b"<html>\n<title> - NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER SECURITY SCORECARDS</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER \n                          SECURITY SCORECARDS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 16, 2006\n\n                               __________\n\n                           Serial No. 109-139\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n                      http://www.house.gov/reform\n\n\n                                 _____\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n                             WASHINGTON: 2006        \n27-511 PDF\n\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nCHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California\nDAN BURTON, Indiana                  TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. 
MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nGIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York\nMARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland\nSTEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio\nTODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois\nCHRIS CANNON, Utah                   WM. LACY CLAY, Missouri\nJOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California\nCANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts\nMICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland\nDARRELL E. ISSA, California          LINDA T. SANCHEZ, California\nJON C. PORTER, Nevada                C.A. DUTCH RUPPERSBERGER, Maryland\nKENNY MARCHANT, Texas                BRIAN HIGGINS, New York\nLYNN A. WESTMORELAND, Georgia        ELEANOR HOLMES NORTON, District of \nPATRICK T. McHENRY, North Carolina       Columbia\nCHARLES W. DENT, Pennsylvania                    ------\nVIRGINIA FOXX, North Carolina        BERNARD SANDERS, Vermont \nJEAN SCHMIDT, Ohio                       (Independent)\n------ ------\n\n                      David Marin, Staff Director\n                       Teresa Austin, Chief Clerk\n          Phil Barnett, Minority Chief of Staff/Chief Counsel\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on March 16, 2006...................................     1\nStatement of:\n    Hughes, Thomas P., Chief Information Officer, U.S. Social \n      Security Administration; Thomas Wiesner, Deputy Chief \n      Information Officer, U.S. Department of Labor; Robert F. \n      Lentz, Director, Information Assurance, U.S. Department of \n      Defense; and Scott Charbo, Chief Information Officer, U.S. \n      Department of Homeland Security............................    
53\n        Charbo, Scott............................................    86\n        Hughes, Thomas P.........................................    53\n        Lentz, Robert F..........................................    68\n        Wiesner, Thomas..........................................    62\n    Wilshusen, Gregory C., Director, Information Security Issues, \n      U.S. Government Accountability Office; and Karen S. Evans, \n      Administrator, Office of Electronic Government and \n      Information Technology, Office of Management and Budget....     6\n        Evans, Karen S...........................................    39\n        Wilshusen, Gregory C.....................................     6\nLetters, statements, etc., submitted for the record by:\n    Charbo, Scott, Chief Information Officer, U.S. Department of \n      Homeland Security, prepared statement of...................    88\n    Davis, Chairman Tom, a Representative in Congress from the \n      State of Virginia, prepared statement of...................     4\n    Evans, Karen S., Administrator, Office of Electronic \n      Government and Information Technology, Office of Management \n      and Budget, prepared statement of..........................    40\n    Hughes, Thomas P., Chief Information Officer, U.S. Social \n      Security Administration, prepared statement of.............    55\n    Lentz, Robert F., Director, Information Assurance, U.S. \n      Department of Defense, prepared statement of...............    70\n    Waxman, Hon. Henry A., a Representative in Congress from the \n      State of California, prepared statement of.................   100\n    Wiesner, Thomas, Deputy Chief Information Officer, U.S. \n      Department of Labor, prepared statement of.................    64\n    Wilshusen, Gregory C., Director, Information Security Issues, \n      U.S. Government Accountability Office, prepared statement \n      of.........................................................     
8\n\n\n\n\n \n NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER \n                          SECURITY SCORECARDS\n\n                              ----------                              \n\n\n                        THURSDAY, MARCH 16, 2006\n\n                          House of Representatives,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The committee met, pursuant to notice, at 12:16 p.m., in \nroom 2154, Rayburn House Office Building, Hon. Tom Davis \n(chairman of the committee) presiding.\n    Present: Representatives Tom Davis, Platts, Cummings, Clay, \nand Watson.\n    Staff present: David Marin, staff director; Keith Ausbrook, \nchief counsel; Chas Phillips, policy counsel; Rob White, press \nsecretary; Drew Crockett, deputy director of communication; \nVictoria Proctor, senior professional staff member; Teresa \nAustin, chief clerk; Sarah D'Orsie, deputy clerk; Leneal Scott, \ncomputer systems manager; Michael McCarthy, minority counsel; \nEarley Green, minority chief clerk; and Jean Gosa, minority \nassistant clerk.\n    Chairman Tom Davis. Good afternoon and welcome. The \ncommittee will come to order.\n    Today, the committee is releasing its Federal computer \nsecurity scorecards and will examine the status of agency \ncompliance with the Federal Information Security Management Act \n[FISMA].\n    Information technology and the Internet drive our economy \nand help the Federal Government to operate with greater \nefficiency and cost savings. E-commerce, information sharing, \nand Internet transactions, such as online tax filings, are so \ncommon that we take them for granted. 
Not until an incident \nsuch as the potential BlackBerry shutdown--which was recently \nsettled--are we reminded of our dependence on IT and how \ndifficult it is for us to function without it.\n    In the past year or so, we have heard stories about \nidentity theft, security breaches in large commercial data \nbases, and phishing scams such as those identified by the \nInternal Revenue Service this tax season. We have also seen an \nincrease in education and awareness campaigns for online safety \nspearheaded by the private and public sectors. But in my \nexperience, when it comes to Federal IT policy and information \nsecurity, it is still difficult to get people--even Members of \nCongress--engaged. For most people this is an abstract, inside-\nthe-Beltway issue. And FISMA is still viewed by some Federal \nagencies as a paperwork exercise. But these are short-sighted \nobservations. As a result of the Government's aggressive push \nto advance e-government, many Government information systems \nhold personal information about citizens and employees, in \naddition to other types of data. Maintaining the integrity, \nprivacy, and availability of all information in these systems \nis vital to our national security, continuity of operations, \nand economy.\n    Furthermore, in order to successfully fight the war on \nterror, we must be able to move information to the right people \nat the right place at the right time. Information needs to move \nseamlessly, securely, and efficiently within agencies, across \ndepartments, and across jurisdictions of Government as well.\n    Due to the nature of our cyber infrastructure, an attack \ncould originate anywhere at any time. We know that Government \nsystems are prime targets for hackers, terrorists, hostile \nforeign governments, and identity thieves. 
Malicious or \nunintended security threats come in varied forms: denial of \nservice attacks, malware, worms and viruses, phishing scams, \nand software weaknesses, to just name a few. Any of these \nthreats can compromise our information systems. The results can \nbe costly, disruptive, and erode public trust in Government.\n    One of the best ways to defend against attacks is to have a \nstrong, yet flexible, protection policy in place. We want \nagencies to actively protect their systems instead of just \nreacting to the latest threat with patches and other responses. \nFISMA accomplishes this goal by requiring each agency to create \na comprehensive risk-based approach to agency-wide information \nsecurity management. FISMA strengthens Federal cyber \npreparedness, evaluation, and reporting requirements. It is \nintended to make security management an integral part of an \nagency's operations and to ensure that we are actively using \nbest practices to secure our systems and prevent devastating \ndamage.\n    The committee, with technical assistance from GAO, releases \nannual scorecards based on the FISMA reports submitted to us by \nagency Chief Information Officers and Inspectors General. This \nyear, the Federal Government as a whole hardly improved, \nreceiving a D+ yet again. Our analysis reveals that the scores \nfor the Departments of Defense, Homeland Security, Justice, \nState--the agencies on the front lines in the war on terror--\nremained unacceptably low or in some cases dropped \nprecipitously. Meanwhile, several agencies improved their \ninformation security or maintained a consistently high level of \nsecurity from previous years.\n    The 2005 FISMA grades indicate that agencies have made \nimprovements in developing configuration management plans, \nemployee security training, developing and maintaining an \ninventory, certifying and accrediting systems, and annual \ntesting. 
Despite these advances, there are still some areas of \nconcern to the committee, including implementation of \nconfiguration management policies, specialized security \ntraining for employees with significant security \nresponsibilities, inconsistent incident reporting, \ninconsistencies in contingency plan testing, annual testing of \nsecurity controls, and agency responsibility for contractor \nsystems.\n    At today's hearing, we will evaluate the results of the \nagencies' 2005 FISMA reports, identify strengths and weaknesses \nin Government information security, and learn whether FISMA \nprovisions and the OMB guidance are sufficient to help secure \nGovernment information systems. Witnesses from GAO and OMB will \nhelp us understand what obstacles impede the Government's \nability to comply with FISMA. DOD and DHS witnesses will \ndiscuss the challenges they face in their departments and their \nplans to improve FISMA compliance. We will also hear about best \npractices and lessons learned from the Social Security \nAdministration and Department of Labor, two agencies that have \ndemonstrated consistent improvements in their information \nsecurity since the scorecard process was initiated in 2001.\n    If FISMA was the No Child Left Behind Act, a lot of \ncritical agencies would be part of the list of low performers. \nNone of us would accept D+ grades on our children's report \ncards. We can't accept these either.\n    [The prepared statement of Chairman Tom Davis follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.001\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.002\n    \n    Chairman Tom Davis. Are there any other Members who wish to \nmake opening statements? If not, I am going to note that \nMembers will have 7 days to submit opening statements for the \nrecord.\n    We are going to recognize our first panel of distinguished \nwitnesses. We have Mr. Gregory Wilshusen, the Director of \nInformation Security Issues for the U.S. 
