[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]





 NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER 
                          SECURITY SCORECARDS

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 16, 2006

                               __________

                           Serial No. 109-139

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform


                                 _____

                     U.S. GOVERNMENT PRINTING OFFICE
                             WASHINGTON: 2006        
27-511 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001




                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California
DAN BURTON, Indiana                  TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California
CANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California          LINDA T. SANCHEZ, California
JON C. PORTER, Nevada                C.A. DUTCH RUPPERSBERGER, Maryland
KENNY MARCHANT, Texas                BRIAN HIGGINS, New York
LYNN A. WESTMORELAND, Georgia        ELEANOR HOLMES NORTON, District of 
PATRICK T. McHENRY, North Carolina       Columbia
CHARLES W. DENT, Pennsylvania                    ------
VIRGINIA FOXX, North Carolina        BERNARD SANDERS, Vermont 
JEAN SCHMIDT, Ohio                       (Independent)
------ ------

                      David Marin, Staff Director
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel



                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 16, 2006...................................     1
Statement of:
    Hughes, Thomas P., Chief Information Officer, U.S. Social 
      Security Administration; Thomas Wiesner, Deputy Chief 
      Information Officer, U.S. Department of Labor; Robert F. 
      Lentz, Director, Information Assurance, U.S. Department of 
      Defense; and Scott Charbo, Chief Information Officer, U.S. 
      Department of Homeland Security............................    53
        Charbo, Scott............................................    86
        Hughes, Thomas P.........................................    53
        Lentz, Robert F..........................................    68
        Wiesner, Thomas..........................................    62
    Wilshusen, Gregory C., Director, Information Security Issues, 
      U.S. Government Accountability Office; and Karen S. Evans, 
      Administrator, Office of Electronic Government and 
      Information Technology, Office of Management and Budget....     6
        Evans, Karen S...........................................    39
        Wilshusen, Gregory C.....................................     6
Letters, statements, etc., submitted for the record by:
    Charbo, Scott, Chief Information Officer, U.S. Department of 
      Homeland Security, prepared statement of...................    88
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of...................     4
    Evans, Karen S., Administrator, Office of Electronic 
      Government and Information Technology, Office of Management 
      and Budget, prepared statement of..........................    40
    Hughes, Thomas P., Chief Information Officer, U.S. Social 
      Security Administration, prepared statement of.............    55
    Lentz, Robert F., Director, Information Assurance, U.S. 
      Department of Defense, prepared statement of...............    70
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of.................   100
    Wiesner, Thomas, Deputy Chief Information Officer, U.S. 
      Department of Labor, prepared statement of.................    64
    Wilshusen, Gregory C., Director, Information Security Issues, 
      U.S. Government Accountability Office, prepared statement 
      of.........................................................     8




 
 NO COMPUTER SYSTEM LEFT BEHIND: A REVIEW OF THE 2005 FEDERAL COMPUTER 
                          SECURITY SCORECARDS

                              ----------                              


                        THURSDAY, MARCH 16, 2006

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 12:16 p.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis 
(chairman of the committee) presiding.
    Present: Representatives Tom Davis, Platts, Cummings, Clay, 
and Watson.
    Staff present: David Marin, staff director; Keith Ausbrook, 
chief counsel; Chas Phillips, policy counsel; Rob White, press 
secretary; Drew Crockett, deputy director of communication; 
Victoria Proctor, senior professional staff member; Teresa 
Austin, chief clerk; Sarah D'Orsie, deputy clerk; Leneal Scott, 
computer systems manager; Michael McCarthy, minority counsel; 
Earley Green, minority chief clerk; and Jean Gosa, minority 
assistant clerk.
    Chairman Tom Davis. Good afternoon and welcome. The 
committee will come to order.
    Today, the committee is releasing its Federal computer 
security scorecards and will examine the status of agency 
compliance with the Federal Information Security Management Act 
[FISMA].
    Information technology and the Internet drive our economy 
and help the Federal Government to operate with greater 
efficiency and cost savings. E-commerce, information sharing, 
and Internet transactions, such as online tax filings, are so 
common that we take them for granted. Not until an incident 
such as the potential BlackBerry shutdown--which was recently 
settled--are we reminded of our dependence on IT and how 
difficult it is for us to function without it.
    In the past year or so, we have heard stories about 
identity theft, security breaches in large commercial data 
bases, and phishing scams such as those identified by the 
Internal Revenue Service this tax season. We have also seen an 
increase in education and awareness campaigns for online safety 
spearheaded by the private and public sectors. But in my 
experience, when it comes to Federal IT policy and information 
security, it is still difficult to get people--even Members of 
Congress--engaged. For most people this is an abstract, inside-
the-Beltway issue. And FISMA is still viewed by some Federal 
agencies as a paperwork exercise. But these are short-sighted 
observations. As a result of the Government's aggressive push 
to advance e-government, many Government information systems 
hold personal information about citizens and employees, in 
addition to other types of data. Maintaining the integrity, 
privacy, and availability of all information in these systems 
is vital to our national security, continuity of operations, 
and economy.
    Furthermore, in order to successfully fight the war on 
terror, we must be able to move information to the right people 
at the right place at the right time. Information needs to move 
seamlessly, securely, and efficiently within agencies, across 
departments, and across jurisdictions of Government as well.
    Due to the nature of our cyber infrastructure, an attack 
could originate anywhere at any time. We know that Government 
systems are prime targets for hackers, terrorists, hostile 
foreign governments, and identity thieves. Malicious or 
unintended security threats come in varied forms: denial of 
service attacks, malware, worms and viruses, phishing scams, 
and software weaknesses, to just name a few. Any of these 
threats can compromise our information systems. The results can 
be costly, disruptive, and erode public trust in Government.
    One of the best ways to defend against attacks is to have a 
strong, yet flexible, protection policy in place. We want 
agencies to actively protect their systems instead of just 
reacting to the latest threat with patches and other responses. 
FISMA accomplishes this goal by requiring each agency to create 
a comprehensive risk-based approach to agency-wide information 
security management. FISMA strengthens Federal cyber 
preparedness, evaluation, and reporting requirements. It is 
intended to make security management an integral part of an 
agency's operations and to ensure that we are actively using 
best practices to secure our systems and prevent devastating 
damage.
    The committee, with technical assistance from GAO, releases 
annual scorecards based on the FISMA reports submitted to us by 
agency Chief Information Officers and Inspectors General. This 
year, the Federal Government as a whole hardly improved, 
receiving a D+ yet again. Our analysis reveals that the scores 
for the Departments of Defense, Homeland Security, Justice, 
State--the agencies on the front lines in the war on terror--
remained unacceptably low or in some cases dropped 
precipitously. Meanwhile, several agencies improved their 
information security or maintained a consistently high level of 
security from previous years.
    The 2005 FISMA grades indicate that agencies have made 
improvements in developing configuration management plans, 
employee security training, developing and maintaining an 
inventory, certifying and accrediting systems, and annual 
testing. Despite these advances, there are still some areas of 
concern to the committee, including implementation of 
configuration management policies, specialized security 
training for employees with significant security 
responsibilities, inconsistent incident reporting, 
inconsistencies in contingency plan testing, annual testing of 
security controls, and agency responsibility for contractor 
systems.
    At today's hearing, we will evaluate the results of the 
agencies' 2005 FISMA reports, identify strengths and weaknesses 
in Government information security, and learn whether FISMA 
provisions and the OMB guidance are sufficient to help secure 
Government information systems. Witnesses from GAO and OMB will 
help us understand what obstacles impede the Government's 
ability to comply with FISMA. DOD and DHS witnesses will 
discuss the challenges they face in their departments and their 
plans to improve FISMA compliance. We will also hear about best 
practices and lessons learned from the Social Security 
Administration and Department of Labor, two agencies that have 
demonstrated consistent improvements in their information 
security since the scorecard process was initiated in 2001.
    If FISMA was the No Child Left Behind Act, a lot of 
critical agencies would be part of the list of low performers. 
None of us would accept D+ grades on our children's report 
cards. We can't accept these either.
    [The prepared statement of Chairman Tom Davis follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.001
    
    [GRAPHIC] [TIFF OMITTED] T7511.002
    
    Chairman Tom Davis. Are there any other Members who wish to 
make opening statements? If not, I am going to note that 
Members will have 7 days to submit opening statements for the 
record.
    We are going to recognize our first panel of distinguished 
witnesses. We have Mr. Gregory Wilshusen, the Director of 
Information Security Issues for the U.S. Government 
Accountability Office, and the Honorable Karen Evans, the 
Administrator of the Office of E-Government and Information 
Technology at the Office of Management and Budget. You know it 
is our policy we swear you in before your testimony, so if you 
would just rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you. Let me thank you for your 
perseverance on this.
    Mr. Wilshusen, thank you for being with us.

   STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
  SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND 
KAREN S. EVANS, ADMINISTRATOR, OFFICE OF ELECTRONIC GOVERNMENT 
  AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Thank you, Mr. Chairman.
    I am pleased to be here once again to discuss the efforts 
by Federal agencies to implement the requirements of FISMA. For 
many years, we have reported that inadequate information 
security is a widespread problem that could have devastating 
consequences. Since 1997, we have identified information 
security as a government-wide high-risk issue.
    Today, the Federal Government is facing increasingly 
sophisticated and complex threats to its sensitive information 
systems and information. The need for agencies to implement the 
strong information security controls required by FISMA has 
never been greater.
    My testimony is based, in part, on our analysis of the 
fiscal year 2005 FISMA reports by OMB and 24 major Federal 
agencies and their Inspectors General.
    Mr. Chairman, my bottom-line message is that progress made 
by the agencies in implementing FISMA is mixed, at best. 
Agencies have made progress in several areas but have slipped 
in others.
    Today, I will note areas where agencies have made progress 
and those areas where weaknesses remain. In addition, I will 
discuss actions that agencies can take to improve their 
information security controls.
    Before I do, I would like to recognize OMB for taking steps 
to improve the quality of the FISMA reports. For example, OMB 
required agencies to report, for the first time, certain 
performance measures by system risk level. This provides better 
information about whether agencies are prioritizing their 
information security efforts according to system risk.
    Mr. Chairman, agency FISMA reports present a mixed picture 
of FISMA implementation. The agencies generally reported an 
increasing number of systems meeting key security performance 
measures, such as the percentage of systems certified and 
accredited, and the percentage of contingency plans tested.
    Nevertheless, progress was uneven. For example, the 
percentage of agency systems reviewed declined from 96 percent 
in 2004 to 84 percent in 2005, and the percentage of employees 
and contractors receiving security awareness training also 
declined.
    The reports indicated other challenges as well. Only 13 IGs 
reported that their agencies' inventories of major systems were 
substantially complete. A complete inventory is a key element 
of managing the agency's IT resources, including the security 
of those resources. Without complete inventories, the agencies, 
the administration, and the Congress cannot be fully assured of 
the agencies' progress in implementing FISMA.
    Eight IGs also assessed the quality of their agency's 
certification and accreditation processes as ``poor.'' As a 
result, agency-reported performance data may not accurately 
reflect the status of the agency's efforts to implement this 
requirement.
    And 39 percent of Federal systems did not have a tested 
contingency plan. Without a tested plan, increased risk exists 
that agencies will not be able to recover mission-critical 
systems in a timely manner if an interruption occurs.
    Beyond assessing FISMA requirements, our audits of 
information security at Federal agencies have found significant 
weaknesses related to access controls and other information 
security controls that place a broad array of Federal 
operations and assets at risk of misuse and disruption.
    However, agencies can take several actions to fully 
implement their FISMA-mandated programs and improve security 
controls. Such actions include completing and maintaining 
accurate inventories of major systems, prioritizing information 
security efforts based on system risk levels, and strengthening 
controls that are to prevent, limit, and detect access to its 
information and information systems.
    Mr. Chairman, this concludes my statement. I will be happy 
to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.005
    
    [GRAPHIC] [TIFF OMITTED] T7511.006
    
    [GRAPHIC] [TIFF OMITTED] T7511.007
    
    [GRAPHIC] [TIFF OMITTED] T7511.008
    
    [GRAPHIC] [TIFF OMITTED] T7511.009
    
    [GRAPHIC] [TIFF OMITTED] T7511.010
    
    [GRAPHIC] [TIFF OMITTED] T7511.011
    
    [GRAPHIC] [TIFF OMITTED] T7511.012
    
    [GRAPHIC] [TIFF OMITTED] T7511.013
    
    [GRAPHIC] [TIFF OMITTED] T7511.014
    
    [GRAPHIC] [TIFF OMITTED] T7511.015
    
    [GRAPHIC] [TIFF OMITTED] T7511.016
    
    [GRAPHIC] [TIFF OMITTED] T7511.017
    
    [GRAPHIC] [TIFF OMITTED] T7511.018
    
    [GRAPHIC] [TIFF OMITTED] T7511.019
    
    [GRAPHIC] [TIFF OMITTED] T7511.020
    
    [GRAPHIC] [TIFF OMITTED] T7511.021
    
    [GRAPHIC] [TIFF OMITTED] T7511.022
    
    [GRAPHIC] [TIFF OMITTED] T7511.023
    
    [GRAPHIC] [TIFF OMITTED] T7511.024
    
    [GRAPHIC] [TIFF OMITTED] T7511.025
    
    [GRAPHIC] [TIFF OMITTED] T7511.026
    
    [GRAPHIC] [TIFF OMITTED] T7511.027
    
    [GRAPHIC] [TIFF OMITTED] T7511.028
    
    [GRAPHIC] [TIFF OMITTED] T7511.029
    
    [GRAPHIC] [TIFF OMITTED] T7511.030
    
    [GRAPHIC] [TIFF OMITTED] T7511.031
    
    [GRAPHIC] [TIFF OMITTED] T7511.032
    
    [GRAPHIC] [TIFF OMITTED] T7511.033
    
    [GRAPHIC] [TIFF OMITTED] T7511.034
    
    [GRAPHIC] [TIFF OMITTED] T7511.035
    
    Chairman Tom Davis. Thank you.
    Ms. Evans.

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good afternoon, Mr. Chairman. Thank you for 
inviting me to speak about the status of the Federal 
Government's efforts to safeguard our information and our 
systems.
    My comments today will focus on the progress we have made 
in improving the security of the Government's information 
technology as well as our strategy for addressing continuing 
security challenges.
    This is an extremely important issue for the 
administration, and it is equally important to me both 
professionally and personally because some of the government-
wide security performance metrics that we use to evaluate the 
agencies are also included in my personal performance plan.
    On March 1st, OMB issued our third annual report to 
Congress on the implementation of the Federal Information 
Security Management Act [FISMA]. Much of the information I will 
be discussing today is provided in more detail in our report. 
So based on that, sir, I would be happy to answer any questions 
that you may have about the report and the status and what we 
are doing going forward.
    [The prepared statement of Ms. Evans follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.036
    
