] [TIFF OMITTED] T0562.010 through T0562.014


    Chairman Tom Davis. Well, thank you very much.
    For our first panel we have Greg Wilshusen, who is the 
Director of Information Security Issues, at the Government 
Accountability Office, who is no stranger to this committee. 
And we have Karen Evans, who is the Administrator of the Office 
of E-Government and Information Technology at the Office of 
Management and Budget. I'm not sure if this is your first time 
in a full committee, you have done a lot in the subcommittee, 
but we welcome you, we're happy to hear from you, and we 
appreciate the job that you are doing.
    You know it is our policy to swear witnesses in, so would 
you rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you very much.

 STATEMENTS OF GREG WILSHUSEN, DIRECTOR, INFORMATION SECURITY 
  ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND KAREN S. 
 EVANS, ADMINISTRATOR, OFFICE OF E-GOVERNMENT AND INFORMATION 
        TECHNOLOGY, U.S. OFFICE OF MANAGEMENT AND BUDGET

                  STATEMENT OF GREG WILSHUSEN

    Mr. Wilshusen. Mr. Chairman, and members of the committee, 
I am pleased to be here today to discuss Federal efforts to 
implement requirements of the Federal Information Security 
Management Act of 2002 [FISMA]. This act requires each agency 
to develop, document, and implement an agency-wide information 
security program that provides security for the information and 
information systems that support the operations and assets of 
the agency, including those provided and/or managed by another 
agency or contractor. Agency programs are to include eight 
components, such as periodic assessment of risks and periodic 
testing and evaluation of controls. FISMA also requires OMB, 
Federal agencies and Inspectors General [IGs], to report each 
year on efforts to implement these programs.
    Mr. Chairman, my bottom-line message today is that 
continued efforts are needed to sustain progress made by the 
agencies in implementing the requirements of FISMA.
    In my testimony today, I will note areas where agencies 
have made significant progress and those areas where challenges 
remain. In addition, I will discuss opportunities for improving 
the annual FISMA reporting process.
    Our reviews of information security controls at Federal 
agencies have found that significant information security 
weaknesses continue to place a broad array of Federal 
operations and assets at risk of misuse and disruption. As a 
result, we continue to designate Federal information security 
as a government-wide high risk area in our recent update to 
GAO's high-risk series.
    In its fiscal year 2004 report to the Congress, OMB noted 
that the 24 major Federal agencies continued to make 
significant progress in implementing key information security 
requirements. For example, OMB reported that the percentage of 
Federal information systems that have been certified and 
accredited rose 15 points to 77 percent. Systems certification 
and accreditation is a process by which agency officials 
authorize systems to operate. It is to include a security of 
the management, operational and technical security controls in 
the system.
    However, OMB, the agencies, and IGs also reported several 
areas where implementing effective information security 
practices remains a challenge. For example, seven IGs assessed 
the quality of their agency's certification and accreditation 
processes as poor. As a result, agency reported performance 
data may not accurately reflect the status of the agency's 
efforts to implement this requirement.
    As another example, 43 percent of Federal systems did not 
have a tested contingency plan. These plans provide specific 
instructions for restoring critical systems, business 
processes, and information in the event of a disruption of 
service. The testing of contingency plans is essential to 
determine whether the plans will function as intended. Without 
testing, agencies can have only minimal assurance that they 
will be able to recover mission-critical systems and processes 
in the event of an interruption.
    Opportunities exist to improve the annual FISMA reporting 
process. For example, in the absence of an independent 
verification of agency-reported data, having a senior agency 
official attest to the accuracy of data could provide 
additional assurance.
    In addition, performance measurement data do not indicate 
the relevant importance or risk of the systems for which FISMA 
requirements have been met. Reporting performance data by 
system risk would provide better information about whether 
agencies are prioritizing their information security efforts 
according to risk.
    Finally, developing and adopting a commonly accepted 
framework for conducting the annual IG reviews mandated by 
FISMA could help to ensure consistency and usefulness of these 
reviews.
    Mr. Chairman, this concludes my opening statement. I will 
be happy to answer any questions you or the members of the 
committee may have.
    [The prepared statement of Mr. Wilshusen follows:]

    [GRAPHIC] [TIFF OMITTED] T0562.015 through T0562.042
    
    
    Chairman Tom Davis. Thank you. We do have a number of 
questions.
    Ms. Evans, thanks for being with us.

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good morning, Mr. Chairman, and members of the 
committee. Thank you for inviting me to speak about the status 
of the Federal Government's efforts to safeguard our 
information and systems.
    In March 2005 OMB issued our second annual report on 
implementing the Federal Information Security Management Act 
[FISMA]. We continue to believe FISMA provides a sound 
foundation for improving and maintaining a strong Federal 
information technology security program. In short, FISMA is 
working. Results are apparent. Agencies and Inspectors General 
are becoming more acclimated to its requirements, and new 
technical guidelines from the National Institute of Standards 
and Technology are coming online to promote further progress. 
We see no need at this time to revise it in any significant 
way, in fact, substantial revision could delay additional 
progress.
    Across the Federal Government, most agencies have shown 
substantial progress in improving their information security 
programs. In addition, for the first time agencies reported the 
degree to which they've implemented security configurations for 
operating systems and software applications. We found that all 
agencies have begun developing and implementing security 
configuration policies for at least some of their operating 
systems.
    While progress has been made, deficiencies in agency 
security procedures and practices remain. Two common 
deficiencies noted by the agencies' Inspectors General include 
weaknesses in agency-wide plans of actions and milestones, and 
the lack of quality in some of the agencies' certification and 
accreditation processes.
    In addition, we have identified other areas of concern; 
they include overall inconsistency in agency and government-
wide FISMA implementation, self and IG evaluations; potentially 
unnecessary duplication of effort and resources across the 
government; ensuring adequate security of contractor-provided 
services; and a transition to Internet protocol version 6.
    While we believe FISMA itself, along with the implementing 
guidance from OMB, NIST, and the national security authorities, 
is sufficiently comprehensive and detailed to address these 
concerns at a policy level, consistent implementation is 
difficult and requires considerable expertise and resources at 
the agency.
    I would like to answer directly one of the questions asked 
in your invitation letter, whether there is a need for an 
Inspector General auditing framework similar to that used in 
financial audits. We have found the IGs' analysis extremely 
valuable in gaining additional insight into the agencies' IT 
security programs and operations. Much of the analysis in our 
annual report comes from the IGs' findings, but at the same 
time, like agency CIOs and operational program officials, IGs 
have varying capacities in the areas of resources available and 
security expertise.
    And across the IG community, there are differing 
methodologies and perspectives on what comprises a sound 
security program, including the proper way to implement FISMA. 
Therefore, to the extent that an IG framework would promote 
greater consistency, we would support it; but we do note a few 
concerns. First and foremost, we strongly believe that the work 
of the IG should, to the maximum extent practical, be 
integrated with and not separate from agency IT security 
programs; and second, we're concerned with the adoption of a 
strict and specific review requirement for FISMA purposes if 
it would, in any way, limit the essential interaction needed 
between IGs and CIOs.
    In addition to ongoing discussions to promote consistency 
in oversight and reporting, we have asked the IGs to 
participate in the newly formed IT security line of business. 
We expect this line of business will not only lead to a de 
facto IG and CIO reporting framework, but more importantly, a 
stronger Federal Government-wide IT security program.
    While the task force performs its work, OMB will continue 
to use our existing oversight mechanisms to improve agency and 
government-wide IT security performance. Information technology 
security is one of the No. 1 critical components that agencies 
must implement in order to achieve green for the e-government 
initiative of the President's management agenda. If the 
security criteria are not successfully met, agencies cannot 
move forward regardless of their performance against the other 
criteria.
    In conclusion, over the past year agencies have made 
significant progress in closing the Federal Government 
information technology security performance gaps.
    I would like to acknowledge the significant work of the 
agencies and the IGs in conducting the annual reviews and 
evaluations. While notable progress in resolving IT security 
weaknesses has been made, problems continue, and new threats 
and vulnerabilities continue to materialize. To address these 
challenges OMB will continue to work with the agencies, GAO and 
Congress to promote appropriate risk-based and cost-effective 
IT security programs, policies and procedures to adequately 
secure our operations and assets. But again, we believe FISMA 
is more than adequate in its current form to support all the 
needed improvement efforts. I would be glad to take any 
questions at this time.
    [The prepared statement of Ms. Evans follows:]

