[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]




 
               FEDERAL IT SECURITY: A REVIEW OF H.R. 4791

=======================================================================

                             JOINT HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                and the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                                   ON

                               H.R. 4791

 TO AMEND TITLE 44, UNITED STATES CODE, TO STRENGTHEN REQUIREMENTS FOR 
   ENSURING THE EFFECTIVENESS OF INFORMATION SECURITY CONTROLS OVER 
 INFORMATION RESOURCES THAT SUPPORT FEDERAL OPERATIONS AND ASSETS, AND 
                           FOR OTHER PURPOSES

                               __________

                           FEBRUARY 14, 2008

                               __________

                           Serial No. 110-72

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                     http://www.oversight.house.gov


                     U.S. GOVERNMENT PRINTING OFFICE
44-178 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
EDOLPHUS TOWNS, New York             TOM DAVIS, Virginia
PAUL E. KANJORSKI, Pennsylvania      DAN BURTON, Indiana
CAROLYN B. MALONEY, New York         CHRISTOPHER SHAYS, Connecticut
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
DANNY K. DAVIS, Illinois             MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts       TODD RUSSELL PLATTS, Pennsylvania
WM. LACY CLAY, Missouri              CHRIS CANNON, Utah
DIANE E. WATSON, California          JOHN J. DUNCAN, Jr., Tennessee
STEPHEN F. LYNCH, Massachusetts      MICHAEL R. TURNER, Ohio
BRIAN HIGGINS, New York              DARRELL E. ISSA, California
JOHN A. YARMUTH, Kentucky            KENNY MARCHANT, Texas
BRUCE L. BRALEY, Iowa                LYNN A. WESTMORELAND, Georgia
ELEANOR HOLMES NORTON, District of   PATRICK T. McHENRY, North Carolina
    Columbia                         VIRGINIA FOXX, North Carolina
BETTY McCOLLUM, Minnesota            BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                BILL SALI, Idaho
CHRIS VAN HOLLEN, Maryland           JIM JORDAN, Ohio
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont
------ ------

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
CHRISTOPHER S. MURPHY, Connecticut   TODD RUSSELL PLATTS, Pennsylvania
PETER WELCH, Vermont                 JOHN J. DUNCAN, Jr., Tennessee
CAROLYN B. MALONEY, New York
                    Michael McCarthy, Staff Director


                            C O N T E N T S

                              ----------                              

Hearing held on February 14, 2008
Text of H.R. 4791
Statement of:
    Evans, Karen S., Administrator for Electronic Government and 
      Information Technology, Office of Management and Budget; 
      Gregory C. Wilshusen, Director, Information Security 
      Issues, Government Accountability Office; Alan Paller, 
      director of research, the SANS Institute; Bruce W. 
      McConnell, president, McConnell International, LLC; and Tim 
      Bennett, president, Cyber Security Industry Alliance
        Bennett, Tim
        Evans, Karen S.
        McConnell, Bruce W.
        Paller, Alan
        Wilshusen, Gregory C.
Letters, statements, etc., submitted for the record by:
    Bennett, Tim, president, Cyber Security Industry Alliance, 
      prepared statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    Davis, Hon. Tom, a Representative in Congress from the State 
      of Virginia:
        Letter dated July 27, 2007
        Prepared statement of
    Evans, Karen S., Administrator for Electronic Government and 
      Information Technology, Office of Management and Budget, 
      prepared statement of
    McConnell, Bruce W., president, McConnell International, LLC, 
      prepared statement of
    Paller, Alan, director of research, the SANS Institute, 
      prepared statement of
    Wilshusen, Gregory C., Director, Information Security Issues, 
      Government Accountability Office, prepared statement of

               FEDERAL IT SECURITY: A REVIEW OF H.R. 4791

                              ----------                              


                      THURSDAY, FEBRUARY 14, 2008

        House of Representatives, Subcommittee on 
            Information Policy, Census, and National 
            Archives, joint with the Subcommittee on 
            Government Management, Organization, and 
            Procurement, Committee on Oversight and 
            Government Reform,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 11:30 a.m., 
in room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the Subcommittee on Information Policy, Census, 
and National Archives) presiding.
    Present: Representatives Clay, Davis of Virginia, and 
Platts.
    Staff present from the Information Policy, Census, and 
National Archives Subcommittee: Darryl Piggee, staff director/
counsel; Jean Gosa, clerk; and Adam Bordes, professional staff 
member.
    Staff present from the Government Management, Organization, 
and Procurement Subcommittee: Mike McCarthy, staff director; 
Velvet Johnson, counsel; Bill Jusino, professional staff 
member; and Kwane Drabo, clerk.
    Mr. Clay. Good morning. This hearing of the Oversight and 
Government Reform Committee is being held this morning by the 
Information Policy, Census, and National Archives Subcommittee, 
which I chair, and the Subcommittee on Government Management, 
Organization, and Procurement, chaired by Congressman Ed Towns 
of New York, who is under the weather this week and is not in 
town. But we will proceed without Mr. Towns.
    This hearing will now come to order. Today's hearing will 
examine the important topic of Federal information security. 
Our subcommittees are holding this hearing because security is 
both a management and technology challenge.
    Without objection, the Chair and ranking minority member 
will have 5 minutes to make opening statements, followed by 
opening statements not to exceed 3 minutes by other Members who 
wish to seek recognition.
    Without objection, Members and witnesses may have 5 
legislative days to submit a written statement or extraneous 
materials for the record.
    Briefly, I would like to discuss some of the challenges 
that I see, and then I will yield to anyone else that shows up 
for comments.
    Let me say that at today's joint subcommittee hearing on the 
Current State of Federal Information Security and Legislation 
to Strengthen the Federal Information Security Management Act, 
I am especially pleased to be teaming up with the Subcommittee 
on Government Management, Organization, and Procurement, 
chaired by Mr. Towns, on this critical issue.
    For fiscal year 2009, the President's budget proposes 
spending of roughly $70 billion on information technology 
products alone. Yet according to OMB's 2006 FISMA report to 
Congress, agency efforts to implement effective information 
security programs are inconsistent throughout Government. These 
problems go beyond isolated data breaches and have exposed 
systemic information security vulnerabilities that have gone 
unmitigated by our agencies and the IT contracting community 
that serves them.
    Having experienced 5 years of detailed OMB reporting 
through the FISMA process, I am certain that some real progress 
has been made in securing our agencies' IT assets. What I am 
unsure of, however, is whether our current requirements and OMB 
policies under FISMA are providing us enough tools to effectively 
identify the inherent vulnerabilities in our systems, now or in 
the future.
    With this in mind, I, along with Chairman Towns and 
Chairman Waxman, have put forward a bill that would move us 
toward more rigid security requirements for agency systems 
while staying within the current FISMA framework. Furthermore, 
our bill will add consistency and robustness to the current 
program performance evaluation process by requiring an annual 
audit of agency programs. Last, this legislation begins to 
recognize the duty of care responsibilities that must be shared 
between both Federal agencies and the contractors providing 
services to them.
    As technology evolves and the perimeters of IT enterprises 
expand, we must have a flexible security framework to harness 
such advances while ensuring that our networks remain secure. I 
am hopeful that our witnesses today will be able to address 
these issues through the context of their experiences, and I 
look forward to their testimony.
    [The prepared statement of Hon. Wm. Lacy Clay and the text 
of H.R. 4791 follow:]

