b"<html>\n<title> - FEDERAL IT SECURITY: A REVIEW OF H.R. 4791</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n \n               FEDERAL IT SECURITY: A REVIEW OF H.R. 4791\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               before the\n\n                  SUBCOMMITTEE ON INFORMATION POLICY,\n                     CENSUS, AND NATIONAL ARCHIVES\n\n                                and the\n\n                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,\n                     ORGANIZATION, AND PROCUREMENT\n\n                                 of the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             SECOND SESSION\n\n                                   ON\n\n                               H.R. 4791\n\n TO AMEND TITLE 44, UNITED STATES CODE, TO STRENGTHEN REQUIREMENTS FOR \n   ENSURING THE EFFECTIVENESS OF INFORMATION SECURITY CONTROLS OVER \n INFORMATION RESOURCES THAT SUPPORT FEDERAL OPERATIONS AND ASSETS, AND \n                           FOR OTHER PURPOSES\n\n                               __________\n\n                           FEBRUARY 14, 2008\n\n                               __________\n\n                           Serial No. 110-72\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n                     http://www.oversight.house.gov\n\n\n                     U.S. 
GOVERNMENT PRINTING OFFICE\n44-178 PDF                 WASHINGTON DC:  2008\n---------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                 HENRY A. WAXMAN, California, Chairman\nEDOLPHUS TOWNS, New York             TOM DAVIS, Virginia\nPAUL E. KANJORSKI, Pennsylvania      DAN BURTON, Indiana\nCAROLYN B. MALONEY, New York         CHRISTOPHER SHAYS, Connecticut\nELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York\nDENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida\nDANNY K. DAVIS, Illinois             MARK E. SOUDER, Indiana\nJOHN F. TIERNEY, Massachusetts       TODD RUSSELL PLATTS, Pennsylvania\nWM. LACY CLAY, Missouri              CHRIS CANNON, Utah\nDIANE E. WATSON, California          JOHN J. DUNCAN, Jr., Tennessee\nSTEPHEN F. LYNCH, Massachusetts      MICHAEL R. TURNER, Ohio\nBRIAN HIGGINS, New York              DARRELL E. ISSA, California\nJOHN A. YARMUTH, Kentucky            KENNY MARCHANT, Texas\nBRUCE L. BRALEY, Iowa                LYNN A. WESTMORELAND, Georgia\nELEANOR HOLMES NORTON, District of   PATRICK T. McHENRY, North Carolina\n    Columbia                         VIRGINIA FOXX, North Carolina\nBETTY McCOLLUM, Minnesota            BRIAN P. BILBRAY, California\nJIM COOPER, Tennessee                BILL SALI, Idaho\nCHRIS VAN HOLLEN, Maryland           JIM JORDAN, Ohio\nPAUL W. HODES, New Hampshire\nCHRISTOPHER S. MURPHY, Connecticut\nJOHN P. 
SARBANES, Maryland\nPETER WELCH, Vermont\n------ ------\n\n                     Phil Schiliro, Chief of Staff\n                      Phil Barnett, Staff Director\n                       Earley Green, Chief Clerk\n                  David Marin, Minority Staff Director\n\n   Subcommittee on Information Policy, Census, and National Archives\n\n                   WM. LACY CLAY, Missouri, Chairman\nPAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio\nCAROLYN B. MALONEY, New York         CHRIS CANNON, Utah\nJOHN A. YARMUTH, Kentucky            BILL SALI, Idaho\nPAUL W. HODES, New Hampshire\n                      Tony Haywood, Staff Director\n\n  Subcommittee on Government Management, Organization, and Procurement\n\n                   EDOLPHUS TOWNS, New York, Chairman\nPAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California\nCHRISTOPHER S. MURPHY, Connecticut   TODD RUSSELL PLATTS, Pennsylvania,\nPETER WELCH, Vermont                 JOHN J. DUNCAN, Jr., Tennessee\nCAROLYN B. MALONEY, New York\n                    Michael McCarthy, Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on February 14, 2008................................     1\nText of H.R. 4791................................................     5\nStatement of:\n    Evans, Karen S., Administrator for Electronic Government and \n      Information Technology, Office of Management and Budget; \n      Gregory C. Wilshusen, Director, Information Security \n      Issues, Government Accountability Office; Alan Paller, \n      director of research, the Sans Institute; Bruce W. \n      McConnell, president, McConnell International, LLC; and Tim \n      Bennett, president, Cyber Security Industry Alliance.......    23\n        Bennett, Tim.............................................    
93\n        Evans, Karen S...........................................    23\n        McConnell, Bruce W.......................................    82\n        Paller, Alan.............................................    65\n        Wilshusen, Gregory C.....................................    33\nLetters, statements, etc., submitted for the record by:\n    Bennett, Tim, president, Cyber Security Industry Alliance, \n      prepared statement of......................................    96\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of...................     3\n    Davis, Hon. Tom, a Representative in Congress from the State \n      of Virginia:\n        Letter dated July 27, 2007...............................   104\n        Prepared statement of....................................   108\n    Evans, Karen S., Administrator for Electronic Government and \n      Information Technology, Office of Management and Budget, \n      prepared statement of......................................    26\n    McConnell, Bruce W., president, McConnell International, LLC, \n      prepared statement of......................................    84\n    Paller, Alan, director of research, the Sans Institute, \n      prepared statement of......................................    67\n    Wilshusen, Gregory C., Director, Information Security Issues, \n      Government Accountability Office, prepared statement of....    35\n\n\n               FEDERAL IT SECURITY: A REVIEW OF H.R. 
4791\n\n                              ----------                              \n\n\n                      THURSDAY, FEBRUARY 14, 2008\n\n        House of Representatives, Subcommittee on \n            Information Policy, Census, and National \n            Archives, joint with the Subcommittee on \n            Government Management, Organization, and \n            Procurement, Committee on Oversight and \n            Government Reform,\n                                                    Washington, DC.\n    The subcommittees met, pursuant to notice, at 11:30 a.m., \nin room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay \n(chairman of the Subcommittee on Information Policy, Census, \nand National Archives) presiding.\n    Present: Representatives Clay, Davis of Virginia, and \nPlatts.\n    Staff present from the Information Policy, Census, and \nNational Archives Subcommittee: Darryl Piggee, staff director/\ncounsel; Jean Gosa, clerk; and Adam Bordes, professional staff \nmember.\n    Staff present from the Government Management, Organization, \nand Procurement Subcommittee: Mike McCarthy, staff director; \nVelvet Johnson, counsel; Bill Jusino, professional staff \nmember; and Kwane Drabo, clerk.\n    Mr. Clay. Good morning. This hearing of the Oversight and \nGovernment Reform Committee is being held this morning by the \nInformation Policy, Census, and National Archives Subcommittee, \nwhich I chair, and the Subcommittee on Government Management, \nOrganization, and Procurement, chaired by Congressman Ed Towns \nof New York, who is under the weather this week and is not in \ntown. But we will proceed without Mr. Towns.\n    This hearing will now come to order. Today's hearing will \nexamine the important topic of Federal information security. 