    [GRAPHIC] [TIFF OMITTED] T7511.037
    
    [GRAPHIC] [TIFF OMITTED] T7511.038
    
    [GRAPHIC] [TIFF OMITTED] T7511.039
    
    [GRAPHIC] [TIFF OMITTED] T7511.040
    
    [GRAPHIC] [TIFF OMITTED] T7511.041
    
    Chairman Tom Davis. Ms. Evans, let me start with you. Do 
you plan to issue new or updated guidance regarding your 
Circular A-130?
    Ms. Evans. We do not plan to issue updated guidance on A-
130 because we believe that it is based on sound principles 
that are already reflected in FISMA. With NIST issuing new 
standards and guidance, we really don't think that we need to 
revise A-130 at this time, but we will continue to review it.
    Chairman Tom Davis. All right. In this year's report, just 
like last year's report, you mentioned that reporting to US-
CERT is sporadic and not complete. What steps are you and US-
CERT taking to ensure that agencies are more compliant in these 
incidents?
    Ms. Evans. In May 2005, we did issue a reporting concept of 
operations out to the agencies, and so what OMB and DHS are 
planning to do is followup specifically with the agencies that 
did not report any incidences to US-CERT to make sure that we 
all are operating from the same understanding so that we can go 
back and double-check that an incident is an incident based on 
this concept of operations that was approved by all the 
agencies as well.
    Chairman Tom Davis. Now, although there has been 
improvement, there are still several agencies that don't have 
complete inventories. These include some of the largest: DOD, 
USDA, Treasury, HHS, and VA.
    You know, without accurate inventories, how can you be sure 
that the agencies are making progress? And while C&As are an 
important component of security, knowing what systems you are 
running is even more essential. Have you emphasized or has OMB 
emphasized to the agencies the necessity of a complete 
inventory? And what challenges have they reported to you in 
trying to create and maintain an accurate inventory?
    Ms. Evans. Yes, sir, we have worked with the agencies, and 
in the places where the agencies haven't had a completed 
inventory based on what the IGs have reported, we are meeting 
specifically with those agencies to be able to address what 
issues are keeping them from meeting the inventory. But, also, 
we have included this in the President's management agenda as 
one of the criteria and that we do assess the agencies on a 
quarterly basis of their progress on performance.
    So once an agency makes green, in order to maintain green 
they have to have a completed inventory.
    Chairman Tom Davis. Thank you. Identity theft continues to 
be a growing problem, especially with the loss of personal and 
sensitive information. Data breach laws at the State level 
which require companies to inform individuals when the 
organization suffers a breach that exposes their personal 
information have improved our understanding of this problem. 
Congress is considering a national data breach notification 
standard. Currently, there is no requirement for Federal 
agencies to notify citizens in case there is a breach. I have a 
few questions along those lines.
    One, do Federal agencies notify citizens when a breach of 
personally identifiable information occurs on Government data 
bases?
    Ms. Evans. In responding to that question, sir, we believe 
the Privacy Act has provisions that address this. But what I 
would like to do is be able to go back and do a more in-depth 
analysis and be able to take this question for the record and 
give you a more thoughtful response about how we should be 
responding to this.
    Chairman Tom Davis. I appreciate that, because that is 
something that comes up time and time again.
    What, if any, guidelines exist to determine if a breach 
requires notification?
    Ms. Evans. Again, sir, I need to go back and further 
research this based on what we have put in place with the 
Privacy Act, and I would like to take this question for the 
record so that I can give you a more thoughtful response.
    Chairman Tom Davis. Let me ask you something on RFID 
technology, radiofrequency. RFID technology is being 
implemented by DOD for tracking supplies. It is being 
implemented by the State Department for immigration documents 
and passports. Other agencies may choose to use the technology 
to control access to physical and logical assets to comply with 
Homeland Security Presidential Directive 12. A May 2005 GAO 
report on the Federal Government's use of RFID highlighted 
FISMA security practices in the context of security concerns 
with RFID technologies.
    What agencies within the Federal Government are using RFID 
technologies for applications that involve sensitive personal 
information?
    Ms. Evans. You have mentioned the State Department, 
Department of Defense, DHS. What we would like to do is go back 
and look more completely at each of the agencies to see what 
their plans are as it relates to the deployment of RFID beyond 
what we already have planned.
    Chairman Tom Davis. Do you think there is a need for a 
national standard for maintaining the security and privacy of 
personal information collected using RFID technology?
    Ms. Evans. We believe that if you currently implement the 
security policies and practices that are in place, if you 
implement them adequately, those practices and policies would 
be able to protect the information regardless of the 
technology, whether it was RFID or any other new emerging 
technology that would come out.
    Chairman Tom Davis. So how do you fine-tune FISMA regarding 
the use of RFID technology given its increased adoption by 
Federal agencies that are required to meet FISMA standards?
    Ms. Evans. Well, I would recommend at this point that FISMA 
is about good security practices. It is about managing the risk 
associated with your security program and your information 
technology and assets. And it is really not specifically about 
technologies but about our ability to manage those technologies 
as we implement them.
    So in conjunction with working with NIST and having NIST 
issue policies, guidelines, the standards that they do, I think 
FISMA is adequate the way that it is, and it is up to us and 
then the agencies to manage that risk as new technologies come 
out.
    Chairman Tom Davis. OK. Mr. Wilshusen, let me just ask, it 
seems that when we look over the grades, the largest agencies 
or those agencies with diverse missions seem to be at the 
bottom of the grading while the smaller of the major agencies 
or those with single, well-defined missions seem to improve 
their grades. How do you think the diverse mission and size 
play into the issue of information security?
    Mr. Wilshusen. Well, I think certainly that size and the 
complexity of the organization influences the way an 
organization organizes, manages, and secures its information 
technologies. Large Federal departments have multiple, 
sometimes semi-autonomous operating bureaus and divisions that 
may have separate missions, business processes, cultures, and 
technologies that support those processes.
    However, at some level those technologies interconnect with 
other systems and networks with other bureaus, and 
consequently, there might be vulnerabilities in one particular 
agency or bureau that has an impact on others. Thus, there is 
really a need for strong security management over that area. 
However, because these bureaus may be somewhat semi-autonomous 
and have separate funding, they may not necessarily be 
conducive to implementing or ceding some of their authority for 
securing these systems.
    It is going to take--and the departments might have a more 
challenging role in trying to create and develop and implement 
an agency-wide information security program. It is going to 
require that agency top management and the management of the 
different bureaus be held accountable and support and be 
committed to implementing an agency-wide information security 
program.
    Chairman Tom Davis. I think there is a perception in some 
circles, it seems to me, that FISMA is largely a paperwork 
exercise. What is your reaction to that?
    Mr. Wilshusen. FISMA is designed to be a comprehensive 
framework for ensuring the effectiveness of information 
security controls over the information resources that support 
Federal operations and assets. It requires Federal agencies to 
develop, document, and implement an agency-wide information 
security program that contains various elements. Each of these 
elements is based on best industry practices. These include 
assessing the risk, developing risk-based policies and 
procedures that cost-effectively reduce those risks to an 
acceptable level. It also requires that agencies provide the 
training to their employees and contractors to inform them of 
what these risks are and their responsibilities for practicing 
and implementing strong security throughout the organizations.
    It also requires that agencies test and evaluate the 
effectiveness of their controls over their systems on a 
periodic basis, and if there are problems, if there are 
weaknesses, to take corrective actions.
    These are just basic information security principles and 
practices that should be implemented. If agencies are reducing 
FISMA implementation to a paperwork exercise, then they are not 
going to enjoy the benefits offered by implementing them.
    Chairman Tom Davis. Can you think of any incentives or 
penalties that should be added to improve the agency scorecard 
ratings?
    Mr. Wilshusen. One might be looking at the funding. I 
believe at one point in time there was discussion on whether 
agencies, you know, should be looking at the funding, should 
they be adjusted, should--for agencies that do well versus 
those that do not.
    Chairman Tom Davis. How about the----
    Mr. Wilshusen. But that is a double-edged sword.
    Chairman Tom Davis. Of course it is. You are taking money 
from the people who need it the most.
    Ms. Evans, do you have any thought on that?
    Ms. Evans. When we do the analysis for the President's 
budget every year, one of the key priorities is the cyber 
security program of each of the agencies. So we do continue to 
put a priority on that and make sure that agencies that don't 
have a good security program, that the priority for the funding 
going forward is spent on that first and that--and we have 
broken out the budget this year when we submitted the 2007 
budget, broke out and showed the relationship of their overall 
IT budget to the percentage that they spend on IT security as 
well, and continue to put the priority on that.
    The thought from the administration is that you should not 
layer new things on top of bad things. And so you need to fix 
the cyber security aspects of that based on all the issues that 
you brought up already today about implementing new 
technologies and those types of things.
    So the incentive is the more efficient you are at getting 
it done, not just generating the paperwork but really fixing 
the security and mitigating the risk, then you can move forward 
and use the funds that you had planned to use for those new 
activities within your agency or department.
    Chairman Tom Davis. And you think the budget reflects that 
to some extent, is what you are saying?
    Ms. Evans. Yes, sir. Yes, sir.
    Chairman Tom Davis. Ms. Watson.
    Ms. Watson. I missed most of the testimony. I want to thank 
the chair for having this hearing. But what stands in our way 
from preventing the hacking and the taking of information and 
putting illegal information into the process in our computers? 
What stands in our way from stopping that?
    Mr. Wilshusen. One is making sure that the agencies have 