[GRAPHIC] [TIFF OMITTED] T4178.001 through T4178.020

    Mr. Clay. We will now receive testimony from the witnesses 
before us today. On today's panel, the subcommittees are 
pleased to have the following witnesses: Karen Evans, 
Administrator for the Office of E-Government and Information 
Technology. Ms. Evans is an experienced IT professional and 
leads the administration's programs on information security. 
Welcome back to the committee, Ms. Evans.
    We also have Greg Wilshusen, Director for Information 
Security Issues at the Government Accountability Office. Mr. 
Wilshusen is also a long-time expert and has testified on this 
topic before the Information Policy Subcommittee several times. 
Thank you for being here.
    Alan Paller is the director of research at the SANS 
Institute and is responsible for overseeing all research 
projects. Mr. Paller founded the CIO Institute and earned 
degrees in computer science and engineering from Cornell and 
MIT. Welcome to the committee hearing.
    Bruce McConnell, the president and founder of McConnell 
International. Prior to his current position, Mr. McConnell was 
chief of information and technology policy at the White House 
Office of Management and Budget, where he led several IT and 
security initiatives. Thank you for being here, too, Mr. 
McConnell.
    Rounding us out is Tim Bennett, president of Cyber Security 
Industry Alliance. Mr. Bennett served as vice president of the 
American Electronics Association and worked in senior roles 
within the Office of the U.S. Trade. Thank you also, Mr. 
Bennett, for coming today.
    I thank all of you for appearing before the subcommittee. 
It is the policy of the committee to swear in all witnesses 
before they testify, so I will ask you to please rise and raise 
your right hands.
    [Witnesses sworn.]
    Mr. Clay. Thank you, and let the record reflect that the 
witnesses answered in the affirmative.
    I ask that each witness now give a brief summary of their 
testimony and to keep the summary under 5 minutes in duration. 
Bear in mind your complete written statement will be included 
in the hearing record. I will let you know if you go over the 
5. We will start with Ms. Evans. You may proceed.

  STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR FOR ELECTRONIC 
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND 
 BUDGET; GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY 
ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; ALAN PALLER, DIRECTOR 
OF RESEARCH, THE SANS INSTITUTE; BRUCE W. MCCONNELL, PRESIDENT, 
MCCONNELL INTERNATIONAL, LLC; AND TIM BENNETT, PRESIDENT, CYBER 
                   SECURITY INDUSTRY ALLIANCE

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good morning, Chairman Clay. Thank you for 
inviting me to speak about the status of the Federal 
Government's efforts to safeguard our information and systems. 
My remarks today will highlight a few of the initiatives 
underway to manage the risk associated with our Government 
services in this ever-changing IT environment. The details are 
included in my written statement. I will conclude with our 
thoughts on your proposed bill, H.R. 4791.
    Information security and privacy are extremely important 
issues for the administration. On March 1st, the Office of 
Management and Budget [OMB], will provide our fifth annual 
report to Congress on the implementation of the Federal 
Information Security Management Act [FISMA], which will detail 
our improvements and remaining weaknesses for both security and 
privacy.
    Over the past year, departments and agencies continue to 
improve their security programs, manage their risks and become 
more fully compliant with FISMA. To enhance information 
security programs, OMB continues to use the oversight 
mechanisms to improve performance, including the President's 
management agenda score card and the agencies' capital planning 
processes. We are also engaging agencies in a variety of 
information security and privacy initiatives to close any 
remaining performance gaps.
    Over the past year, in collaboration with the National 
Institute of Standards and Technology [NIST], the Department 
of Defense, the National Security Agency, and Microsoft, we 
have developed a set of information security controls to be 
implemented on all Federal desktops, which are running 
Microsoft Windows XP or Vista, known as the Federal Desktop 
Core Configuration [FDCC]. By implementing a common 
configuration, we are gaining better control of our Federal 
desktops, allowing for closer monitoring and correction of 
potential vulnerabilities. We are also working with the vendor 
community to make their applications safer.
    NIST has developed testing tools for use both by the 
Federal agencies and the vendors and three independent 
laboratories have been accredited by NIST's National Voluntary 
Laboratory Accreditation Program, to provide the validation 
testing. We are very optimistic this program will greatly 
enhance the security of our Federal desktops and applications.
    To help agency procurement officers with the validation 
requirement, we are working with the Federal Acquisition 
Council to incorporate language into the Federal Acquisition 
Register. Agencies connect to the internet to develop timely 
information and to deliver services to the public. However, our 
Government systems are continuously operating under increasing 
levels of risk. Through the Trusted Internet Connections 
Initiative, we are working with agencies to reduce the overall 
number of external Federal connections to manage risk in a more 
cost-effective and efficient manner, while providing better 
awareness of our environment. Agencies turned in plans of 
action and milestones to fully optimize agency connections with 
a target completion date of June 2008.
    Recently, we provided the opportunity for all departments 
and agencies to review the proposed legislation, H.R. 4791. The 
bill contains several provisions which aim to enhance the 
protection of Federal information and personally identifiable 
information, as well as several provisions that propose changes 
to FISMA. While we strongly support enhancing protections for 
such information, we share several concerns expressed across 
the Federal agencies about the effect of this legislation.
    The administration believes the foundation and the 
framework established by FISMA is sound and also believes there 
is still much we can accomplish to improve the security and 
manage the risk associated with our information and information 
services. Nonetheless, we are concerned with the unintended 
consequences of the proposed change which would seriously 
impact established agency security and privacy practices, while 
not necessarily achieving the outcomes of improved privacy or 
security.
    While we understand technologies which are improperly 
implemented introduce increased risk, we recommend any 
potential changes to the statute be technology-neutral. We 
recognize that the IT landscape is ever-changing. As we deploy 
common, Government-wide solutions, departments and agencies 
increasingly are requiring services instead of procuring 
infrastructure.
    We welcome the opportunity to further discuss potential 
gaps which may need to be addressed through future FISMA 
enhancements if appropriate. We look forward to discussing our 
ongoing information security and privacy activities in greater 
detail. We feel our current activities and initiatives as 
included in my written statement already are beginning to close 
performance gaps H.R. 4791 attempts to address.
    I would be happy to answer questions at the appropriate 
time.
    [The prepared statement of Ms. Evans follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.021 through T4178.027
    
    Mr. Clay. Thank you, Ms. Evans.
    Mr. Wilshusen, you may proceed.