    [Prepared statement submitted as graphics T0562.043 through 
T0562.050; not reproduced here.]
    Chairman Tom Davis. Well, thank you both.
    Ms. Evans, what changes or improvements is your office 
proposing for the 2005 FISMA guidance? And do you plan to issue 
new updated guidance regarding your circular A-130?
    Ms. Evans. We are working right now with the IG community 
and NIST, CNSS and GAO to revise the reporting requirements. 
It's going to be similar to last year. We are going to focus 
this year more on performance metrics, and we are going to 
include a new reporting requirement this year dealing with 
privacy of the information that the agencies are collecting.
    Chairman Tom Davis. Well, some agencies have expressed 
concern that the term ``system'' is not well defined; for 
instance, how should an agency classify a state system that 
contains Federal data? Does OMB plan to address this in the new 
guidance?
    Ms. Evans. The definition of a system--and I want to answer 
this question both from my past experience as an agency CIO, 
and now as the policy official.
    The reason why I believe that we have allowed the 
definition to be the way that it is is that it provides maximum 
flexibility. So as agencies would potentially view this as 
ambiguous, we view it from a policy perspective as giving the 
agencies flexibility that they need to be able to determine and 
analyze what risk is appropriate for assets within their 
control that they have that they are responsible for.
    So there is an ambiguous nature to the definition of 
system, but we look at it as it allows the flexibility for the 
agency to define that so that they can then go forward and 
implement the management policies and procedures they need in 
order to deal with that.
    You could do something very small and say one piece--there 
could be an application on one piece that has enormous risk 
that it would impose if it was connected to a network; you may 
determine that should be called a system, and go through the 
full certification and accreditation for that. And a system 
could be as huge as a network, where the whole department's 
network, that can constitute a system because there are certain 
rules of engagement that you would want to have, rules of 
behavior on that system before you would go forward and allow 
other resources to be connected to it. So we don't necessarily 
want to go down and be so proscriptive in our definitions as to 
restrict the ability of the agency to be able to go forward and 
determine what is the best posture for them.
    Chairman Tom Davis. But you could have agencies defining it 
differently, basically.
    Ms. Evans. They may, and that is why the evaluation that is 
being done by the IG, the independent evaluation coming in, 
looks at how they apply that definition, how they have a 
methodology within their department to see if the thought 
process that they put behind it to determine it is sound to 
address the risk.
    Chairman Tom Davis. OK. Mr. Wilshusen, what do agencies 
have to do to get information security removed from the GAO 
high-risk list? This is, as you know, the list was expanded to 
include cyber security--well, cyber critical infrastructure 
protection. Information security has been on the list since 
1997. Can you briefly discuss what you think needs to be done 
to get this off the high-risk list?
    Mr. Wilshusen. Well, first of all, what they need to do--
and where we have consistently found on our review--is to 
implement at each agency an effective agency-wide information 
security program, such as those principles and requirements 
embodied in FISMA. And we have found that many of the agencies 
have not done that. This in turn has allowed and has resulted 
in many of their systems being insecure.
    Chairman Tom Davis. Now why don't they do that? Is it lack 
of money, they've got so many priorities at this point this is 
just one, without additional resources, that they're reluctant 
to do?
    Mr. Wilshusen. It is probably a couple of issues. Certainly 
the emphasis and level of attention since the passage of FISMA 
has helped and has improved both awareness and accountability 
of the highest levels of each of the agencies, and that has 
been a positive thing. But in many cases it's primarily 
management issues, even though security has technical aspects 
to it. Many of the findings and issues that we identify are the 
result of management issues where certain requirements are just 
not being implemented.
    Chairman Tom Davis. OK. Thank you very much. I'm going to 
have some more questions, but Mr. Ruppersberger is going to get 
a turn here.
    Mr. Ruppersberger. Well, after looking at the reports and 
the grades, I see that some agencies have improved. Is there 
any effort to have a departmental roundtable to share best 
practices? I mean, what we are really here for today is to try 
to get us to a level where we are going to be a lot more 
efficient, and we have to find a way to do this. And it seems 
to me, when you have agencies that are doing well and agencies 
that aren't doing well, let's look at it and share information.
    Could either one of you address that issue?
    Ms. Evans. Yes, sir, I would be glad to.
    There are actually two efforts under way. One the chairman 
already noted, which is the cyber security line of business. 
This is an interagency government-wide task force that OMB has 
brought together under the leadership of the Department of 
Homeland Security as well as it is being co-chaired by NSA. And 
what we are doing there is looking at all of the issues. There 
are four particular areas that we are looking at, like 
training, like management practices of framework, those types 
of activities which get to the heart of your question, what is 
working, and what can we take that is working within the 
agencies and move it out government-wide?
    The one thing that when we set up this task force is, 
because of the way FISMA is set up and the way that a cyber 
security program should work, a good IT program should work 
within a department is you still have to look at the risk. Each 
department may have a different level of risk, so you can't 
necessarily think that one size would fit all. But that is what 
the security line of business is looking at.
    Also, on the CIO council, the Department of Justice's Vance 
Hitch is our cyber security liaison; he works very closely 
with our Best Practices Committee on topics, and topics such as 
security have always been on the forefront to bring together 
the appropriate groups so that we can share best practices. And 
then also, there is a newly named forum that we are--the CIO 
council is co-chairing with Congressman Davis' staff, which is 
the Chief Information Security Officers Forum.
    So we are trying to bring it together at multiple levels 
within an organization, and across the government as a whole, 
so that practices can be identified----
    Mr. Ruppersberger. Let me ask you this question: So much of 
whatever we do in management, managing large organizations, 
whatever, is accountability, and also giving the resources to 
the people that we want to perform the mission. How about the 
issue of maybe a government-wide audit standard? Do you think 
that would help in this situation? It seems that we need a 
standard for all of our agencies. Now we have different 
missions and different areas that we move into. What do you 
think of that issue?
    Ms. Evans. Well, I believe, through the President's 
management agenda, that we have added specific criteria into 
the score card under e-government, so we are holding the 
agencies accountable for their performance.
    Mr. Ruppersberger. But these failing grades are just not 
acceptable.
    Ms. Evans. I believe that the progress and the way that we 
are measuring progress--we have the same goals in mind, both 
the committee as well as the administration. How we are 
measuring progress may be a little bit different based on what 
the rating factors are based on what the committee has. You are 
specifically asking me about an auditing standard, and FISMA 
specifically makes a difference between audit and evaluation. 
And we really think that it's more of an evaluation because 
this really needs to be a collaborative effort within the 
entire department, because as you are talking about it, it is a 
management issue as well. If it turns into an audit situation, 
our concern is that there won't be as much exchange, that it 
is more an evaluation----
    Mr. Ruppersberger. That's a good point. I'm near the end of 
my 5 minutes; I want to keep moving down another area.
    I am very concerned about the issue of the failing grade 
with Homeland Security, and I guess it is your turn, Mr. 
Wilshusen. Why do you feel at this point that Department of 
Homeland Security has a failing grade? What can we do to move 
that to another level to get them a lot more proficient in this 
subject matter today?
    Mr. Wilshusen. Well, first of all, Homeland Security does--
and I guess you will talk to the CIO and IG on the next panel 
as well, but they have had a number of challenges that they 
need to overcome just in the creation of the department to----
    Mr. Ruppersberger. No question.
    Mr. Wilshusen. And that has been pretty much a key factor 
in some of the challenges that they face. However, at the same 
time, only just recently have they established key positions 
within that department in terms of having a chief information 
security officer, and they have identified key individuals to 
be responsible for information security. But it will take quite 
a bit of an effort for them to kind of meld different systems 
to make sure there is appropriate accountability, and the 
alignment of the information security program at the department 
level with different operating entities. Right now there is 
apparently quite a bit of autonomy between the two.
    Mr. Ruppersberger. And we can develop that in the next 
panel also, I see my time is up.
    Chairman Tom Davis. Ms. Norton.
    Ms. Norton. Thank you, Mr. Chairman.
    I'm sorry I was detained and I did not hear the entire 
testimony, but what concerns me is the unevenness among the 
agencies. Mr. Ruppersberger asked about homeland security and 
there may be some reason why they haven't gotten most of their 
act together, but some of these agencies you would expect to do 
better, you would expect the Department of State to do better, 
you would expect the Nuclear Regulatory Agency not to go down.
    And I note that the agencies look like they are in charge 
of this entire process. They are required to take the steps to 
do the inventory of their systems. And apparently in the 
survey, 70 percent of them said they wanted greater guidance in 
meeting the requirements. The report cards signify nothing, if 
not the need for greater guidance. I'm wondering if too much of 
this is left to agencies who have no expertise here either in 
choosing consultants in security aspects of computer systems; 
in fact, no agency really does have that expertise. I'm 
wondering if simply saying to the agencies, do this, has been 
sufficient, particularly when they themselves say they want 
greater guidance in meeting the requirements. And I suppose the 
obvious question is, do you agree, and where would such 
guidance come from? Are any steps being taken to offer greater 
guidance, given the rather pathetic reports that are indicated 
in the Federal computer security report card?
    Ms. Evans. First off, what we are trying to do from an 
administration perspective is avoid being very, very 
proscriptive in the policy because what we want to avoid is 
people just going down and cranking through--mechanically 
cranking through and getting checkmarks because you really want 
the practice to be engrained, and we were talking about 
management practices.
    So in order to meet what we are hearing from the agencies 
about additional guidance, we did take that to heart, and that 
is why the cyber security line of business was announced. They 
are looking at very specific areas, and we are bringing in the 
expertise in order to complement the team that has been put 
together government-wide. There will be recommendations that 
come out of that task force, specifically about how to identify 
problems, how to move forward, how to make sure that we have 
consistent and measurable types of statistics, how to do good 
certification and accreditation, and how to achieve the things 
that they are being measured upon, because I do agree with you, 
you just can't say, here are the requirements, go out and do 
it, and not provide the help and assistance that they need, 
especially when they are asking for it.
    So the products that will come out of the cyber security 
line of business we are very hopeful will address the issue of 
giving further guidance, without issuing new policies.
    Ms. Norton. I don't understand what you mean about policy--
being proscriptive as to policy. As I understand it, they want 
greater guidance in meeting the requirements and a 
clarification of FISMA's assessment guidelines. I don't see 
where there is policy proscription involved in that.
    Mr. Wilshusen. One of the sources that the agencies can 
look to is NIST. Since FISMA was enacted, it placed 
specifically a responsibility to NIST in preparing and 
providing guidance and requirements to agencies and 
implementing the various aspects of FISMA. Over the last 
several--2 years, NIST has come out with guidance, and indeed 
they are going to be coming out with some additional guidance 
in different areas going forward.
    Ms. Norton. Well, they can look to that, and they could 
have looked to that all along, I take it.
    Mr. Wilshusen. Over the last couple of years they have 
issued new guidance.
    Ms. Norton. Well, all I can say is if the agency--if this 
large percentage of the agencies that is, a super majority say 
we need greater guidance, it does seem to me that whatever is 
in place is insufficient, and that the responsibility of the 
administration centrally is to assure that they get that 
guidance so that these pathetic grades do not come before the 
committee again.
    Thank you very much, Mr. Chairman.
    Chairman Tom Davis. Thank you very much.
    The gentleman from Tennessee.
    Mr. Duncan. Well, thank you, Mr. Chairman.
    I remember when we passed the one agriculture bill, farm 
bill a few years ago, 2 or 3 years ago, the Wall Street Journal 
had an editorial--and the bill was called the Farm Security 
Act--and it said any time we have the word ``security'' in a 
bill, we ought to give it 4 times the scrutiny because they 
were putting the word ``security'' in every bill, and we were 
going to great, great expense, and not getting a lot of bang 
for the buck, so to speak.
    And then I have also read and heard that every computer 
system is obsolete the day it's taken out of the box now 
because the technology is moving so fast. So the concerns I 
have--and I know Governor Gilmore from Virginia, who chaired 
the President's Commission on Security and Terrorism, he said--
in his cover letter to the President, he said we must resist 
the urge to try to achieve total and complete computer because 
he said it's not attainable, and if we aren't careful, we will 
drain our resources from other things that are achievable.