fully implemented an information security program within that 
particular agency.
    Ms. Watson. Why haven't they?
    Mr. Wilshusen. Well, that is a good question and that is 
one that we constantly seek the answer to. In our reviews we 
look, when we conduct an information security audit at the 
Federal agencies, we look at the type of controls that they 
have in place, the effectiveness of those controls, and we have 
often found that numerous vulnerabilities exist within their 
access controls that are designed to prevent limit and detect 
access to their information resources. We also find other types 
of general controls related to their physical security over 
their computing resources that also could lead to the 
unauthorized disclosure, deletion, alteration of sensitive 
information. And these types of weaknesses have been identified 
at numerous agencies that we have done audits at.
    Ms. Watson. Well, is it that we don't have the technology 
knowledge to do something? I mean, I know you are auditing, you 
are looking. Is it lack of technology knowledge? Is it lack of 
setting a priority? Is it lack of the funding? Did you--where 
would you put your finger, if we were to correct this and do it 
in a hurry? Because I flip on CNN or I flip on one of the 
morning programs and I find that in our Federal computers 
people have pornography, etc. How does that happen?
    Mr. Wilshusen. Well, certainly there are technical controls 
that need to be improved and in place to help protect that from 
happening. But first and foremost, we see information security 
as a management issue and that it receives sufficient attention 
and implementation throughout the organization, from top-level 
management through all layers of the organization, because each 
and every person has responsibility for information security. 
But in terms of the management, we do look at various different 
aspects in terms of is the organization assessing the risk 
accordingly for the type of information that it collects and 
processes and maintains; are they developing those policies and 
controls that are needed to protect that information?
    And what we often find is, yes, they do that to an extent, 
and they may develop policies and procedures that are designed, 
at least, to protect the information and implement strong 
controls, but a lot of times they are not implementing it. And 
this often occurs even though at the department level they 
might have strong policies----
    Ms. Watson. Well, let me just stop you there. Does it go to 
incompetence? You know, I am reading here, each agency is also 
required to do an annual independent evaluation--let's say of 
information security. Why would it not be done? And why could 
they not address it?
    You know, we are the policymakers here. You are in front of 
this committee. Maybe you can give us some idea of what our 
next piece of legislation needs to be.
    Mr. Wilshusen. I would like to answer the first question 
you had there first.
    Ms. Watson. OK.
    Mr. Wilshusen. Certainly one of the reasons why there 
continue to be information security weaknesses at the 
organizations that we audit is that it is a complex and 
challenging job. Many of these computing environments, 
particularly at the larger agencies, have highly complex 
distributive information systems and networks that are, because 
of their interconnectivity, vulnerabilities that exist on one 
server can affect an entire network. And some of these agencies 
have thousands of servers. And so it is a very dynamic 
environment in which new applications, new servers, new 
technologies are being implemented. And if the agencies are not 
effectively assessing their risk and monitoring the 
implementation of these technologies on a regular basis, 
vulnerabilities crop up. And that is how hackers, that is how 
individuals within the organization can exploit those 
vulnerabilities for either personal or--gain.
    Ms. Watson. I heard the key words: effectively assessing.
    Mr. Wilshusen. Yes.
    Ms. Watson. And, you know, we ought to be looking at 
systems before we contract and bring them in to see if they 
would fit in. Otherwise--you know, we need to plan and we need 
to assess and evaluate that plan, and we need to have a report. 
I think that is a requirement. And certainly, you know, new 
technology adds to the complexities of these systems, but we 
have to have an overall plan, a master plan.
    Mr. Wilshusen. Right. And that is one of the benefits of 
FISMA, of what it provides, is that it requires that agencies 
implement an agency-wide information security program, and that 
includes addressing security throughout the entire life cycle 
of any new technologies or its applications or systems that are 
being introduced into the department.
    Ms. Watson. Thank you very much. Appreciate it.
    Chairman Tom Davis. Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman.
    For Mr. Wilshusen, GAO recently completed a draft report 
for me on the impact the National Information Assurance 
Partnership program is having on information security within 
classified programs. Can you speak to the merits of extending 
NIAP product validation out to those agencies in the non-
national security community?
    Mr. Wilshusen. Sure. All these results are--as you 
mentioned, we do have a draft report out. It is presently out 
for comment with the DOD and the agencies. We have not yet 
received their comment. We anticipate issuing that report later 
this month in final.
    But let me just at least talk about the observations that 
we have identified so far with that program. We identified that 
the NIAP program does indeed provide and offer some benefits. 
One, it provides another set of eyes and ears to look and test 
the security features of information security or systems 
products that an agency is considering procuring. It also, 
through the evaluation process, has identified and uncovered 
flaws within those products. And what we have found and based 
on our interviews with vendors, the participants in the 
program, is that the vendor is often correct in those flaws 
that are identified.
    And another benefit is that, after going through these 
processes, some of the vendors decided that they--actually 
changed their development processes to accommodate the new 
strength and to mitigate any weaknesses that were identified as 
their products were evaluated.
    But at the same time, there are still a number of 
challenges associated with that program. These also include 
that, for one, the product is not evaluated against a set of 
particular requirements. It is more looked at the--it is 
evaluated based on the procedures that are used to develop the 
product. Another vulnerability is--or I should say another 
challenge deals with the cost and time that is involved in 
processing and evaluating these products. We have found that 
vendors thought it was too costly and took a long period of 
time to do so.
    Some of the agencies felt that they did not have a really 
full population or a pool of evaluated products to choose from. 
Sometimes, because of the length of the evaluation process, new 
versions of the product under evaluation were being issued, so 
they couldn't necessarily get the latest and greatest version 
of the product.
    So there are a couple of challenges associated with that 
program.
    Mr. Clay. On finding the weaknesses and coming back and 
correcting it, who gets the bill for that? Do the vendors eat 
the cost, or do the taxpayers pay the cost?
    Mr. Wilshusen. I don't know if I can answer that. It is up 
to the vendors. It depends on, I guess, the contractual 
requirements, but it is up to the vendors to take the 
corrective actions on that. Whether they subsequently pass the 
costs along to the procurers of the product, I can't answer 
that.
    Mr. Clay. Thank you. Thank you for your response.
    Ms. Evans, perhaps you may be able to shed some light on 
that. But let me ask you, you know, the number of annual risk 
assessments conducted last year declined when compared to 
fiscal year 2004 even though the number of systems online 
increased by nearly 20 percent. DHS--first, what were the 
factors contributing to this problem at first? Talk to me about 
DHS, which once again--well, go ahead.
    Ms. Evans. Well, as you stated, the risk assessments did go 
down, but we did get an increase in the number of systems that 
are out there. However, this is also the first year where we 
did ask the agencies to also assess the systems that they had 
based on impact, like high, medium, and low impact of those 
systems. And the agencies did focus their risk assessments on 
the high-impact systems. And 88 percent of those, I believe, 
were the ones where the risk assessments going forward on that.
    So we did ask them to make sure that their priority was 
done the high-impact systems as they were doing the risk 
assessments, going through and doing the certifications and 
accreditations, because that is one piece of the certification 
and accreditation that the agencies do.
    Mr. Clay. OK, let me stop you there since----
    Ms. Evans. Sure.
    Mr. Clay. Real quickly, give me your impression of 
ineptitude at DHS in this whole arena. Talk to me about that, 
as far as them being the coordinator of key information-sharing 
responsibilities, or a legacy system, are the 22 agencies 
proving to be too difficult to bring into compliance, or are 
there other factors?
    Ms. Evans. Well, DHS is a challenging environment. By 
bringing all the departments and agencies together there, this 
really does exemplify the complexity of an environment of a 
large department that would have to be managed to make sure 
that you have a good program in place. So what DHS is doing is 
moving forward trying to bring all that management in place to 
ensure that they have a good cyber security program and that 
they can move forward and protect that information and those 
assets.
    It does take some time to really be able to demonstrate 
that progress. And I would say that the things that DHS is 
doing we may not necessarily see in all the metrics as we 
measure them in FISMA. But you have brought up that the 
independent audit is also an essential piece so that they can 
feed back the results of that from their IG into their 
programming, to make sure that they are improving that as they 
go forward.
    Mr. Clay. Yes. Thank you, but it sounds as though you are 
defending the incompetence of DHS. Thank you.
    Chairman Tom Davis. Anything else you want to add?
    We will dismiss this panel, take a 2 minute recess, and we 
will come to the next one.
    Thank you all very much.
    [Recess.]
    Chairman Tom Davis. Thank you all for your patience.
    We are going to now recognize our second distinguished 
panel. We have Mr. Thomas P. Hughes, Chief Information Officer, 
U.S. Social Security Administration; we have Mr. Thomas 
Wiesner, the Deputy Chief Information Officer, U.S. Department 
of Labor; Mr. Robert Lentz, Information Assurance Director at 
the U.S. Department of Defense; and Mr. Scott Charbo, the Chief 
Information Officer at the U.S. Department of Homeland 
Security.
    It is our policy we swear you in before your testimony, so 
if you would just rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you very much.
    Well, you know our rules. We try to hold to 5 minutes. Your 
entire statement is in the record. We very much appreciate your 
being with us today. I apologize for the delay with the floor 
votes, but I think we will be able to move ahead fairly 
expeditiously here, uninterrupted.
    Mr. Hughes, we will start with you and we will work 
straight on down the line. Thank you again for being with us.