\nOur subcommittees are holding this hearing because security is \nboth a management and technology challenge.\n    Without objection, the Chair and ranking minority member \nwill have 5 minutes to make opening statements, followed by \nopening statements not to exceed 3 minutes by other Members who \nwish to seek recognition.\n    Without objection, Members and witnesses may have 5 \nlegislative days to submit a written statement or extraneous \nmaterials for the record.\n    Briefly, I would like to discuss some of the challenges \nthat I see, and then I will yield to anyone else that shows up \nfor comments.\n    Let me say that today's joint subcommittee hearing on the \nCurrent State of Federal Information Security and Legislation \nto Strengthen the Federal Information Security Management Act, \nI am especially pleased to be teaming up with the Subcommittee \non Government Management, Organization, and Procurement, \nchaired by Mr. Towns, for this critical issue.\n    For fiscal year 2009, the President's budget proposes \nspending of roughly $70 billion on information technology \nproducts alone. Yet according to OMB's 2006 FISMA report to \nCongress, agency efforts to implement effective information \nsecurity programs are inconsistent throughout Government. These \nproblems go beyond isolated data breaches and have exposed \nsystemic information security vulnerabilities that have gone \nunmitigated by our agencies and the IT contracting community \nthat serves them.\n    Having experienced 5 years of detailed OMB reporting \nthrough the FISMA process, I am certain that some real progress \nhas been made in securing our agencies' IT assets. 
What I am \nunsure of, however, is whether our current requirements and OMB \npolicies under FISMA are providing us enough tools to effectively \nidentify the inherent vulnerabilities in our systems, now or in \nthe future.\n    With this in mind, I, along with Chairman Towns and \nChairman Waxman, have put forward a bill that would move us \ntoward more rigid security requirements for agency systems \nwhile staying within the current FISMA framework. Furthermore, \nour bill will add consistency and robustness to the current \nprogram performance evaluation process by requiring an annual \naudit of agency programs. Last, this legislation begins to \nrecognize the duty of care responsibilities that must be shared \nbetween both Federal agencies and the contracts providing \nservices to them.\n    As technology evolves and the perimeters of IT enterprises \nexpand, we must have a flexible security framework to harness \nsuch advances while ensuring that our networks remain secure. I \nam hopeful that our witnesses today will be able to address \nthese issues through the context of their experiences, and I \nlook forward to their testimony.\n    [The prepared statement of Hon. Wm. Lacy Clay and the text \nof H.R. 
4791 follow:]\n\n[GRAPHIC] [TIFF OMITTED] T4178.001 through T4178.020\n\n    Mr. Clay. We will now receive testimony from the witnesses \nbefore us today. On today's panel, the subcommittees are \npleased to have the following witnesses: Karen Evans, \nAdministrator for the Office of E-Government and Information \nTechnology. Ms. Evans is an experienced IT professional and \nleads the administration's programs on information security. \nWelcome back to the committee, Ms. Evans.\n    We also have Greg Wilshusen, Director for Information \nSecurity Issues at the Government Accountability Office. Mr. \nWilshusen is also a long-time expert and has testified on this \ntopic before the Information Policy Subcommittee several times. \nThank you for being here.\n    Alan Paller is the director of research at the SANS \nInstitute and is responsible for overseeing all research \nprojects. Mr. Paller founded the CIO Institute and earned \ndegrees in computer science and engineering from Cornell and \nMIT. Welcome to the committee hearing.\n    Bruce McConnell, the president and founder of McConnell \nInternational. Prior to his current position, Mr. 
McConnell was \nchief of information and technology policy at the White House \nOffice of Management and Budget, where he led several IT and \nsecurity initiatives. Thank you for being here, too, Mr. \nMcConnell.\n    Rounding us out is Tim Bennett, president of Cyber Security \nIndustry Alliance. Mr. Bennett served as the vice president of the \nAmerican Electronics Association and worked in senior roles \nwithin the Office of the U.S. Trade. Thank you also, Mr. \nBennett, for coming today.\n    I thank all of you for appearing before the subcommittee. \nIt is the policy of the committee to swear in all witnesses \nbefore they testify, so I will ask you to please rise and raise \nyour right hands.\n    [Witnesses sworn.]\n    Mr. Clay. Thank you, and let the record reflect that the \nwitnesses answered in the affirmative.\n    I ask that each witness now give a brief summary of their \ntestimony and to keep the summary under 5 minutes in duration. \nBear in mind your complete written statement will be included \nin the hearing record. I will let you know if you go over the \n5. We will start with Ms. Evans. You may proceed.\n\n  STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR FOR ELECTRONIC \nGOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND \n BUDGET; GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY \nISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; ALAN PALLER, DIRECTOR \nOF RESEARCH, THE SANS INSTITUTE; BRUCE W. MCCONNELL, PRESIDENT, \nMCCONNELL INTERNATIONAL, LLC; AND TIM BENNETT, PRESIDENT, CYBER \n                   SECURITY INDUSTRY ALLIANCE\n\n                  STATEMENT OF KAREN S. EVANS\n\n    Ms. Evans. Good morning, Chairman Clay. Thank you for \ninviting me to speak about the status of the Federal \nGovernment's efforts to safeguard our information and systems. \nMy remarks today will highlight a few of the initiatives \nunderway to manage the risk associated with our Government \nservices in this ever-changing IT environment. 
The details are \nincluded in my written statement. I will conclude with our \nthoughts on your proposed bill, H.R. 4791.\n    Information security and privacy are extremely important \nissues for the administration. On March 1st, the Office of \nManagement and Budget [OMB], will provide our fifth annual \nreport to Congress on the implementation of the Federal \nInformation Security Management Act [FISMA], which will detail \nour improvements and remaining weaknesses for both security and \nprivacy.\n    Over the past year, departments and agencies continue to \nimprove their security programs, manage their risks and become \nmore fully compliant with FISMA. To enhance information \nsecurity programs, OMB continues to use the oversight \nmechanisms to improve performance, including the President's \nmanagement agenda score card and the agencies' capital planning \nprocesses. We are also engaging agencies in a variety of \ninformation security and privacy initiatives to close any \nremaining performance gaps.\n    Over the past year, in collaboration with the National \nInstitute for Standards and Technology [NIST], the Department \nof Defense, the National Security Agency, and Microsoft, we \nhave developed a set of information security controls to be \nimplemented on all Federal desktops, which are running \nMicrosoft Windows XP or Vista, known as the Federal Desktop \nCore Configuration [FDCC]. By implementing a common \nconfiguration, we are gaining better control of our Federal \ndesktops, allowing for closer monitoring and correction of \npotential vulnerabilities. We are also working with the vendor \ncommunity to make their applications safer.\n    NIST has developed testing tools for use both by the \nFederal agencies and the vendors and three independent \nlaboratories have been accredited by NIST's National Voluntary \nLaboratory Accreditation Program, to provide the validation \ntesting. 
We are very optimistic this program will greatly \nenhance the security of our Federal desktops and applications.\n    To help agency procurement officers with the validation \nrequirement, we are working with the Federal Acquisition \nCouncil to incorporate language into the Federal Acquisition \nRegister. Agencies connect to the internet to develop timely \ninformation and to deliver services to the public. However, our \nGovernment systems are continuously operating under increasing \nlevels of risk. Through the Trusted Internet Connections \nInitiative, we are working with agencies to reduce the overall \nnumber of external Federal connections to manage risk in a more \ncost-effective and efficient manner, while providing better \nawareness of our environment. Agencies turned in plans of \naction and milestones to fully optimize agency connections with \na target completion date of June 2008.\n    Recently, we provided the opportunity for all departments \nand agencies to review the proposed legislation, H.R. 4791. The \nbill contains several provisions which aim to enhance the \nprotection of Federal information and personally identifiable \ninformation, as well as several provisions that propose changes \nto FISMA. While we strongly support enhancing protections for \nsuch information, we share several concerns expressed across \nthe Federal agencies about the effect of this legislation.\n    The administration believes the foundation and the \nframework established by FISMA is sound and also believes there \nis still much we can accomplish to improve the security and \nmanage the risk associated with our information and information \nservices. 