    So I guess the two concerns I have are, No. 1, the cost of 
some of these things, because what I read repeatedly, I 
remember the FBI came up with a computer system that we spent 
hundreds of millions on, and then they said it was a disaster 
after we had paid for it. So what do we do on the cost of some 
of these things? Are we looking at those costs and what we are 
getting for our money so we don't just go ridiculously 
overboard? And second, are we settling for a Mercedes instead 
of constantly seeking to get Rolls Royces in regard to these 
systems?
    You've always got these companies that want to sell you 
more and better and newer, and I'm just wondering are we using 
a little common sense in regard to some of these things?
    Mr. Wilshusen. Well, certainly you are absolutely right, 
there is no way to provide absolute assurance that you are 
going to prevent any particular security infractions or 
violations and the like. You can never give 100 percent 
assurance that you are going to be able to thwart all security 
threats.
    What you have to do, and what FISMA requires, is that you 
have a risk-based program and process in which you assess the 
risk to your systems, and then come up with cost-effective 
measures to protect against those particular risks. And 
certainly, that is one of the key underpinnings of any 
information security program is having it based on risk.
    Mr. Duncan. All right.
    Yes, ma'am.
    Ms. Evans. As far as your question about evaluating the 
cost based on the cyber security program, every agency is 
required, as they bring forth their IT investments, to ensure 
that the cyber security aspect, the risk associated with 
implementing that system, is addressed, and the costs are 
included in the cost of that business case coming forward.
    So they have to look at how to secure the system against 
the benefits that they are going to achieve for implementing 
that system to ensure that there is an adequate return on 
investment as they go forward.
    So the business case process does get to your other concern 
about ensuring that cost is being adequately addressed as they 
go forward.
    Mr. Duncan. Well, I just don't want to see us go 
ridiculously overboard on the costs, or in any other direction, 
and have to buy new computer systems at hundreds of millions or 
even billions of dollars worth of cost just because somebody 
comes up with a little better system the next year than we had 
the year before. I mean, we just can't afford to keep doing 
that. And then have us read and hear at hearings and read in 
the paper that systems that some department or agency bought 1 
year, as soon as it's taken--as soon as it's put on line, it's 
not what it was promised to be. So I just hope you will take 
those considerations--those concerns into consideration.
    Thank you very much, Mr. Chairman.
    Chairman Tom Davis. Thank you very much. Let me do a couple 
of followups.
    The annual scorecard reflects that many of the larger 
agencies have--consistently are poor performers, it may be 
because of the complexity of their system. Has OMB identified a 
trend here?
    Ms. Evans. We have gone through and looked at the issues 
associated with the larger agencies. I think it does get back 
to some of the other high level issues that have been raised by 
the committee themselves, which is proper attention from 
management and ensuring that the priorities are established 
within the Department to be able to move forward. And a lot of 
it has to do with the leadership aspect of giving the proper 
attention to the program.
    So the way that we are trying to address that, again, is 
back to the accountability issue, putting the proper tools in 
place, working with the agencies, but using the President's 
management agenda to hold the cabinet secretaries accountable 
for their performance in this area.
    Chairman Tom Davis. And CIOs could be great, but if the 
cabinet secretaries aren't paying attention, or the managers, 
it makes it a lot tougher, doesn't it?
    Ms. Evans. Right. So we are trying to make sure--the 
administration is trying to make sure--and is making sure 
through the President's management agenda--that the cyber 
security aspect of anything that they do is brought to the 
level of the attention of the Deputy Secretary and the 
Secretary, who are responsible for the overall programs of 
their department.
    Chairman Tom Davis. Let me just talk about the 
certification and accreditation, this C and A process, so to 
speak. I know that one of OMB's objectives in its plan of 
action is having all the systems C and A'd. But many IGs have 
reported on a very inconsistent quality of agencies' C and A 
processes. If the number of certified and accredited systems is 
increased, but there is a question about the quality of the 
processes, should we question the value of that information? 
And I will ask Mr. Wilshusen to also respond.
    Ms. Evans. Well, I was going to say the shorter answer is 
yes, you should question the quality of that based on the IG's 
finding; and that gets back to making sure that we provide 
better guidance where the agencies are asking for that, and 
working with the IG community and working with the CIOs as to 
having a good credible certification and accreditation program 
so that it does insert the discipline of always constantly 
looking at the risk.
    Mr. Wilshusen. And I would agree, you certainly do need to 
question those statistics.
    You know, just looking at what the agencies have reported 
in terms of 77 percent of all the systems have been certified 
and accredited, but one of the key aspects of that is to have a 
testing contingency plan that you need in order to be certified 
and accredited, and yet the agencies are also reporting that 
only 57 percent of their systems have testing contingency 
plans. So just that, in and of itself, shows that there is some 
question about the reliability of that data.
    Chairman Tom Davis. We are going to hear Daniel Matthews, 
who is the DOT's CIO, suggest in his testimony eliminating 
timing differences between the IG and the agency reports in 
order to create a common point in time for measuring the status 
of an agency's IT security program. I can see the merit of that 
change; I would appreciate any comments either of you might 
have on that.
    Mr. Wilshusen. OK. In terms of having an as-of date, what 
that would typically allow is for the IGs to be able to 
perhaps verify the information that the agencies are reporting 
on their report cards in their performance measures, if that is 
the goal of having such an as-of date. Similar to like on the 
financial statement report where we have the end of the fiscal 
year, and then the IGs have another 45 days to make the report 
on it. But other than that, you know, I'm not sure what the 
benefit would be.
    Chairman Tom Davis. All right.
    Ms. Evans. I was going to say, I concur with that. And we 
are just--we would proceed with caution on an as-of date 
because we want to make sure that the interaction between the 
IGs and the CIOs for their programs is ongoing, even while they 
are still doing this annual reporting as well. So there is 
nothing wrong with getting an as-of date in order to have 
consistency for reporting, as long as the other goals are met.
    Chairman Tom Davis. OK. Thank you very much.
    Mr. Ruppersberger.
    Mr. Ruppersberger. I just have one question of you, Ms. 
Evans.
    The Federal Information Security Management Act extends a 
requirement from the Paperwork Reduction Act that agencies 
develop detailed inventories of their systems, and this seems 
to be a requirement that agencies have a struggle with. One 
official from the Department of Energy recently remarked that 
unless that agency overhauled its decentralized structure, poor 
assessments under FISMA were guaranteed for years to come.
    Do you think that there are ways that FISMA's inventory 
requirement could be changed to address such concerns, without 
compromising security?
    Ms. Evans. That is an issue that we are attempting to 
address with the change in the scorecard criteria as well. 
Chairman Davis brought up the fact that we are saying all 
systems need to be certified and accredited. At the heart of 
that requirement is getting to how agencies are identifying 
their inventory.
    What we intend, and the issue that we brought forward to 
the Interagency Task Force is to get a best practice or lessons 
learned from the agencies that are scoring really well on how 
they got a handle on their inventory process, and be able to 
apply that out to the agency.
    If at the end of that task force effort that is not 
possible, then we will look at other alternatives and make 
recommendations or changes to address the inventory issue.
    Mr. Ruppersberger. OK. And for 2004, three agencies did not 
submit independent IG reports to OMB for their annual report. 
Can you explain why agencies are not complying with the IG 
independent evaluation, and if they're not, what 
recommendations will you have so that we make sure they do?
    Mr. Wilshusen. Well, one I think was in the case where 
they--I think that was from the previous year, when DOD and VA 
did not submit their report.
    Mr. Ruppersberger. And that is not an issue now?
    Mr. Wilshusen. Not as much this year, I don't think.
    Mr. Ruppersberger. Well, you say not as much though; if 
it's not, let's talk about----
    Mr. Wilshusen. OK. I'm sorry, right. No, I don't think that 
was a major issue.
    Mr. Ruppersberger. For any of the agencies.
    Mr. Wilshusen. That's correct.
    Mr. Ruppersberger. OK. That's good news then.
    Chairman Tom Davis. Anyone else with questions? Anything 
you would like to add to clarify anything?
    Ms. Evans. Well, the only thing, sir, I would like to add 
is that we appreciate the focus of the committee on this issue 
because, as you know, it is a continuing priority for the 
administration in that we want to continue to make sure that 
cyber security is at the forefront of everything that we do. 
You have to have this going forward and manage the risk as we 
continue to take more and more information and move more and 
more--and deploy more and more in technology. So thank you for 
your oversight.
    Chairman Tom Davis. And thanks for what you're doing. I'll 
just say, all you need is a bad adverse cyber event and 
everybody is going to be all over this thing and asking the 
questions that we're asking now, why wasn't this done. And I'm 
not sure who the fall guy will be, but it ain't gonna be me.
    And the difficulty in the private sector in many ways are 
ahead of us because they always are looking at the downside, 
they have to look at that. In government, many times the 
managers will take the risk that it won't happen on my watch, 
and they will go ahead with some of their other priorities; and 
yet we know we're talking so people out there--for their 
reasons are trying to get in. So we appreciate your efforts on 
this, and the CIO's efforts. I think a lot of this depends on 
how close our CIOs are working with the agency heads at the end 
of the day.
    The other thing is, I think ultimately these FISMA report 
cards are going to have to be tied to funding because sometimes 
that's the only thing people understand, you can preach, you 
can give them boxes to check, but if you tie it to funding, 
that really gets their attention, and that may have to be the 
next step if we continue to see the occurrences we do with some 
of these report cards.
    We're going to hear from some very good CIOs in the next 
panel that have just very difficult jobs. These are difficult 
jobs in some of these agencies where you are putting a lot of 
their elements together, some of them that have been not 
working well for a long time, but we'll get to that.
    Anything you want to add?
    Mr. Wilshusen. Right. And I would just like to also express 
my appreciation for these oversight hearings because this 
certainly does help to hold the agencies accountable for 
implementing information security, and also with light comes 
heat, and heat usually brings action. And hopefully the 
increased attention that this committee brings will help to 
improve that as well----
    Chairman Tom Davis. And a lot of times we're just 
oversight; in this case we have jurisdiction as well. The FISMA 
came out of this committee. We do share oversight 
responsibilities with the Commerce Committee and with the 
Homeland Security Committee on which I serve. And that's good, 
I think we want everybody looking at this. I want to see more 
focus on this from more committees and more questions answered, 
that's what gets agency heads' attention.
    But Ms. Evans, we appreciate your efforts on this. 
Sometimes you're the voice out there in the wilderness crying, 
but I know you have--your bosses are behind what you're doing 
and everything as well, and we want to make sure you have the 
tools to get the job done.
    Thank you very much. We will take about a 2-minute recess 
and set up for the next panel.
    [Recess.]
    Chairman Tom Davis. We are now going to move to our second 
panel, and it is a distinguished panel indeed. We appreciate 
having everybody back. Mr. Wilshusen is here to stay on to 
answer questions but doesn't need to be sworn in again. We have 
Bruce Crandlemire, who is the Assistant Inspector General for 
Audit, U.S. Agency for International Development. John 
Streufert, the Acting Chief Information Officer of the U.S. 
Agency for International Development. Mr. Frank Deffer, who is 
the Assistant Inspector General for Information Technology, 
Department of Homeland Security. Steve Cooper, no stranger to 
this committee, the Chief Information Officer, Department of 
Homeland Security. Ted Alves, the Assistant Inspector General 
for IT and Financial Management, Department of Transportation. 
Daniel Matthews, the Chief Information Officer, Department of 
Transportation.
    It is our policy that we swear all the witnesses in, so if 
you could just rise and raise your right hands. Can we identify 
the folks in the back who will be answering questions, too?
    Mr. Wilshusen. Ms. Melinda Dempsey, USAID. Mark Norman, who 
is the Audit Manager who has all the detailed knowledge.
    Chairman Tom Davis. Great. Thank you.
    Mr. Crandlemire. Phil Heneghan, the Information Systems 
Security Officer, USAID.
    Mr. Deffer. Edward Coleman, my Security Director.
    Chairman Tom Davis. Excellent.
    Mr. Alves. Rebecca Leng, Deputy Assistant Director.
    Mr. Matthews. This is Ed Densmore, Director of IT Security, 
Department of Transportation, and Dr. Dan Mehan, who is the CIO 
of the Federal Aviation Administration.
    Chairman Tom Davis. You have enough help there, don't you?
    And how about in the back? I just need to make sure the 
clerk gets everybody down for the record.
    OK. Thank you.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you all very much for being here. 
We've got a 5-minute rule we try to follow. The goal is to get 
out of here about noon, so it will be 5 minutes apiece. So that 
leaves us time for questions and we'll be fine.
    Your entire statement is in the record, so it will be based 
on that.
    Mr. Crandlemire, we will start with you, and thank you for 
being with us today.