STATEMENTS OF THOMAS P. HUGHES, CHIEF INFORMATION OFFICER, U.S. 
 SOCIAL SECURITY ADMINISTRATION; THOMAS WIESNER, DEPUTY CHIEF 
INFORMATION OFFICER, U.S. DEPARTMENT OF LABOR; ROBERT F. LENTZ, 
 DIRECTOR, INFORMATION ASSURANCE; U.S. DEPARTMENT OF DEFENSE; 
AND SCOTT CHARBO, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

                   STATEMENT OF THOMAS HUGHES

    Mr. Hughes. Chairman Davis and members of the committee, 
thank you for inviting me here today to discuss information 
security at the Social Security Administration. As Chief 
Information Officer for the agency, I appreciate the 
opportunity to discuss our implementation of FISMA, the Federal 
Information Security Management Act of 2002, and our agency's 
accomplishments in securing and protecting the information in 
the records we maintain.
    SSA has always recognized the importance of protecting the 
security and privacy of the people we serve and ensuring the 
integrity and accuracy of the records we maintain. The Social 
Security Board's first regulation, published in 1937, dealt 
with confidentiality of records. For more than 70 years we have 
honored our commitment to the American people to maintain the 
confidentiality of these records. This longstanding emphasis on 
privacy has led to a strong commitment in information security.
    While we have always safeguarded our records, we also work 
continuously to ensure that our information technology programs 
remain responsive to evolving conditions, and we use a variety 
of proactive security measures, plus independent testing and 
evaluation security controls, to protect these records. We take 
an agency-wide approach to information technology security at 
SSA. SSA's deputy commissioners, along with the CIO, are 
accountable for the certification of our major IT systems and 
help to ensure that our IT assets are adequately secured.
    Here are some of the major highlights of our FISMA 2005 
report: All 20 of SSA's major IT systems were certified and 
accredited.
    SSA had incorporated National Institute of Standards and 
Technology security controls into our System Development Life 
Cycle process.
    SSA provided IT security awareness to all of our employees, 
including contractors, and gave specialized in-depth training 
for those with significant IT security responsibilities.
    The Office of Inspector General's independent evaluation of 
our information security program for 2005 confirmed that SSA's 
remediation, certification and accreditation, and inventory 
processes are sound. The OIG made a number of recommendations 
for improvement that we are implementing.
    For instance, first, we developed security documents for 
every enterprise architecture platform in the agency and 
expanded this initiative into the data base environment as 
well. In addition, we implemented a monitoring program for each 
system configuration standard and risk model.
    Second, we agreed with the IG recommendation that SSA 
should regularly update our continuity of operations plan 
[COOP], with a disaster recovery plan. SSA also has and will 
participate in disaster recovery exercises, which help validate 
key elements of our COOP.
    Finally, to respond to the recommendation regarding 
improving how we monitor contract security awareness training, 
we are implementing a process where all contractors with 
systems access will complete a security awareness training 
module that will allow us to monitor the process.
    You asked us to describe the way SSA identifies and tracks 
information technology security weaknesses. The answer is that 
SSA is using an automated software tool that allows us to 
follow corrective security actions all the way to completion. 
In addition, the system generates detailed reports which then 
allow management to better evaluate the security status of 
their systems.
    You also asked about guidance--resources and/or procedures 
agencies need to comply with FISMA. I believe that agencies 
need to constantly challenge the traditional status quo if we 
are to maintain and enhance our security procedures and comply 
with FISMA. This is critical in any security environment, but 
particularly important in today's challenging information 
environment.
    While we are proud of our accomplishments, Commissioner 
Barnhart and all of us at SSA recognize that we must be 
vigilant in every way to assure that the personal information 
SSA collects remains secure, the taxpayer dollars are 
protected, and that public confidence in the Social Security 
system is maintained.
    Mr. Chairman, thank you for the opportunity to speak before 
this committee. I will be pleased to answer any questions.
    [The prepared statement of Mr. Hughes follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.042
    
    [GRAPHIC] [TIFF OMITTED] T7511.043
    
    [GRAPHIC] [TIFF OMITTED] T7511.044
    
    [GRAPHIC] [TIFF OMITTED] T7511.045
    
    [GRAPHIC] [TIFF OMITTED] T7511.046
    
    [GRAPHIC] [TIFF OMITTED] T7511.047
    
    [GRAPHIC] [TIFF OMITTED] T7511.048
    
    Chairman Tom Davis. Mr. Hughes, thank you.
    Mr. Wiesner, thanks for being with us.

                  STATEMENT OF THOMAS WIESNER

    Mr. Wiesner. Good afternoon, Chairman Davis and members of 
the committee. Thank you for inviting me here today to discuss 
the Department of Labor's implementation of the Federal 
Information Security Management Act and the lessons learned 
over the past several years.
    Today I will first speak on the challenges the Department 
has faced over the last few years in implementing its computer 
security program. I will then expand on the current status of 
our program and highlight many of the significant improvements. 
Last, I will provide a snapshot of opportunities for 
improvement and labor strategy to address those areas.
    Labor's organizational components, including the Office of 
the CIO, had different viewpoints FISMA compliance. 
Additionally, we were an organization of distinct agencies that 
in many cases operated independently and accomplished 
individual goals through various IT solutions. Labor agencies, 
the OIG, and the Office of the CIO were all focused on 
different and sometimes conflicting priorities. We had to 
change this culture, including attention to IT security as a 
key part of everyday business. Under the CIO's direction, the 
Department arrived at a consensus and we have moved forward to 
ensure our compliance with FISMA.
    To that end, the following actions were carried out: In 
2001, a security manager was hired and placed in the Office of 
the CIO to manage the Department-wide security program.
    In 2002, our IT security policies and procedures were 
updated to incorporate current OMB and NIST guidance.
    In 2003, the Department established a Technical Review 
Board IT Committee subcommittee comprised of agency security 
managers. This board serves as the Department's first tier of 
investment review for major IT investments and as a forum to 
identify and resolve Department-wide IT-related issues, 
including computer security.
    In 2003, Secretary Elaine Chao institutionalized a culture 
of policy and strong computer security under a Secretary's 
order issued in May 2003. This order outlines the roles and 
responsibilities for managing information technology at the 
Department, to include IT security responsibilities.
    In 2003, the Department developed an eGovernment Strategic 
Plan that ties IT security to the Department's mission.
    In 2005, the Department updated its IT Strategic Plan, 
where IT security goals and direction were incorporated.
    At Labor our computer security program has progressed from 
a grade of F in 2001 to a B- in 2004. Additionally, our 
computer security program was a significant contributor to the 
Department's achieving and maintaining a ``Green'' rating on 
Expanded Electronic Government on the President's management 
agenda scorecard.
    The successes we have achieved to date can be attributed to 
strong oversight of Department-wide security issues, 
cooperation at the IT senior management level, and continuous 
collaboration through Department-wide reviews. The efforts of 
the Labor IT Security Subcommittee results in sound security 
practices that enable consistent FISMA reporting from the CIO 
and the OIG. This is attributed to the following successes: A 
fully integrated computer security program with capital 
planning and enterprise architecture programs. A revised system 
development life cycle management manual to include security 
requirements at each phase. An OIG-approved plan of action and 
milestones program since 2003. Quarterly capital planning 
program reviews that ensures adequate IT security expenditures 
and semiannual eGovernment reviews of all DOL agencies modeled 
on the PMA scorecard and FISMA performance metrics.
    Correspondingly, the Department has maintained a 
comprehensive Certification and Accreditation program, 
achieving authority to operate for 100 percent of our major 
information systems, up from 97 percent in fiscal year 2004.
    Despite this progress in securing our IT systems at DOL, we 
recognize that security is a constant challenge and a task that 
can never be considered complete. We have identified three 
areas for strengthening our computer security program: general 
and application security controls, patch management, and IT 
security manager skill competencies.
    The Department has developed a comprehensive work plan to 
address these issues, to include the implementation of NIST 
800-53 and a Certified Information Systems Security 
Professional training program and certification exam for DOL 
security managers.
    In conclusion, computer security is a core element of our 
business and culture at the Department of Labor. Secretary 
Chao, Deputy Secretary Law, agency senior management, and the 
dedicated DOL IT professionals are committed to the 
Department's computer security program. As we face the 
evolution of FISMA compliance, we will strive to maintain a 
balance of FISMA reporting requirements and the implementation 
of sound security practices.
    Mr. Chairman, thank you for the opportunity to provide this 
brief outline. I would be happy to answer any questions. Thank 
you.
    [The prepared statement of Mr. Wiesner follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.049
    
    [GRAPHIC] [TIFF OMITTED] T7511.050
    
    [GRAPHIC] [TIFF OMITTED] T7511.051
    
    [GRAPHIC] [TIFF OMITTED] T7511.052
    
    Chairman Tom Davis. Thank you very much.
    Mr. Lentz.