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Mr. Chairman, I am pleased to be here today 
to testify on FISMA and the state of Federal information 
security. Rarely has the need for the Federal Government to 
implement effective controls over its information systems and 
information been more important. Virtually all Federal 
operations are supported by automated systems and electronic 
information, and agencies would find it difficult, if not 
impossible, to carry out their missions and account for their 
resources without them.
    At the same time, Federal systems and critical 
infrastructures are increasingly being targeted for 
exploitation by a growing array of adversaries, including 
criminal groups, foreign nation states, hackers, terrorists and 
disgruntled insiders. Thus, it is imperative that agencies 
safeguard their systems to protect against such risks as loss 
or theft of resources, disclosure or modification of sensitive 
information, including national security, law enforcement, 
proprietary business and personally identifiable information 
and disruption of critical operations.
    Today, I will summarize agency progress in performing key 
information security control activities, the effectiveness of 
information security at Federal agencies, and opportunities to 
strengthen security. In fiscal year 2007, the Federal 
Government reported improved security performance relative to 
key performance metrics established by OMB for FISMA reporting. 
For example, the percentage of certified and accredited systems 
Government-wide reportedly increased from 88 percent to 92 
percent. These gains continue a historical trend that we 
reported on last year.
    Despite reported progress, 20 of 24 major Federal agencies 
continue to experience significant information security control 
deficiencies. Most agencies did not implement controls to 
sufficiently prevent, limit or detect access to computer 
networks, systems or information. Moreover, agencies do not 
always configure network devices to prevent unauthorized access 
and ensure system integrity, patch key servers and workstations 
in a timely manner, and maintain complete continuity of 
operations plans for key information systems.
    An underlying cause for these weaknesses is that agencies 
have not fully or effectively implemented the agency-wide 
information security programs required by FISMA. As a result, 
Federal systems and information are at increased risk of 
unauthorized access to and disclosure, modification or 
destruction of sensitive information as well as the inadvertent 
or deliberate disruption of system operations and services. 
Such risks are illustrated in part by an increasing number of 
security incidents reported by Federal agencies.
    Nevertheless, opportunities exist to bolster information 
security. Federal agencies could implement the hundreds of 
recommendations made by GAO and agency IGs to resolve 
previously reported control deficiencies and information 
security program shortfalls.
    In addition, OMB and other Federal agencies have initiated 
several Government-wide initiatives that are intended to 
improve security over Federal systems and information. For 
example, OMB has established an information systems security 
line of business to share common processes and functions for 
managing information system security across Federal agencies, 
and it has directed agencies to adopt the security 
configurations developed by NIST, DOD and DHS for certain 
Windows operating systems. Consideration could also be given to 
enhancing policies and practices related to security control 
testing and evaluation, FISMA reporting and the independent 
annual evaluations of agency information security programs 
required by FISMA.
    In summary, although Federal agencies report performing key 
control activities on an increasing percentage of their 
systems, persistent weaknesses in agency information security 
continue to threaten the confidentiality, integrity and 
availability of Federal systems and information. Until Federal 
agencies resolve their significant deficiencies and implement 
effective security programs, their systems and information will 
remain at undue and unnecessary risk.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.028 through T4178.057
    
    Mr. Clay. Thank you so much, Mr. Wilshusen.
    Mr. Paller.

                    STATEMENT OF ALAN PALLER

    Mr. Paller. Thank you, and thank you for having me.
    I have been to St. Louis a bunch of times, first with 
McDonnell Douglas and later with Boeing. It is a wonderful, 
high-tech city.
    Mr. Clay. Thank you so much.
    Mr. Paller. It is very impressive. Actually, what we are 
talking about today directly affects Boeing, too, so it is not 
just a Federal discussion because of the change that our other 
witnesses mentioned.
    I am just going to tell you a couple of stories. First of 
all, I am the research director at SANS, so we have about 
68,000 people who are alumni who actually run security at most 
large organizations. Their job is almost completely impossible. 
It just isn't out in the public, but we are losing this war 
against cyber-crime at an accelerating rate, meaning we are 
falling farther behind every week.
    What we are talking about today actually will make a 
difference. It is not something nice to do for Federal 
agencies, it actually is a major war, it is involving 
espionage, it is involving a lot of things that deserve to be 
treated with more attention. I am here actually with the hope 
that you can do that by making the Federal Government lead by 
example. So where the Federal Government uses its procurement, 
you mentioned in your opening statement $70 billion, that is 
enough to do an amazing amount of good in security. You don't 
actually spend the money on security, you use the leverage of 
the Federal procurement to make the change.
    Just to clarify how FISMA became a compliance exercise 
instead of a security exercise, it wasn't the way the law was 
intended. It actually was a mistake that was made in GISRA 
before it became FISMA, the original law that got changed, it 
was written in the Senate and got changed into FISMA. What 
happened was that NIST wrote a catalog of things that every 
agency had to do. They don't even call it a road map or a blue 
print. They wrote a catalog. And then the IGs and others said, 
well, now you have to do everything in the catalog. And the 
problem is, if you had a catalog of things your kids had to do, 
and one of them was finish their homework and another one was 
check on the dog, but they were graded on how many things they 
did, they are going to do all the check on the dogs quick, 
because the do your homework is hard. And that is what happened 
with FISMA, because they got graded on how many things they did 
instead of the important things.
    So the leaders are smart, you guys, between Karen and the 
Hill, you guys made it impossible for them not to do 
everything. They got Fs on all their report cards. And because 
of that, they are smart enough to know, they have to get you 
off their back. So the CIO said, I don't care what you need to 
do for security, you have to get those reports done, because I 
have to go see Clay Johnson in the White House and he is going 
to--well, what they said isn't public. But he will do bad 
things to me if I don't get all my systems certified.
    So the key change, it is a very small change, I have 
provided your staff with some language that might be better, it 
will be made better by your people. But the key change is to 
prioritize. If homework is more important than checking on the 
dog, don't say you are going to do these 500 things, say, do 
your homework. Then if you get your homework done, then do 
these other things and we will give you bonuses for the other 
things. But let's make sure we prioritize the actions.
    That is what the companies that do security well do. It is 
all attack-based. They find out where the attacks are coming 
in, then make sure their defenses can stop those attacks. We 
don't do that in the Federal Government. So I put all that in 
the statement.
    I want to tell you one more story, because it is a ``Karen 
is a hero'' story, and it is really quite a good story. It is 
the other half of what you can do. John Gilligan was the CIO at 
the Air Force, he got up in front of 200 people and said, we 
can't secure our Windows boxes. In fact, we spend more money to 
clean up after the mess than we do to buy this stuff in the 
first place, and I am going to change that. He took $500 
million over 7 years, so it is not much per year. That is 
relative to your $70 billion you are talking about. This is the 
example of how your money makes a difference, $500 million over 
7 years.
    He said to Microsoft, hey, we want you to configure the 
system securely when you sell it to us instead of selling it to 
us open and making every one of our people try to do it after 
we buy it. And he got it done. Over 400,000 systems now are out 
of the box secure. The key is, they just reported this, they 
cut the patching time from 7 weeks to 3 days. And all the 
attacks come out in the first few days. So if you don't get it 
done fast, you might as well not patch at all. And they saved 
tens of millions of dollars. It is the only example where you 
save money and you improve security. It is what you can do with 
the leverage you have in your money.
    So I am happy to answer questions about any of this. Thank 
you for letting me come.
    [The prepared statement of Mr. Paller follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.058 through T4178.072
    
    Mr. Clay. Thank you so much for that enlightening report.
    Mr. McConnell.