STATEMENTS OF BRUCE N. CRANDLEMIRE, ASSISTANT INSPECTOR GENERAL 
  FOR AUDIT, U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT; JOHN 
 STREUFERT, ACTING CHIEF INFORMATION OFFICER, U.S. AGENCY FOR 
 INTERNATIONAL DEVELOPMENT, ACCOMPANIED BY MARK NORMAN, USAID 
  OIG; MELINDA DEMPSEY, USAID OIG; PHILIP M. HENEGHAN, USAID; 
   FRANK DEFFER, ASSISTANT INSPECTOR GENERAL FOR INFORMATION 
TECHNOLOGY, U.S. DEPARTMENT OF HOMELAND SECURITY; STEVE COOPER, 
    CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF HOMELAND 
SECURITY, ACCOMPANIED BY EDWARD G. COLEMAN, DHS OIG; TED ALVES, 
 ASSISTANT INSPECTOR GENERAL FOR IT AND FINANCIAL MANAGEMENT, 
   U.S. DEPARTMENT OF TRANSPORTATION; DANIEL MATTHEWS, CHIEF 
    INFORMATION OFFICER, U.S. DEPARTMENT OF TRANSPORTATION, 
  ACCOMPANIED BY REBECCA LENG, DOT OIG; ED DENSMORE, DOT OIG; 
NATE CUSTER, DOT OIG; VICKI LORD, DOT OCIO; AND DR. DAN MEHAN, 
                            CIO, FAA