Nonetheless, we are concerned with the unintended \nconsequences of the proposed change which would seriously \nimpact established agency security and privacy practices, while \nnot necessarily achieving the outcomes of improved privacy or \nsecurity.\n    While we understand technologies which are improperly \nimplemented introduce increased risk, we recommend any \npotential changes to the statute be technology-neutral. We \nrecognize that the IT landscape is ever-changing. As we deploy \ncommon, Government-wide solutions, departments and agencies \nincreasingly are requiring services instead of procuring \ninfrastructure.\n    We welcome the opportunity to further discuss potential \ngaps which may need to be addressed through future FISMA \nenhancements if appropriate. We look forward to discussing our \nongoing information security and privacy activities in greater \ndetail. We feel our current activities and initiatives as \nincluded in my written statement already are beginning to close \nperformance gaps H.R. 4791 attempts to address.\n    I would be happy to answer questions at the appropriate \ntime.\n    [The prepared statement of Ms. Evans follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4178.021 through T4178.027\n    \n    Mr. Clay. Thank you, Ms. Evans.\n    Mr. Wilshusen, you may proceed.\n\n               STATEMENT OF GREGORY C. WILSHUSEN\n\n    Mr. Wilshusen. Mr. Chairman, I am pleased to be here today \nto testify on FISMA and the state of Federal information \nsecurity. Rarely has the need for the Federal Government to \nimplement effective controls over its information systems and \ninformation been more important. 
Virtually all Federal \noperations are supported by automated systems and electronic \ninformation, and agencies would find it difficult, if not \nimpossible, to carry out their missions and account for their \nresources without them.\n    At the same time, Federal systems and critical \ninfrastructures are increasingly being targeted for \nexploitation by a growing array of adversaries, including \ncriminal groups, foreign nation states, hackers, terrorists and \ndisgruntled insiders. Thus, it is imperative that agencies \nsafeguard their systems to protect against such risks as loss \nor theft of resources, disclosure or modification of sensitive \ninformation, including national security, law enforcement, \nproprietary business and personally identifiable information \nand disruption of critical operations.\n    Today, I will summarize agency progress in performing key \ninformation security control activities, the effectiveness of \ninformation security at Federal agencies, and opportunities to \nstrengthen security. In fiscal year 2007, the Federal \nGovernment reported improved security performance relative to \nkey performance metrics established by OMB for FISMA reporting. \nFor example, the percentage of certified and accredited systems \nGovernment-wide reportedly increased from 88 percent to 92 \npercent. These gains continue a historical trend that we \nreported on last year.\n    Despite reported progress, 20 of 24 major Federal agencies \ncontinue to experience significant information security control \ndeficiencies. Most agencies did not implement controls to \nsufficiently prevent, limit or detect access to computer \nnetworks, systems or information. 
Moreover, agencies do not \nalways configure network devices to prevent unauthorized access \nand ensure system integrity, patch key servers and workstations \nin a timely manner, and maintain complete continuity of \noperations plans for key information systems.\n    An underlying cause for these weaknesses is that agencies \nhave not fully or effectively implemented the agency-wide \ninformation security programs required by FISMA. As a result, \nFederal systems and information are at increased risk of \nunauthorized access to and disclosure, modification or \ndestruction of sensitive information as well as the inadvertent \nor deliberate disruption of system operations and services. \nSuch risks are illustrated in part by an increasing number of \nsecurity incidents reported by Federal agencies.\n    Nevertheless, opportunities exist to bolster information \nsecurity. Federal agencies could implement the hundreds of \nrecommendations made by GAO and agency IGs to resolve \npreviously reported control deficiencies and information \nsecurity program shortfalls.\n    In addition, OMB and other Federal agencies have initiated \nseveral Government-wide initiatives that are intended to \nimprove security over Federal systems and information. For \nexample, OMB has established an information systems security \nline of business to share common processes and functions for \nmanaging information system security across Federal agencies, \nand it has directed agencies to adopt the security \nconfigurations developed by NIST, DOD and DHS for certain \nWindows operating systems. 
Consideration could also be given to \nenhancing policies and practices related to security control \ntesting and evaluation, FISMA reporting and the independent \nannual evaluations of agency information security programs \nrequired by FISMA.\n    In summary, although Federal agencies report performing key \ncontrol activities on an increasing percentage of their \nsystems, persistent weaknesses in agency information security \ncontinue to threaten the confidentiality, integrity and \navailability of Federal systems and information. Until Federal \nagencies resolve their significant deficiencies and implement \neffective security programs, their systems and information will \nremain at undue and unnecessary risk.\n    Mr. Chairman, this concludes my statement. I would be happy \nto answer your questions.\n    [The prepared statement of Mr. Wilshusen follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4178.028 through T4178.057\n    \n    Mr. Clay. Thank you so much, Mr. Wilshusen.\n    Mr. Paller.\n\n                    STATEMENT OF ALAN PALLER\n\n    Mr. Paller. Thank you, and thank you for having me.\n    I have been to St. Louis a bunch of times, first with \nMcDonnell Douglas and later with Boeing. It is a wonderful, \nhigh-tech city.\n    Mr. Clay. Thank you so much.\n    Mr. Paller. It is very impressive. Actually, what we are \ntalking about today directly affects Boeing, too, so it is not \njust a Federal discussion because of the change that our other \nwitnesses mentioned.\n    I am just going to tell you a couple of stories. First of \nall, I am the research director at SANS, so we have about \n68,000 people who are alumni who actually run security at most \nlarge organizations. Their job is almost completely impossible. \nIt just isn't out in the public, but we are losing this war \nagainst cyber-crime at an accelerating rate, meaning we are \nfalling farther behind every week.\n    What we are talking about today actually will make a \ndifference. It is not something nice to do for Federal \nagencies, it actually is a major war, it is involving \nespionage, it is involving a lot of things that deserve to be \ntreated with more attention. I am here actually with the hope \nthat you can do that by making the Federal Government lead by \nexample. So where the Federal Government uses its procurement, \nyou mentioned in your opening statement $70 billion, that is \nenough to do an amazing amount of good in security. 
You don't \nactually spend the money on security, you use the leverage of \nthe Federal procurement to make the change.\n    Just to clarify how FISMA became a compliance exercise \ninstead of a security exercise, it wasn't the way the law was \nintended. It actually was a mistake that was made in GISRA \nbefore it became FISMA, the original law that got changed, it \nwas written in the Senate and got changed into FISMA. What \nhappened was that NIST wrote a catalog of things that every \nagency had to do. They don't even call it a road map or a blue \nprint. They wrote a catalog. And then the IGs and others said, \nwell, now you have to do everything in the catalog. And the \nproblem is, if you had a catalog of things your kids had to do, \nand one of them was finish their homework and another one was \ncheck on the dog, but they were graded on how many things they \ndid, they are going to do all the check on the dogs quick, \nbecause the do your homework is hard. And that is what happened \nwith FISMA, because they got graded on how many things they did \ninstead of the important things.\n    So the leaders are smart, you guys, between Karen and the \nHill, you guys made it impossible for them not to do \neverything. They got Fs on all their report cards. And because \nof that, they are smart enough to know, they have to get you \noff their back. So the CIO said, I don't care what you need to \ndo for security, you have to get those reports done, because I \nhave to go see Clay Johnson in the White House and he is going \nto--well, what they said isn't public. But he will do bad \nthings to me if I don't get all my systems certified.\n    So the key change, it is a very small change, I have \nprovided your staff with some language that might be better, it \nwill be made better by your people. But the key change is to \nprioritize. If homework is more important than checking on the \ndog, don't say you are going to do these 500 things, say, do \nyour homework. 