Government \nAccountability Office, and the Honorable Karen Evans, the \nAdministrator of the Office of E-Government and Information \nTechnology at the Office of Management and Budget. You know it \nis our policy we swear you in before your testimony, so if you \nwould just rise and raise your right hands.\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you. Let me thank you for your \nperseverance on this.\n    Mr. Wilshusen, thank you for being with us.\n\n   STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION \n  SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND \nKAREN S. EVANS, ADMINISTRATOR, OFFICE OF ELECTRONIC GOVERNMENT \n  AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET\n\n                 STATEMENT OF GREGORY WILSHUSEN\n\n    Mr. Wilshusen. Thank you, Mr. Chairman.\n    I am pleased to be here once again to discuss the efforts \nby Federal agencies to implement the requirements of FISMA. For \nmany years, we have reported that inadequate information \nsecurity is a widespread problem that could have devastating \nconsequences. Since 1997, we have identified information \nsecurity as a government-wide high-risk issue.\n    Today, the Federal Government is facing increasingly \nsophisticated and complex threats to its sensitive information \nsystems and information. The need for agencies to implement the \nstrong information security controls required by FISMA has \nnever been greater.\n    My testimony is based, in part, on our analysis of the \nfiscal year 2005 FISMA reports by OMB and 24 major Federal \nagencies and their Inspectors General.\n    Mr. Chairman, my bottom-line message is that progress made \nby the agencies in implementing FISMA is mixed, at best. \nAgencies have made progress in several areas but have slipped \nin others.\n    Today, I will note areas where agencies have made progress \nand those areas where weaknesses remain. 
In addition, I will \ndiscuss actions that agencies can take to improve their \ninformation security controls.\n    Before I do, I would like to recognize OMB for taking steps \nto improve the quality of the FISMA reports. For example, OMB \nrequired agencies to report, for the first time, certain \nperformance measures by system risk level. This provides better \ninformation about whether agencies are prioritizing their \ninformation security efforts according to system risk.\n    Mr. Chairman, agency FISMA reports present a mixed picture \nof FISMA implementation. The agencies generally reported an \nincreasing number of systems meeting key security performance \nmeasures, such as the percentage of systems certified and \naccredited, and the percentage of contingency plans tested.\n    Nevertheless, progress was uneven. For example, the \npercentage of agency systems reviewed declined from 96 percent \nin 2004 to 84 percent in 2005, and the percentage of employees \nand contractors receiving security awareness training also \ndeclined.\n    The reports indicated other challenges as well. Only 13 IGs \nreported that their agencies' inventories of major systems were \nsubstantially complete. A complete inventory is a key element \nof managing the agency's IT resources, including the security \nof those resources. Without complete inventories, the agencies, \nthe administration, and the Congress cannot be fully assured of \nthe agencies' progress in implementing FISMA.\n    Eight IGs also assessed the quality of their agency's \ncertification and accreditation processes as ``poor.'' As a \nresult, agency-reported performance data may not accurately \nreflect the status of the agency's efforts to implement this \nrequirement.\n    And 39 percent of Federal systems did not have a tested \ncontingency plan. 
Without a tested plan, increased risk exists \nthat agencies will not be able to recover mission-critical \nsystems in a timely manner if an interruption occurs.\n    Beyond assessing FISMA requirements, our audits of \ninformation security at Federal agencies have found significant \nweaknesses related to access controls and other information \nsecurity controls that place a broad array of Federal \noperations and assets at risk of misuse and disruption.\n    However, agencies can take several actions to fully \nimplement their FISMA-mandated programs and improve security \ncontrols. Such actions include completing and maintaining \naccurate inventories of major systems, prioritizing information \nsecurity efforts based on system risk levels, and strengthening \ncontrols that are to prevent, limit, and detect access to its \ninformation and information systems.\n    Mr. Chairman, this concludes my statement. I will be happy \nto answer your questions.\n    [The prepared statement of Mr. 
Wilshusen follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.005 through T7511.035 (prepared statement graphics not reproduced)\n    \n    Chairman Tom Davis. Thank you.\n    Ms. Evans.\n\n                  STATEMENT OF KAREN S. EVANS\n\n    Ms. Evans. Good afternoon, Mr. Chairman. 
Thank you for \ninviting me to speak about the status of the Federal \nGovernment's efforts to safeguard our information and our \nsystems.\n    My comments today will focus on the progress we have made \nin improving the security of the Government's information \ntechnology as well as our strategy for addressing continuing \nsecurity challenges.\n    This is an extremely important issue for the \nadministration, and it is equally important to me both \nprofessionally and personally because some of the government-\nwide security performance metrics that we use to evaluate the \nagencies are also included in my personal performance plan.\n    On March 1st, OMB issued our third annual report to \nCongress on the implementation of the Federal Information \nSecurity Management Act [FISMA]. Much of the information I will \nbe discussing today is provided in more detail in our report. \nSo based on that, sir, I would be happy to answer any questions \nthat you may have about the report and the status and what we \nare doing going forward.\n    [The prepared statement of Ms. Evans follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.036\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.037\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.038\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.039\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.040\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.041\n    \n    Chairman Tom Davis. Ms. Evans, let me start with you. Do \nyou plan to issue new or updated guidance regarding your \nCircular A-130?\n    Ms. Evans. We do not plan to issue updated guidance on A-\n130 because we believe that it is based on sound principles \nthat are already reflected in FISMA. With NIST issuing new \nstandards and guidance, we really don't think that we need to \nrevise A-130 at this time, but we will continue to review it.\n    Chairman Tom Davis. All right. In this year's report, just \nlike last year's report, you mentioned that reporting to US-\nCERT is sporadic and not complete. 
What steps are you and US-\nCERT taking to ensure that agencies are more compliant in these \nincidents?\n    Ms. Evans. In May 2005, we did issue a reporting concept of \noperations out to the agencies, and so what OMB and DHS are \nplanning to do is followup specifically with the agencies that \ndid not report any incidences to US-CERT to make sure that we \nall are operating from the same understanding so that we can go \nback and double-check that an incident is an incident based on \nthis concept of operations that was approved by all the \nagencies as well.\n    Chairman Tom Davis. Now, although there has been \nimprovement, there are still several agencies that don't have \ncomplete inventories. These include some of the largest: DOD, \nUSDA, Treasury, HHS, and VA.\n    You know, without accurate inventories, how can you be sure \nthat the agencies are making progress? And while C&As are an \nimportant component of security, knowing what systems you are \nrunning is even more essential. Have you emphasized or has OMB \nemphasized to the agencies the necessity of a complete \ninventory? And what challenges have they reported to you in \ntrying to create and maintain an accurate inventory?\n    Ms. Evans. Yes, sir, we have worked with the agencies, and \nin the places where the agencies haven't had a completed \ninventory based on what the IGs have reported, we are meeting \nspecifically with those agencies to be able to address what \nissues are keeping them from meeting the inventory. But, also, \nwe have included this in the President's management agenda as \none of the criteria and that we do assess the agencies on a \nquarterly basis of their progress on performance.\n    So once an agency makes green, in order to maintain green \nthey have to have a completed inventory.\n    Chairman Tom Davis. Thank you. Identity theft continues to \nbe a growing problem, especially with the loss of personal and \nsensitive information. 
Data breach laws at the State level \nwhich require companies to inform individuals when the \norganization suffers a breach that exposes their personal \ninformation have improved our understanding of this problem. \nCongress is considering a national data breach notification \nstandard. Currently, there is no requirement for Federal \nagencies to notify citizens in case there is a breach. I have a \nfew questions along those lines.\n    One, do Federal agencies notify citizens when a breach of \npersonally identifiable information occurs on Government data \nbases?\n    Ms. Evans. In responding to that question, sir, we believe \nthe Privacy Act has provisions that address this. But what I \nwould like to do is be able to go back and do a more in-depth \nanalysis and be able to take this question for the record and \ngive you a more thoughtful response about how we should be \nresponding to this.\n    Chairman Tom Davis. I appreciate that, because that is \nsomething that comes up time and time again.\n    What, if any, guidelines exist to determine if a breach \nrequires notification?\n    Ms. Evans. Again, sir, I need to go back and further \nresearch this based on what we have put in place with the \nPrivacy Act, and I would like to take this question for the \nrecord so that I can give you a more thoughtful response.\n    Chairman Tom Davis. Let me ask you something on RFID \ntechnology, radiofrequency. RFID technology is being \nimplemented by DOD for tracking supplies. It is being \nimplemented by the State Department for immigration documents \nand passports. Other agencies may choose to use the technology \nto control access to physical and logical assets to comply with \nHomeland Security Presidential Directive 12. 
