b"<html>\n<title> - AGENCIES IN PERIL: ARE WE DOING ENOUGH TO PROTECT FEDERAL IT AND SECURE SENSITIVE INFORMATION?</title>\n<body><pre>[Senate Hearing 110-417]\n[From the U.S. Government Printing Office]\n\n\n\n                                                        S. Hrg. 110-417\n \n                    AGENCIES IN PERIL: ARE WE DOING\n                ENOUGH TO PROTECT FEDERAL IT AND SECURE\n                         SENSITIVE INFORMATION?\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT\n                   INFORMATION, FEDERAL SERVICES, AND\n                  INTERNATIONAL SECURITY SUBCOMMITTEE\n\n                                 of the\n\n                              COMMITTEE ON\n                         HOMELAND SECURITY AND\n                          GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 12, 2008\n\n                               __________\n\n       Available via http://www.gpoaccess.gov/congress/index.html\n\n       Printed for the use of the Committee on Homeland Security\n                        and Governmental Affairs\n\n\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n41-458 PDF                 WASHINGTON DC:  2008\n---------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. 
LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska\nTHOMAS R. CARPER, Delaware           GEORGE V. VOINOVICH, Ohio\nMARK L. PRYOR, Arkansas              NORM COLEMAN, Minnesota\nMARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma\nBARACK OBAMA, Illinois               PETE V. DOMENICI, New Mexico\nCLAIRE McCASKILL, Missouri           JOHN WARNER, Virginia\nJON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire\n\n                  Michael L. Alexander, Staff Director\n     Brandon L. Milhorn, Minority Staff Director and Chief Counsel\n                  Trina Driessnack Tyrer, Chief Clerk\n\n\nFEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, FEDERAL SERVICES, \n                AND INTERNATIONAL SECURITY SUBCOMMITTEE\n\n                  THOMAS R. CARPER, Delaware, Chairman\nCARL LEVIN, Michigan                 TOM COBURN, Oklahoma\nDANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska\nBARACK OBAMA, Illinois               GEORGE V. VOINOVICH, Ohio\nCLAIRE McCASKILL, Missouri           PETE V. DOMENICI, New Mexico\nJON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire\n\n                    John Kilvington, Staff Director\n                  Katy French, Minority Staff Director\n                       Monisha Smith, Chief Clerk\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Carper...............................................     1\n    Senator Coburn...............................................    10\n    Senator Coleman..............................................    20\n\n                               WITNESSES\n                       Wednesday, March 12, 2008\n\nHon. Karen S. 
Evans, Administrator for Electronic Government and \n  Information Technology, U.S. Office of Management and Budget...     5\nGregory C. Wilshusen, Director, Information Security Issues, U.S. \n  Government Accountability Office...............................     6\nTim Bennett, President, Cyber Security Industry Alliance (CSIA)..     8\nHon. Robert T. Howard, Assistant Secretary for Information and \n  Technology, U.S. Department of Veterans Affairs................    31\nSusan Swart, Chief Information Officer, Bureau of Information \n  Resource Management, U.S. Department of State..................    33\nDarren B. Ash, Deputy Executive Director for Information Services \n  and Chief Information Officer, U.S. Nuclear Regulatory \n  Commission.....................................................    35\nPhilip Heneghan, Chief Information Security Officer, U.S. Agency \n  for International Development (USAID)..........................    36\n\n                     Alphabetical List of Witnesses\n\nAsh, Darren B.:\n    Testimony....................................................    35\n    Prepared statement...........................................   115\nBennett, Tim:\n    Testimony....................................................     8\n    Prepared statement...........................................    92\nEvans, Hon. Karen S.:\n    Testimony....................................................     5\n    Prepared statement...........................................    49\nHeneghan, Philip:\n    Testimony....................................................    36\n    Prepared statement...........................................   124\nHoward, Hon. Robert T.:\n    Testimony....................................................    31\n    Prepared statement...........................................    98\nSwart, Susan:\n    Testimony....................................................    33\n    Prepared statement...........................................   