                   STATEMENT OF ROBERT LENTZ

    Mr. Lentz. Good afternoon, Mr. Chairman and members of the 
committee. As Chief Information Assurance Officer for the 
Department of Defense, I appreciate this opportunity to 
highlight the posture of information security within the 
Department.
    The Department leadership is fully engaged in the security 
efforts in support of FISMA. Secretary Rumsfeld considers 
information technology a critical strategic component in 
transforming America's armed forces for the 21st century 
warfare. Our recently completed Quadrennial Defense Review 
stresses networks and information security as key areas of 
focus.
    Collaboration between the CIO and the war-fighting 
community is absolutely critical. The protection of the network 
is everybody's business. This can't be overstated. We take 
specific actions to train, license, qualify, and certify pilots 
and weapons systems. We must consider no less a standard for 
the operation, security, integrity of our information systems.
    The DOD IA strategic plan has for 3 years been 
institutional component driving strategic objectives for 
improving our security posture. It also enables FISMA 
compliance. The Department of Defense uses FISMA as a critical 
management and assessment tool. We continue to enhance our 
FISMA efforts.
    The Department reviewed over 3,500 systems this past year, 
an increase of more than 1,000 systems from 2004. The 
Department increased its Authority to Operate rate from 58 
percent in 2004 to 82 percent in 2005. In addition, our Total 
Accreditation rate was at 93 percent.
    Last year, more than 2 million of the approximate 2.6 
million DOD personnel who had access to DOD networks received 
IA security awareness training. This training was accomplished 
even while larger members of the servicemembers were deployed 
to combat theaters. In addition, more than 67,000 individuals 
with significant security responsibilities received specialized 
security training.
    I have identified in the full written testimony many 
initiatives that DOD has undertaken to improve its Information 
Security Department. Let me highlight a few others.
    The Department is aggressively pursuing an enterprise 
architecture and prioritized enterprise solutions through 
centralized funding.
    The Department has comprehensive policies and process for 
system configurations, a very important area. One example is 
the distribution by the Air Force of Microsoft software with 
standard security configuration resulting in improved network 
security and management.
    Departmental components are accelerating the use of public 
key infrastructure, from network access and secure log-on, 
consistent with HSPD-12. Over 3 million personnel are outfitted 
with common access cards, enabling PKI capabilities throughout 
the Department.
    In 2005, the DOD published a comprehensive IA Workforce 
Improvement program, launching an aggressive effort to certify 
nearly 80,000 core network professionals.
    As to identified security weaknesses in this year's FISMA 
report, we are pleased to advise you of the following remedies: 
Considering the dynamic operational environment of DOD and the 
sheer number of systems deployed across the enterprise, we have 
made significant progress in the area of inventory of our IT 
systems. We believe that our inventory of major information 
systems is under control.
    Regarding the challenges of instituting a process for 
managing plans of actions and milestones, the Department has a 
PO&M process that was improved in 2005 from lessons learned and 
from IG audits. We continue to improve that process by making 
this year's guidance more detailed and integrated into our C&A 
guidance as well.
    We are also developing an automated standardized capability 
that will add greater visibility to PO&Ms.
    We believe the Department certification and accreditation 
process is very solid and getting better. FISMA delegates 
authority to the Secretary of Defense to develop security 
policy and guidelines for all of its information systems. The 
DOD C&A process is consistent with NIST guidelines but designed 
to address classified national security systems and factor in 
unique operational challenges.
    In the area of training in 2005, the DOD components 
reported a total of 79,000 employees with significant IT 
security responsibilities. In such a large, dynamic, and 
changing organization that number will always be in a state of 
flux.
    In conclusion, the Department of Defense is committed to a 
strong and comprehensive security program. Our commitment to 
improve our FISMA compliance is an essential element of the 
Department's information security strategy.
    Again, I thank you for the opportunity to comment on this 
important topic.
    [The prepared statement of Mr. Lentz follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.053
    
    [GRAPHIC] [TIFF OMITTED] T7511.054
    
    [GRAPHIC] [TIFF OMITTED] T7511.055
    
    [GRAPHIC] [TIFF OMITTED] T7511.056
    
    [GRAPHIC] [TIFF OMITTED] T7511.057
    
    [GRAPHIC] [TIFF OMITTED] T7511.058
    
    [GRAPHIC] [TIFF OMITTED] T7511.059
    
    [GRAPHIC] [TIFF OMITTED] T7511.060
    
    [GRAPHIC] [TIFF OMITTED] T7511.061
    
    [GRAPHIC] [TIFF OMITTED] T7511.062
    
    [GRAPHIC] [TIFF OMITTED] T7511.063
    
    [GRAPHIC] [TIFF OMITTED] T7511.064
    
    [GRAPHIC] [TIFF OMITTED] T7511.065
    
    [GRAPHIC] [TIFF OMITTED] T7511.066
    
    [GRAPHIC] [TIFF OMITTED] T7511.067
    
    [GRAPHIC] [TIFF OMITTED] T7511.068
    
    Chairman Tom Davis. Thank you very much.
    Mr. Charbo.

                   STATEMENT OF SCOTT CHARBO

    Mr. Charbo. Thank you, Mr. Chairman and committee members. 
My remarks will cover the current status of the Department's 
implementation of FISMA.
    The mission of the Department of Homeland Security's 
information security program is to provide the Department with 
a secure and trusted computing environment that enables the 
Department to leverage information technology and effectively 
and securely share information in support of its many and 
varied missions. Statutory compliance is a top priority, and 
the Department's information security program is structured 
around compliance with FISMA as well as OMB in this guidance.
    In 2003 and 2004, the Department laid the necessary 
foundation of effective security policies and architecture 
guidance. Policies are now codified in a dedicated management 
directive and a systems security architecture is fully 
integrated with the Department's architecture.
    Security policies and architectures are both updated on a 
regular basis and compliance is enforced through the use of 
several mandatory security management tools that are now in use 
throughout the Department. Building on those efforts, the 
Department completed three major information security 
initiatives in 2005.
    First, a comprehensive systems and applications inventory 
was completed in August 2005. The inventory is based on a 
detailed methodology for identifying systems and applications 
using standard Federal definitions. This inventory now provides 
clear accreditation boundaries for each and every operational 
IT system and assigns responsibilities for those controls to 
specific individuals, thereby providing a baseline for 
measuring security compliance.
    To ensure the inventory remains accurate, annual inventory 
reviews will continue each year, with a near-term focus on 2006 
of linking the inventory to the Department's capital planning 
and investment control processes, thus allowing the Department 
to better integrate effective security controls at the 
beginning of a system's life cycle.
    In the Department's fiscal year 2005 FISMA report, the 
Inspector General acknowledged for the first time the 
completeness and accuracy of our FISMA inventory.
    Second, an enterprise certification and accreditation tool 
was successfully fielded in April 2005, and that is now fully 
integrated with a FISMA management tool fielded in 2004.
    Third, a comprehensive and repeatable set of information 
security metrics significantly improved system owner 
accountability. These metrics now measure and inform progress 
in completing the accreditation of all operational systems. 
Monthly information security scorecards provide detailed status 
updates to Department leadership, and these scorecards are 
highly successful in improving the accountability of system 
owners.
    These three initiatives build on earlier milestones and 
have now paved the way for real, measurable cyber security 
improvements. The Department implemented an aggressive 
remediation project for 2006 with a goal of 100 percent 
remediation by the end of this year. Originally announced by 
Secretary Chertoff in his keynote address at the Department's 
annual Security Conference last August, the project moved into 
full swing in October 2005 and the Department is on its way to 
full remediation.
    The Department's FISMA inventory currently includes 
approximately 700 systems, and prior to the initiation of the 
remediation project, the number of fully accredited systems was 
only 26 percent. By the end of February of this year, over 60 
percent of those systems are now fully accredited. In just 5 
months, the Department has more than doubled the number of 
accredited systems and it is on track to make the goal of full 
remediation by the end of the year. It is clear the project is 
positively affecting the security culture of the Department, 
and recent upward trends in remediation metrics support the 
view.
    The Department must also ensure those systems and 
applications are connected across a secure enterprise backbone 
providing shared IT services. To accomplish this goal, an 
aggressive infrastructure transformation program called One Net 
was initiated for 2006 to bring all legacy information 
technology infrastructures under a single enterprise. Benefits 
of One Net include network optimization and improved quality of 
service, both of which will significantly enhance information 
sharing initiatives.
    Planning for One Net began with a comprehensive security 
framework that is consistent with the detailed systems security 
architecture of the Department.
    As part of the One Net effort, the Department is also 
fielding its first enterprise-wide network operations and 
security center. The center is responsible for managing the 
Department's shared IT enterprise environment in real time, 
including the discovery and remediation of security incidents 
as they occur, and represents a significant improvement to our 
overall security posture.
    I am confident that the DHS information security program is 
moving in the right direction.
    Thank you. I look forward to your questions.
    [The prepared statement of Mr. Charbo follows:]
    [GRAPHIC] [TIFF OMITTED] T7511.069
    