A May 2005 GAO \nreport on the Federal Government's use of RFID highlighted \nFISMA security practices in the context of security concerns \nwith RFID technologies.\n    What agencies within the Federal Government are using RFID \ntechnologies for applications that involve sensitive personal \ninformation?\n    Ms. Evans. You have mentioned the State Department, \nDepartment of Defense, DHS. What we would like to do is go back \nand look more completely at each of the agencies to see what \ntheir plans are as it relates to the deployment of RFID beyond \nwhat we already have planned.\n    Chairman Tom Davis. Do you think there is a need for a \nnational standard for maintaining the security and privacy of \npersonal information collected using RFID technology?\n    Ms. Evans. We believe that if you currently implement the \nsecurity policies and practices that are in place, if you \nimplement them adequately, those practices and policies would \nbe able to protect the information regardless of the \ntechnology, whether it was RFID or any other new emerging \ntechnology that would come out.\n    Chairman Tom Davis. So how do you fine-tune FISMA regarding \nthe use of RFID technology given its increased adoption by \nFederal agencies that are required to meet FISMA standards?\n    Ms. Evans. Well, I would recommend at this point that FISMA \nis about good security practices. It is about managing the risk \nassociated with your security program and your information \ntechnology and assets. And it is really not specifically about \ntechnologies but about our ability to manage those technologies \nas we implement them.\n    So in conjunction with working with NIST and having NIST \nissue policies, guidelines, the standards that they do, I think \nFISMA is adequate the way that it is, and it is up to us and \nthen the agencies to manage that risk as new technologies come \nout.\n    Chairman Tom Davis. OK. Mr. 
Wilshusen, let me just ask, it \nseems that when we look over the grades, the largest agencies \nor those agencies with diverse missions seem to be at the \nbottom of the grading while the smaller of the major agencies \nor those with single, well-defined missions seem to improve \ntheir grades. How do you think the diverse mission and size \nplay into the issue of information security?\n    Mr. Wilshusen. Well, I think certainly that size and the \ncomplexity of the organization influences the way an \norganization organizes, manages, and secures its information \ntechnologies. Large Federal departments have multiple, \nsometimes semi-autonomous operating bureaus and divisions that \nmay have separate missions, business processes, cultures, and \ntechnologies that support those processes.\n    However, at some level those technologies interconnect with \nother systems and networks with other bureaus, and \nconsequently, there might be vulnerabilities in one particular \nagency or bureau that has an impact on others. Thus, there is \nreally a need for strong security management over that area. \nHowever, because these bureaus may be somewhat semi-autonomous \nand have separate funding, they may not necessarily be \nconducive to implementing or ceding some of their authority for \nsecuring these systems.\n    It is going to take--and the departments might have a more \nchallenging role in trying to create and develop and implement \nan agency-wide information security program. It is going to \nrequire that agency top management and the management of the \ndifferent bureaus be held accountable and support and be \ncommitted to implementing an agency-wide information security \nprogram.\n    Chairman Tom Davis. I think there is a perception in some \ncircles, it seems to me, that FISMA is largely a paperwork \nexercise. What is your reaction to that?\n    Mr. Wilshusen. 
FISMA is designed to be a comprehensive \nframework for ensuring the effectiveness of information \nsecurity controls over the information resources that support \nFederal operations and assets. It requires Federal agencies to \ndevelop, document, and implement an agency-wide information \nsecurity program that contains various elements. Each of these \nelements is based on best industry practices. These include \nassessing the risk, developing risk-based policies and \nprocedures that cost-effectively reduce those risks to an \nacceptable level. It also requires that agencies provide the \ntraining to their employees and contractors to inform them of \nwhat these risks are and their responsibilities for practicing \nand implementing strong security throughout the organizations.\n    It also requires that agencies test and evaluate the \neffectiveness of their controls over their systems on a \nperiodic basis, and if there are problems, if there are \nweaknesses, to take corrective actions.\n    These are just basic information security principles and \npractices that should be implemented. If agencies are reducing \nFISMA implementation to a paperwork exercise, then they are not \ngoing to enjoy the benefits offered by implementing them.\n    Chairman Tom Davis. Can you think of any incentives or \npenalties that should be added to improve the agency scorecard \nratings?\n    Mr. Wilshusen. One might be looking at the funding. I \nbelieve at one point in time there was discussion on whether \nagencies, you know, should be looking at the funding, should \nthey be adjusted, should--for agencies that do well versus \nthose that do not.\n    Chairman Tom Davis. How about the----\n    Mr. Wilshusen. But that is a double-edged sword.\n    Chairman Tom Davis. Of course it is. You are taking money \nfrom the people who need it the most.\n    Ms. Evans, do you have any thought on that?\n    Ms. Evans. 
When we do the analysis for the President's \nbudget every year, one of the key priorities is the cyber \nsecurity program of each of the agencies. So we do continue to \nput a priority on that and make sure that agencies that don't \nhave a good security program, that the priority for the funding \ngoing forward is spent on that first and that--and we have \nbroken out the budget this year when we submitted the 2007 \nbudget, broke out and showed the relationship of their overall \nIT budget to the percentage that they spend on IT security as \nwell, and continue to put the priority on that.\n    The thought from the administration is that you should not \nlayer new things on top of bad things. And so you need to fix \nthe cyber security aspects of that based on all the issues that \nyou brought up already today about implementing new \ntechnologies and those types of things.\n    So the incentive is the more efficient you are at getting \nit done, not just generating the paperwork but really fixing \nthe security and mitigating the risk, then you can move forward \nand use the funds that you had planned to use for those new \nactivities within your agency or department.\n    Chairman Tom Davis. And you think the budget reflects that \nto some extent, is what you are saying?\n    Ms. Evans. Yes, sir. Yes, sir.\n    Chairman Tom Davis. Ms. Watson.\n    Ms. Watson. I missed most of the testimony. I want to thank \nthe chair for having this hearing. But what stands in our way \nfrom preventing the hacking and the taking of information and \nputting illegal information into the process in our computers? \nWhat stands in our way from stopping that?\n    Mr. Wilshusen. One is making sure that the agencies have \nfully implemented an information security program within that \nparticular agency.\n    Ms. Watson. Why haven't they?\n    Mr. Wilshusen. Well, that is a good question and that is \none that we constantly seek the answer to. 
In our reviews we \nlook, when we conduct an information security audit at the \nFederal agencies, we look at the type of controls that they \nhave in place, the effectiveness of those controls, and we have \noften found that numerous vulnerabilities exist within their \naccess controls that are designed to prevent, limit, and detect \naccess to their information resources. We also find other types \nof general controls related to their physical security over \ntheir computing resources that also could lead to the \nunauthorized disclosure, deletion, alteration of sensitive \ninformation. And these types of weaknesses have been identified \nat numerous agencies that we have done audits at.\n    Ms. Watson. Well, is it that we don't have the technology \nknowledge to do something? I mean, I know you are auditing, you \nare looking. Is it lack of technology knowledge? Is it lack of \nsetting a priority? Is it lack of the funding? Did you--where \nwould you put your finger, if we were to correct this and do it \nin a hurry? Because I flip on CNN or I flip on one of the \nmorning programs and I find that in our Federal computers \npeople have pornography, etc. How does that happen?\n    Mr. Wilshusen. Well, certainly there are technical controls \nthat need to be improved and in place to help protect that from \nhappening. But first and foremost, we see information security \nas a management issue and that it receives sufficient attention \nand implementation throughout the organization, from top-level \nmanagement through all layers of the organization, because each \nand every person has responsibility for information security. 
\nBut in terms of the management, we do look at various different \naspects in terms of is the organization assessing the risk \naccordingly for the type of information that it collects and \nprocesses and maintains; are they developing those policies and \ncontrols that are needed to protect that information?\n    And what we often find is, yes, they do that to an extent, \nand they may develop policies and procedures that are designed, \nat least, to protect the information and implement strong \ncontrols, but a lot of times they are not implementing it. And \nthis often occurs even though at the department level they \nmight have strong policies----\n    Ms. Watson. Well, let me just stop you there. Does it go to \nincompetence? You know, I am reading here, each agency is also \nrequired to do an annual independent evaluation--let's say of \ninformation security. Why would it not be done? And why could \nthey not address it?\n    You know, we are the policymakers here. You are in front of \nthis committee. Maybe you can give us some idea of what our \nnext piece of legislation needs to be.\n    Mr. Wilshusen. I would like to answer the first question \nyou had there first.\n    Ms. Watson. OK.\n    Mr. Wilshusen. Certainly one of the reasons why there \ncontinue to be information security weaknesses at the \norganizations that we audit is that it is a complex and \nchallenging job. Many of these computing environments, \nparticularly at the larger agencies, have highly complex \ndistributive information systems and networks that are, because \nof their interconnectivity, vulnerabilities that exist on one \nserver can affect an entire network. And some of these agencies \nhave thousands of servers. And so it is a very dynamic \nenvironment in which new applications, new servers, new \ntechnologies are being implemented. 