Then if you get your homework done, then do \nthese other things and we will give you bonuses for the other \nthings. But let's make sure we prioritize the actions.\n    That is what the companies that do security well do. It is \nall attack-based. They find out where the attacks are coming \nin, then make sure their defenses can stop those attacks. We \ndon't do that in the Federal Government. So I put all that in \nthe statement.\n    I want to tell you one more story, because it is a ``Karen \nis a hero'' story, and it is really quite a good story. It is \nthe other half of what you can do. John Gilligan was the CIO at \nthe Air Force, he got up in front of 200 people and said, we \ncan't secure our Windows boxes. In fact, we spend more money to \nclean up after the mess than we do to buy this stuff in the \nfirst place, and I am going to change that. He took $500 \nmillion over 7 years, so it is not much per year. That is \nrelative to your $70 billion you are talking about. This is the \nexample of how your money makes a difference, $500 million over \n7 years.\n    He said to Microsoft, hey, we want you to configure the \nsystem securely when you sell it to us instead of selling it to \nus open and making every one of our people try to do it after \nwe buy it. And he got it done. Over 400,000 systems now are out \nof the box secure. The key is, they just reported this, they \ncut the patching time from 7 weeks to 3 days. And all the \nattacks come out in the first few days. So if you don't get it \ndone fast, you might as well not patch at all. And they saved \ntens of millions of dollars. It is the only example where you \nsave money and you improve security. It is what you can do with \nthe leverage you have in your money.\n    So I am happy to answer questions about any of this. Thank \nyou for letting me come.\n    [The prepared statement of Mr. 
Paller follows:]

    Mr. Clay. Thank you so much for that enlightening report.
    Mr. McConnell.

                STATEMENT OF BRUCE W. MCCONNELL

    Mr. McConnell. Thank you, Mr. Chairman and members of the
subcommittees for the privilege and opportunity to testify
today on Federal information security.
    The jurisdiction of this committee is so broad and its work
is so important to the critical functioning of our Federal
Government, it is a real pleasure.
    I am here today bringing you the perspective of 20 years of
work in information policy and technology, including 15 years
at OMB, serving 3 Presidents. I am also on a commission for
cyber security for the 44th Presidency, which has been
co-chaired by Congressman Jim Langevin and Congressman Michael
McCaul. I am not speaking on behalf of that commission.
    You asked in your invitation that I provide policy
recommendations for potential legislative consideration and to
comment on the state of FISMA compliance and the provisions of
H.R. 4791. I have done that in my written statement.
    But in my oral remarks, I wish to focus in on what I
consider to be the most significant development in Federal
information security in many years.
My analysis is based solely
on information that is in the public domain.
    On January 8th, President Bush issued a new National
Security Homeland Security directive. This order establishes a
comprehensive national cyber-security initiative. The issuance
of this national security order shows that information security
is receiving serious attention at the highest levels of the
executive branch. I believe this is good news.
    The so-called Cyber Initiative recognizes the serious
threats to the Nation's information infrastructure coming from
State and non-State actors, including sophisticated criminals.
It lays out the need to take proactive measures in cyberspace
to detect and prevent intrusions from whatever source in real
time before they can do significant damage. These tenets are
important, and while the details are not yet public, they
clearly include an increased role for the intelligence
community, in particular the National Security Agency [NSA], in
protecting Federal systems.
    Let me explain why I believe this expanded NSA role is
germane to this committee's work. The Cyber Initiative relates
directly to two statutes under your jurisdiction: FISMA and the
Privacy Act. When this committee wrote FISMA's predecessor, the
Computer Security Act of 1987, you vested the National
Institute of Standards and Technology [NIST] with primary
authority in the security of civilian agency information
systems. You also explicitly limited the role of NSA with
respect to civilian agency systems. There were several reasons
for this differentiation of responsibilities.
    Foremost in the mind of Congress was the potential chilling
effect on the free flow of information between Government and
the public, including the information technology industry, if a
military agency became too closely involved with civilian
agency systems.
As the committee's report in 1987 notes,
``Since it is a natural tendency of DOD to restrict access to
information through the classification process, it would be
almost impossible for the Department to strike an objective
balance between the need to safeguard information and the need
to maintain the free exchange of information.''
    Civilian agency missions, such as those at the Census
Bureau, the Internal Revenue Service and the Centers for
Medicare and Medicaid Services, depend on the trust of the
American people to operate successfully. These missions require
the free and efficient flow of information to and from the
public in order to deliver important public benefits and
programs.
    In addition to the potential chilling effect on information
flows, the statute also reflected potential concerns about
privacy and civil liberties. This statutory framework
separating civilian and military systems has been confirmed and
strengthened three times in the last two decades.
    Now, Mr. Chairman, it may be that the world has changed so
much that this historic distinction between civilian agency
systems and national security systems no longer serves the
Nation's interest. Certainly the current computer security
regime in Government is not working adequately. There is a big
gap between what the agencies need and what they are getting.
The gap extends beyond Government systems to the U.S.
information infrastructure.
    Therefore, there is a substantial argument that you need to
put resources from the intelligence community against this
problem, because that is where the most resources are on the
Federal side. Of course, there are also substantial resources in
the private sector in this area.
    So what is really needed is a partnership of trust between
the Government and the private sector to address the Nation's
information security needs.
Many of the information security
professionals I talk to suggest that this trust is at a
relatively low point in our history and it needs to be
strengthened if we are going to be able to address this
critical issue. We need to determine who in the Government can
most effectively foster trust and cooperation with industry and
with the American people.
    So I encourage the committee to look at these roles and
responsibilities in the context of FISMA and the Privacy Act.
Thank you, sir.
    [The prepared statement of Mr. McConnell follows:]

    Mr. Clay. Thank you so much, Mr. McConnell. Our final
witness will be Mr. Bennett. Mr. Bennett, you may proceed.

                    STATEMENT OF TIM BENNETT

    Mr. Bennett. Thank you, Mr. Chairman, Congressman Davis.
Thank you for the opportunity to share the views of the Cyber
Security Industry Alliance on improvements in FISMA.
    CSIA is a group of leading security technology vendors that
are dedicated to ensuring the privacy, reliability and
integrity of information systems through public policy,
technology, education and awareness. It is our belief that a
comprehensive approach for enhancing the security and
resilience of information systems is fundamental to economic
security.
    Mr. Clay. Excuse me, Mr. Bennett, is your microphone on?
    Mr. Bennett.
Allow me to commend this subcommittee and its
parent committee for the sustained attention that has been
given in recent years to the critical objective of
strengthening information security within the Federal
Government. As we have painfully learned and heard from a
couple of the other witnesses this morning, Federal systems are
frequently vulnerable to cyber attacks, and the oversight of
this subcommittee and full committee is an important element
in holding Federal agencies accountable for improved
information security as well as highlighting ongoing challenges
and vulnerabilities.
    The 110th Congress now has an important opportunity to
amend FISMA to improve the information security climate at our
Federal Government agencies. Even though the last few years
have yielded a number of successes, there are certain
weaknesses in our Government's critical infrastructure which
still urgently need to be addressed.