106\nWilshusen, Gregory C.:\n    Testimony....................................................     6\n    Prepared statement...........................................    54\n\n                                APPENDIX\n\nQuestions and Responses submitted for the Record from:\n    Ms. Evans....................................................   130\n    Mr. Wilshusen................................................   140\n    Mr. Howard...................................................   147\n    Ms. Swart....................................................   155\n    Mr. Ash......................................................   174\n    Mr. Heneghan.................................................   189\n\n\n                 AGENCIES IN PERIL: ARE WE DOING ENOUGH\n                    TO PROTECT FEDERAL IT AND SECURE\n                         SENSITIVE INFORMATION?\n\n                              ----------                              \n\n\n                       WEDNESDAY, MARCH 12, 2008\n\n                                   U.S. Senate,    \n          Subcommittee on Federal Financial Management,    \n                Government Information, Federal Services,  \n                                and International Security,\n                            of the Committee on Homeland Security  \n                                          and Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 2:32 p.m., in \nRoom SD-342, Dirksen Senate Office Building, Hon. Thomas R. \nCarper, Chairman of the Subcommittee, presiding.\n    Present: Senators Carper, Coleman, and Coburn.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Welcome one and all. 
It is good to see you, \nand we thank you for making time in your schedules today to \nvisit with us.\n    I believe this hearing was originally scheduled for \ntomorrow, and we have asked you to come a day early, and we are \ngrateful that you are able to fit us into your schedule.\n    We get to do something tomorrow that we call in the Senate \n``Vote-a-Rama,'' and it is all day, all night that we vote. And \nwe are working on the budget resolution this week, and from \ntime to time, we stack votes. And we are going to stack a whole \nlot of votes. We did not vote Monday. We did not vote Tuesday. \nWe did not vote today. We probably will not vote today. And, \ninstead, we are going to just save it all until tomorrow. When \nwe vote every 15 minutes tomorrow, all day long, it would be \npretty hard to squeeze in a hearing. We would just get little \nsnippets from the witnesses, and we would be back to vote, so \nthis works out a lot better for us and hopefully for you, too.\n    But I appreciate or apologize for any inconvenience that \nhas come from this.\n    I think we are going to be joined by Senator Coleman of \nMinnesota in a little bit.\n    Senator Coburn is involved on the floor with the budget, \nand so he may or may not be able to join us, but he is \ncertainly interested in this issue. He and I have talked about \nit any number of times, and I suspect that you will be \nreceiving some questions from him if he does not come in person \nto ask questions. I am sure you will be hearing from him in the \nfuture.\n    But our thanks to our witnesses for joining us today. 
This \nhearing marks what I hope will be really the beginning of our \nproactive efforts to secure one of our most threatened and \nimportant national resources, and that is our sensitive \ninformation, not just about us as individuals, as human beings, \nbut our businesses and our governmental units, and so forth.\n    Every day our government's computers experience thousands \nof attacks, led by individuals seeking to gain access, and in \nsome cases, to taxpayer records. In other cases, to our medical \nrecords; in some cases to our Social Security numbers, to \nproprietary business information, and to military secrets, just \nto name a few.\n    Our public expects that agencies holding this information, \nparticularly their personal information, will take every \nprecaution necessary to ensure that it is secured, and well \nprotected.\n    However, despite the progress report in the Office of \nManagement and Budget's most recent report, I feel like we are \nstill very much at risk.\n    Our inability to secure Federal information networks and \nprotect the information they contain leaves American citizens \nopen to threats that involve identity theft. And I guess if we \ngo around the room here, we could ask do you know who has been \na victim of identity theft. And let me just ask the audience. \nDo you know somebody who has been a victim of identity theft? \nRaise your hand, if you have. That was 17 hands that went up.\n    That is about a third of the hands of the people that are \nhere.\n    But not only do we have worries and concerns about our \npersonal identity and identity theft, but the threat that we \nface even places our national security at risk.\n    For example, according to a report released I believe last \nMonday by the Department of Defense, the U.S. Government and \nour allies around the world have come under attack in the past \nyear by hackers from addresses that appear to originate from \nthe Chinese government. 