And if the agencies are not \neffectively assessing their risk and monitoring the \nimplementation of these technologies on a regular basis, \nvulnerabilities crop up. And that is how hackers, that is how \nindividuals within the organization can exploit those \nvulnerabilities for either personal or--gain.\n    Ms. Watson. I heard the key words: effectively assessing.\n    Mr. Wilshusen. Yes.\n    Ms. Watson. And, you know, we ought to be looking at \nsystems before we contract and bring them in to see if they \nwould fit in. Otherwise--you know, we need to plan and we need \nto assess and evaluate that plan, and we need to have a report. \nI think that is a requirement. And certainly, you know, new \ntechnology adds to the complexities of these systems, but we \nhave to have an overall plan, a master plan.\n    Mr. Wilshusen. Right. And that is one of the benefits of \nFISMA, of what it provides, is that it requires that agencies \nimplement an agency-wide information security program, and that \nincludes addressing security throughout the entire life cycle \nof any new technologies or its applications or systems that are \nbeing introduced into the department.\n    Ms. Watson. Thank you very much. Appreciate it.\n    Chairman Tom Davis. Mr. Clay.\n    Mr. Clay. Thank you, Mr. Chairman.\n    For Mr. Wilshusen, GAO recently completed a draft report \nfor me on the impact the National Information Assurance \nPartnership program is having on information security within \nclassified programs. Can you speak to the merits of extending \nNIAP product validation out to those agencies in the non-\nnational security community?\n    Mr. Wilshusen. Sure. All these results are--as you \nmentioned, we do have a draft report out. It is presently out \nfor comment with the DOD and the agencies. We have not yet \nreceived their comment. 
We anticipate issuing that report later \nthis month in final.\n    But let me just at least talk about the observations that \nwe have identified so far with that program. We identified that \nthe NIAP program does indeed provide and offer some benefits. \nOne, it provides another set of eyes and ears to look and test \nthe security features of information security or systems \nproducts that an agency is considering procuring. It also, \nthrough the evaluation process, has identified and uncovered \nflaws within those products. And what we have found and based \non our interviews with vendors, the participants in the \nprogram, is that the vendor is often correct in those flaws \nthat are identified.\n    And another benefit is that, after going through these \nprocesses, some of the vendors decided that they--actually \nchanged their development processes to accommodate the new \nstrength and to mitigate any weaknesses that were identified as \ntheir products were evaluated.\n    But at the same time, there are still a number of \nchallenges associated with that program. These also include \nthat, for one, the product is not evaluated against a set of \nparticular requirements. It is more looked at the--it is \nevaluated based on the procedures that are used to develop the \nproduct. Another vulnerability is--or I should say another \nchallenge deals with the cost and time that is involved in \nprocessing and evaluating these products. We have found that \nvendors thought it was too costly and took a long period of \ntime to do so.\n    Some of the agencies felt that they did not have a really \nfull population or a pool of evaluated products to choose from. \nSometimes, because of the length of the evaluation process, new \nversions of the product under evaluation were being issued, so \nthey couldn't necessarily get the latest and greatest version \nof the product.\n    So there are a couple of challenges associated with that \nprogram.\n    Mr. Clay. 
On finding the weaknesses and coming back and \ncorrecting it, who gets the bill for that? Do the vendors eat \nthe cost, or do the taxpayers pay the cost?\n    Mr. Wilshusen. I don't know if I can answer that. It is up \nto the vendors. It depends on, I guess, the contractual \nrequirements, but it is up to the vendors to take the \ncorrective actions on that. Whether they subsequently pass the \ncosts along to the procurers of the product, I can't answer \nthat.\n    Mr. Clay. Thank you. Thank you for your response.\n    Ms. Evans, perhaps you may be able to shed some light on \nthat. But let me ask you, you know, the number of annual risk \nassessments conducted last year declined when compared to \nfiscal year 2004 even though the number of systems online \nincreased by nearly 20 percent. DHS--first, what were the \nfactors contributing to this problem at first? Talk to me about \nDHS, which once again--well, go ahead.\n    Ms. Evans. Well, as you stated, the risk assessments did go \ndown, but we did get an increase in the number of systems that \nare out there. However, this is also the first year where we \ndid ask the agencies to also assess the systems that they had \nbased on impact, like high, medium, and low impact of those \nsystems. And the agencies did focus their risk assessments on \nthe high-impact systems. And 88 percent of those, I believe, \nwere the ones where the risk assessments going forward on that.\n    So we did ask them to make sure that their priority was \ndone the high-impact systems as they were doing the risk \nassessments, going through and doing the certifications and \naccreditations, because that is one piece of the certification \nand accreditation that the agencies do.\n    Mr. Clay. OK, let me stop you there since----\n    Ms. Evans. Sure.\n    Mr. Clay. Real quickly, give me your impression of \nineptitude at DHS in this whole arena. 
Talk to me about that, \nas far as them being the coordinator of key information-sharing \nresponsibilities, or a legacy system, are the 22 agencies \nproving to be too difficult to bring into compliance, or are \nthere other factors?\n    Ms. Evans. Well, DHS is a challenging environment. By \nbringing all the departments and agencies together there, this \nreally does exemplify the complexity of an environment of a \nlarge department that would have to be managed to make sure \nthat you have a good program in place. So what DHS is doing is \nmoving forward trying to bring all that management in place to \nensure that they have a good cyber security program and that \nthey can move forward and protect that information and those \nassets.\n    It does take some time to really be able to demonstrate \nthat progress. And I would say that the things that DHS is \ndoing we may not necessarily see in all the metrics as we \nmeasure them in FISMA. But you have brought up that the \nindependent audit is also an essential piece so that they can \nfeed back the results of that from their IG into their \nprogramming, to make sure that they are improving that as they \ngo forward.\n    Mr. Clay. Yes. Thank you, but it sounds as though you are \ndefending the incompetence of DHS. Thank you.\n    Chairman Tom Davis. Anything else you want to add?\n    We will dismiss this panel, take a 2 minute recess, and we \nwill come to the next one.\n    Thank you all very much.\n    [Recess.]\n    Chairman Tom Davis. Thank you all for your patience.\n    We are going to now recognize our second distinguished \npanel. We have Mr. Thomas P. Hughes, Chief Information Officer, \nU.S. Social Security Administration; we have Mr. Thomas \nWiesner, the Deputy Chief Information Officer, U.S. Department \nof Labor; Mr. Robert Lentz, Information Assurance Director at \nthe U.S. Department of Defense; and Mr. Scott Charbo, the Chief \nInformation Officer at the U.S. 
Department of Homeland \nSecurity.\n    It is our policy we swear you in before your testimony, so \nif you would just rise and raise your right hands.\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you very much.\n    Well, you know our rules. We try to hold to 5 minutes. Your \nentire statement is in the record. We very much appreciate your \nbeing with us today. I apologize for the delay with the floor \nvotes, but I think we will be able to move ahead fairly \nexpeditiously here, uninterrupted.\n    Mr. Hughes, we will start with you and we will work \nstraight on down the line. Thank you again for being with us.\n\nSTATEMENTS OF THOMAS P. HUGHES, CHIEF INFORMATION OFFICER, U.S. \n SOCIAL SECURITY ADMINISTRATION; THOMAS WIESNER, DEPUTY CHIEF \nINFORMATION OFFICER, U.S. DEPARTMENT OF LABOR; ROBERT F. LENTZ, \n DIRECTOR, INFORMATION ASSURANCE; U.S. DEPARTMENT OF DEFENSE; \nAND SCOTT CHARBO, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF \n                       HOMELAND SECURITY\n\n                   STATEMENT OF THOMAS HUGHES\n\n    Mr. Hughes. Chairman Davis and members of the committee, \nthank you for inviting me here today to discuss information \nsecurity at the Social Security Administration. As Chief \nInformation Officer for the agency, I appreciate the \nopportunity to discuss our implementation of FISMA, the Federal \nInformation Security Management Act of 2002, and our agency's \naccomplishments in securing and protecting the information in \nthe records we maintain.\n    SSA has always recognized the importance of protecting the \nsecurity and privacy of the people we serve and ensuring the \nintegrity and accuracy of the records we maintain. The Social \nSecurity Board's first regulation, published in 1937, dealt \nwith confidentiality of records. For more than 70 years we have \nhonored our commitment to the American people to maintain the \nconfidentiality of these records. 