    It has become clear that the infiltration of Federal
Government networks and the possible theft and/or exploitation
of information are among the most critical issues confronting
our Federal Government. While progress has been made, much work
remains to be done in order to truly secure our Government's IT
infrastructure.
    FISMA has been fairly successful at getting agencies in
general to pay closer attention to their information security
obligations. Before FISMA, information security was not a top
priority at Federal agencies. FISMA has been successful in
raising awareness of information security in the agencies and
also in Congress.
    However, Federal agencies scored an average grade of C
minus in 2007's Information Security Report Card. Some argue
that FISMA does not adequately measure information security. A
high FISMA grade doesn't mean the agency is secure and vice
versa. That is because FISMA grades reflect compliance with
mandated processes.
They do not measure how much these
processes have actually increased information security.
    In particular, the selection of information security
controls is subjective and not consistent across Federal
agencies. Agencies determine on their own what level of risk is
acceptable for a given system. They can then implement the
corresponding controls, certify and accredit them and thus be
compliant and receive a high grade regardless of the level of
risk they have deemed acceptable.
    Certainly we want to avoid a check the box mentality and
don't want FISMA to be reduced to a largely paperwork drill
among the departments and agencies, consuming an inordinate
amount of resources for reporting progress while yielding few
genuine security improvements. Unfortunately, in some cases,
that is what it has become.
    Some Federal agency chief information security officers are
measured on their compliance scores with FISMA, not on whether
they have adequately assessed risk in their respective agency
or prevented breaches of sensitive information. Instead, we
want agencies to actively protect their systems instead of just
reacting to the latest threat with patches and other responses.
With the benefit of 5 years' experience under FISMA and several
insightful reports by the U.S. Government Accountability
Office, it is now possible to identify possible improvements
that can address those weaknesses in FISMA implementation that
have now become apparent.
    With global attacks on data networks increasing at an
alarming rate and in a more organized and sophisticated manner,
there is precious little time to lose. Faced with this urgent
need, we applaud the bill that you have introduced, H.R. 4791.
We strongly support this bill.
It would undertake the important
step of codifying many of the recommended steps that OMB took
in a series of memos to Federal agencies after a series of
significant data breaches in recent years. The legislation
provides much-needed common sense obligations to require
agencies to develop policies and plans to identify and protect
personal information, develop requirements for reporting data
breaches and report to Congress a summary of information
security breaches reported by Federal agencies.
    We recommend that the proposed legislation also include
language requiring that data breaches of information systems
maintained by contractors and other sources working on Federal
projects be promptly notified to the Secretary and the CIO of
the contracting agency. Federal contractors are responsible for
many of the data breaches that agencies reported. CSIA believes
that it is important to reaffirm that FISMA applies to Federal
contractors.
    We also commend the chairman for having the insight to
incorporate language into this legislation requiring that
Federal Government agencies encrypt or make unusable and
unreadable personal data and to establish minimum requirements
for protection of information or mobile devices. H.R. 4791 also
prudently establishes security requirements for peer-to-peer
networks. We believe that agencies should be required to
develop a plan to protect against the risks of peer-to-peer
networks and provide detailed technology and the policy
procedures they should take.
    To assist further consideration of this bill, we offer
additional recommendations. One, align responsibilities and
authorities to vest the CIO and CISO with specific power over
information security.
The current authority of agency CIOs to
ensure should be the power to enforce cost effective measures
of security.
    Two, require improvements to assessment, continuous
monitoring and remediation in order to develop a comprehensive
approach to information systems security. Three, mandate
preparation of the complete inventory of all Federal agency IT
assets by a certain date. Four, improve performance
measurement and provide incentives to agencies that give
information security a high priority. Five, institutionalize
security within Federal agency culture. Six, increase Federal
agency IT security funding. Seven, reaffirm objective
assessments of commercially available information technologies.
And eight, narrow the scope of the privacy definition provided
for in the proposed legislation.
    In closing, I commend the subcommittee for highlighting the
importance of information security, for examining how we can
improve FISMA and Federal agency information security practices
going forward. The overriding objective should be to move
Federal agencies to act in a manner that equates strong
information security practices with overall mission
accomplishment. We all know what is at stake.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Bennett follows:]

    Mr. Clay. Thank you, Mr. Bennett. I thank the entire panel
for their testimony today.
    Now we will proceed under the 5-minute rule to questions
for the panel. I will recognize the ranking minority member of
the full committee, from Virginia, my good friend, Tom Davis.
Mr. Davis.
    Mr. Davis of Virginia. Thank you, Chairman Clay.
I want to
thank you for holding this important hearing.
    We are here to talk about information security from the
Federal perspective. But these are issues and challenges we
face at all levels of Government and even as individuals.
Secure information is the lifeblood of effective Government
policymaking, good program management and a thriving economy.
Protecting that information has to be a priority, not an
afterthought.
    The evolving nature of cyber threats requires constant
vigilance. The Federal Government's information security
program should be proactive, not reactive. If we keep chasing
yesterday's problems, we will never be able to stop tomorrow's
sophisticated challenges.
    When it comes to information security, all it takes is one
weak link to break the data chain. One successful cyber attack
could strike a stunning blow to an agency's operations and
damage citizens' trust in electronic Government initiatives.
    Continued vulnerability puts personal information at risk.
The loss of Blackberry service a few days ago reminded us of
our dependence on IT, how difficult it is for us to function
without it, and how fragile some key systems remain.
    One of the best ways to defend against attacks is to have a
strong and yet a very flexible protection policy in place, not
overly prescriptive. We want agencies to actively protect their
systems, instead of simply reacting to the latest threat with
patches and other responses.
    On the Government Reform Committee, I focused on
Government-wide information management and security for many
years. The Privacy Act and the E-Government Act of 2002
outlined the parameters for the protection of personal
information and the Federal Information Security Management Act
[FISMA] requires each agency to create a comprehensive risk-
based approach to agency-wide information security management
through preparedness, evaluation and reporting requirements.
It
is intended to make security management an integral part of an
agency's operation and to ensure that we are actively using
best practices to secure our systems.
    Certainly, FISMA has its critics. We have heard from some
of them today. But I think we also will hear that it still
provides the necessary tools to secure our information, and has
made information security a priority mention at agencies. We
want to avoid that check the box mentality that has been
criticized, and we need to incentivize strong information
protection policies. We need to pursue a goal of security
rather than compliance.
    Nearly 5 years after FISMA was enacted, there is always the
risk of complacency. The basic FISMA concept and process
remains sound. But we should ask if we can make it better. I
think we can.
    As a start, I introduced legislation requiring timely
notice be provided to individuals whose sensitive personal
information could be compromised by a breach of data security
at a Federal agency. Despite the volume of sensitive
information held by agencies, there is no current requirement
for citizens to be notified if their information is
compromised. This legislation passed the House during the 109th
Congress. I continue to urge Chairman Waxman to make it a
priority this year. I would ask that the two letters I have
sent to Chairman Waxman be included in the record, Mr.
Chairman.
    Mr. Clay. Without objection, so ordered.
    [The information referred to follows:]

    Mr. Davis of Virginia. Each year, I have released Federal
Agencies Information Security score cards. Despite some
improvements, scores for many departments remain unacceptably
low. By the way, a lot of the scoring is done by GAO and OMB.
It is not just done by our whim.
    The Federal Government overall received a C minus, a slight
improvement over prior years. I know some don't like to be
graded. I have actually had Cabinet secretaries call me to
lobby about their grades. And others don't see the value.