                STATEMENT OF BRUCE W. MCCONNELL

    Mr. McConnell. Thank you, Mr. Chairman and members of the 
subcommittees for the privilege and opportunity to testify 
today on Federal information security.
    The jurisdiction of this committee is so broad and its work 
is so important to the critical functioning of our Federal 
Government, it is a real pleasure.
    I am here today bringing you the perspective of 20 years of 
work in information policy and technology, including 15 years 
at OMB, serving 3 Presidents. I am also on a commission for 
cyber security for the 44th Presidency, which has been co-
chaired by Congressman Jim Langevin and Congressman Michael 
McCaul. I am not speaking on behalf of that commission.
    You asked in your invitation that I provide policy 
recommendations for potential legislative consideration and to 
comment on the state of FISMA compliance and the provisions of 
H.R. 4791. I have done that in my written statement.
    But in my oral remarks, I wish to focus in on what I 
consider to be the most significant development in Federal 
information security in many years. My analysis is based solely 
on information that is in the public domain.
    On January 8th, President Bush issued a new National 
Security Homeland Security directive. This order establishes a 
comprehensive national cyber-security initiative. The issuance 
of this national security order shows that information security 
is receiving serious attention at the highest levels of the 
executive branch. I believe this is good news.
    The so-called Cyber Initiative recognizes the serious 
threats to the Nation's information infrastructure coming from 
State and non-State actors, including sophisticated criminals. 
It lays out the need to take proactive measures in cyberspace 
to detect and prevent intrusions from whatever source in real 
time before they can do significant damage. These tenets are 
important, and while the details are not yet public, they 
clearly include an increased role for the intelligence 
community, in particular the National Security Agency [NSA], in 
protecting Federal systems.
    Let me explain why I believe this expanded NSA role is 
germane to this committee's work. The Cyber Initiative relates 
directly to two statutes under your jurisdiction: FISMA and the 
Privacy Act. When this committee wrote FISMA's predecessor, the 
Computer Security Act of 1987, you vested the National 
Institute of Standards and Technology [NIST], with primary 
authority in the security of civilian agency information 
systems. You also explicitly limited the role of NSA with 
respect to civilian agency systems. There were several reasons 
for this differentiation of responsibilities.
    Foremost in the mind of Congress was the potential chilling 
effect on the free flow of information between Government and 
the public, including the information technology industry, if a 
military agency became too closely involved with civilian 
agency systems. As the committee's report in 1987 notes, 
``Since it is a natural tendency of DOD to restrict access to 
information through the classification process, it would be 
almost impossible for the Department to strike an objective 
balance between the need to safeguard information and the need 
to maintain the free exchange of information.''
    Civilian agency missions, such as those at the Census 
Bureau, the Internal Revenue Service and the Centers for 
Medicare and Medicaid Services, depend on the trust of the 
American people to operate successfully. These missions require 
the free and efficient flow of information to and from the 
public in order to deliver important public benefits and 
programs.
    In addition to the potential chilling effect on information 
flows, the statute also reflected potential concerns about 
privacy and civil liberties. This statutory framework 
separating civilian and military systems has been confirmed and 
strengthened three times in the last two decades.
    Now, Mr. Chairman, it may be that the world has changed so 
much that this historic distinction between civilian agency 
systems and national security systems no longer serves the 
Nation's interest. Certainly the current computer security 
regime in Government is not working adequately. There is a big 
gap between what the agencies need and what they are getting. 
The gap extends beyond Government systems to the U.S. 
information infrastructure.
    Therefore, there is a substantial argument that you need to 
put resources from the intelligence community against this 
problem, because that is where the most resources are on the 
Federal side. Of course, there are also substantial resources in 
the private sector in this area.
    So what is really needed is a partnership of trust between 
the Government and the private sector to address the Nation's 
information security needs. Many of the information security 
professionals I talk to suggest that this trust is at a 
relatively low point in our history and it needs to be 
strengthened if we are going to be able to address this 
critical issue. We need to determine who in the Government can 
most effectively foster trust and cooperation with industry and 
with the American people.
    So I encourage the committee to look at these roles and 
responsibilities in the context of FISMA and the Privacy Act. 
Thank you, sir.
    [The prepared statement of Mr. McConnell follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.073 through T4178.081
    
    Mr. Clay. Thank you so much, Mr. McConnell. Our final 
witness will be Mr. Bennett. Mr. Bennett, you may proceed.

                    STATEMENT OF TIM BENNETT

    Mr. Bennett. Thank you, Mr. Chairman, Congressman Davis. 
Thank you for the opportunity to share the views of the Cyber 
Security Industry Alliance on improvements in FISMA.
    CSIA is a group of leading security technology vendors that 
are dedicated to ensuring the privacy, reliability and 
integrity of information systems through public policy, 
technology, education and awareness. It is our belief that a 
comprehensive approach for enhancing the security and 
resilience of information systems is fundamental to economic 
security.
    Mr. Clay. Excuse me, Mr. Bennett, is your microphone on?
    Mr. Bennett. Allow me to commend this subcommittee and its 
parent committee for the sustained attention that has been 
given in recent years to the critical objective of 
strengthening information security within the Federal 
Government. As we have painfully learned and heard from a 
couple of the other witnesses this morning, Federal systems are 
frequently vulnerable to cyber attacks, and the oversight of 
this subcommittee and full committee are an important element 
in holding Federal agencies accountable for improved 
information security as well as highlighting ongoing challenges 
and vulnerabilities.
    The 110th Congress now has an important opportunity to 
amend FISMA to improve the information security climate at our 
Federal Government agencies. Even though the last few years 
have yielded a number of successes, there are certain 
weaknesses in our Government's critical infrastructure which 
still urgently need to be addressed.
    It has become clear that the infiltration of Federal 
Government networks and the possible theft and/or exploitation 
of information are among the most critical issues confronting 
our Federal Government. While progress has been made, much work 
remains to be done in order to truly secure our Government's IT 
infrastructure.
    FISMA has been fairly successful at getting agencies in 
general to pay closer attention to their information security 
obligations. Before FISMA, information security was not a top 
priority at Federal agencies. FISMA has been successful in 
raising awareness of information security in the agencies and 
also in Congress.
    However, Federal agencies scored an average grade of C 
minus in 2007's Information Security Report Card. Some argue 
that FISMA does not adequately measure information security. A 
high FISMA grade doesn't mean the agency is secure and vice 
versa. That is because FISMA grades reflect compliance with 
mandated processes. They do not measure how much these 
processes have actually increased information security.
    In particular, the selection of information security 
controls is subjective and not consistent across Federal 
agencies. Agencies determine on their own what level of risk is 
acceptable for a given system. They can then implement the 
corresponding controls, certify and accredit them and thus be 
compliant and receive a high grade regardless of the level of 
risk they have deemed acceptable.
    Certainly we want to avoid a check the box mentality and 
don't want FISMA to be reduced to a largely paperwork drill 
among the departments and agencies, consuming an inordinate 
amount of resources for reporting progress while yielding few 
genuine security improvements. Unfortunately, in some cases, 
that is what it has become.
    Some Federal agency chief information security officers are 
measured on their compliance scores with FISMA, not on whether 
they have adequately assessed risk in their respective agency 
or prevented breaches of sensitive information. Instead, we 
want agencies to actively protect their systems instead of just 
reacting to the latest threat with patches and other responses. 
With the benefit of 5 years' experience under FISMA and several 
insightful reports by the U.S. Government Accountability 
Office, it is now possible to identify possible improvements 
that can address those weaknesses in FISMA implementation that 
have now become apparent.
    With global attacks on data networks increasing at an 
alarming rate and in a more organized and sophisticated manner, 
there is precious little time to lose. Faced with this urgent 
need, we applaud the bill that you have introduced, H.R. 4791. 
We strongly support this bill. It would undertake the important 
step of codifying many of the recommended steps that OMB took 
in a series of memos to Federal agencies after a series of 
significant data breaches in recent years. The legislation 
provides much-needed common sense obligations to require 
agencies to develop policies and plans to identify and protect 
personal information, develop requirements for reporting data 
breaches and report to Congress a summary of information 
security breaches reported by Federal agencies.
    We recommend that the proposed legislation also include 
language requiring that data breaches of information systems 
maintained by contractors and other sources working on Federal 
projects be promptly notified to the Secretary and the CIO of 
the contracting agency. Federal contractors are responsible for 
many of the data breaches that agencies reported. CSIA believes 
that it is important to reaffirm that FISMA applies to Federal 
contractors.
    We also commend the chairman for having the insight to 
incorporate language into this legislation requiring that 
Federal Government agencies encrypt or make unusable and 
unreadable personal data and to establish minimum requirements 
for protection of information or mobile devices. H.R. 4791 also 
prudently establishes security requirements for peer-to-peer 
networks. We believe that agencies should be required to 
develop a plan to protect against the risks of peer-to-peer 
networks and provide detailed technology and the policy 
procedures they should take.
    To assist further consideration of this bill, we offer 
additional recommendations. One, align responsibilities and 
authorities to vest the CIO and CISO with specific power over 
information security. The current authority of agency CIOs to 
ensure should be the power to enforce cost effective measures 
of security.
    Two, require improvements to assessment, continuous 
monitoring and remediation in order to develop a comprehensive 
approach to information systems security. Three, mandate 
preparation of the complete inventory of all Federal agency IT 
assets by a certain date. Four, improve performance 
measurement and provide incentives to agencies that give 
information security a high priority. Five, institutionalize 
security within Federal agency culture. Six, increase Federal 
agency IT security funding. Seven, reaffirm objective 
assessments of commercially available information technologies. 
And eight, narrow the scope of the privacy definition provided 
for in the proposed legislation.
    In closing, I commend the subcommittee for highlighting the 
importance of information security, for examining how we can 
improve FISMA and Federal agency information security practices 
going forward. The overriding objective should be to move 
Federal agencies to act in a manner that equates strong 
information security practices with overall mission 
accomplishment. We all know what is at stake.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Bennett follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.082 through T4178.087
    