Maybe we will have something to talk \nwith them about at the Olympics. We can sort of--cocktail talk \nwith the Chinese we will raise this as we go through the \nOlympics.\n    But these hackers were able to compromise information \nsystems at government agencies, our government agencies, at \ndefense-related think tanks, at contractors and at financial \ninstitutions as well.\n    Germany's domestic intelligence agency, the German Office \nfor the Protection of the Constitution, has accused China of \nsponsoring these attacks almost daily in an attempt to \nintensively gather political, military, corporate, strategic, \nand scientific information in order to bridge their \ntechnological gaps as quickly as possible.\n    Actually most of that last sentence that I gave or that I \nread was, I think, a quote from the Germans themselves and sort \nof pointing out what they think is going on here.\n    The threat of a Nation state cyber attack is very real, \ntoo. Last year, in Estonia, an attack led by Russian \nnationalists was coordinated through online chat rooms and Web \nsites. This cyber war, if you will, as the newspapers called \nit, shut down Web sites of Estonian organizations, including \nthe Estonian parliament, banks, ministries, newspapers, and \nbroadcasters.\n    But we do not have to look overseas to find threats to our \ninformation security. Sometimes we only have to look in our own \nbackyard. Just last year, the Veterans Affairs Department had \nan external hard drive stolen, exposing sensitive personal \ninformation on close to, I think, two million of my fellow \nveterans. But the Veterans Affairs is not the only example. The \nDepartment of Defense, the Department of Transportation, the \nDepartment of Commerce, the Department of Health and Human \nServices, Homeland Security, Education, Agriculture, and the \nDepartment of State were all compromised by current or former \nemployees. 
And I understand that in many cases, it is the \nformer employees or former contractors that are doing us in in \nsome of these instances.\n    But these incidents are not simply unacceptable. They are \nmore than unacceptable. I have a feeling that if a private \nsector company, like a bank or an insurance company, that is \nentrusted with sensitive data were as vulnerable as some of our \nFederal agencies seem to be, they would be out of business \npretty quick.\n    The Federal Information Security Act (FISMA), came out of a \nrecognition a few years ago, I want to say about 2002, the \nrecognition of the critical importance of protecting our \ninformation systems. Since then, agencies have made \nextraordinary progress in implementing crucial information \nsecurity measures, and they should be acknowledged and \ncomplimented for their efforts. And we acknowledge those \nefforts, and we compliment them where they have occurred.\n    Having said that, I am concerned that 5 years after the \npassage or enactment of FISMA, agencies may be falling into the \ntrap of complacency and just checking boxes to show compliance \nwith requirements written into a bill.\n    So once again, I want to thank our witnesses today for \njoining us, for your preparation for your testimonies today, \nand we look forward to hearing how Congress, how we in the \nLegislative Branch of this government can help in protecting \nour sensitive information for domestic threats and from foreign \nthreats as well.\n    We are going to leave the record open for Senator Coburn \nand others on the Subcommittee who would like to submit opening \nstatements.\n    We have done a lot of research on each of the witnesses and \ncome up with some interesting things about your past.\n    But let me just say our first witness will be Hon. Karen \nEvans, the Administrator for E-Government and Information \nTechnology for the Office of Management and Budget. 