This longstanding emphasis on \nprivacy has led to a strong commitment in information security.\n    While we have always safeguarded our records, we also work \ncontinuously to ensure that our information technology programs \nremain responsive to evolving conditions, and we use a variety \nof proactive security measures, plus independent testing and \nevaluation security controls, to protect these records. We take \nan agency-wide approach to information technology security at \nSSA. SSA's deputy commissioners, along with the CIO, are \naccountable for the certification of our major IT systems and \nhelp to ensure that our IT assets are adequately secured.\n    Here are some of the major highlights of our FISMA 2005 \nreport: All 20 of SSA's major IT systems were certified and \naccredited.\n    SSA had incorporated National Institute of Standards and \nTechnology security controls into our System Development Life \nCycle process.\n    SSA provided IT security awareness to all of our employees, \nincluding contractors, and gave specialized in-depth training \nfor those with significant IT security responsibilities.\n    The Office of Inspector General's independent evaluation of \nour information security program for 2005 confirmed that SSA's \nremediation, certification and accreditation, and inventory \nprocesses are sound. The OIG made a number of recommendations \nfor improvement that we are implementing.\n    For instance, first, we developed security documents for \nevery enterprise architecture platform in the agency and \nexpanded this initiative into the data base environment as \nwell. In addition, we implemented a monitoring program for each \nsystem configuration standard and risk model.\n    Second, we agreed with the IG recommendation that SSA \nshould regularly update our continuity of operations plan \n[COOP], with a disaster recovery plan. 
SSA also has and will \nparticipate in disaster recovery exercises, which help validate \nkey elements of our COOP.\n    Finally, to respond to the recommendation regarding \nimproving how we monitor contract security awareness training, \nwe are implementing a process where all contractors with \nsystems access will complete a security awareness training \nmodule that will allow us to monitor the process.\n    You asked us to describe the way SSA identifies and tracks \ninformation technology security weaknesses. The answer is that \nSSA is using an automated software tool that allows us to \nfollow corrective security actions all the way to completion. \nIn addition, the system generates detailed reports which then \nallow management to better evaluate the security status of \ntheir systems.\n    You also asked about guidance--resources and/or procedures \nagencies need to comply with FISMA. I believe that agencies \nneed to constantly challenge the traditional status quo if we \nare to maintain and enhance our security procedures and comply \nwith FISMA. This is critical in any security environment, but \nparticularly important in today's challenging information \nenvironment.\n    While we are proud of our accomplishments, Commissioner \nBarnhart and all of us at SSA recognize that we must be \nvigilant in every way to assure that the personal information \nSSA collects remains secure, the taxpayer dollars are \nprotected, and that public confidence in the Social Security \nsystem is maintained.\n    Mr. Chairman, thank you for the opportunity to speak before \nthis committee. I will be pleased to answer any questions.\n    [The prepared statement of Mr. 
Hughes follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.042 through T7511.048\n    \n    Chairman Tom Davis. Mr. Hughes, thank you.\n    Mr. Wiesner, thanks for being with us.\n\n                  STATEMENT OF THOMAS WIESNER\n\n    Mr. Wiesner. Good afternoon, Chairman Davis and members of \nthe committee. Thank you for inviting me here today to discuss \nthe Department of Labor's implementation of the Federal \nInformation Security Management Act and the lessons learned \nover the past several years.\n    Today I will first speak on the challenges the Department \nhas faced over the last few years in implementing its computer \nsecurity program. I will then expand on the current status of \nour program and highlight many of the significant improvements. \nLast, I will provide a snapshot of opportunities for \nimprovement and Labor's strategy to address those areas.\n    Labor's organizational components, including the Office of \nthe CIO, had different viewpoints on FISMA compliance. \nAdditionally, we were an organization of distinct agencies that \nin many cases operated independently and accomplished \nindividual goals through various IT solutions. Labor agencies, \nthe OIG, and the Office of the CIO were all focused on \ndifferent and sometimes conflicting priorities. We had to \nchange this culture, including attention to IT security as a \nkey part of everyday business. 
Under the CIO's direction, the \nDepartment arrived at a consensus and we have moved forward to \nensure our compliance with FISMA.\n    To that end, the following actions were carried out: In \n2001, a security manager was hired and placed in the Office of \nthe CIO to manage the Department-wide security program.\n    In 2002, our IT security policies and procedures were \nupdated to incorporate current OMB and NIST guidance.\n    In 2003, the Department established a Technical Review \nBoard IT Committee subcommittee comprised of agency security \nmanagers. This board serves as the Department's first tier of \ninvestment review for major IT investments and as a forum to \nidentify and resolve Department-wide IT-related issues, \nincluding computer security.\n    In 2003, Secretary Elaine Chao institutionalized a culture \nof policy and strong computer security under a Secretary's \norder issued in May 2003. This order outlines the roles and \nresponsibilities for managing information technology at the \nDepartment, to include IT security responsibilities.\n    In 2003, the Department developed an eGovernment Strategic \nPlan that ties IT security to the Department's mission.\n    In 2005, the Department updated its IT Strategic Plan, \nwhere IT security goals and direction were incorporated.\n    At Labor our computer security program has progressed from \na grade of F in 2001 to a B- in 2004. Additionally, our \ncomputer security program was a significant contributor to the \nDepartment's achieving and maintaining a ``Green'' rating on \nExpanded Electronic Government on the President's management \nagenda scorecard.\n    The successes we have achieved to date can be attributed to \nstrong oversight of Department-wide security issues, \ncooperation at the IT senior management level, and continuous \ncollaboration through Department-wide reviews. 
The efforts of \nthe Labor IT Security Subcommittee result in sound security \npractices that enable consistent FISMA reporting from the CIO \nand the OIG. This is attributed to the following successes: A \nfully integrated computer security program with capital \nplanning and enterprise architecture programs. A revised system \ndevelopment life cycle management manual to include security \nrequirements at each phase. An OIG-approved plan of action and \nmilestones program since 2003. Quarterly capital planning \nprogram reviews that ensure adequate IT security expenditures \nand semiannual eGovernment reviews of all DOL agencies modeled \non the PMA scorecard and FISMA performance metrics.\n    Correspondingly, the Department has maintained a \ncomprehensive Certification and Accreditation program, \nachieving authority to operate for 100 percent of our major \ninformation systems, up from 97 percent in fiscal year 2004.\n    Despite this progress in securing our IT systems at DOL, we \nrecognize that security is a constant challenge and a task that \ncan never be considered complete. We have identified three \nareas for strengthening our computer security program: general \nand application security controls, patch management, and IT \nsecurity manager skill competencies.\n    The Department has developed a comprehensive work plan to \naddress these issues, to include the implementation of NIST \n800-53 and a Certified Information Systems Security \nProfessional training program and certification exam for DOL \nsecurity managers.\n    In conclusion, computer security is a core element of our \nbusiness and culture at the Department of Labor. Secretary \nChao, Deputy Secretary Law, agency senior management, and the \ndedicated DOL IT professionals are committed to the \nDepartment's computer security program. 
As we face the \nevolution of FISMA compliance, we will strive to maintain a \nbalance of FISMA reporting requirements and the implementation \nof sound security practices.\n    Mr. Chairman, thank you for the opportunity to provide this \nbrief outline. I would be happy to answer any questions. Thank \nyou.\n    [The prepared statement of Mr. Wiesner follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.049 through T7511.052\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Lentz.\n\n                   STATEMENT OF ROBERT LENTZ\n\n    Mr. Lentz. Good afternoon, Mr. Chairman and members of the \ncommittee. As Chief Information Assurance Officer for the \nDepartment of Defense, I appreciate this opportunity to \nhighlight the posture of information security within the \nDepartment.\n    The Department leadership is fully engaged in the security \nefforts in support of FISMA. Secretary Rumsfeld considers \ninformation technology a critical strategic component in \ntransforming America's armed forces for the 21st century \nwarfare. Our recently completed Quadrennial Defense Review \nstresses networks and information security as key areas of \nfocus.\n    Collaboration between the CIO and the war-fighting \ncommunity is absolutely critical. The protection of the network \nis everybody's business. This can't be overstated. We take \nspecific actions to train, license, qualify, and certify pilots \nand weapons systems. We must consider no less a standard for \nthe operation, security, integrity of our information systems.\n    The DOD IA strategic plan has for 3 years been an \ninstitutional component driving strategic objectives for \nimproving our security posture. It also enables FISMA \ncompliance. The Department of Defense uses FISMA as a critical \nmanagement and assessment tool. 