    Mr. Clay. Thank you, Mr. Bennett. I thank the entire panel 
for their testimony today.
    Now we will proceed under the 5-minute rule to questions 
for the panel. I will recognize the ranking minority member of 
the full committee, from Virginia, my good friend, Tom Davis. 
Mr. Davis.
    Mr. Davis of Virginia. Thank you, Chairman Clay. I want to 
thank you for holding this important hearing.
    We are here to talk about information security from the 
Federal perspective. But these are issues and challenges we 
face at all levels of Government and even as individuals. 
Secure information is the lifeblood of effective Government 
policymaking, good program management and a thriving economy. 
Protecting that information has to be a priority, not an after-
thought.
    The evolving nature of cyber threats requires constant 
vigilance. The Federal Government's information security 
program should be proactive, not reactive. If we keep chasing 
yesterday's problems, we will never be able to stop tomorrow's 
sophisticated challenges.
    When it comes to information security, all it takes is one 
weak link to break the data chain. One successful cyber attack 
could strike a stunning blow to an agency's operations and 
damage citizens' trust in electronic Government initiatives.
    Continued vulnerability puts personal information at risk. 
The loss of Blackberry service a few days ago reminded us of 
our dependence on IT, how difficult it is for us to function 
without it, and how fragile some key systems remain.
    One of the best ways to defend against attacks is to have a 
strong and yet a very flexible protection policy in place, not 
overly prescriptive. We want agencies to actively protect their 
systems, instead of simply reacting to the latest threat with 
patches and other responses.
    On the Government Reform Committee, I focused on 
Government-wide information management and security for many 
years. The Privacy Act and the E-Government Act of 2002 
outlined the parameters for the protection of personal 
information and the Federal Information Security Management Act 
[FISMA] requires each agency to create a comprehensive risk-
based approach to agency-wide information security management 
through preparedness, evaluation and reporting requirements. It 
is intended to make security management an integral part of an 
agency's operation and to ensure that we are actively using 
best practices to secure our systems.
    Certainly, FISMA has its critics. We have heard from some 
of them today. But I think we also will hear that it still 
provides the necessary tools to secure our information, and has 
made information security a priority mention at agencies. We 
want to avoid that check the box mentality that has been 
criticized, and we need to incentivize strong information 
protection policies. We need to pursue a goal of security 
rather than compliance.
    Nearly 5 years after FISMA was enacted, there is always the 
risk of complacency. The basic FISMA concept and process 
remains sound. But we should ask if we can make it better. I 
think we can.
    As a start, I introduced legislation requiring timely 
notice be provided to individuals whose sensitive personal 
information could be compromised by a breach of data security 
at a Federal agency. Despite the volume of sensitive 
information held by agencies, there is no current requirement 
for citizens to be notified if their information is 
compromised. This legislation passed the House during the 109th 
Congress. I continue to urge Chairman Waxman to make it a 
priority this year. I would ask that the two letters I have 
sent to Chairman Waxman be included in the record, Mr. 
Chairman.
    Mr. Clay. Without objection, so ordered.
    [The information referred to follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.088 through T4178.090
    
    Mr. Davis of Virginia. Each year, I have released Federal 
Agencies Information Security score cards. Despite some 
improvements, scores for many departments remain unacceptably 
low. By the way, a lot of the scoring is done by GAO and OMB. 
It is not just done by our whim.
    The Federal Government overall received a C minus, a slight 
improvement over prior years. I know some don't like to be 
graded. I have actually had Cabinet secretaries call me to 
lobby about their grades. And others don't see the value.
    But I think most of us agree 5 years later that information 
security should be a priority at Federal agencies. This is how 
it should be. The Federal Government has sensitive personal 
information on every citizen, from health records to tax 
returns to military records. We need to ensure that the public 
knows when its sensitive personal information has been lost or 
compromised. Public confidence in Government in this area is 
essential.
    As we discuss Federal information security, we should focus 
on the most pressing issues and threats, remain technology-
neutral and take care not to disrupt the progress we have made 
or the progress already underway. Not being technology-neutral, 
I think, siphons a lot of innovation from this area. That is a 
major concern with being overly prescriptive, something we have 
to balance.
    In the end, the public demands effective Government and the 
future of effective Government and security information depends 
more than ever on a successful future for FISMA.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T4178.091 through T4178.095
    