You have \ntestified before this Subcommittee on several occasions. We are \ngrateful for that and for you being here today.\n    Ms. Evans directs the activities of the Chief Information \nOfficer Council and oversees the implementation of IT \nthroughout the Federal Government, including responsibilities \nin the areas of capital planning and investment control, \ninformation security, privacy, and the preservation of \ngovernment information.\n    Prior to becoming Administrator, Ms. Evans was the Chief \nInformation Officer for the Department of Energy. What years were you \nthere?\n    Ms. Evans. I was there for a total of 20 months, so it was \n2002.\n    Senator Carper. OK.\n    Ms. Evans. From 2002.\n    Senator Carper. All right. There, Ms. Evans was responsible \nfor the design, implementation, and continuing successful \noperation of information technology programs and issues \nthroughout the Department.\n    In addition, Ms. Evans was Director of the Information \nResources Management Division, the Office of Justice Programs \nat the U.S. Department of Justice, and there she was \nresponsible for the management and successful operation of \ninformation technology programs.\n    She holds a bachelor's in chemistry and a Master's of \nBusiness Administration from a college located in the State \nwhere I was born, West Virginia--the University of West \nVirginia--a Mountaineer. I just had an emotional conversation \nwith some folks earlier today about your football coach, who's \nheaded off to Michigan. I went to Ohio State, so we had a good \ntime on this conversation. 
But about your football coach--\nheaded off to Michigan, and they--it looks like West Virginia \nlost all their top five recruits, so people are not too happy.\n    Our next witness is Greg Wilshusen, Director of Information \nSecurity Issues at the Government Accountability Office, where \nhe leads information security-related studies and audits of the \nFederal Government.\n    He has over 26 years of auditing, financial management, and \ninformation systems experience and is a certified public \naccountant, a certified internal auditor, and certified \ninformation systems auditor. That is a lot of certifieds.\n    But he holds a B.S. degree in Business Administration and \nAccounting from the University of Missouri, and an M.S. in \nInformation Management from George Washington University School \nof Engineering and Applied Sciences. Welcome.\n    Our final witness is Tim Bennett, President of the Cyber \nSecurity Industry Alliance. Mr. Bennett has served as chief \noperating officer--I read your bio. I said to Dr. Coburn, I \nsaid this guy is going to be really old. I am pretty amazed \nthat you are not. Either you are well preserved or not, but you \nhave done a lot in your life, a lot of interesting stuff, too.\n    As President of Cyber Security Industry Alliance, Mr. \nBennett has served as chief operating officer, executive vice \npresident, senior vice president, international, of the \nAmerican Electronics Association for 7 years, where he directed \nall operations for 18 U.S. offices and 2,500 members among \nother responsibilities.\n    In addition, Mr. Bennett has worked at the Office of the \nU.S. Trade Representative as the Deputy Assistant for 8 years, \nserving as a chief U.S. trade negotiator with Mexico, and one \nof the lead negotiators for the GATT Uruguay round of multi-\nlateral trade negotiations. He is here to share with us why \nNAFTA was a good idea--no, that will be testimony for another \nday.\n    Earlier in his career, Mr. 
Bennett was an international \neconomist for the U.S. Department of Labor's Bureau of International \nLabor Affairs and served on the U.S. negotiating team during \nthe Tokyo round of multi-lateral GATT negotiations.\n    So you are all welcome, and Ms. Evans, before you start, \nlet me just say a special welcome to my friend, Senator Coburn, \nand to recognize him for any comments he might want to offer.\n    Senator Coburn. I think you have covered it. Let us hear \nthe testimony. Thank you.\n    Senator Carper. All right. Thank you so much.\n    Each of you, your full testimony will be made a part of the \nrecord, and without objection, and we will just have you take \nit away. Well, if you can hold it to 5, 6, or 7 minutes, that \nwould be fine, but we are not going to run the clock very \ntightly. Thank you.\n    Ms. Evans. Before I start, though, Mr. Chairman, I do want \nto thank you for the acknowledgement of being a die-hard \nMountaineer fan, because I am. So, anyway.\n\n   TESTIMONY OF HON. KAREN S. EVANS,\\1\\ ADMINISTRATOR FOR E-\n     GOVERNMENT AND INFORMATION TECHNOLOGY, U.S. OFFICE OF \n                     MANAGEMENT AND BUDGET\n\n    Ms. Evans. Good afternoon, and I appreciate the opportunity \nand thank you for inviting me to speak about the state of \nFederal information security.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Evans appears in the Appendix on \npage 49.\n---------------------------------------------------------------------------\n    Securing Federal information and information systems has \nbeen an Administration priority, and over the last several \nyears, we have focused management attention through a risk-\nbased security framework.\n    In my written testimony, we highlighted our results from \nthe Annual Federal Information Security Management Act Report. 