We continue to enhance our \nFISMA efforts.\n    The Department reviewed over 3,500 systems this past year, \nan increase of more than 1,000 systems from 2004. The \nDepartment increased its Authority to Operate rate from 58 \npercent in 2004 to 82 percent in 2005. In addition, our Total \nAccreditation rate was at 93 percent.\n    Last year, more than 2 million of the approximate 2.6 \nmillion DOD personnel who had access to DOD networks received \nIA security awareness training. This training was accomplished \neven while large numbers of servicemembers were deployed \nto combat theaters. In addition, more than 67,000 individuals \nwith significant security responsibilities received specialized \nsecurity training.\n    I have identified in the full written testimony many \ninitiatives that DOD has undertaken to improve its Information \nSecurity Department. Let me highlight a few others.\n    The Department is aggressively pursuing an enterprise \narchitecture and prioritized enterprise solutions through \ncentralized funding.\n    The Department has comprehensive policies and process for \nsystem configurations, a very important area. One example is \nthe distribution by the Air Force of Microsoft software with \nstandard security configuration resulting in improved network \nsecurity and management.\n    Departmental components are accelerating the use of public \nkey infrastructure, from network access and secure log-on, \nconsistent with HSPD-12. 
Over 3 million personnel are outfitted \nwith common access cards, enabling PKI capabilities throughout \nthe Department.\n    In 2005, the DOD published a comprehensive IA Workforce \nImprovement program, launching an aggressive effort to certify \nnearly 80,000 core network professionals.\n    As to identified security weaknesses in this year's FISMA \nreport, we are pleased to advise you of the following remedies: \nConsidering the dynamic operational environment of DOD and the \nsheer number of systems deployed across the enterprise, we have \nmade significant progress in the area of inventory of our IT \nsystems. We believe that our inventory of major information \nsystems is under control.\n    Regarding the challenges of instituting a process for \nmanaging plans of actions and milestones, the Department has a \nPO&M process that was improved in 2005 from lessons learned and \nfrom IG audits. We continue to improve that process by making \nthis year's guidance more detailed and integrated into our C&A \nguidance as well.\n    We are also developing an automated standardized capability \nthat will add greater visibility to PO&Ms.\n    We believe the Department certification and accreditation \nprocess is very solid and getting better. FISMA delegates \nauthority to the Secretary of Defense to develop security \npolicy and guidelines for all of its information systems. The \nDOD C&A process is consistent with NIST guidelines but designed \nto address classified national security systems and factor in \nunique operational challenges.\n    In the area of training in 2005, the DOD components \nreported a total of 79,000 employees with significant IT \nsecurity responsibilities. In such a large, dynamic, and \nchanging organization that number will always be in a state of \nflux.\n    In conclusion, the Department of Defense is committed to a \nstrong and comprehensive security program. 
Our commitment to \nimprove our FISMA compliance is an essential element of the \nDepartment's information security strategy.\n    Again, I thank you for the opportunity to comment on this \nimportant topic.\n    [The prepared statement of Mr. Lentz follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.053 through T7511.068\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Charbo.\n\n                   STATEMENT OF SCOTT CHARBO\n\n    Mr. Charbo. Thank you, Mr. Chairman and committee members. \nMy remarks will cover the current status of the Department's \nimplementation of FISMA.\n    The mission of the Department of Homeland Security's \ninformation security program is to provide the Department with \na secure and trusted computing environment that enables the \nDepartment to leverage information technology and effectively \nand securely share information in support of its many and \nvaried missions. Statutory compliance is a top priority, and \nthe Department's information security program is structured \naround compliance with FISMA as well as OMB in this guidance.\n    In 2003 and 2004, the Department laid the necessary \nfoundation of effective security policies and architecture \nguidance. 
Policies are now codified in a dedicated management \ndirective and a systems security architecture is fully \nintegrated with the Department's architecture.\n    Security policies and architectures are both updated on a \nregular basis and compliance is enforced through the use of \nseveral mandatory security management tools that are now in use \nthroughout the Department. Building on those efforts, the \nDepartment completed three major information security \ninitiatives in 2005.\n    First, a comprehensive systems and applications inventory \nwas completed in August 2005. The inventory is based on a \ndetailed methodology for identifying systems and applications \nusing standard Federal definitions. This inventory now provides \nclear accreditation boundaries for each and every operational \nIT system and assigns responsibilities for those controls to \nspecific individuals, thereby providing a baseline for \nmeasuring security compliance.\n    To ensure the inventory remains accurate, annual inventory \nreviews will continue each year, with a near-term focus on 2006 \nof linking the inventory to the Department's capital planning \nand investment control processes, thus allowing the Department \nto better integrate effective security controls at the \nbeginning of a system's life cycle.\n    In the Department's fiscal year 2005 FISMA report, the \nInspector General acknowledged for the first time the \ncompleteness and accuracy of our FISMA inventory.\n    Second, an enterprise certification and accreditation tool \nwas successfully fielded in April 2005, and that is now fully \nintegrated with a FISMA management tool fielded in 2004.\n    Third, a comprehensive and repeatable set of information \nsecurity metrics significantly improved system owner \naccountability. These metrics now measure and inform progress \nin completing the accreditation of all operational systems. 
\nMonthly information security scorecards provide detailed status \nupdates to Department leadership, and these scorecards are \nhighly successful in improving the accountability of system \nowners.\n    These three initiatives build on earlier milestones and \nhave now paved the way for real, measurable cyber security \nimprovements. The Department implemented an aggressive \nremediation project for 2006 with a goal of 100 percent \nremediation by the end of this year. Originally announced by \nSecretary Chertoff in his keynote address at the Department's \nannual Security Conference last August, the project moved into \nfull swing in October 2005 and the Department is on its way to \nfull remediation.\n    The Department's FISMA inventory currently includes \napproximately 700 systems, and prior to the initiation of the \nremediation project, the number of fully accredited systems was \nonly 26 percent. By the end of February of this year, over 60 \npercent of those systems are now fully accredited. In just 5 \nmonths, the Department has more than doubled the number of \naccredited systems and it is on track to make the goal of full \nremediation by the end of the year. It is clear the project is \npositively affecting the security culture of the Department, \nand recent upward trends in remediation metrics support the \nview.\n    The Department must also ensure those systems and \napplications are connected across a secure enterprise backbone \nproviding shared IT services. To accomplish this goal, an \naggressive infrastructure transformation program called One Net \nwas initiated for 2006 to bring all legacy information \ntechnology infrastructures under a single enterprise. 
Benefits \nof One Net include network optimization and improved quality of \nservice, both of which will significantly enhance information \nsharing initiatives.\n    Planning for One Net began with a comprehensive security \nframework that is consistent with the detailed systems security \narchitecture of the Department.\n    As part of the One Net effort, the Department is also \nfielding its first enterprise-wide network operations and \nsecurity center. The center is responsible for managing the \nDepartment's shared IT enterprise environment in real time, \nincluding the discovery and remediation of security incidents \nas they occur, and represents a significant improvement to our \noverall security posture.\n    I am confident that the DHS information security program is \nmoving in the right direction.\n    Thank you. I look forward to your questions.\n    [The prepared statement of Mr. Charbo follows:]\n    [GRAPHIC] [TIFF OMITTED] T7511.069\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.070\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.071\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.072\n    \n    [GRAPHIC] [TIFF OMITTED] T7511.073\n    \n    Chairman Tom Davis. Thank you, all.\n    Now, looking at the report card, we seem to have a reverse \nbell curve, with agencies settling at either the high end or \nthe low end. For the two over here on my left, or on the right \nhere, what are the major steps your agency took to achieve it? \nYou didn't start off with A's, you worked steadily toward that. \nAnd I would say for DOD and then DHS, what are the major \nchallenges you feel prevent you from progressing? Your plan for \naddressing these challenges you alluded to in your comments, \nwhat would you like to see your partners in this process do to \nhelp you? I am talking about OMB, GAO, and the IG.\n    I will start with you, Mr. Hughes. You traced out the \nthings you did to get your A+ and maintain it.\n    Mr. Hughes. Mr. 
Chairman, members of the committee, really, \nat Social Security there is a strong emphasis on security. It \nhas been there for many years, as I have repeated. And with \nFISMA, I can tell you we take it very seriously. We meet \nregularly, we constructively argue regularly, and we try to \nmake corrections. So you have to make that commitment to keep \nchallenging, as executives, the importance of security and that \nFISMA is a real exercise. And so I don't know if I can say that \nenough from a practical reality. It is not a paper report, it \nis real security that we are trying to constantly be aware of. \nAnd that is what FISMA teaches us.\n    Chairman Tom Davis. Mr. Wiesner.\n    Mr. Wiesner. At the Department of Labor I would have to say \nthere are a few items that have led to our success. One is the \nstrong leadership and management commitment from the \nSecretary's level through all the levels of management, \nincluding assistant secretaries, the various senior IT \nmanagement staff within the Department of Labor. And it starts \nat the top and management supports us 100 percent in ensuring \nthat we protect our departmental assets.\n    The second step we have done over the last few years is \nreally integrate IT security into our IT management processes, \nprocedures, and governance models. We start looking at security \nat the capital planning stage and enterprise architecture, \nduring the systems development life cycle process, the entire \nlife cycle. 