    [GRAPHIC] [TIFF OMITTED] T7511.070
    
    [GRAPHIC] [TIFF OMITTED] T7511.071
    
    [GRAPHIC] [TIFF OMITTED] T7511.072
    
    [GRAPHIC] [TIFF OMITTED] T7511.073
    
    Chairman Tom Davis. Thank you, all.
    Now, looking at the report card, we seem to have a reverse 
bell curve, with agencies settling at either the high end or 
the low end. For the two over here on my left, or on the right 
here, what are the major steps your agency took to achieve it? 
You didn't start off with A's, you worked steadily toward that. 
And I would say for DOD and then DHS, what are the major 
challenges you feel prevent you from progressing? Your plan for 
addressing these challenges you alluded to in your comments, 
what would you like to see your partners in this process do to 
help you? I am talking about OMB, GAO, and the IG.
    I will start with you, Mr. Hughes. You traced out the 
things you did to get your A+ and maintain it.
    Mr. Hughes. Mr. Chairman, members of the committee, really, 
at Social Security there is a strong emphasis on security. It 
has been there for many years, as I have repeated. And with 
FISMA, I can tell you we take it very seriously. We meet 
regularly, we constructively argue regularly, and we try to 
make corrections. So you have to make that commitment to keep 
challenging, as executives, the importance of security and that 
FISMA is a real exercise. And so I don't know if I can say that 
enough from a practical reality. It is not a paper report, it 
is real security that we are trying to constantly be aware of. 
And that is what FISMA teaches us.
    Chairman Tom Davis. Mr. Wiesner.
    Mr. Wiesner. At the Department of Labor I would have to say 
there are a few items that have led to our success. One is the 
strong leadership and management commitment from the 
Secretary's level through all the levels of management, 
including assistant secretaries, the various senior IT 
management staff within the Department of Labor. And it starts 
at the top and management supports us 100 percent in ensuring 
that we protect our departmental assets.
    The second step we have done over the last few years is 
really integrate IT security into our IT management processes, 
procedures, and governance models. We start looking at security 
at the capital planning stage and enterprise architecture, 
during the systems development life cycle process, the entire 
life cycle. So we put security integrating into every IT 
project that we undertake and currently the ones that are under 
way.
    And then the other thing we have worked on really hard is 
to establish a strong relationship with the OIG, recognizing 
that they have a strong compliance role and they have their 
views on how they view us as being successful and the things 
that they discover in their audits and what we should be 
focusing on, and we establish that relationship and try to form 
a partnership so we are heading in the right direction.
    Chairman Tom Davis. Thank you.
    Mr. Lentz, let me just ask you, I mean, if you had an A+ 
you would feel your agency was more secure, wouldn't you?
    Mr. Lentz. Of course, sir. I think the question you asked 
in your earlier panel, sir, I think goes to the heart of one of 
the challenges that we have, which, as you said earlier, a very 
large and a very diverse, dynamic organization that is deployed 
worldwide and things are changing all the time.
    I think the discussions that I have had with my peers, 
other chief security officers in the Department as well as 
private-sector leaders in this area, I think the point that has 
to be emphasized is that during the FISMA process, the act 
calls for an assessment, not an audit. An assessment takes into 
account a lot of factors. In a large organization like the 
Department of Defense--or Homeland Security, for that matter--
you have a changing environment. Where an audit could in fact 
pick up one or two systems that may not be accounted for or a 
certain number of personnel that may be deployed that are 
achieving certain status, you know, I think through that kind 
of dynamic environment, it makes it very difficult to, at some 
times, achieve the kind of scores that may be indicative 
through an auditive process.
    I think by working closely with the IG, which is indicated 
by my colleagues, I think that is a very important step in this 
process and one that we are continuing to strive for.
    Chairman Tom Davis. One of the things is, when we got our 
reports on DOD, we got like four different reports. We get the 
Army, Navy, Air Force. I mean, it kind of made up just the way 
that your organization is different from a lot of other 
agencies in terms of how this is compiled and so on. I mean, is 
that an obstacle?
    Mr. Lentz. I think Secretary Rumsfeld through the QDR 
process and our new CIO, Mr. Grimes, wants to remove any type 
of obstacle that may in fact be inferred by that kind of 
service-oriented environment that we live in. We are very much 
focused on an enterprise architecture, we are very much focused 
on an enterprise CIO governance model. And I think we are 
already seeing improvements in that area already that I think 
are going to be reflected very much so in next year's report, 
sir.
    Chairman Tom Davis. OK.
    Mr. Charbo, I will ask you, I mean, obviously you come from 
a--you had a number of dysfunctional agencies you are trying to 
put together. You have had a steep climb over there to begin 
with. So I concede that to you.
    Mr. Charbo. Thank you. I think the first thing that we have 
done--and our numbers, I think, are supporting that we are 
moving in the right direction right now, in the last 5 months. 
We have been able to move it more than it has moved in the last 
couple of years.
    But the first piece that we had our teams accept was where 
we were was not where we wanted to remain. So we admitted that 
we weren't in the right posture that we wanted to have moving 
forward in terms of the security of our systems. So we asked 
Secretary Chertoff to lead that charge for us at our annual 
conference and then place that accountability to those system 
owners in the multiple components that we have.
    We have seen very good response from the Coast Guard and 
Customs, ICE. Even FEMA has responded well in terms of the 
accountability for securing the systems.
    Publishing the inventory was a major milestone for us. It 
put that benchmark in the sand. Now we are focused on moving 
that forward. And I guess I would just say, we use a term 
called ``relentless'' in the Department. You will get a lot of 
excuses on how hard this is to do, but we accept that but we 
still need to move it forward. And that is what we are focused 
on.
    Chairman Tom Davis. But GAO reported that there was a very 
low level of security incident reporting in DHS. What is the 
problem? What is the deterrent here? Do we need to do anything 
to remove those barriers?
    Mr. Charbo. I think we have rallied that in here in the 
last 5 months. We have implemented policies, we have done some 
training with our systems security professionals that we have 
in the Department, and we have worked through those processes 
to assure that we are getting reporting.
    The other piece that I think will really improve that is 
how we are going to be monitoring our systems. We have had 
multiple wide-area networks. So you have different 
methodologies of reporting. That is now coming through a core 
NOC-SOC--network operations, security operations center--
through our One Net. And they will have a responsibility of 
moving that to the US-CERT.
    Chairman Tom Davis. One of the problems you have at DHS is 
you have taken all these disparate agencies, over 100 and some 
1,000 employees, and put them together, and everybody expects 
immediate results. This is a work in progress. I mean, this 
takes years, doesn't it, as a practical matter?
    Mr. Charbo. We are going to take 1 year to certify the 
systems. We will move those, a large milestone--as we say in 
our statement, we were at 26 percent that we could document and 
we are now about 60 percent. And it is on the right curve that 
we want to move through the end of the year. At that point, we 
will look at the POAMs that are generated, we will go back into 
those accreditations and do an IV&V, and we will reassess it. 
It will be an annual routine that we will follow.
    Chairman Tom Davis. Let me ask Mr. Hughes and Mr. Wiesner, 
your agency systems have to connect with State systems that are 
not covered by FISMA for information sharing purposes. How do 
you ensure that your information systems are adequately 
protected under those circumstances?
    Mr. Hughes. That is a good question. We have agreements 
with States and different agencies. We have security procedures 
and policies that they have to agree to. We have MOUs of these 
agreements. And we monitor these data exchanges that go between 
the States and the Federal Government.
    Chairman Tom Davis. All right.
    Ms. Watson.
    Ms. Watson. I want to highly commend Mr. Hughes, U.S. 
Social Security Administration, and Mr. Wiesner, U.S. 
Department of Labor, for the fact that using the criteria that 
the committee used, the number of points assigned to each 
response is proportional to the extent the element has been 
implemented. You received an A+. And you started from probably 
lower grades, but you showed your ability to focus like a laser 
beam and to make the improvements along the way.
    Going to Mr. Lentz and Mr. Charbo, U.S. Department of 
Defense defending our country, and U.S. Department of Homeland 
Security securing our country, you started in year 2005 with an 
F grade and, at the end of year 2005, you still have an F 
grade. Can either one of you gentlemen explain to me why? And 
listening to your reports, it looks like you are just moving 
along and making progress. But the criteria that the committee 
used was a methodology that was standardized, and you came up, 
started with an F, and you are still at an F.
    Let me know why that is the case. Mr. Lentz, let me start 
with you.
    Mr. Lentz. Well, ma'am, I agree that the challenges that we 
have in this very large organization will sometimes make the 
process that we use in terms of assessing our operational 
status one that creates the kind of assessments that one has to 
look very hard at, and that is what our leadership is doing 
every single day. And we take----
    Ms. Watson. Let me just stop you. Mr. Lentz, 5 years? Your 
leadership? Five years and you don't improve based on the 
methodology that is standardized? The way they judged every 
single--and I can read off all the departments. Agency for 
International Development, A+, starting from much lower grades 
before. Department of Labor, A+. Social Security, A+. Office of 