\nHowever, I would like to briefly describe some of our \ninitiatives intended to close the remaining performance gaps.\n    In June 2006, OMB made recommendations to agencies to \ncompensate for the lack of physical security controls when \nremotely accessing sensitive information. These recommendations \nwere reiterated in OMB Memo 07-17. The recommended actions were \nto encrypt all sensitive data on mobile computers and devices, \nallow remote access only with two-factor authentication, use a \ntime-out function for remote access in mobile devices, and log \nand verify use of all computer-readable data extracts from \ndatabases holding sensitive information.\n    In order to assist agencies, we are leveraging our buying \npower. GSA and DOD established a Smart Buy agreement for \nproducts certified through the National Institute of Standards, \nFIPS 140-2 Crypto Module Validation Program.\n    These certified products are used to encrypt data at rest, \nand we are currently using the management oversight of the \nPresident's Management Agenda Scorecard to ensure \nimplementation and oversight of these recommendations.\n    While strong security controls can reduce the number of \nincidents, experience shows some incidents and attacks cannot \nbe prevented. Consequently, an effective detection and response \ncapability is critical.\n    In Fiscal Year 2007, 12,986 incidents were reported to the \nDepartment of Homeland Security Incident Response Center, which \nis more than twice the number that was reported in Fiscal Year \n2006.\n    While the increasing number seems alarming, we are finding \nthis increase to be partially attributable to improved incident \nidentification and reporting.\n    To further improve situational awareness and incident \ndetection, we are working with agencies to reduce the overall \nnumber of external connections, including Internet points of \npresence. 
As agencies optimize their external connections, \nsecurity controls to monitor threats will be deployed and \ncorrelated to create a government-wide perspective of our \nnetworks.\n    Deployment of Einstein, an intrusion detection system, to \nall external access points will allow us to collect, analyze, \nand share aggregate computer security information across the \nFederal Government.\n    Einstein will enhance current incident detection abilities, \nand will raise awareness of threats and vulnerabilities, \nallowing for corrective action in a timely manner.\n    These initiatives described in my testimony today, in \ncombination with other Administration initiatives, including \nIPv6, Homeland Security Presidential Directive 12, Minimum \nComputer Communications Capabilities for Continuity of \nGovernment and Continuity of Operations Plans, the Federal \nDesktop Core Configuration, and the IT Infrastructure Line of \nBusiness, address our potential security gaps, help agencies \noptimize their information infrastructure, and facilitate \nappropriate network consolidation and configuration.\n    In turn, agencies will be better able to manage their \ninformation infrastructure, allowing them to reduce risk to an \nacceptable level.\n    In conclusion, there is evidence agencies are making \nprogress in the area of information security and protection of \nsensitive information. We are improving the quality of \ninformation security processes across the Federal Government \nwhile concurrently improving our reported performance metrics \nand compliance with FISMA.\n    I will be happy to take questions at the appropriate time.\n    Senator Carper. Ms. Evans, thank you very much. Mr. \nWilshusen.\n\n TESTIMONY OF GREGORY C. WILSHUSEN,\\1\\ DIRECTOR OF INFORMATION \n    TECHNOLOGY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Wilshusen. Mr. 