               STATEMENT OF BRUCE N. CRANDLEMIRE

    Mr. Crandlemire. Thank you, Mr. Chairman, and other 
committee members, for the opportunity to provide testimony on 
the U.S. Agency for International Development's compliance with 
FISMA. As you requested, my testimony will focus on the state 
of information security at USAID and the methodology we used to 
perform our audit in 2004. In addition, I will discuss the need 
for a standardized FISMA auditing framework and possibly what 
guidance would be needed for agencies to fully comply with 
FISMA.
    USAID has made many positive strides over the last several 
years in addressing information security weaknesses. In 
particular, USAID has made several improvements in response to 
audits performed by my office and in turn substantially 
improved its computer security program.
    In 1997, the Office of Inspector General identified 
information security as a material weakness at USAID; USAID 
information technology officials agreed with our conclusion and 
included it in USAID's annual report as required by FMFIA. At 
that time, USAID did not have an organizational structure that 
clearly delegated information security responsibilities, 
policies that provided for an effective information security 
program, or key management processes to ensure that security 
requirements were met. These material weaknesses remained 
outstanding for several years until fiscal year 2004, when 
USAID concluded, and we agreed, that information security was 
no longer a material weakness at the agency.
    In the last 2 years, the most significant changes have been 
the appointment of an information security officer and the 
implementation of a centralized information security framework. 
Under this framework, USAID centrally manages its Windows 2000 
domain servers, firewalls, and virus scan software for most of 
its networks; has instituted a process to assess information 
system security for the purchase of capital assets; and is 
continually updating its information security policies and 
procedures.
    The agency has also identified several technological 
changes to improve its computer security. For example, they 
deployed Windows 2000, which has allowed the agency to lock 
down and configure security settings and incorporate many 
security improvements in comparison with Windows 98. They have 
installed and operate network sensors to detect unauthorized 
attempts to access the network. They run daily scans of the 
agency's worldwide network to proactively identify potential 
vulnerabilities. They have also implemented a tips of the day 
program, which is an automated security awareness program that 
provides reminders to all system network users each day as a 
prerequisite to sign into the network.
    Through these systemwide information technology and network 
changes, information security and information security 
awareness at USAID locations around the world have been 
significantly increased.
    Although USAID has made substantial progress in improving 
security, information security weaknesses still remain. As 
reported in our 2004 FISMA audit report, the agency had not 
developed a disaster recovery program for its three major 
systems and had not tested the disaster recovery programs in 
two other systems.
    The OIG methodology for assessing USAID information 
security under FISMA was to conduct an audit as opposed to an 
evaluation. For fiscal year 2004, our audit field work was 
conducted from August 19th to October 6th and involved over 600 
hours. In addition, as part of our financial statement audit, 
we incorporated about 2,800 staff hours as part of our general 
control work. This work complemented our FISMA work.
    To perform the audit, we interviewed USAID officials to 
discuss their answers to the OMB questionnaire, and then we 
tested the support for the answers. For each of USAID's 49 
answers to the questionnaire, we determined whether the 
agency's answer was supported by source documentation.
    I am going to move now to the need for an Inspector General 
auditing framework for information security. In our opinion, 
since the OIG input to the FISMA process is used to upgrade 
security among civilian agencies, there is an implicit 
assumption that there must be a defined common set of 
attributes to facilitate meaningful comparisons of independent 
evaluation or audits performed by each IG.
    Further, these attributes, or a common security auditing 
framework, should be developed on a collaborative basis among 
the IG community, OMB, and the Government Accountability 
Office. This framework also should address the resources needed 
to carry out the development and implementation of the 
framework, along with congressional support for such an 
initiative.
    I have just a couple comments on the existing process. I 
think the agencies and the IGs need more time to prepare or 
more time to respond to the annual FISMA questionnaire. Since 
2002, the time between the issuance of the guidance and the 
date we actually have to report has gotten shorter. In 2002, it 
was 76 days, and this last year it was only 44 days. We need 
more time so we can more efficiently use our audit resources.
    That concludes my statement.
    [The prepared statement of Mr. Crandlemire follows:]

    [Prepared statement submitted as graphics T0562.051 through 
T0562.055; TIFF images omitted from the text record.]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Streufert, thanks for being with us.