Personnel Management, A+. Environmental Protection Agency, A+. 
National Science Foundation, A.
    What is happening with the two most strategic and sensitive 
agencies? What is it? Is there incompetence? Is there cronyism? 
You know, I don't feel comfortable with my Department of 
Defense, based on what I see here. I don't feel comfortable 
that my homeland is secure. And I can take a lesson from 
September 11th. The perpetrators were sent--the flight school, 
as I understand, sent them their authority to take flight 
lessons after September 11th. Something went wrong along the 
way.
    Now, if you had a department, a business that made nails, 
and you put the metal in at the beginning of the process and, 
at the end, the nails came out bent, you would stop the whole 
operation and work backward to find out why those nails are 
being bent. What is happening with the Department of Defense 
and Homeland Security that in 5 years, based on the methodology 
used, you show no improvement? You tell us that the report--I 
guess the preceding 5 months will look better, but I am 
wondering what happened in those 5 years. Can you help me 
understand this?
    Mr. Lentz. Well, I think when we look at, when we open up 
our report and look at it gradually--and, as indicated in my 
testimony, I think we have shown some clear improvements in all 
the areas that FISMA is asking for. And on top of that----
    Ms. Watson. As of when? Can you help me?
    Mr. Lentz. As of starting last year and the year before.
    Ms. Watson. Well, why is it--maybe the staff is 
incompetent, because they graded you. I did not. The committee 
staff. And maybe I should ask this of the chair. You know, they 
score by a point. And I probably need to give this to you. And, 
you know, if you score within a certain range, they assign you 
a certain letter. And the scores were so low with the 
Department of Defense and Homeland Security that it resulted in 
an F. Now, maybe the math is all off.
    I am trying to be fair. I am trying to understand what is 
going on with my Department of Defense that you come and you 
ask us--you know, we have a supplement on the floor asking us 
for billions of dollars. And, you know, what are you securing, 
Iraq? Department of Homeland Security, what are you securing?
    You know, and the grade is still coming out F. I need to 
understand this so when I go back to my 650,000 constituents 
that pay taxes, and I--I didn't vote for it, and I am not going 
to--I can tell them, yeah, we need to vote for this because our 
Department of Defense says they need this so we can win the war 
10,000 miles away. We are not winning the war here. We can't 
even pick up the rubble down in New Orleans.
    So you have to prove to me that you are doing something 
that will secure us as a people and secure our country. And I 
don't see it. So I am asking for you to educate me, to 
enlighten me, so I can go back and tell my constituents why I 
would vote to use their taxpayer dollars to defend against 
Iraq--which apparently is no threat to us here, but certainly a 
threat to life and limb over there. Give me some information, 
please, that there is some competence in this organization that 
I can take back to my constituents.
    Mr. Lentz. In looking at the grading that we have recently 
seen, there were two assessments that were done, one by the CIO 
and one by the IG, in the assessment column. The Department of 
Defense got a score of 85 under the CIO column. And when you 
look at that holistically and combine that with all the other 
security measures that were undertaken, such as, as the 
chairman indicated earlier, identity protection and management 
using PKI and other methods that we are, I would say that I 
think our security posture has significantly improved. But at 
the same time, I must admit, we always in this very dynamic 
environment that we live in, we have to constantly seek for 
better improvement in these areas.
    Ms. Watson. Let me address the chair. From the response I 
just received, is there something wrong with this scoring? 
Because as I look at the information provided to us on the 
assignment of grades, it says 0 points for a response 
indicating the percentage that falls below an acceptable 
threshold. And they give us an example: 50 percent or less 
known IT security weaknesses being incorporated in the plan of 
action. That means that you fell below the 50 percent level.
    Now, if this is the methodology----
    Chairman Tom Davis. Well, the methodology is very simple. 
The CIO scores and the IG scores, and when you are in doubt, 
GAO takes the IG score. CIO score is like when you are grading 
your own paper, to some extent. So in those cases, the GAO, who 
really gives us the numbers on which we base the grade, goes 
with the IG score.
    Ms. Watson. So I still haven't heard adequate response to 
my concerns. And I just think there is something wrong in the 
process. And I would advise the two of you to take the message 
back from me individually that the Department of Defense, the 
Department of Homeland Security needs to get about the business 
of improving the process of securing our land and our people. 
From what I see, and this is information that the staff gives 
us, I did not do the research and the evaluation and the 
assignment myself. You need to know that. I can only go on the 
information that our professional staff gives us.
    I would hope the two of you, next time you come, not insult 
my intelligence. Otherwise, I have to question the competence 
of staff. But you can't tell me it is working well and the 
staff gave you and F, and for the last 5 years it has been F. 
So take that message back to the Secretaries. And Mr. Chertoff 
has not returned my call. When I was asking him to stop the 
evictions of 10,000 people, I never got a return call. So he 
would get an F- from me in terms of being effective just 
answering a call from a Congress person concerned about 
making--so I have no trust that it is going to get any better. 
Now, that is my opinion. I am speaking for myself. And you can 
take that message back.
    Thank you, Mr. Chairman, for the time.
    Chairman Tom Davis. Thank you very much. I would leave on 
that high note here, but I think that I will just ask a couple 
of other questions.
    We asked the first panel, and I guess in fairness to DHS 
and DOD, do you think there are issues that arise at the larger 
agencies that the smaller ones don't have to contend with? I 
think that has been--we talked about that in our opening 
statement and I will give you an opportunity to comment on that 
again.
    Mr. Charbo. From DHS's perspective, I think there is a 
complexity with dealing with lots of large agencies that we 
have components that we have. That still doesn't change the 
fact when we looked at our security posture coming into the 
Department, where we were was not where we wanted to be in 
terms of our security scores and our FISMA compliance. So we 
have launched an aggressive project. I see good response coming 
from those components even though it is large, it is complex. 
Currently we have the data. We have good progression moving--I 
see good response coming from those large components, as 
difficult as it is.
    I think the GAO had some good comments in the first panel 
dealing with direct appropriations, and it is difficult to get 
them to respond. But I would like to have a chance to execute 
our plan this year. And the plan that we had last year isn't 
the one we are currently working under.
    Chairman Tom Davis. I mean, you are both large 
organizations but you are very important organizations in terms 
of vulnerability and where someone who has malice aforethought 
may be looking. So that is why we focus in on you and I think 
that is why Ms. Watson is just saying to DOD and Homeland 
Security these are two agencies that are showing up as more 
vulnerable than other agencies, and obviously we are alarmed. 
But we understand there is a lot of complexity. I know in the 
case of DHS we have cobbled together these different units and 
you are as strong as your weakest unit, to some extent, the way 
this works.
    Mr. Lentz, would you--I will give you an opportunity to 
comment.
    Mr. Lentz. Yes, I completely agree that the complexity of 
the organization, the dynamics of moving forces--when you 
deploy ships out to sea, you are changing the network 
configurations constantly, you are deploying troops overseas, 
you are creating new network on the fly in global environments 
and high-risk environments. Clearly in a situation like that, 
it does represent a lot of new challenges and challenges that 
we take very seriously.
    Chairman Tom Davis. OK. Anything you would like to add?
    Mr. Hughes. I would just say that we know our mission, so 
perhaps--we are a large organization, we have 120,000 work 
stations, but our mission is clear in terms of our complexity. 
We know the way we serve our citizens. So I don't think we have 
absorbed the complexity of an organization like DHS.
    Chairman Tom Davis. OK.
    Mr. Wiesner. I agree also. We have been an organization 
around for many, many years, and perhaps that helps out a 
little bit in terms of absorbing a lot of complexity in a 
large-scale organization like DHS.
    Chairman Tom Davis. Well, of course this committee wrote 
FISMA. We don't have all the enforcement mechanisms we like, 
but you have heard Ms. Evans talk about that is something that 
they take into account as they are putting their budgets 
together. We are trying to coordinate appropriately with the 
Appropriations Committee so it is taken into account as they 
put their budgets together. You can fight the resources 
department within your own agencies. I am not asking you to 
come here and put you on the spot and saying are you getting 
enough resources with your own agency. But we understand. I 
mean, I understand the issues of this. And we are going to 
continue to push to give you the resources you need to get the 
job done.
    I just want to congratulate those of you that have shown 
great improvement. And for the others, we will keep trying. I 
know you have plans to address this. We look forward to seeing 
you up here again.
    Thank you very much.
    [Whereupon, at 1:41 p.m., the committee was adjourned.]
    [The prepared statement of Hon. Henry A. Waxman and 
additional information submitted for the hearing record 
follow:]
[GRAPHIC] [TIFF OMITTED] T7511.003

[GRAPHIC] [TIFF OMITTED] T7511.004

[GRAPHIC] [TIFF OMITTED] T7511.074

[GRAPHIC] [TIFF OMITTED] T7511.075

[GRAPHIC] [TIFF OMITTED] T7511.076

[GRAPHIC] [TIFF OMITTED] T7511.077

[GRAPHIC] [TIFF OMITTED] T7511.078

[GRAPHIC] [TIFF OMITTED] T7511.079

[GRAPHIC] [TIFF OMITTED] T7511.084

[GRAPHIC] [TIFF OMITTED] T7511.085

[GRAPHIC] [TIFF OMITTED] T7511.086

                                 