    But I think most of us agree 5 years later that information
security should be a priority at Federal agencies. This is how
it should be. The Federal Government has sensitive personal
information on every citizen, from health records to tax
returns to military records. We need to ensure that the public
knows when its sensitive personal information has been lost or
compromised. Public confidence in Government in this area is
essential.
    As we discuss Federal information security, we should focus
on the most pressing issues and threats, remain technology-
neutral and take care not to disrupt the progress we have made
or the progress already underway. Not being technology-neutral,
I think, siphons a lot of innovation from this area. That is a
major concern with being overly prescriptive, something we have
to balance.
    In the end, the public demands effective Government and the
future of effective Government and security information depends
more than ever on a successful future for FISMA.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. Tom Davis follows:]

    Mr. Clay. Thank you, and would the ranking member care to
ask questions?
    Mr. Davis of Virginia. Ms. Evans, let me ask you, the
administration has focused unprecedented attention on the
mundane but the very essential tasks of improving Federal
management practices, including a focus on expanding electronic
Government.
The President's management agenda rates agencies'
efforts on E-Gov initiatives, OMB requires quarterly reports,
yet we still have a long way to go before things are secure.
    Do you have any advice or recommendations for the next
administration of things they should prioritize?
    Ms. Evans. I have a lot of advice. But in particular, I
think that the areas that we focused on and the specific
processes are good foundational activities that I think any
administration would want to continue. For example, on the
score card, one of the things that we look at, and on a
quarterly basis as required by the guidance that has been
outlined in FISMA, is the plan of actions and milestones which
really is the constant assessment of risk.
    If an agency is in the check the box mentality, then we are
going to get the results that the other panelists, my
colleagues, have talked about. But if the agency head and the
CIO are really evaluating the new technologies, the services
that they have, that process, that monthly looking at things,
the daily looking at things and then making sure that you have
an adequate way to then address it I think is a good practice
to carry forward. We call it certification and accreditation
overall, we call the quarterly reports, plan of actions and
milestones, but what it really is is getting to the culture of
managing the risk.
    Mr. Davis of Virginia. Have you found any agencies that
just check the box and literally don't have the substance
behind checking it?
    Ms. Evans. I think that there are mixed results, as we have
said in our reports in the past. I work very closely with all
the agencies, especially through the CIO council. I do and am
concerned that we balance the compliance aspect of this
legislation and any legislation that we have against achieving
the actual results.
So I would say there are mixed results and
it depends on the leadership and the CIO in particular of how
they are managing that information security program within the
department.
    Mr. Davis of Virginia. The report cards are not perfect,
but right now, nobody else is keeping track, at least up here,
over what is happening. If you don't give a report card or at
least give some public embarrassment, there is no
appropriations penalty to be paid or anything else. Ultimately
it has to be directed from OMB. The executive branch doesn't
need us involved in a perfect world. We have to make this a
priority.
    But managers down below, given limited funds, generally
want to accomplish their mission first. Many of them would just
as soon take the risk of a data breach to be able to accomplish
things, and if something happens, hopefully it won't happen on
their watch. That is one of our concerns.
    Ms. Evans. And I would agree with you and I think that is
what we have done through the criteria that we manage and look
at on a quarterly basis through the E-Government Score Card on
the President's management agenda. It is looking at all and
everything that takes into consideration for a good information
technology program in a department. If you master those
management skills, then you have the foundation to go forward
to support any program.
    All of this is about getting good program results and
making sure that you have public confidence in your services.
So you have to do many things in order to do that in this
environment. The way to provide those services is through the
use of information technology.
    Mr. Davis of Virginia. Mr. Paller, part of your testimony
approaches Federal IT from an international perspective. How do
we rank when you compare us with government IT security in
other countries?
    Mr. Paller. First, the breach bill that you talked about,
this is going to do a lot of good.
Because people respond when
they have to make something public in ways they don't even
think about.
    Mr. Davis of Virginia. No question. The tendency is to
sweep it under a rug, fully investigate, make sure you get your
spin on it. That is just natural. We do the same, by the way,
we are no different than the executive agencies.
    Mr. Paller. In almost all areas, we are stronger than other
governments. The one place we fall way behind is in information
sharing. The British figured out how to do that. They actually
copied something we had called the NSIE, and spread it and we
didn't copy what we had and we built this thing called ISACs
that just don't work. So they are way ahead on information
sharing.
    But in terms of actually securing Government systems, we
are not way behind anyone.
    Mr. Davis of Virginia. We are also more of a target than
most government systems, aren't we?
    Mr. Paller. We are getting hurt more, the British equally,
the Australians, too. These nation-state attacks are enormous.
The head of MI-5 actually just did a letter that it is all
spreading to businesses now. If you do business in China, you
are being just destroyed with cyber attacks.
    Mr. Davis of Virginia. I hope we can sit down and work some
language out that and can all agree on this. Because a cyber
Pearl Harbor or something of that nature would just be awful.
And at that point, you would say, where have we all been on
this. And a lot of us have been working on this for a long
time. It is not easy.
    Can I just ask one other question? Mr. Wilshusen, some have
suggested that standardizing IG audits, their practices in the
area of information security, would help reduce the discrepancy
between the agency grades, their compliance with the act and
their information security practices. Is it feasible to
standardize audit practices? Do you agree with that proposal?
    Mr. Wilshusen.
I think audits and in particular, with the
independent IG evaluations, we have noted in the past that they
have been inconsistent, the scope and methodology of their
evaluations vary across agencies. And the form and content of
the reports differ significantly from just repeating or
presenting the information on the FISMA template that OMB has
established to coming up with real conclusions and findings and
issues on these security deficiencies at those agencies.
    So by having these evaluations of performance in accordance
with Government auditing standards, for example, that could
elevate and raise consistency in the content of those
evaluations.
    Mr. Davis of Virginia. Thank you.
    Mr. Clay. Thank you, Mr. Davis.
    Mr. Paller, I am very interested in your testimony's
support of prioritizing the testing and evaluation activities
that are carried out by agencies on a regular basis. Thus, I
have a few practical questions on how would you get there. Does
current guidance from NIST, such as S.P. 853, provide a
blueprint for adequate security and should this guidance simply be
made mandatory and binding on agencies?
    Mr. Paller. No, and hell, no. It is a catalog of everything
anybody ever thought of that might help security, 853. Not even
the audit guide, this is it. There is a parallel in the
commercial world that is what you actually have to do to secure
all the credit cards. Because the credit card industry says, we
are going to stop losing it. This looks smaller. And this one,
in all of this, firewalls are a really important part of
security, lock the door, firewalls the door. In all of this,
one-200th of it talks about firewalls. In the real one, one
eighth. So 12 1/2 percent talks about it.
    If you know security, you actually know security, not know
about writing about security, but actually doing it, no, 853 is
silly.
    Mr. Clay.
How can new guidance or security controls be
added in a real-time environment?
    Mr. Paller. I think again, the payment card industry does
it. These are updated regularly. There is a massive new attack
on Web applications. They used to go against Windows and the
other things. Now they are going against every Web site.
    Well, this has nothing, it tells you nothing about doing
that. But this one is updated very regularly, almost quarterly.
It is not hard. All you do is you set up a council of the
people who actually have to protect systems, say, what are you
doing and then get them to agree, 10 or 12 of them, they agree
and you write it up. It really isn't impossible. It is not
easy, but it isn't impossible.
    Mr. Clay. You also referred to the Air Force contracting
which had required vendors to deliver minimum security
configurations for a system. Should a contractual mandate along
these lines, with requirements defined by OMB and the Federal
Acquisition Council be required under FISMA?