                  STATEMENT OF JOHN STREUFERT

    Mr. Streufert. Thank you, Mr. Chairman, and members of the 
committee. I want to thank you for the opportunity to testify 
on the status of our FISMA implementation and our security 
program. We submitted detailed information in response to your 
questions. What I would like to do in my oral remarks is 
address the 10 reasons that helped us improve our IT scores 
during the past period.
    No. 10, our industry partnerships. USAID has teamed with 
industry both in services and in our tools to increase 
performance. There has been a commitment to continuous 
improvement that has now spread over a 2-year period.
    No. 9, managing risk. Our agency information system 
security officer defined risk as critical. We want to be 
compliant with the rules but make sure that compliance does not 
overshadow our responsibility to attend to threats and impact 
on our business results.
    No. 8, central administration. USAID's security-sensitive 
IT settings have been drawn from 80 countries and 20 time zones 
to be administered centrally at AID headquarters. This would 
not have happened without executive support at all levels. We 
have one organization and one approach when it comes to 
security.
    No. 7, continuous awareness. As Bruce mentioned, we have a 
product called tips of the day implemented worldwide, through 
which 135,000 instances of training and awareness have taken 
place. Our awareness also includes the followup on every action 
item we have from a finding or a security improvement.
    Item 6, rules of behavior. The agency has defined that the 
use of the network and our systems is a privilege and not a 
right. Though our employees have overwhelmingly supported IT 
security for the imperative it is, a handful of employees who 
have violated IT rules of behavior have been submitted for 
disciplinary action and, where warranted, recommended for 
removal for the reasons of that improper conduct.
    Item No. 5, continuous measurement. USAID has 15,000 
devices connected to it worldwide, 5,000 software tools and 
packages, 8 major applications and 3 of what we call general 
support systems, against which our disciplines are applied. 
These devices are centrally checked worldwide 10 times a month 
against some 33,000 possible IT security weaknesses, using the 
same tool that protects worldwide international credit card 
transactions. We felt that the most sophisticated tool was in 
fact important for our purposes.
    Item No. 4, management accountability, to refer to an item 
one of the members drew attention to. We give the boss of our 
90 technical managers worldwide a grade of A to F once a month, 
because it is their business at risk in addition to ours 
collectively. Regions and bureaus that represent these 90 
technical managers and their bosses receive grades A through F 
for all their reporting units, which has created a competition 
for excellence. Our managers have performed this work in harm's 
way--in Afghanistan, Iraq, and other hardship posts--and in 
operating environments where power and other circumstances, 
such as interrupted telecommunication lines, have made it 
difficult. Notwithstanding these difficulties, and including 
setting up for tsunami relief, we have been able to implement a 
security program and found significant benefits for it.
    Item No. 3, correlation of threats. We have found it 
essential to install sensors throughout our networks to capture 
those critical events and submit them to a statistical 
correlation so that we may find whether systematic attacks in 
fact are occurring which otherwise would be hidden from visual 
inspection.
    Item No. 2, continuous audit review. We have forged over 
the past 7 years a partnership with our Inspector General who 
has in fact audited every significant IT initiative of our 
organization for the past 7 years. We have come to learn that 
the harshest criticism from our auditors and others, GAO and 
externally, is a source for building on strength, and we have 
chosen to respond to those items of improvement in just that 
way.
    Last and perhaps most importantly, our Administrator Andrew 
Natsios defined IT security as critical to success of the 
agency. He has defined the need to improve management systems 
across the board, and information technology was one of those 
areas of improvement. In each of the cases where a critical 
issue was facing the agency in the area of IT security, when we 
carried it forward to him we received his full support. We 
believe the correct decisions were made, which in fact has been 
critical to the success of our organization and our security 
effort.
    Thank you very much.
    [The prepared statement of Mr. Streufert follows:]

    [Prepared statement submitted as graphics T0562.056 through 
T0562.063; TIFF images omitted from the text record.]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Deffer.

                   STATEMENT OF FRANK DEFFER

    Mr. Deffer. Thank you, Mr. Chairman, and members of the 
committee, for the opportunity to be here today to discuss the 
status of FISMA implementation in the Department of Homeland 
Security.
    Mr. Chairman, I would note at the outset that we in the 
Inspector General's office have developed an effective working 
relationship with the DHS CIO and his staff in order to 
facilitate FISMA compliance at DHS.
    As we reported last year, DHS has made significant progress 
in developing and implementing its information security program 
at the headquarters level. For example, DHS developed the 
necessary plans such as the information security program 
management plan to provide the foundation for an agencywide 
program. Based on our review of those plans, DHS has 
established an adequate structure, blueprint, and process to 
implement and manage its program. Also, the Department has 
developed an adequate process to report security weaknesses in 
its plan of action and milestones, or POA&M, and has adopted an 
enterprise management tool, Trusted Agent FISMA, to collect and 
track data related to all POA&M activities.
    Even with these efforts, however, there are a number of 
factors that are hindering further progress. Specifically, one 
of the impediments to implementing DHS's program is that the 
CIO is not a member of the department's senior management team. 
Therefore, the CIO does not have the authority to strategically 
manage agencywide IT programs, systems, or investments. 
Furthermore, there is no formal reporting relationship between 
the DHS CIO and the component CIOs or between the DHS CISO and 
the department security managers.
    Also, DHS does not have an accurate and complete system 
inventory. An initial attempt at developing an inventory in 
2003 did not provide an accurate picture of DHS's information 
systems. In September 2004, DHS began a second effort using an 
outside contractor to establish a system inventory.
    Finally, while DHS has developed an adequate process to 
report security weaknesses in its POA&M, DHS components have 
not established verification processes to ensure that all IT 
security weaknesses are included. Overall, DHS is on the right 
track to create and maintain an effective program. However, the 
Department and its components still have much work to do to 
become fully FISMA compliant.
    Mr. Chairman, as you know, annual information security 
evaluations began 4 years ago with the Government Information 
Security Reform Act [GISRA]. And I would say that, after being 
involved in four of these efforts, two at the State Department 
OIG, and using a different approach each time, it is becoming 
clear that a more standard approach is needed, perhaps similar 
to that used in financial audits. This standard framework would 
help ensure that all IGs review and report on the same 
information across all agencies. Currently, each IG performs 
its FISMA evaluation based on its interpretation of FISMA and 
OMB guidance. A standard audit framework should allow OMB and 
Congress to more effectively and objectively determine the 
status of information security across the entire Federal 
Government.
    Finally, let me say a few words about what additional 
guidance or procedures are needed to help improve FISMA 
compliance. OMB issues annual guidance to agencies and IGs to 
promote consistent reporting across government and to ensure 
that agencies comply with FISMA. But this guidance needs to be 
clearer. For example, organizational components in DHS have 
struggled with the definition of a system for FISMA reporting. 
This has hindered DHS's ability to develop a reliable 
inventory.
    Another area of concern is how security of systems is 
measured by the FISMA metrics. OMB asks the agencies and IGs 
for the number of systems that have been reviewed, certified, 
and accredited, but treats all systems the same. That is, 
systems are not differentiated as routine or mission 
critical. For example, an agency may have certified and 
accredited 80 percent of its systems, but it could still be 
seriously at risk if its mission critical systems are those 
that have not been certified and accredited.
    Mr. Chairman, this concludes my prepared statement. I 
appreciate your time and attention, and welcome any questions 
from you or members of the committee.
    [The prepared statement of Mr. Deffer follows:]

    [Prepared statement submitted as graphics T0562.064 through 
T0562.071; TIFF images omitted from the text record.]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Cooper, I understand that you announced today, at least 
from reading the trade press, that you are leaving your post.
    Mr. Cooper. I did.
    Chairman Tom Davis. I just want to say--well, I hope this 
isn't your last time before the committee; we may bring you 
back as a consultant, but we appreciate the job that you have 
done.
    Mr. Cooper. Thank you.
    Chairman Tom Davis. You have been steadfast in coming 
before us and offering your ideas, and we consider you a 
valuable asset to the committee. Thanks for being with us.

                   STATEMENT OF STEVE COOPER

    Mr. Cooper. Thank you, Mr. Chairman, and members of the 
committee. It is my pleasure to appear before the committee 
again, and I wish to thank the chairman and the members for 
providing me the opportunity to update you on our efforts and 
progress in integrating and securing information systems within 
the Department of Homeland Security.
    I would like to begin by acknowledging the important role 
that our Inspector General plays in the Department. We have 
established an extremely effective and collaborative 
partnership with our Inspector General, and especially with 
respect to the development and operations of information 
technologies and support of the critical missions of the 
Department. The IG has been an important and independent voice 
as the Department formulates a strategy for building a robust 
and effective information security program.
    Mr. Deffer has provided what I believe to be an accurate 
and detailed assessment of our progress to date and rather than 
repeat what has been already said I would like to focus my 
remarks on the future.
    The DHS Information Security Program is structured around 
compliance with FISMA as well as OMB and NIST guidance. I want 
to stress that we are not proud of our failing grade. We have 
done much, and much needs to be done. Specifically, we have 
implemented and continue to implement a number of security 
performance metrics to address the issues represented by the 
FISMA grade.
    I fully understand that the success of the Department is 
dependent upon our ability to protect sensitive information 
used to secure the homeland, and to this end, the Department's 
Information Security Program has been designed to provide a 
secure and trusted computing environment based upon sound risk 
management principles and program planning. The development of 
a formal trust model within this program will eliminate 
institutional barriers that regularly divide organizations and 
will enable disparate agencies to more effectively share 
information within this common trusted framework. We have 
implemented a digital dashboard that provides us for the first 
time with the status of security performance based upon 
computed FISMA metrics, and we have implemented a security 
performance scorecard.
    Three key Information Security Program initiatives under 
way for over a year now are beginning to provide tangible 
results. As these three efforts converge, together they will 
pave the way for real and measurable security improvements in 
the near future. These include, first, completing a 
comprehensive baseline inventory for defining accreditation 
boundaries and assigning responsibilities for security controls 
to appropriate program officials throughout the Department; 
second, fielding a robust set of automated enterprise security 
management tools to optimize our security processes; and, 
third, implementing a comprehensive and repeatable set of 
metrics for holding program officials accountable.
    The baseline systems inventory project now under way has 
already identified a significant number of legacy systems that 
were not previously identified in our initial systems inventory 
that we did during the standup of the Department. At one of the 
organizational elements, this most recent system inventory 
project has now identified 106 information systems programs 
compared to the 5 that were previously identified at standup.
    In response to this legacy issue, the Department is 
developing a comprehensive remediation plan for completing all 
the required certification and accreditations by the end of 
fiscal year 2006. Related to these actions, we have implemented 
a department plan of action and milestones process and an 
enterprise system to manage that plan of action. Evidence that 
DHS is successfully institutionalizing this process is 
demonstrated by the fact that our initial fiscal year 2003 plan 
of action and milestones contained fewer than 100 line items, 
meaning task activities that we identified that we needed to 
do, while our current plan now contains several thousand line 
items and activities.
    Furthermore, we have implemented a certification and 
accreditation tool that will ensure C&A quality and map that 
certification and accreditation testing to our established 
policies. The C&A and remediation plan will include a 
prioritized list of systems to be certified based upon the 
system's security impact level, which means the systems with 
higher security impact levels will be the first systems that we 
will accredit if not already accredited. This remediation plan 
will identify a variety of funding alternatives for completing 
all certifications and accreditations, and our new automated 
security management tools are already designed to streamline 
this process. Use of this tool has now been mandated for all 
activity initiated after April 10th.
    This aggressive remediation effort will provide a sound 
baseline of secure systems with appropriate controls in place. 
However, we must continue to improve our security posture 
throughout the life cycle of each and every system or 
application in use in the Department. For this reason, we are 
continuing to refine the program so that we will remain 
relevant for the future. Program enhancements currently under 
way include developing a communications plan for our 
information security program, to include a Web-based 
information security portal that will improve the availability 
of information security data to all DHS employees, including 
those who do not have access to DHS Online; and, publishing an 
updated Information Security Program strategic plan outlining a 
revised vision for the future of the program based on lessons 
learned over the past 2 years.
    Finally, to sustain a viable and healthy information 
systems program and security program, I know that we must have 
strong support throughout the Department. Through the DHS Chief 
Information Officers' Council, I will work with each member to 
ensure that we not only continue to improve our security 
posture through periodic program reviews, but that we also 
implement new and improved measures wherever appropriate.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Cooper follows:]

    [Prepared statement submitted as graphics T0562.072 through 
T0562.074; TIFF images omitted from the text record.]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Alves.