    Mr. Clay. Thank you, and would the ranking member care to 
ask questions?
    Mr. Davis of Virginia. Ms. Evans, let me ask you, the 
administration has focused unprecedented attention on the 
mundane but the very essential tasks of improving Federal 
management practices, including a focus on expanding electronic 
Government. The President's management agenda rates agencies' 
efforts on E-Gov initiatives, OMB requires quarterly reports, 
yet we still have a long way to go before things are secure.
    Do you have any advice or recommendations for the next 
administration of things they should prioritize?
    Ms. Evans. I have a lot of advice. But in particular, I 
think that the areas that we focused on and the specific 
processes are good foundational activities that I think any 
administration would want to continue. For example, on the 
score card, one of the things that we look at, and on a 
quarterly basis as required by the guidance that has been 
outlined in FISMA, is the plan of actions and milestones which 
really is the constant assessment of risk.
    If an agency is in the check the box mentality, then we are 
going to get the results that the other panelists, my 
colleagues, have talked about. But if the agency head and the 
CIO are really evaluating the new technologies, the services 
that they have, that process, that monthly looking at things, 
the daily looking at things and then making sure that you have 
an adequate way to then address it I think is a good practice 
to carry forward. We call it certification and accreditation 
overall, we call the quarterly reports, plan of actions and 
milestones, but what it really is is getting to the culture of 
managing the risk.
    Mr. Davis of Virginia. Have you found any agencies that 
just check the box and literally don't have the substance 
behind checking it?
    Ms. Evans. I think that there are mixed results, as we have 
said in our reports in the past. I work very closely with all 
the agencies, especially through the CIO council. I do and am 
concerned that we balance the compliance aspect of this 
legislation and any legislation that we have against achieving 
the actual results. So I would say there are mixed results and 
it depends on the leadership and the CIO in particular of how 
they are managing that information security program within the 
department.
    Mr. Davis of Virginia. The report cards are not perfect, 
but right now, nobody else is keeping track, at least up here, 
over what is happening. If you don't give a report card or at 
least give some public embarrassment, there is no 
appropriations penalty to be paid or anything else. Ultimately 
it has to be directed from OMB. The executive branch doesn't 
need us involved in a perfect world. We have to make this a 
priority.
    But managers down below, given limited funds, generally 
want to accomplish their mission first. Many of them would just 
as soon take the risk of a data breach to be able to accomplish 
things, and if something happens, hopefully it won't happen on 
their watch. That is one of our concerns.
    Ms. Evans. And I would agree with you and I think that is 
what we have done through the criteria that we manage and look 
at on a quarterly basis through the E-Government Score Card on 
the President's management agenda. It is looking at all and 
everything that takes into consideration for a good information 
technology program in a department. If you master those 
management skills, then you have the foundation to go forward 
to support any program.
    All of this is about getting good program results and 
making sure that you have public confidence in your services. 
So you have to do many things in order to do that in this 
environment. The way to provide those services is through the 
use of information technology.
    Mr. Davis of Virginia. Mr. Paller, part of your testimony 
approaches Federal IT from an international perspective. How do 
we rank when you compare us with government IT security in 
other countries?
    Mr. Paller. First, the breach bill that you talked about, 
this is going to do a lot of good. Because people respond when 
they have to make something public in ways they don't even 
think about.
    Mr. Davis of Virginia. No question. The tendency is to 
sweep it under a rug, fully investigate, make sure you get your 
spin on it. That is just natural. We do the same, by the way, 
we are no different than the executive agencies.
    Mr. Paller. In almost all areas, we are stronger than other 
governments. The one place we fall way behind is in information 
sharing. The British figured out how to do that. They actually 
copied something we had called the NSIE, and spread it and we 
didn't copy what we had and we built this thing called ISACS 
that just don't work. So they are way ahead on information 
sharing.
    But in terms of actually securing Government systems, we 
are not way behind anyone.
    Mr. Davis of Virginia. We are also more of a target than 
most government systems, aren't we?
    Mr. Paller. We are getting hurt more, the British equally, 
the Australians, too. These nation-state attacks are enormous. 
The head of MI-5 actually just did a letter that it is all 
spreading to businesses now. If you do business in China, you 
are being just destroyed with cyber attacks.
    Mr. Davis of Virginia. I hope we can sit down and work some 
language out that we can all agree on. Because a cyber 
Pearl Harbor or something of that nature would just be awful. 
And at that point, you would say, where have we all been on 
this. And a lot of us have been working on this for a long 
time. It is not easy.
    Can I just ask one other question? Mr. Wilshusen, some have 
suggested that standardizing IG audits, their practices in the 
area of information security, would help reduce the discrepancy 
between the agency grades, their compliance with the act and 
their information security practices. Is it feasible to 
standardize audit practices? Do you agree with that proposal?
    Mr. Wilshusen. I think audits and in particular, with the 
independent IG evaluations, we have noted in the past that they 
have been inconsistent, the scope and methodology of their 
evaluations vary across agencies. And the form and content of 
the reports differs significantly from just repeating or 
presenting the information on the FISMA template that OMB has 
established to coming up with real conclusions and findings and 
issues on these security deficiencies at those agencies.
    So by having these evaluations of performance in accordance 
with Government auditing standards, for example, that could 
elevate and raise consistency in the content of those 
evaluations.
    Mr. Davis of Virginia. Thank you.
    Mr. Clay. Thank you, Mr. Davis.
    Mr. Paller, I am very interested in your testimony's 
support of prioritizing the testing and evaluation activities 
that are carried out by agencies on a regular basis. Thus, I 
have a few practical questions on how would you get there. Does 
current guidance from NIST, such as S.P. 853, provide a blue 
print for adequate security and should this guidance simply be 
made mandatory and binding on agencies?
    Mr. Paller. No, and hell, no. It is a catalog of everything 
anybody ever thought of that might help security, 853. Not even 
the audit guide, this is it. There is a parallel in the 
commercial world that is what you actually have to do to secure 
all the credit cards. Because the credit card industry says, we 
are going to stop losing it. This looks smaller. And this one, 
in all of this, firewalls are a really important part of 
security, lock the door, firewalls the door. In all of this, 
one-200th of it talks about firewalls. In the real one, one 
eighth. So 12 1/2 percent talks about it.
    If you know security, you actually know security, not know 
about writing about security, but actually doing it, no, 853 is 
silly.
    Mr. Clay. How can new guidance or security controls be 
added in a real-time environment?
    Mr. Paller. I think again, the payment card industry does 
it. These are updated regularly. There is a massive new attack 
on Web applications. They used to go against Windows and the 
other things. Now they are going against every Web site.
    Well, this has nothing, it tells you nothing about doing 
that. But this one is updated very regularly, almost quarterly. 
It is not hard. All you do is you set up a council of the 
people who actually have to protect systems, say, what are you 
doing and then get them to agree, 10 or 12 of them, they agree 
and you write it up. It really isn't impossible. It is not 
easy, but it isn't impossible.
    Mr. Clay. You also referred to the Air Force contracting 
which had required vendors to deliver minimum security 
configurations for a system. Should a contractual mandate along 