    Mr. Paller. That is actually Karen's, she has done a lot of
wonderful things. Taking what the Air Force did and making it a
Federal mandate is the biggest, single biggest thing in
improving security we have ever done as a country.
    Mr. Clay. Is that what Ms. Evans is pushing?
    Mr. Paller. Yes, what Ms. Evans has done.
    Mr. Clay. Would we have the problem of technology moving
ahead too quickly for regulations to keep up?
    Mr. Paller. No. The Air Force, for example, has this
absolute mandate. You have to do it this way. And if you
compare the Air Force's new computers with every other agency,
they are ahead of the other agencies. So you can't say they are
behind technologically when they actually have the most
advanced technology and yet they are meeting the standard. It
is because they do it together that they get all the advanced
technologies.
    Mr. Clay.
Thank you for that response.
    Let me ask Mr. McConnell, can you tell us how laws like
FISMA and Clinger-Cohen have altered the information security
landscape over the past decade, and if there are areas in which we
should try to harmonize the provisions in order to improve
security?
    Mr. McConnell. Yes, sir. I think there have been three
beneficial effects of FISMA and Clinger-Cohen. They have
increased the level of attention that is paid to information
security, they create a management structure that can be used
to manage it, and they have encouraged integrating security
into the overall program management. So you have a well-managed
program that includes good security.
    I think what is needed at this point is for the executive
branch to take full advantage of the authorities and structure
that you have provided. I have seen that work in the past
across administrations. The Clinger-Cohen bill set out
authorities in a management structure that was passed during
the Clinton administration. And now the current administration
has really exercised those authorities in a significant way.
    I think as far as harmonization, the law that is probably
the most in need of harmonization and updating that is under
this committee's jurisdiction is the Privacy Act. That is the
Privacy Act of 1974. And that as you can imagine, there is much
that could be done to harmonize that with other things that
have happened.
    Mr. Clay. Can you explain in further detail why an
independent audit would hinder agency efforts to root out
security vulnerabilities? Isn't one of the problems with FISMA
related to the current evaluations having little consistency or
applicability across agencies, making it a paperwork exercise?
    Mr. McConnell. I would agree that the current evaluations
are inconsistent and that they often focus on paperwork. But I
don't think those two aspects are necessarily connected.
You \nhave inconsistency because you have inconsistent evaluation \ncriteria and processes. Whereas the paperwork is looking at a \ncompliance, box checking, rather than on operational security, \nas Mr. Paller was saying, let's just get the stuff done.\n    So you could have consistent processes, but still have the \npaperwork focus. The concern that I have about the mandatory \naudit is that you just exacerbate the compliance mentality. \nEverybody at that point is in a CYA thing, trying to make the \naudit right. So I think you need to have consistent evaluation \ncriteria, independent evaluation criteria, but I don't \nrecommend making it an audit.\n    Mr. Wilshusen. Mr. Chairman, may I please comment?\n    Mr. Clay. Sure.\n    Mr. Wilshusen. One thing, and I just want to make sure that \nwe are clear on if we are talking about the annual independent \nIG evaluation or audit, if that is the change in H.R. 4791, \nversus the testing that may be done by the agencies. One thing \nthat is important, if we go to an audit by the IG as part of \nthe annual evaluation, is to make sure that the audit focuses \non and the auditors conclude on the effectiveness of the \ninformation security controls, rather than making it merely \ncompliance with the provisions of the act.\n    And so it is important to direct the focus of the audit \ntoward evaluating effectiveness as the IGs and auditors do as \npart of the consolidated financial statement or the audits of \nthe agencies' financial statements. 
And that is why you have a \ndisparity between why certain agencies are reporting increased \nperformance versus the various metrics established by OMB for \nFISMA reporting versus those audit results of the effectiveness \nof controls.\n    So there is a distinction there to try to make the annual \nIG evaluation by making it in accordance with audit standards \nand assuring that the auditors conclude on the effectiveness of \ncontrols, not merely compliance with the act.\n    Mr. Clay. And these should be independent audits?\n    Mr. Wilshusen. Absolutely.\n    Mr. Clay. Yes.\n    Mr. Wilshusen. And that is separate from the agencies that \nare also required under FISMA to test and evaluate the \neffectiveness of their controls. And that would be all their \ncontrols, management, operational, technical controls, on a \nfrequency based on risk. We have found problems with that \nprocess being implemented by the agencies. But those are two \nseparate issues, once performed independently by the IG or \nother auditors, others. The security tests and evaluations \nrequired as part of an agency information security program is \nperformed by agency personnel or their contractors.\n    Mr. Clay. Thank you for that response.\n    Mr. Bennett, a critical element of FISMA is for agencies to \ndevelop a risk assessment of their systems in order to develop \nor integrate effective security policies and applications for \nthem. With this in mind, please characterize the vendors' roles \nand responsibilities in developing and implementing secure \nnetworks and applications throughout an agency.\n    Mr. Bennett. Yes, Mr. Chairman. The vendor should be \nresponsible for understanding the agency's enterprise \narchitecture and the operating environment to assure that their \nsolutions will not disconnect or break the systems that are \ncurrently in place. 
While Government and their contractor \npersonnel, support personnel are ultimately responsible for the \nsupport and operation of the infrastructure, only the vendors \nof these enterprise solutions really understand the protocols \nand underlying infrastructure requirements that will allow \nthese products to work securely and as designed.\n    This means that implementation, testing and integration of \ncyber security and risk in the mission achievement is the \nresponsibility of the vendor in the larger context of the \nagency framework and budget.\n    Mr. Clay. Is the mitigation of risk a shared duty or \nresponsibility between both agency personnel and the vendor \ncommunity?\n    Mr. Bennett. Yes, absolutely it is a shared responsibility, \nto the extent that the vendors' products should work as \nadvertised. The agency is solely responsible for the \ndetermination of how much risk they are willing to take and \nNIST guidelines do provide some guidance in this area.\n    But once a mitigation plan has been decided, the agency should \nhave every expectation that the solutions that have been \npurchased perform as advertised.\n    Mr. Clay. In actuality, and anybody on the panel can answer \nthis, how does it actually work between the vendor community and \nthe agency? Is it pretty seamless? Is it a turf war? What have you \nfound? Ms. Evans, you can start.\n    Ms. Evans. I would like to take the opportunity to first \ntalk about that. I applaud the answer of my colleague at the \nother end of the table. But when it ultimately comes down to \nit, the agency head is ultimately responsible for the services \nthat they procure and the contracts that they let. So it is the \nresponsibility of the CIO, which is outlined in the statute, to \nensure that we manage that risk appropriately.\n    So you have to have very clear and open communications. You \nhave to make sure that the contract is very clear as to what the \nroles and responsibilities are. 