                     STATEMENT OF TED ALVES

    Mr. Alves. Thank you. Thank you, Mr. Chairman, and members 
of the committee for the opportunity to testify on the progress 
the Department of Transportation has made and the challenges it 
faces implementing FISMA.
    This committee has been a driving force behind improvements 
made over the last several years in protecting Federal 
information and information systems. I also want to take this 
opportunity to compliment OMB, NIST, and GAO for the leadership 
roles they have played in this effort.
    With an annual IT budget of about $2.7 billion, the 
Transportation Department maintains over 480 systems to carry 
out the Department's mission. For example, the Department 
operates financial systems that process over $35 billion in 
grants to States and local governments, and the Federal 
Aviation Administration relies on about 100 systems to provide 
safe and efficient air traffic control 24 hours a day.
    As you requested, I will discuss the progress 
Transportation has made and the challenges it faces to 
strengthen information security practices, the need for a 
framework to guide Inspector General FISMA audits, and the 
approach we take to audit computer security issues.
    The commitment to improve information security begins at 
the top, and we attribute much of the Department's progress 
over the last 2 years to the support provided by Secretary 
Mineta. In early 2003, the Secretary appointed a Chief 
Information Officer and significantly strengthened his roles 
and responsibilities. Since then, the CIO has played a much 
more prominent role in managing IT issues in all DOT component 
agencies.
    Key improvements the Department has made include the 
following four areas. First, the CIO invigorated the Investment 
Review Board, which now considers security issues when 
reviewing the major systems.
    Second, the Department enhanced its ability to protect 
systems from internal and external attacks by, among other 
things, establishing an incident response center to prevent, 
detect, and analyze intrusions from the Internet.
    Third, the Department increased the number of certified and 
accredited systems from 33 percent to over 90 percent by 
dedicating resources to do the reviews and by closely 
monitoring progress.
    And fourth, the Department significantly strengthened 
background checks on contractor personnel.
    Notwithstanding this progress, DOT still faces challenges 
to secure its systems. These include: The Department needs to 
enhance security over air traffic control systems. We have 
reported that security deficiencies affect en route computer 
systems which control high altitude traffic. Because the issues 
are sensitive, we can only cover two issues today.
    First, FAA certified that en route systems were secure, but 
the review was limited to a developmental system. FAA has 
agreed to review operational systems deployed at the 20 en 
route centers.
    Second, FAA agreed to identify a contingency plan to 
restore air service in the event of a prolonged en route center 
disruption.
    We recently expressed concern about FAA's progress 
correcting these deficiencies to the FAA Administrator, the 
Office of the Secretary, and the CIO, and we are working 
closely with those officials to ensure continued progress.
    The Department needs to improve the security certification 
process. We also found some deficiencies in the quality of 
certification reviews, including inadequate risk assessments, 
lack of evidence that tests had been performed, and in one case 
a test item failed when we retested it. The Department also 
needs to continue its focus on emerging threats.
    The fact that you raised the question of whether a 
framework is needed to help standardize IG FISMA reports 
suggests that the current framework does not fully meet 
oversight requirements. This issue is being addressed by the 
President's Council on Integrity and Efficiency, a group of 
Presidentially appointed IGs, but they have not yet reached a 
consensus. We think a broader discussion involving the key 
players, congressional staff, OMB, GAO, and the IG community 
could help forge a consensus among all interested parties. The 
IG community would benefit from better understanding how our 
FISMA reports are used by oversight organizations; oversight 
organizations would benefit from understanding the challenges 
the IG community faces addressing computer security issues at 
agencies with very different system risks and missions.
    Regarding our approach to meet FISMA requirements, each 
year we do detailed tests on a subset of systems to answer 
OMB's specific questions, such as the number of systems with 
contingency plans. We also perform computer security audits 
focused on specific systems or security issues. We use all of 
this work to reach conclusions about the status of DOT's 
Information Security Program when preparing our annual FISMA 
report.
    Mr. Chairman, this concludes my oral testimony. I would be 
happy to answer any questions.
    [The prepared statement of Mr. Alves follows:]

    [Prepared statement submitted as graphics T0562.075 through 
T0562.091; TIFF images omitted from the text record.]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Matthews, last but not least here.

                  STATEMENT OF DANIEL MATTHEWS

    Mr. Matthews. Thank you, Mr. Chairman, and members of the 
committee. I thank you for the opportunity to appear here today 
to discuss the Department of Transportation's implementation of 
the Federal Information Security Management Act of 2002 
[FISMA].
    I serve as the Department's CIO, and I also currently serve 
as the vice chair of the CIO Council. The DOT Office of the 
Chief Information Officer has operational responsibility for 
the departmental network and communications infrastructure as 
well as providing shared services for the Office of the 
Secretary and the operating administrations currently engaged 
in the Department's information technology services 
consolidation.
    FISMA compliance at DOT is moving from the intensity of the 
past year's implementation activities to a more operational 
mode. Our system inventory is mature, our certification and 
accreditation methodology is defined, and we have begun 
oversight of the remediation of weaknesses identified over the 
course of the last 2 years. Additionally, we have been in the 
process of making assessments of the Department's ongoing 
security posture. Securing the IT assets of the Department of 
Transportation is a critical responsibility that falls to the 
CIO's office.
    In striving to secure those assets, many people from 
various areas must pull together. The strides the Department 
has made over the past year occurred in large measure because 
of the support of Secretary Norman Y. Mineta. His leadership 
and guidance combined with each and every modal administrator's 
commitment are critical to the Department's success.
    We are pleased to have achieved an A-minus rating on the 
FISMA scorecard, and we note that DOT relied on teamwork across 
the agency, the establishment, refinement, and validation of 
our system inventory, good communications, comprehensive 
training, and the support of the Inspector General throughout 
the year. This last point is critical. With our Inspector 
General, who is engaged, involved, and informed throughout the 
process, DOT makes sure that it approaches FISMA requirements 
appropriately and the end products and results are supportable.
    The teamwork for FISMA compliance was established through 
the acceptance of a single departmentwide methodology in lieu 
of individual approaches established by each operating 
administration. That methodology allowed us to focus and work 
collectively on a single plan in which all participants had 
confidence. This gave us the benefit of synergy, an end greater 
than the sum of its individual parts.
    If we endeavor to proceed using agency unique approaches, 
some agencies may have been successful and some may have 
faltered. With the support of an industry-recognized security 
subject matter expert from Titan Corp., along with agencywide 
buy-in and acceptance, DOT was able to reduce overall 
certification and accreditation schedules, manpower 
requirements and costs. More importantly, DOT was able to 
ensure accuracy, consistency, and completeness of each 
accreditation package.
    The strides made over the last year to comply with FISMA 
requirements were impressive. DOT has accredited over 90 
percent of all operational IT systems, established a program to 
ensure security as part of every system's development life 
cycle, significantly reduced vulnerabilities of public facing 
systems, and improved training and communications at all levels 
of the organization.
    Moving forward, DOT is using metrics to gauge FISMA's 
implementation and compliance throughout the Department. This 
point is important. DOT recognizes that plans of actions and 
milestones, POA&Ms, are established from the certification and 
accreditation process required by FISMA and are reviewed by the 
Inspector General. DOT uses these POA&Ms as a mechanism to 
ensure we mitigate the risks and remediate vulnerabilities 
identified during the C&A process knowing full well that the 
actions taken prescribed in the POA&M will specifically improve 
DOT's overall security posture.
    To address the steps DOT is taking to further strengthen IT 
security, we are coordinating and cooperating with DHS on cyber 
exercises, we are addressing the critical need for enterprise-
wide vulnerability management, we are implementing baseline 
security configuration standards for critical software, and we 
are consolidating IT services.
    More needs to be done. The FAA's National Air Space System 
is part of the national critical infrastructure program. I am 
working directly with the FAA senior leadership and the 
Inspector General to ensure FAA secures and protects the 
important NAS systems and telecommunications infrastructure. 
Ensuring the FAA constructs are measurable plans of actions in 
conjunction with its POA&Ms, audit reports, and IG findings, 
with follow through to complete its commitments is fundamental 
to DOT's ability to maintain current FISMA scorecard ratings.
    I have included in my statement some specific observations 
and suggestions for creation of an ``as of date'' and believe 
that existing FISMA guidance is adequate but have some 
additional comments. I look forward to answering your 
questions. And, again, I thank you for this opportunity.
    [The prepared statement of Mr. Matthews follows:]