Chairman, Ranking Member Coburn, I am \npleased to be here today to testify on FISMA and the state of \nFederal information security.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Wilshusen appears in the Appendix \non page 54.\n---------------------------------------------------------------------------\n    Rarely has the need for the Federal Government to implement \neffective controls over its information systems and information \nbeen more important.\n    Virtually all Federal operations are supported by automated \nsystems and electronic information, and agencies would find it \ndifficult, if not impossible, to carry out their missions, and \naccount for their resources without them.\n    At the same time, Federal systems and critical \ninfrastructures are increasingly being targeted for \nexploitation by a growing array of adversaries, including \ncriminal groups, foreign nation states, hackers, terrorists, \nvirus writers and disgruntled insiders.\n    Thus, it is imperative that agencies safeguard these \nsystems to protect against such risks as the loss or theft of \nresources, the disclosure or modification of sensitive \ninformation, including national security, law enforcement, \nproprietary business, and personally identifiable information, \nand the disruption of critical operations.\n    Today, I will summarize agency progress in performing key \ninformation security control activities, the effectiveness of \ninformation security of Federal agencies, and opportunities to \nstrengthen security.\n    In Fiscal Year 2007, the Federal Government reported \nimproved information security performance relative to key \nperformance metrics established by OMB.\n    For example, the percent of certified and accredited \nsystems government-wide reportedly increased from 88 percent to \n92 percent. 
These gains continue historical trends that we \nreported on last year.\n    Despite reported progress, 20 of 24 major Federal agencies \ncontinue to experience significant information security control \ndeficiencies. Most agencies did not implement controls to \nsufficiently prevent, limit, or detect access to computer \nnetworks, systems, or information.\n    Moreover, agencies did not always configure network devices \nto prevent unauthorized access and ensure system integrity; \npatch key servers and workstations in a timely manner; and \nmaintain complete continuity of operations plans for key \ninformation systems.\n    An underlying cause for these weaknesses is that agencies \nhave not fully or effectively implemented the agency-wide \ninformation security programs required by FISMA.\n    As a result, Federal systems and information are at \nincreased risk of unauthorized access to and disclosure, \nmodification, or destruction of sensitive information as well \nas the inadvertent or deliberate disruption of system \noperations and services.\n    Such risks are illustrated in part by an increasing number \nof security incidents reported by Federal agencies. \nNevertheless, opportunities exist to bolster Federal \ninformation security. 
Federal agencies can implement the \nhundreds of recommendations made by GAO and their IGs to \nresolve previously reported control deficiencies and \ninformation security program shortfalls.\n    In addition, OMB and other Federal agencies have initiated \nseveral government-wide initiatives that are intended to \nimprove security over Federal systems and information.\n    For example, OMB has established an information systems \nline of business to share common processes and functions for \nmanaging information system security, and it has directed \nagencies to adopt the security configurations developed by \nNIST, DOD, and DHS for certain Windows operating systems.\n    Consideration could also be given to enhancing policies and \npractices related to security control testing and evaluations \nof agencies' information security programs required by FISMA.\n    In summary, although Federal agencies report performing key \ncontrol activities on an increasing percentage of their \nsystems, persistent weaknesses in agencies' information \nsecurity continue to threaten the confidentiality, integrity, \nand availability of Federal systems and information.\n    Until Federal agencies resolve their significant \ndeficiencies and implement effective security programs, their \nsystems and information will remain at undue and unnecessary \nrisk.\n    Mr. Chairman, this concludes my statement. I would be happy \nto answer your questions.\n    Senator Carper. Mr. Wilshusen, thank you very much. Mr. \nBennett, you are recognized. Thanks for joining us.\n\nTESTIMONY OF TIM BENNETT,\\1\\ PRESIDENT, CYBER SECURITY INDUSTRY \n                        ALLIANCE (CSIA)\n\n    Mr. Bennett. Thank you. Chairman Carper, Ranking Member \nCoburn, thank you for this opportunity to appear before the \nSubcommittee to discuss the Cyber Security Industry Alliance's \nthoughts on how to possibly improve FISMA. I know, Mr. 