But when it is said and done, \nthe American people hold us, the executive branch, accountable \nfor our actions and for our services. So I believe that what \nthe administration has done with our policies and the actions \nthat we are taking is trying to make that very clear and using \nthe tools that we have in place to leverage our buying power, \nso that it is clear to us and clear to those who choose to \nprovide the services for us what those expectations are, what \nthe risks are and how those products need to work in our \nenvironment.\n    Mr. Clay. Thank you.\n    Mr. Wilshusen.\n    Mr. Wilshusen. I would just like to add, FISMA requires \nthat the agency is responsible for the security over the \nsystems that are operated on its behalf by third parties and \ncontractors. It should be an integral part of the agency's \ninformation security program.\n    However, we have found in our report that we issued back \nin, I think it was April 2005, that many of the agencies did \nnot have adequate policies or actually monitoring the \neffectiveness of security over systems operated by contractors. \nSo Ms. Evans is absolutely correct, it is important that \ncontracts be, or that the requirements for information security \nbe specified in the contracts, so that the contractors know \nwhat to do. But there is also that other side of the agency \ntaking responsibility to assure that the contractors are \nupholding their end of the bargain and implementing the \nsecurity in accordance with the contract requirements and \nFederal requirements.\n    Mr. Clay. Thank you.\n    Mr. Paller.\n    Mr. Paller. We train 14,000 people a year. Lots of them are \nFederal people, lots of them are contractors, lots of them are \nBoeing people. They can't figure this out on the fly. What Ms. \nEvans is talking about, contracting for what you want, the fact \nthat we don't do that today is one of the two biggest flaws in \nall of our Federal security. 
What we do is we throw it over the \nwall to these contractors. And then when we find out there was \nsomething extra we needed to do for security, they say, well, \nthat is another $100 million. Then we have to make choices \nbetween spending the extra money or not.\n    We have to change the way we buy products, to buy it with \nsecurity baked in, rather than getting caught. That happens \nwith our third party, our software. Right now, if somebody does \na software development for us and we find a major security flaw \nin it, we have to pay them to now go and we have to negotiate \nwith them and now they are busy and they have something else to \ndo. The whole contracting mechanism is, give it away and then, \noh, shoot, security, we should have asked you for that. So what \nMs. Evans is talking about is not a lightweight thing. It \nactually matters.\n    Mr. Clay. Do you think in the President's proposed $70 \nbillion budget for IT, do you think there are some built-in \nprotections for that, for that security element?\n    Mr. Paller. No, the contracting officers don't like this \ntopic. So when the guys want to put it into contracts, am I \nbeing bad?\n    Ms. Evans. No, you go ahead. [Laughter.]\n    Mr. Clay. You are doing fine. Please proceed.\n    Mr. Paller. The contracting officers don't like it and so \nwhen the technical person who knows what he wants goes to the \ncontracting officer and says, can we put that in, he says, \nwell, you are not being specific enough. And then it is gone.\n    Ms. Evans. But I have good news. I bring good news, which \nis, we have, as I stated in my testimony, we have been working \nwith the Federal Acquisition Council to make modifications to \nthe FAR to do things like what we have done with the Federal \nDesktop Core Configuration. So the FAR will be amended to then \ninclude the common security configurations, which makes it a \nmandatory clause. 
That clause, that language is to be published \nin the Federal Register no later than Tuesday.\n    So we understand where the performance gaps are. We know we \nhave to follow through in our contracts to ensure that we can \nhold ourselves as well as the contractors accountable. So if \nyou follow this example through, we gave agencies guidance last \nyear, last June. All new contracts were to have this language \nin it if you were providing these types of operating systems or \nyou were going to provide products that were going to operate \non these operating systems.\n    What we are following through now is making sure that we \nwill be successful in spite of ourselves, because this will be \nin the FAR. It will go forward that way. So a lot of these \nthings are now coming into place where the vendors now are \nlike, OK, so what does this mean that I have to provide \ncertification? That is the point of what NIST has done by \nhaving this program out which is dealing with--the acronym is \nS-CAP, but in essence what it does is validate that those \nsecurity settings stay set when you bring them into your \nenvironment.\n    So a vendor, when you bring in new tooling to your \nenvironment or a new application or anything, you run this \ntool. And it is going to tell you, against those 700 settings, \nwhat changes and what didn't. It gives you a percentage. We are \ntalking 100 percent right now. We told the agencies that they \nhad to comply with this. There is no, like, give me 80 percent \nor so. It is zero or 100.\n    Then we thought, OK, from that perspective, how would that \nreally go forward. We have agencies that can tell you exactly \nhow many desktops have these operating environments and out of \nthe 700, 5 are problematic and they know exactly now what \napplications that affects.\n    We couldn't do that before. So now when you know what that \nis, you can now put in compensating controls. 
These lay the \ngood foundations for an information management program. But the \nkey was to ensure that the procurement cycle, and as these \nproducts and applications come into our environments, that they \ntoo are aware and that they are certifying against that \nenvironment.\n    Mr. Clay. Will you provide us with the language?\n    Ms. Evans. Absolutely.\n    Mr. Clay. Thank you so much.\n    Mr. McConnell, did you have anything to add?\n    Mr. McConnell. I think this has been pretty well discussed, \nsir.\n    Mr. Clay. Mr. Bennett, one final question. You mentioned \nincentives for agency security performance in your testimony. I \nwould like to explore that idea of a carrot and stick approach. \nWould incentives such as permitting agencies that receive an \nunqualified or clean independent audit to be audited only every \nother year be appropriate, and conversely, would penalties for \nan agency such as losing procurement funding until deficiencies \nare remedied be an effective tool?\n    Mr. Bennett. Yes, Mr. Chairman. I think that might work and \nshould be given serious consideration and should be \ncounterbalanced by the concept that if there is inadequate \nperformance, that the frequency of audits should be increased \nso that it works both ways and truly becomes a carrot with also \na stick.\n    Mr. Clay. Thank you so much.\n    Do any other panelists have anything to add?\n    Mr. Paller. I just wanted to connect the dots to Boeing. \nEverything we are talking about, about compliance, spending all \nthis money, not doing security, I am getting calls all the \ntime, they are just discovering it, does this really mean us, \ntoo? So everything we are talking about, about cleaning it up, \nis about to come back across the entire Defense industrial \nbase, because a few months ago, they found out that the Chinese \nhad gotten deeply into most of their computers as well. 
So they \nare now part of the game, and they are subject to all of this \nand people saying, well, let's make them FISMA-compliant, and \nall this discussion about paperwork and money wasted, it is all \nabout what we are going to do to the contractors.\n    Mr. Clay. So they are watching with a keen eye?\n    Mr. Paller. They are going to scream when it hurts.\n    Mr. Clay. They are going to scream when it hurts.\n    Thank you so much, Mr. Paller. Ms. Evans.\n    Ms. Evans. On the evaluations or audits, or whatever we end \nup calling it, I do think that it is important, again, that it \nis a balance of what we are looking at and the carrot and stick \napproach. This is something that in my own position that I am \nsure you guys manage with, as I do, is that we need to be \ncareful about the compliance versus the actual results that we \nare trying to achieve. Putting timeframes on these things also \ncould drive certain behavior that we may not necessarily want \neither.\n    I really believe it gets down to, it is a culture of \nconstantly evaluating the risks associated with the information \nthat you have. And you know, to take away procurement authority \nor to take away money in some cases you might have to add money \nin order to fix these types of activities, because it is so \npervasive.\n    I really believe the way the administration puts together \nthe budget, how we evaluate the capital planning, how we send \nthis stuff forward, really allows the agencies to focus on \nmanaging that on a daily basis. It is not a time, it is not a \nquarter, it is not a year, it is not biannually. Agencies have \nto do this on a daily basis. It has to be a culture of managing \nrisk on a daily basis.\n    Mr. Clay. Thank you so much for that response, Ms. Evans.\n    Let me thank the entire panel for today's hearing and your \ntestimony. We certainly appreciate your participation in this \nhearing.\n    That concludes this hearing. 
Hearing adjourned.\n    [Whereupon, at 12:40 p.m., the subcommittees were \nadjourned.]\n\n</pre></body></html>\n"