So we put security integrating into every IT \nproject that we undertake and currently the ones that are under \nway.\n    And then the other thing we have worked on really hard is \nto establish a strong relationship with the OIG, recognizing \nthat they have a strong compliance role and they have their \nviews on how they view us as being successful and the things \nthat they discover in their audits and what we should be \nfocusing on, and we establish that relationship and try to form \na partnership so we are heading in the right direction.\n    Chairman Tom Davis. Thank you.\n    Mr. Lentz, let me just ask you, I mean, if you had an A+ \nyou would feel your agency was more secure, wouldn't you?\n    Mr. Lentz. Of course, sir. I think the question you asked \nin your earlier panel, sir, I think goes to the heart of one of \nthe challenges that we have, which, as you said earlier, a very \nlarge and a very diverse, dynamic organization that is deployed \nworldwide and things are changing all the time.\n    I think the discussions that I have had with my peers, \nother chief security officers in the Department as well as \nprivate-sector leaders in this area, I think the point that has \nto be emphasized is that during the FISMA process, the act \ncalls for an assessment, not an audit. An assessment takes into \naccount a lot of factors. In a large organization like the \nDepartment of Defense--or Homeland Security, for that matter--\nyou have a changing environment. 
Where an audit could in fact \npick up one or two systems that may not be accounted for or a \ncertain number of personnel that may be deployed that are \nachieving certain status, you know, I think through that kind \nof dynamic environment, it makes it very difficult to, at some \ntimes, achieve the kind of scores that may be indicative \nthrough an auditive process.\n    I think by working closely with the IG, which is indicated \nby my colleagues, I think that is a very important step in this \nprocess and one that we are continuing to strive for.\n    Chairman Tom Davis. One of the things is, when we got our \nreports on DOD, we got like four different reports. We get the \nArmy, Navy, Air Force. I mean, it kind of made up just the way \nthat your organization is different from a lot of other \nagencies in terms of how this is compiled and so on. I mean, is \nthat an obstacle?\n    Mr. Lentz. I think Secretary Rumsfeld through the QDR \nprocess and our new CIO, Mr. Grimes, wants to remove any type \nof obstacle that may in fact be inferred by that kind of \nservice-oriented environment that we live in. We are very much \nfocused on an enterprise architecture, we are very much focused \non an enterprise CIO governance model. And I think we are \nalready seeing improvements in that area already that I think \nare going to be reflected very much so in next year's report, \nsir.\n    Chairman Tom Davis. OK.\n    Mr. Charbo, I will ask you, I mean, obviously you come from \na--you had a number of dysfunctional agencies you are trying to \nput together. You have had a steep climb over there to begin \nwith. So I concede that to you.\n    Mr. Charbo. Thank you. I think the first thing that we have \ndone--and our numbers, I think, are supporting that we are \nmoving in the right direction right now, in the last 5 months. 
\nWe have been able to move it more than it has moved in the last \ncouple of years.\n    But the first piece that we had our teams accept was where \nwe were was not where we wanted to remain. So we admitted that \nwe weren't in the right posture that we wanted to have moving \nforward in terms of the security of our systems. So we asked \nSecretary Chertoff to lead that charge for us at our annual \nconference and then place that accountability to those system \nowners in the multiple components that we have.\n    We have seen very good response from the Coast Guard and \nCustoms, ICE. Even FEMA has responded well in terms of the \naccountability for securing the systems.\n    Publishing the inventory was a major milestone for us. It \nput that benchmark in the sand. Now we are focused on moving \nthat forward. And I guess I would just say, we use a term \ncalled ``relentless'' in the Department. You will get a lot of \nexcuses on how hard this is to do, but we accept that but we \nstill need to move it forward. And that is what we are focused \non.\n    Chairman Tom Davis. But GAO reported that there was a very \nlow level of security incident reporting in DHS. What is the \nproblem? What is the deterrent here? Do we need to do anything \nto remove those barriers?\n    Mr. Charbo. I think we have rallied that in here in the \nlast 5 months. We have implemented policies, we have done some \ntraining with our systems security professionals that we have \nin the Department, and we have worked through those processes \nto assure that we are getting reporting.\n    The other piece that I think will really improve that is \nhow we are going to be monitoring our systems. We have had \nmultiple wide-area networks. So you have different \nmethodologies of reporting. That is now coming through a core \nNOC-SOC--network operations, security operations center--\nthrough our One Net. 
And they will have a responsibility of \nmoving that to the US-CERT.\n    Chairman Tom Davis. One of the problems you have at DHS is \nyou have taken all these disparate agencies, over 100 and some \n1,000 employees, and put them together, and everybody expects \nimmediate results. This is a work in progress. I mean, this \ntakes years, doesn't it, as a practical matter?\n    Mr. Charbo. We are going to take 1 year to certify the \nsystems. We will move those, a large milestone--as we say in \nour statement, we were at 26 percent that we could document and \nwe are now about 60 percent. And it is on the right curve that \nwe want to move through the end of the year. At that point, we \nwill look at the POAMs that are generated, we will go back into \nthose accreditations and do an IV&V, and we will reassess it. \nIt will be an annual routine that we will follow.\n    Chairman Tom Davis. Let me ask Mr. Hughes and Mr. Wiesner, \nyour agency systems have to connect with State systems that are \nnot covered by FISMA for information sharing purposes. How do \nyou ensure that your information systems are adequately \nprotected under those circumstances?\n    Mr. Hughes. That is a good question. We have agreements \nwith States and different agencies. We have security procedures \nand policies that they have to agree to. We have MOUs of these \nagreements. And we monitor these data exchanges that go between \nthe States and the Federal Government.\n    Chairman Tom Davis. All right.\n    Ms. Watson.\n    Ms. Watson. I want to highly commend Mr. Hughes, U.S. \nSocial Security Administration, and Mr. Wiesner, U.S. \nDepartment of Labor, for the fact that using the criteria that \nthe committee used, the number of points assigned to each \nresponse is proportional to the extent the element has been \nimplemented. You received an A+. 
And you started from probably \nlower grades, but you showed your ability to focus like a laser \nbeam and to make the improvements along the way.\n    Going to Mr. Lentz and Mr. Charbo, U.S. Department of \nDefense defending our country, and U.S. Department of Homeland \nSecurity securing our country, you started in year 2005 with an \nF grade and, at the end of year 2005, you still have an F \ngrade. Can either one of you gentlemen explain to me why? And \nlistening to your reports, it looks like you are just moving \nalong and making progress. But the criteria that the committee \nused was a methodology that was standardized, and you came up, \nstarted with an F, and you are still at an F.\n    Let me know why that is the case. Mr. Lentz, let me start \nwith you.\n    Mr. Lentz. Well, ma'am, I agree that the challenges that we \nhave in this very large organization will sometimes make the \nprocess that we use in terms of assessing our operational \nstatus one that creates the kind of assessments that one has to \nlook very hard at, and that is what our leadership is doing \nevery single day. And we take----\n    Ms. Watson. Let me just stop you. Mr. Lentz, 5 years? Your \nleadership? Five years and you don't improve based on the \nmethodology that is standardized? The way they judged every \nsingle--and I can read off all the departments. Agency for \nInternational Development, A+, starting from much lower grades \nbefore. Department of Labor, A+. Social Security, A+. Office of \nPersonnel Management, A+. Environmental Protection Agency, A+. \nNational Science Foundation, A.\n    What is happening with the two most strategic and sensitive \nagencies? What is it? Is there incompetence? Is there cronyism? \nYou know, I don't feel comfortable with my Department of \nDefense, based on what I see here. I don't feel comfortable \nthat my homeland is secure. And I can take a lesson from \nSeptember 11th. 