these lines, with requirements defined by OMB and the Federal 
Acquisition Council be required under FISMA?
    Mr. Paller. That is actually Karen's, she has done a lot of 
wonderful things. Taking what the Air Force did and making it a 
Federal mandate is the biggest, single biggest thing in 
improving security we have ever done as a country.
    Mr. Clay. Is that what Ms. Evans is pushing?
    Mr. Paller. Yes, what Ms. Evans has done.
    Mr. Clay. Would we have the problem of technology moving 
ahead too quickly for regulations to keep up?
    Mr. Paller. No. The Air Force, for example, has this 
absolute mandate. You have to do it this way. And if you 
compare the Air Force's new computers with every other agency, 
they are ahead of the other agencies. So you can't say they are 
behind technologically when they actually have the most 
advanced technology and yet they are meeting the standard. It 
is because they do it together that they get all the advanced 
technologies.
    Mr. Clay. Thank you for that response.
    Let me ask Mr. McConnell, can you tell us how laws like 
FISMA and Clinger-Cohen have altered the information security 
landscape over the past decade, and if there are areas in which we 
should try to harmonize the provisions in order to improve 
security?
    Mr. McConnell. Yes, sir. I think there have been three 
beneficial effects of FISMA and Clinger-Cohen. They have 
increased the level of attention that is paid to information 
security, they create a management structure that can be used 
to manage it, and they have encouraged integrating security 
into the overall program management. So you have a well-managed 
program that includes good security.
    I think what is needed at this point is for the executive 
branch to take full advantage of the authorities and structure 
that you have provided. I have seen that work in the past 
across administrations. The Clinger-Cohen bill set out 
authorities in a management structure that was passed during 
the Clinton administration. And now the current administration 
has really exercised those authorities in a significant way.
    I think as far as harmonization, the law that is probably 
the most in need of harmonization and updating that is under 
this committee's jurisdiction is the Privacy Act. That is the 
Privacy Act of 1974. And that as you can imagine, there is much 
that could be done to harmonize that with other things that 
have happened.
    Mr. Clay. Can you explain in further detail why an 
independent audit would hinder agency efforts to root out 
security vulnerabilities? Isn't one of the problems with FISMA 
related to the current evaluations having little consistency or 
applicability across agencies, making it a paperwork exercise?
    Mr. McConnell. I would agree that the current evaluations 
are inconsistent and that they often focus on paperwork. But I 
don't think those two aspects are necessarily connected. You 
have inconsistency because you have inconsistent evaluation 
criteria and processes. Whereas the paperwork is looking at a 
compliance, box checking, rather than on operational security, 
as Mr. Paller was saying, let's just get the stuff done.
    So you could have consistent processes, but still have the 
paperwork focus. The concern that I have about the mandatory 
audit is that you just exacerbate the compliance mentality. 
Everybody at that point is in a CYA thing, trying to make the 
audit right. So I think you need to have consistent evaluation 
criteria, independent evaluation criteria, but I don't 
recommend making it an audit.
    Mr. Wilshusen. Mr. Chairman, may I please comment?
    Mr. Clay. Sure.
    Mr. Wilshusen. One thing, and I just want to make sure that 
we are clear on if we are talking about the annual independent 
IG evaluation or audit, if that is the change in H.R. 4791, 
versus the testing that may be done by the agencies. One thing 
that is important, if we go to an audit by the IG as part of 
the annual evaluation, is to make sure that the audit focuses 
on and the auditors conclude on the effectiveness of the 
information security controls, rather than making it merely 
compliance with the provisions of the act.
    And so it is important to direct the focus of the audit 
toward evaluating effectiveness as the IGs and auditors do as 
part of the consolidated financial statement or the audits of 
the agencies' financial statements. And that is why you have a 
disparity between why certain agencies are reporting increased 
performance versus the various metrics established by OMB for 
FISMA reporting versus those audit results of the effectiveness 
of controls.
    So there is a distinction there to try to make the annual 
IG evaluation by making it in accordance with audit standards 
and assuring that the auditors conclude on the effectiveness of 
controls, not merely compliance with the act.
    Mr. Clay. And these should be independent audits?
    Mr. Wilshusen. Absolutely.
    Mr. Clay. Yes.
    Mr. Wilshusen. And that is separate from the agencies that 
are also required under FISMA to test and evaluate the 
effectiveness of their controls. And that would be all their 
controls, management, operational, technical controls, on a 
frequency based on risk. We have found problems with that 
process being implemented by the agencies. But those are two 
separate issues, one performed independently by the IG or 
other auditors. The security tests and evaluations 
required as part of an agency information security program are 
performed by agency personnel or their contractors.
    Mr. Clay. Thank you for that response.
    Mr. Bennett, a critical element of FISMA is for agencies to 
develop a risk assessment of their systems in order to develop 
or integrate effective security policies and applications for 
them. With this in mind, please characterize the vendors' roles 
and responsibilities in developing and implementing secure 
networks and applications throughout an agency.
    Mr. Bennett. Yes, Mr. Chairman. The vendor should be 
responsible for understanding the agency's enterprise 
architecture and the operating environment to assure that their 
solutions will not disconnect or break the systems that are 
currently in place. While Government and their contractor 
personnel, support personnel are ultimately responsible for the 
support and operation of the infrastructure, only the vendors 
of these enterprise solutions really understand the protocols 
and underlying infrastructure requirements that will allow 
these products to work securely and as designed.
    This means that implementation, testing and integration of 
cyber security and risk in the mission achievement is the 
responsibility of the vendor in the larger context of the 
agency framework and budget.
    Mr. Clay. Is the mitigation of risk a shared duty or 
responsibility between both agency personnel and the vendor 
community?
    Mr. Bennett. Yes, absolutely it is a shared responsibility, 
to the extent that the vendors' products should work as 
advertised. The agency is solely responsible for the 
determination of how much risk they are willing to take and 
NIST guidelines do provide some guidance in this area.
    But once a mitigation plan has been decided, the agency should 
have every expectation that the solutions that have been 
purchased perform as advertised.
    Mr. Clay. In actuality, and anybody on the panel can answer 
this, how does it actually work between vendor community and 
agency? Is it pretty seamless? Is it a turf war? What have you 
found? Ms. Evans, you can start.
    Ms. Evans. I would like to take the opportunity to first 
talk about that. I applaud the answer of my colleague at the 
other end of the table. But when it ultimately comes down to 
it, the agency head is ultimately responsible for the services 
that they procure and the contracts that they let. So it is the 
responsibility of the CIO, which is outlined in the statute, to 
ensure that we manage that risk appropriately.
    So you have to have very clear and open communications. You 
have to make sure that the contract is very clear as to what the 
roles and responsibilities are. But when it is said and done, 
the American people hold us, the executive branch, accountable 
for our actions and for our services. So I believe that what 
the administration has done with our policies and the actions 
that we are taking is trying to make that very clear and using 
the tools that we have in place to leverage our buying power, 
so that it is clear to us and clear to those who choose to 
provide the services for us what those expectations are, what 
the risks are and how those products need to work in our 
environment.
    Mr. Clay. Thank you.
    Mr. Wilshusen.
    Mr. Wilshusen. I would just like to add, FISMA requires 
that the agency is responsible for the security over the 