    [GRAPHIC] [TIFF OMITTED] T0562.100
    
    [GRAPHIC] [TIFF OMITTED] T0562.101
    
    [GRAPHIC] [TIFF OMITTED] T0562.102
    
    [GRAPHIC] [TIFF OMITTED] T0562.103
    
    [GRAPHIC] [TIFF OMITTED] T0562.104
    
    [GRAPHIC] [TIFF OMITTED] T0562.105
    
    Chairman Tom Davis. Thank you very much.
    I think a recurrent theme both with DOT and USAID is that 
you are getting support at the top, that this comes--it is not 
just generated from the CO, it is top down, it is holding 
people accountable. Great stories. I hope we can learn from 
that.
    Mr. Cooper, let me start with you because your department 
is great but it is down. I don't hold you accountable. You are 
one of the best CIOs in the business, and we are sorry to see 
you going. But I wonder if we could talk about, you also, as 
you could see from some of the early comments from our members, 
the area everybody wants to focus on. Homeland security is a 
hot topic. It is an area where the systems need to be up. It is 
a very difficult job given the type of systems you inherited 
when we merged the departments. I think we can--that is a 
given; this was a very, very, very tough job. But we are a long 
way from where we need to be. We are seeing improvement, and I 
appreciate your opening statement.
    What are the major obstacles you would put together that 
Homeland Security faces uniquely versus some of the other 
agencies that make it so difficult?
    Mr. Cooper. OK. Let me try to answer that question 
directly, very specifically and very candidly.
    Chairman Tom Davis. This is the last bite I get at you.
    Mr. Cooper. No, that is all right. I am happy to come back. 
And let me also try to put it within the context of the FISMA 
scorecard, because I think this will be extremely helpful, I 
hope, to the committee as well as to members of the audience 
and interested parties and my colleagues.
    The first thing that we face as the Department of Homeland 
Security is the fact that we have inherited a huge amount from 
our legacy environments. Now, that translates to the inventory 
in the FISMA scorecard. This is not a defense. We are not where 
we need to be. But the scoring in the scorecard, we get minus 
10 points against our total score until we can actually certify 
that we have inventoried 95 percent of the systems and 
applications that are in the Department. And here's what we're 
learning and here's what we found. Meaning no disrespect to my 
colleagues on the panel, DOT has identified 480, I think Dan 
said 480 significant applications or the ones that they have 
identified and accredited. And, again, no offense to AID, but I 
think you guys have nine. We have over 3,600.
    So there's a simple fact, it's a numbers game. All right? 
We move from 34 percent of that initial 3,600 to 68 percent. 
Now, the scorecard doesn't reflect the progress. 68 percent I 
admit is still a failing grade. But we know what we need to do, 
we are working with our IG, we have demonstrated that our 
certification and accreditation process is sound. We need to 
stay the course and apply it. We have committed to completing 
100 percent certification and accreditation by fiscal year 
2006.
    Another major area. Configuration management addresses the 
different parts and pieces in the FISMA scorecard. Now, what 
that translates to is how many different operating systems or 
platforms or environments does the Department have? We have 
everything that's listed in the scorecard. But I--and I am the 
one that can be held accountable. I made a tactical and 
conscious decision that we were not going to put significant 
effort into the configuration management aspect of all of the 
listed platforms for the following reason: We are also 
undergoing a major IT infrastructure transformation program. We 
are consolidating those operating platforms and the operating 
systems and the associated applications, and we are eliminating 
some of those. Therefore, I made a decision that said don't put 
any energy into publishing guidelines within the Department in 
our Information Security Program around configuration 
management for those platforms and operating systems that we 
are going to retire. I am the person, I am accountable. But it 
reflects in our score because we then don't--we legitimately 
don't have anything in that area.
    Another thing, final thing we did very quickly. The 
training of all DHS employees in information assurance and 
information security management is an extremely high value 
activity. It scores very few points on the scorecard. But we 
consciously made a decision, again. We have trained almost 100 
percent of all of our employees across the Department. That's 
180,000 people, and we accomplished that in the past 2 fiscal 
years.
    So those are very specific examples in the framework of the 
scorecard that I think help reveal some of the complexities 
that we're facing but also significant progress.
    Chairman Tom Davis. What are the most difficult parts of 
all the disparate systems that you have? You know, what are the 
most dysfunctional or most vulnerable areas that you have at 
DHS?
    Mr. Cooper. That's a tough question in that I'm not sure I 
want to put any parts of the Department on the spot.
    Chairman Tom Davis. Well, but you inherited legacy systems 
and some of these. Like we know, the old INS system just wasn't 
working. Now, we've got new--I mean, this is something that 
this committee has talked about and everything else. I am not 
trying to go out to tell terrorists where we are vulnerable or 
something. But within those confines you have some old legacy 
systems that you haven't been able to move forward on as 
quickly as others and stuff like that. Give me a priority list, 
in other words.
    Mr. Cooper. OK. I'm going to share at least the part that 
we've identified.
    Chairman Tom Davis. You're leaving now. I can't do 
anything.
    Mr. Cooper. That's true.
    Chairman Tom Davis. You are under oath, too.
    Mr. Cooper. They can fire me early, I guess.
    Chairman Tom Davis. But we will hire you. We will pick you 
up if you need it.
    Mr. Cooper. Here's what we found. And, again, please 
understand, I offer this in a very constructive way. It's not 
meant to be critical.
    Chairman Tom Davis. Absolutely.
    Mr. Cooper. One of the areas that we have found a little 
bit more challenged is in some of the legacy INS, Immigration 
and Naturalization Services, and Citizenship and Immigration 
Services, as those two entities exist now. But in fact those 
were more or less, I won't say truly combined, but they were 
all under the auspices of an organizational structure inside 
the Department of Justice that pretty much operated from the 
same or similar platforms. Now, we have broken them apart, so 
to speak. But in breaking them apart, we actually don't have 
all of the IT infrastructure and skills and personnel and 
everything fully in place yet.
    Now, again, plans are in place, we are making good 
progress, but it remains a challenge because we just don't have 
quite enough of the resources in the timeframe we would like to 
have to finish a lot of the certification and accreditation, 
some of the securing activities that we need to do.
    Our Customs and Border Protection environment has actually 
made very, very good progress in a lot of areas, and what we 
are doing is drawing upon the positive skills and the positive 
performance in CBP to now reach over and assist ICE and CIS. So 
we figured out ways that we can actually leverage where we have 
good stuff going on and address some of the challenge areas.
    Chairman Tom Davis. How many incidents--well, we don't 
really get the level of incident reporting. Am I right? We 
don't get the incident reporting that we'd like to get that we 
feel is accurate. Is that fair?
    Mr. Wilshusen. Well, OMB reported that in their 2004 report 
on FISMA that they felt that the reporting was sporadic from 
the different agencies, and they had questions and concerns 
about that.
    Chairman Tom Davis. Well, let me just go with each agency 
and ask the CIO or IG or which office; but start with AID. Are 
you getting a lot of incidents of penetrations every year, and 
do you test yourself? Do you hire people who come in and try to 
penetrate? That was inarticulate, but I think you understand.
    Mr. Streufert. We're initiating some internal testing, and 
we're constantly monitoring for intrusions, and I think that 
the most constructive part of that is that we are tracking 
precisely those patterns and trying to assess who's at us. So, 
from an internal purpose, we are doing well.
    Chairman Tom Davis. Is that reported up the food chain in 
terms of who we think is going after you?
    Mr. Streufert. We make every effort that we possibly can, 
and the comments that we collect internally on this topic are 
some of the descriptions that come out from elsewhere at 
varying degrees of descriptions, some general, some specific. 
And so we think an area of potential improvement is having a 
matching of a good taxonomy externally against what we are 
actually seeing, and we think that this will improve over time.
    Chairman Tom Davis. Let me ask Homeland Security. What are 
you seeing in that area? I don't want you to give away the 
store, but----
    Mr. Cooper. No. First of all, we see hundreds of thousands 
of attempts on an annual basis. We actually identified 214 
incidents. We reported 100 percent of the 214 both to the IG 
and up through US-CERT that passes over to OMB.
    Chairman Tom Davis. Do you have a good idea of who the 
people are that are trying to get in?
    Mr. Cooper. Yes, we do, partly because of the link into the 
intel environment and everything. So, yes, we do. We believe 
this is an area and it actually is represented in our scorecard 
where we are in very good shape.
    Chairman Tom Davis. And it helps you also target your 
resources when you know who is coming after you. Doesn't it?
    Mr. Cooper. Absolutely.
    Chairman Tom Davis. And how about Transportation?
    Mr. Matthews. Mr. Chairman, last year we had over 3,000 
incidents and reported them. We do track individuals, Web 
sites, IP addresses that are coming toward the Department as 
well as other information. We routinely----
    Chairman Tom Davis. One of them gets through and really 
gets into the system, they could run you amuck. Couldn't they? 
They could really destroy you?
    Mr. Matthews. Absolutely, no doubt, if somebody penetrates 
the shield, indeed they can run amuck. You know, TOPOFF III is 
currently going on, and when I'm sitting watching what we're 
doing in TOPOFF III I'm constantly reminded that if someone did 
a concerted effort and went after the communications of the 
Federal Government, its ability to respond could be impacted.
    Chairman Tom Davis. And it helps. I mean, I think it's 
reassuring to us to know that at least you have a pretty good 
idea of who is after you.
    Mr. Matthews. Yes.
    Chairman Tom Davis. And that helps you, doesn't it, in 
terms of where you spend your resources? It may or may not help 
your report card, but it helps you in terms of where you spend 
your resources?
    Mr. Matthews. Absolutely 100 percent. We work hand in glove 
with the IG to do the forensics and pursue and prosecute those 
individuals as well.
    Chairman Tom Davis. Mr. Alves, do you agree with that?
    Mr. Alves. Yes, I do. The Department of Transportation has 
made really significant progress in this area over the last 
couple of years, and whenever there is an intrusion they let us 
know immediately. We do some of the penetration testing 
ourselves.
    Chairman Tom Davis. Some of them are yours.
    Mr. Alves. To test the system and make sure that it's 
secure.
    Chairman Tom Davis. And Mr. Cooper, let me just ask you. 
The fact that you have an idea in most of these cases, I 
gather, who is coming, allows you to expend resources in those 
areas, maybe to the detriment of other areas but at least it 
allows you to give appropriate prioritization, and that ought 
to give the committee some assurance that you're on top of it.
    Mr. Cooper. Yes, sir. In this case, we do. And in this 
case, because of the capability within the Department, we work 
very closely with our Homeland Security Operations Centers, we 
work very closely with our Intelligence Analysis and 
Infrastructure Protection Directorate, and actually share. All 
of the key members of my team are cleared to the highest 
levels, and so we actually use a lot of the classified 
information to help us address risks, threats, and 
vulnerabilities.
    Chairman Tom Davis. OK. You feel--well, we'll have another 
conversation later. But thank you again. My 10 minutes is up.
    Mr. Ruppersberger.
    Mr. Ruppersberger. OK. Mr. Deffer, in your testimony you 
mentioned that FISMA does not differentiate between routine or 
mission critical systems.
    Mr. Deffer. Correct.
    Mr. Ruppersberger. And you continue to say that the agency 
might still be at risk if its security, a vast majority of its 
systems yet is left vulnerable, the most mission critical ones. 
Can you explain how your department has balanced meeting its 
FISMA obligations with protecting its most critical systems?
    Mr. Deffer. Well, I think the Department has sort of--
they've made an effort to get their systems certified and 
accredited. I don't know if they've--Mr. Cooper talked about 
this, trying to get them on a risk based methodology to certify 
and accredit those systems that are high priority. But the 
numbers don't tell us which systems that have been certified 
and accredited are really that important. We don't know 
whether--has their network been certified and accredited? I 
don't know. But, you know, their training management system 
FLETC may have been certified and accredited, and that's a good 
thing, but it's probably not as important as the network or 
other critical applications.
    Mr. Cooper. If I may kind of clarify. We have made a very 
conscious and deliberate decision to go after our mission 
critical systems first. So we are taking a risk-based 
prioritization approach to what we accredit.
    The good news that I can share with the committee is that 
the 68 percent that are now accredited include almost every one 
of our major mission critical systems, and we are getting to 
some that doesn't mean they're not important but lesser impact 
or risk by not accrediting them right away. That is the 
approach we're taking.
    Mr. Ruppersberger. I would like more, a little bit more 
about the questions that the chairman asked you, and I was 
going to ask you more questions but you answered some of them. 
One of the questions was, when do you expect that the 
Department of Homeland Security will come up to where they need 
to be? And you mentioned that your goal was 2006. Do you feel 
that you are on time for that goal at this point?
    Mr. Cooper. Yes, we do.
    Mr. Ruppersberger. And what is it, the end of the year, 
beginning of the year? Where are we?
    Mr. Cooper. By the end of fiscal year 2006 we expect to 
complete almost 100 percent of those items represented by the 
scorecard. Now, here's what is going to happen though, and we 
will see whether or not I'm a good prognosticator. 
Unfortunately, the way that we are going at this and the way 
that the scoring works in the scorecard, I think what we are 
going to do is we are going to jump. We may indeed be--I'm 
hoping we will get to a D in fiscal year 2005. I am being very 
candid here. Because we lose 10 points off of our total score 
because of this 95 percent requirement for inventory. And we 
will not complete 95 percent of our full inventory by the end 
of fiscal year 2005. We are going to be very, very close, but I 
am not sure we'll trip it. We are going to basically lose 20 
points of our score because of the configuration management 
approach that I explained to you. If you deduct those 30 points 
from the score and we do everything else, that's 70, which puts 
us at 70 percent, which may creep us into a D.
    What I think is going to happen is we are probably going to 
be, I hope, at a D; and then in 2006, as we complete all this 
stuff, we are going to jump significantly up. So you are going 
to kind of see, unfortunately, not much in the score, and then 
we will be there.
    Mr. Ruppersberger. There is no question the Department of 
Homeland Security has a lot of administrative issues that they 
have to deal with, you know, inheriting all these different 
agencies, you know, pulling them together, the funding issues. 
I mean, it's a very difficult job, as you know, and I 
understand that. Do you feel that the system that's being used 
now and the standards for grading are just more of a 
bureaucratic type of system of holding people accountable based 
on Homeland Security and all the issues you have, do you think 
it's fair? And what would you do to change that system based on 
where you are now and to get to the end game? Because it's 
not--the grade is a standard, but bottom line, we want to get 
to where you can provide the best national security for our 
country.
    Mr. Cooper. Exactly. Bob West, who is our Chief Information 
Security Officer, and I believe very strongly that the criteria 
are very sound. We have no issue with the criteria. Now, Bob 
and I both will grumble to you and complain about the negative 
points that kind of in this last go-round were assessed, but we 
understand them and we'll live with them. What becomes most 
important I think is how a department like the Department of 
Homeland Security kind of prioritizes and applies these 
criteria. And you've heard, I've explained the approach that we 
took, I've explained a little bit of why. I believe very 
strongly that if the committee will allow us to stay the 
course, and with support of our new Secretary and Deputy 
Secretary, the Department of Homeland Security will indeed 
arrive rather quickly, although it may be fiscal year 2006, at 
precisely where the intent of the committee and the scorecard 
and FISMA represent.
    Mr. Ruppersberger. Do you feel that you have the money or 
the resources to deal with the problem?
    Mr. Deffer. I think applied in a prioritized approach, yes. 
Now any time--again, you know, I may get beaten up, it's OK, 
the worst they can do is fire me. Any time we have additional 
funding and resource we can move faster. But we believe that 
within the funding and resource that we have, we absolutely are 
on track to succeed.
    Mr. Ruppersberger. I don't know if you can answer the 
question--I may go back to Mr. Wilshusen, who is still at the 
panel. I am concerned a little bit about what is happening with 
respect to Justice, and especially FBI within Justice. We know 
some of the issues, that FBI is having a hard time in their 
technology area. And it seems to me we have other groups--we 
talked about this in the first panel, I know CIA and NSA are 
doing very well. And we cannot afford to have our FBI that is 
so important to our national security, especially domestic 
security, not be where they need to be.
    Can you discuss some of these issues--well, I'm going to 
ask you the question basically. You said that Immigration was 
under Justice, and now they also have some issues that you are 
dealing with because they are now under Homeland Security. I'm 
concerned that we need to really refocus and prioritize in 
those arenas, especially FBI. You are doing Immigration. But 
how can, with the problems that the FBI is having, how can we 
now have a grading system where the Justice Department went 
from I think a D or an F to a B+ or B-? Could you explain that?
    Mr. Deffer. Well, I can offer a couple of thoughts. I'm not 
sure I can actually explain it. But one of the things that 
works to----
    Mr. Ruppersberger. And I'm going to ask you to answer this, 
too, Mr. Wilshusen.
    Mr. Deffer. One of the things that works to any 
department's advantage is if you have less things to do and 
less things to accredit and certify, then within the same 
resource base you can accomplish a lot more.
    Justice lost, if you will, a significant portion of what 
represented the legacy systems that weren't accredited at one 
point in time. We inherited them all. So I think that they----
    Mr. Ruppersberger. Good news for them, bad news for you, 
right?
    Mr. Deffer. Exactly. And that's one sense.
    Now the other thing that I would offer--and again, the 
right person to really talk to is Zal Azmi, who is the CIO at 
the FBI, an extremely competent professional. Zal and I have 
talked a couple different times about information assurance, 
some of the challenges that we are sharing in exchanging 
information and working together, our respective agencies.
    I believe that under Zal they do have the proper talent and 
approach, I can't really speak to the timing.
    Mr. Ruppersberger. Do you know if they are getting the 
resources to do the job, based on your conversations about it?
    Mr. Deffer. Zal and I have talked about a number of 
vacancies, key vacancies that Zal is working on to fill. I 
think that as he fills those he will be able to pick up speed.
    Mr. Ruppersberger. I think that is a very high priority, I 
would think.
    Do you want to address that issue, also, Mr. Wilshusen?
    Mr. Wilshusen. Sure. The key thing in terms of FBI and DOJ 
having an increased score this year was basically because of 
what they had reported on their FISMA report to OMB and to 
Congress. That score was based upon an analysis of what they 
had reported.
    Mr. Ruppersberger. Are you aware of the problems with 
respect to the FBI?
    Mr. Wilshusen. I am aware with regard to issues related to 
DCF a Trilogy----
    Mr. Ruppersberger. Their technology issue.
    Mr. Wilshusen [continuing]. That they had developed that or 
were in the process of developing it, and it has since been 
terminated. At least the operational pilots have been 
terminated.
    Mr. Ruppersberger. Do you feel they have a plan to move 
forward in what needs to be done to be brought up to speed?
    Mr. Wilshusen. I don't know that because we haven't looked 
at that, but we have received a request to take a look at that.
    Mr. Ruppersberger. We sure don't want to criticize the FBI. 
What we want to do is give the FBI all the resources they need 
to fix this problem. And again it seems to me--and we alluded 
to this in the first panel--when you have systems that work--
and again, I can say this, I'm on the House Select Intelligence 
Committee, I know NSA's systems are doing well. We need to make 
sure we pull together, find out what is working and not 
working, and move forward. If it's a resource problem, we have 
to fix it. If it's a money problem, we have to fix it.
    My time is up. Thank you for being here today.
    Chairman Tom Davis. Well, we've kept you a long time. We 
appreciate everything. Anybody want to add anything, add in 
anything they said along the way?
    I think it has been very helpful to the committee as we 
move forward. I want to just thank every one of you for being 
here. I want to congratulate both AID and Transportation on 
your improvements this year. I think you've talked about this 
is really a team effort, it is not the CIO.
    Mr. Cooper, thank you. It has been a good explanation for 
us. We wish you the best of luck as you move forward and 
appreciate the job you have done.
    Thank you very much. The hearing is adjourned.
    [Whereupon, at 12:03 p.m., the committee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T0562.106

[GRAPHIC] [TIFF OMITTED] T0562.107

                                 