The perpetrators were sent--the flight school, \nas I understand, sent them their authority to take flight \nlessons after September 11th. Something went wrong along the \nway.\n    Now, if you had a department, a business that made nails, \nand you put the metal in at the beginning of the process and, \nat the end, the nails came out bent, you would stop the whole \noperation and work backward to find out why those nails are \nbeing bent. What is happening with the Department of Defense \nand Homeland Security that in 5 years, based on the methodology \nused, you show no improvement? You tell us that the report--I \nguess the preceding 5 months will look better, but I am \nwondering what happened in those 5 years. Can you help me \nunderstand this?\n    Mr. Lentz. Well, I think when we look at, when we open up \nour report and look at it gradually--and, as indicated in my \ntestimony, I think we have shown some clear improvements in all \nthe areas that FISMA is asking for. And on top of that----\n    Ms. Watson. As of when? Can you help me?\n    Mr. Lentz. As of starting last year and the year before.\n    Ms. Watson. Well, why is it--maybe the staff is \nincompetent, because they graded you. I did not. The committee \nstaff. And maybe I should ask this of the chair. You know, they \nscore by a point. And I probably need to give this to you. And, \nyou know, if you score within a certain range, they assign you \na certain letter. And the scores were so low with the \nDepartment of Defense and Homeland Security that it resulted in \nan F. Now, maybe the math is all off.\n    I am trying to be fair. I am trying to understand what is \ngoing on with my Department of Defense that you come and you \nask us--you know, we have a supplement on the floor asking us \nfor billions of dollars. And, you know, what are you securing, \nIraq? Department of Homeland Security, what are you securing?\n    You know, and the grade is still coming out F. 
I need to \nunderstand this so when I go back to my 650,000 constituents \nthat pay taxes, and I--I didn't vote for it, and I am not going \nto--I can tell them, yeah, we need to vote for this because our \nDepartment of Defense says they need this so we can win the war \n10,000 miles away. We are not winning the war here. We can't \neven pick up the rubble down in New Orleans.\n    So you have to prove to me that you are doing something \nthat will secure us as a people and secure our country. And I \ndon't see it. So I am asking for you to educate me, to \nenlighten me, so I can go back and tell my constituents why I \nwould vote to use their taxpayer dollars to defend against \nIraq--which apparently is no threat to us here, but certainly a \nthreat to life and limb over there. Give me some information, \nplease, that there is some competence in this organization that \nI can take back to my constituents.\n    Mr. Lentz. In looking at the grading that we have recently \nseen, there were two assessments that were done, one by the CIO \nand one by the IG, in the assessment column. The Department of \nDefense got a score of 85 under the CIO column. And when you \nlook at that holistically and combine that with all the other \nsecurity measures that were undertaken, such as, as the \nchairman indicated earlier, identity protection and management \nusing PKI and other methods that we are, I would say that I \nthink our security posture has significantly improved. But at \nthe same time, I must admit, we always in this very dynamic \nenvironment that we live in, we have to constantly seek for \nbetter improvement in these areas.\n    Ms. Watson. Let me address the chair. From the response I \njust received, is there something wrong with this scoring? \nBecause as I look at the information provided to us on the \nassignment of grades, it says 0 points for a response \nindicating the percentage that falls below an acceptable \nthreshold. 
And they give us an example: 50 percent or less \nknown IT security weaknesses being incorporated in the plan of \naction. That means that you fell below the 50 percent level.\n    Now, if this is the methodology----\n    Chairman Tom Davis. Well, the methodology is very simple. \nThe CIO scores and the IG scores, and when you are in doubt, \nGAO takes the IG score. CIO score is like when you are grading \nyour own paper, to some extent. So in those cases, the GAO, who \nreally gives us the numbers on which we base the grade, goes \nwith the IG score.\n    Ms. Watson. So I still haven't heard adequate response to \nmy concerns. And I just think there is something wrong in the \nprocess. And I would advise the two of you to take the message \nback from me individually that the Department of Defense, the \nDepartment of Homeland Security needs to get about the business \nof improving the process of securing our land and our people. \nFrom what I see, and this is information that the staff gives \nus, I did not do the research and the evaluation and the \nassignment myself. You need to know that. I can only go on the \ninformation that our professional staff gives us.\n    I would hope the two of you, next time you come, not insult \nmy intelligence. Otherwise, I have to question the competence \nof staff. But you can't tell me it is working well and the \nstaff gave you an F, and for the last 5 years it has been F. \nSo take that message back to the Secretaries. And Mr. Chertoff \nhas not returned my call. When I was asking him to stop the \nevictions of 10,000 people, I never got a return call. So he \nwould get an F- from me in terms of being effective just \nanswering a call from a Congress person concerned about \nmaking--so I have no trust that it is going to get any better. \nNow, that is my opinion. I am speaking for myself. And you can \ntake that message back.\n    Thank you, Mr. Chairman, for the time.\n    Chairman Tom Davis. Thank you very much. 
I would leave on \nthat high note here, but I think that I will just ask a couple \nof other questions.\n    We asked the first panel, and I guess in fairness to DHS \nand DOD, do you think there are issues that arise at the larger \nagencies that the smaller ones don't have to contend with? I \nthink that has been--we talked about that in our opening \nstatement and I will give you an opportunity to comment on that \nagain.\n    Mr. Charbo. From DHS's perspective, I think there is a \ncomplexity with dealing with lots of large agencies that we \nhave components that we have. That still doesn't change the \nfact when we looked at our security posture coming into the \nDepartment, where we were was not where we wanted to be in \nterms of our security scores and our FISMA compliance. So we \nhave launched an aggressive project. I see good response coming \nfrom those components even though it is large, it is complex. \nCurrently we have the data. We have good progression moving--I \nsee good response coming from those large components, as \ndifficult as it is.\n    I think the GAO had some good comments in the first panel \ndealing with direct appropriations, and it is difficult to get \nthem to respond. But I would like to have a chance to execute \nour plan this year. And the plan that we had last year isn't \nthe one we are currently working under.\n    Chairman Tom Davis. I mean, you are both large \norganizations but you are very important organizations in terms \nof vulnerability and where someone who has malice aforethought \nmay be looking. So that is why we focus in on you and I think \nthat is why Ms. Watson is just saying to DOD and Homeland \nSecurity these are two agencies that are showing up as more \nvulnerable than other agencies, and obviously we are alarmed. \nBut we understand there is a lot of complexity. 
I know in the \ncase of DHS we have cobbled together these different units and \nyou are as strong as your weakest unit, to some extent, the way \nthis works.\n    Mr. Lentz, would you--I will give you an opportunity to \ncomment.\n    Mr. Lentz. Yes, I completely agree that the complexity of \nthe organization, the dynamics of moving forces--when you \ndeploy ships out to sea, you are changing the network \nconfigurations constantly, you are deploying troops overseas, \nyou are creating new network on the fly in global environments \nand high-risk environments. Clearly in a situation like that, \nit does represent a lot of new challenges and challenges that \nwe take very seriously.\n    Chairman Tom Davis. OK. Anything you would like to add?\n    Mr. Hughes. I would just say that we know our mission, so \nperhaps--we are a large organization, we have 120,000 work \nstations, but our mission is clear in terms of our complexity. \nWe know the way we serve our citizens. So I don't think we have \nabsorbed the complexity of an organization like DHS.\n    Chairman Tom Davis. OK.\n    Mr. Wiesner. I agree also. We have been an organization \naround for many, many years, and perhaps that helps out a \nlittle bit in terms of absorbing a lot of complexity in a \nlarge-scale organization like DHS.\n    Chairman Tom Davis. Well, of course this committee wrote \nFISMA. We don't have all the enforcement mechanisms we like, \nbut you have heard Ms. Evans talk about that is something that \nthey take into account as they are putting their budgets \ntogether. We are trying to coordinate appropriately with the \nAppropriations Committee so it is taken into account as they \nput their budgets together. You can fight the resources \ndepartment within your own agencies. I am not asking you to \ncome here and put you on the spot and saying are you getting \nenough resources with your own agency. But we understand. I \nmean, I understand the issues of this. 
And we are going to \ncontinue to push to give you the resources you need to get the \njob done.\n    I just want to congratulate those of you that have shown \ngreat improvement. And for the others, we will keep trying. I \nknow you have plans to address this. We look forward to seeing \nyou up here again.\n    Thank you very much.\n    [Whereupon, at 1:41 p.m., the committee was adjourned.]\n    [The prepared statement of Hon. Henry A. Waxman and \nadditional information submitted for the hearing record \nfollow:]\n[GRAPHIC] [TIFF OMITTED] T7511.003\n\n[GRAPHIC] [TIFF OMITTED] T7511.004\n\n[GRAPHIC] [TIFF OMITTED] T7511.074\n\n[GRAPHIC] [TIFF OMITTED] T7511.075\n\n[GRAPHIC] [TIFF OMITTED] T7511.076\n\n[GRAPHIC] [TIFF OMITTED] T7511.077\n\n[GRAPHIC] [TIFF OMITTED] T7511.078\n\n[GRAPHIC] [TIFF OMITTED] T7511.079\n\n[GRAPHIC] [TIFF OMITTED] T7511.084\n\n[GRAPHIC] [TIFF OMITTED] T7511.085\n\n[GRAPHIC] [TIFF OMITTED] T7511.086\n\n                                 <all>\n</pre></body></html>\n"