systems that are operated on its behalf by third parties and 
contractors. It should be an integral part of the agency's 
information security program.
    However, we have found in our report that we issued back 
in, I think it was April 2005, that many of the agencies did 
not have adequate policies or actually monitoring the 
effectiveness of security over systems operated by contractors. 
So Ms. Evans is absolutely correct, it is important that 
contracts be, or that the requirements for information security 
be specified in the contracts, so that the contractors know 
what to do. But there is also that other side of the agency 
taking responsibility to assure that the contractors are 
upholding their end of the bargain and implementing the 
security in accordance with the contract requirements and 
Federal requirements.
    Mr. Clay. Thank you.
    Mr. Paller.
    Mr. Paller. We train 14,000 people a year. Lots of them are 
Federal people, lots of them are contractors, lots of them are 
Boeing people. They can't figure this out on the fly. What Ms. 
Evans is talking about, contracting for what you want, the fact 
that we don't do that today is one of the two biggest flaws in 
all of our Federal security. What we do is we throw it over the 
wall to these contractors. And then when we find out there was 
something extra we needed to do for security, they say, well, 
that is another $100 million. Then we have to make choices 
between spending the extra money or not.
    We have to change the way we buy products, to buy it with 
security baked in, rather than getting caught. That happens 
with our third party, our software. Right now, if somebody does 
a software development for us and we find a major security flaw 
in it, we have to pay them to now go and we have to negotiate 
with them and now they are busy and they have something else to 
do. The whole contracting mechanism is, give it away and then, 
oh, shoot, security, we should have asked you for that. So what 
Ms. Evans is talking about is not a lightweight thing. It 
actually matters.
    Mr. Clay. Do you think in the President's proposed $70 
billion budget for IT, do you think there are some built-in 
protections for that, for that security element?
    Mr. Paller. No, the contracting officers don't like this 
topic. So when the guys want to put it into contracts, am I 
being bad?
    Ms. Evans. No, you go ahead. [Laughter.]
    Mr. Clay. You are doing fine. Please proceed.
    Mr. Paller. The contracting officers don't like it and so 
when the technical person who knows what he wants goes to the 
contracting officer and says, can we put that in, he says, 
well, you are not being specific enough. And then it is gone.
    Ms. Evans. But I have good news. I bring good news, which 
is, we have, as I stated in my testimony, we have been working 
with the Federal Acquisition Council to make modifications to 
the FAR to do things like what we have done with the Federal 
Desktop Core Configuration. So the FAR will be amended to then 
include the common security configurations, which makes it a 
mandatory clause. That clause, that language is to be published 
in the Federal Register no later than Tuesday.
    So we understand where the performance gaps are. We know we 
have to follow through in our contracts to ensure that we can 
hold ourselves as well as the contractors accountable. So if 
you follow this example through, we gave agencies guidance last 
year, last June. All new contracts were to have this language 
in it if you were providing these types of operating systems or 
you were going to provide products that were going to operate 
on these operating systems.
    What we are following through now is making sure that we 
will be successful in spite of ourselves, because this will be 
in the FAR. It will go forward that way. So a lot of these 
things are now coming into place where the vendors now are 
like, OK, so what does this mean that I have to provide 
certification? That is the point of what NIST has done by 
having this program out which is dealing with--the acronym is 
S-CAP, but in essence what it does is validate that those 
security settings stay set when you bring them into your 
environment.
    So a vendor, when you bring in new tooling to your 
environment or a new application or anything, you run this 
tool. And it is going to tell you, against those 700 settings, 
what changes and what didn't. It gives you a percentage. We are 
talking 100 percent right now. We told the agencies that they 
had to comply with this. There is no, like, give me 80 percent 
or so. It is zero or 100.
    Then we thought, OK, from that perspective, how would that 
really go forward. We have agencies that can tell you exactly 
how many desktops have these operating environments and out of 
the 700, 5 are problematic and they know exactly now what 
applications that affects.
    We couldn't do that before. So now when you know what that 
is, you can now put in compensating controls. These lay the 
good foundations for an information management program. But the 
key was to ensure that the procurement cycle, and as these 
products and applications come into our environments, that they 
too are aware and that they are certifying against that 
environment.
    Mr. Clay. Will you provide us with the language?
    Ms. Evans. Absolutely.
    Mr. Clay. Thank you so much.
    Mr. McConnell, did you have anything to add?
    Mr. McConnell. I think this has been pretty well discussed, 
sir.
    Mr. Clay. Mr. Bennett, one final question. You mentioned 
incentives for agency security performance in your testimony. I 
would like to explore that idea of a carrot and stick approach. 
Would incentives such as permitting agencies that receive an 
unqualified or clean independent audit to be audited only every 
other year be appropriate, and conversely, would penalties for 
an agency such as losing procurement funding until deficiencies 
are remedied be an effective tool?
    Mr. Bennett. Yes, Mr. Chairman. I think that might work and 
should be given serious consideration and should be counter-
balanced by the concept that if there is inadequate 
performance, that the frequency of audits should be increased 
so that it works both ways and truly becomes a carrot with also 
a stick.
    Mr. Clay. Thank you so much.
    Do any other panelists have anything to add?
    Mr. Paller. I just wanted to connect the dots to Boeing. 
Everything we are talking about, about compliance, spending all 
this money, not doing security, I am getting calls all the 
time, they are just discovering it, does this really mean us, 
too? So everything we are talking about, about cleaning it up, 
is about to come back across the entire Defense industrial 
base, because a few months ago, they found out that the Chinese 
had gotten deeply into most of their computers as well. So they 
are now part of the game, and they are subject to all of this 
and people saying, well, let's make them FISMA-compliant, and 
all this discussion about paperwork and money wasted, it is all 
about what we are going to do to the contractors.
    Mr. Clay. So they are watching with a keen eye?
    Mr. Paller. They are going to scream when it hurts.
    Mr. Clay. They are going to scream when it hurts.
    Thank you so much, Mr. Paller. Ms. Evans.
    Ms. Evans. On the evaluations or audits, or whatever we end 
up calling it, I do think that it is important, again, that it 
is a balance of what we are looking at and the carrot and stick 
approach. This is something that in my own position that I am 
sure you guys manage with, as I do, is that we need to be 
careful about the compliance versus the actual results that we 
are trying to achieve. Putting timeframes on these things also 
could drive certain behavior that we may not necessarily want 
either.
    I really believe it gets down to, it is a culture of 
constantly evaluating the risks associated with the information 
that you have. And you know, to take away procurement authority 
or to take away money in some cases you might have to add money 
in order to fix these types of activities, because it is so 
pervasive.
    I really believe the way the administration puts together 
the budget, how we evaluate the capital planning, how we send 
this stuff forward, really allows the agencies to focus on 
managing that on a daily basis. It is not a time, it is not a 
quarter, it is not a year, it is not biannually. Agencies have 
to do this on a daily basis. It has to be a culture of managing 
risk on a daily basis.
    Mr. Clay. Thank you so much for that response, Ms. Evans.
    Let me thank the entire panel for today's hearing and your 
testimony. We certainly appreciate your participation in this 
hearing.
    That concludes this hearing. Hearing adjourned.
    [Whereupon, at 12:40 p.m., the subcommittees were 
adjourned.]