\nChairman, data security is an issue that you have been \ninterested in and followed on a sustained basis, both in this \nSubcommittee and in the Banking Committee, and we appreciate \nthat. I would also like to note, in light of prior comments, \nwhether on the record or off the record, ``Go Bucks.''\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Bennett appears in the Appendix \non page 92.\n---------------------------------------------------------------------------\n    This hearing is most timely and further bolsters current--\n--\n    Senator Carper. After I met Senator Coburn, I found out \nthere was another OSU.\n    Mr. Bennett. Yes.\n    Senator Carper. There is another OSU in Oregon, and the guy \nwho used to be President of Ohio State is now the President of \nOregon State. He says he is sticking with the OSUs. He still \nhas Oklahoma, though.\n    Senator Coburn. No, we just got a new president.\n    Senator Carper. All right. OK.\n    Mr. Bennett. Well, this hearing is most timely and further \nbolsters current congressional consideration of the need for \nstrengthening information security within the Federal \nGovernment. As we have painfully learned, Federal systems are \nfrequently vulnerable to the now relentless onslaught of cyber \nattacks, and the oversight by the Congress is an important \nelement in holding Federal agencies accountable for improved \ninformation security, as well as highlighting ongoing \nchallenges and vulnerabilities.\n    While today's hearing is not focused on a specific \nlegislative proposal, we believe the 110th Congress has an \nimportant opportunity to enhance FISMA to improve the \ninformation security posture of Federal Government agencies. 
\nEven though the last few years have yielded some improvements \nin Federal information security, there are unacceptable \nvulnerabilities in Federal Government information systems that \nurgently need to be addressed. The Federal Government should be \nthe leader in adopting effective information system practices \nbased on understanding and addressing risks to sensitive \ninformation and not be the poster child for what can go wrong.\n    The time for strengthening FISMA is now, given the \nescalating, large-scale information security intrusions and \ndata losses that have occurred at our Federal agencies over the \npast several years. Unsurprisingly, the Information Technology \nAssociation of America's recent report based on its annual \nsurvey of Federal CIOs found, for the second year in a row, that \nthe broad area of IT security and cyber security remains the \ntop challenge faced by Federal CIOs.\n    CSIA member company Symantec revealed in its 2007 Internet \nSecurity Threat Report that the government sector is the third \nmost targeted sector for global cyber attacks and wholly \nresponsible for 26 percent of all data breaches that may lead \nto identity theft.\n    Mr. Chairman, you mentioned in your opening statement the \nseries of attacks perpetrated by hackers operating through \nChinese Internet servers against our computer systems at several \nFederal agencies. Hackers were able to penetrate Federal \nsystems and use rootkits, a form of software that allows \nhackers to mask their presence, to send information back out of \nthe Federal agency systems.\n    Federal agencies scored an average grade of C-minus on \n2007's information security report card. Last year's average \ngrade was a very small improvement over 2006 when the agencies \nscored an average of D-plus. These are barely passing grades.\n    Some argue that FISMA does not adequately measure \ninformation security. A high FISMA grade does not mean the \nagency is secure, or vice versa. 
That is because FISMA grades \nreflect compliance with mandated processes. They do not, in my \nview, measure how much these processes have actually increased \ninformation security. In particular, the selection of \ninformation security controls is subjective and, thus, not \nconsistent across Federal agencies.\n    Agencies determine on their own what level of risk is \nacceptable for a given system. They can then implement the \ncorresponding controls, certify and accredit them, and thus be \ncompliant and receive a high grade, regardless of the level of \nrisk they have deemed acceptable.\n    There were encouraging signs of progress in the 2007 \nreport, but we continue to be concerned that many mission \ncritical agencies like DOD and DHS are still lagging in their \ncompliance. These and other agencies are lacking in \nimplementing configuration plans, in performing annual tests of \nsecurity controls, and are inconsistent in reporting incidents. \nThe annual report card does, however, indicate that the Federal \nGovernment overall has made some improvements in the areas of \ndeveloping configuration plans, employee security training, and \ncertifying and accrediting systems.\n    FISMA does not tell the whole story when it comes to \nagencies' information security practices. Nowhere is an \nagency's ability to detect and respond to intrusions measured \nin FISMA. In fact, a senior DHS official testified before the \nHouse Homeland Security Committee on February 28, 2008 that \nintrusion detection is inconsistent across the Federal \nGovernment.\n    FISMA is a great baseline log, but clearly much needs to be \ndone in this area. We need to incentivize strong information \nprotection policies and pursue a goal of security rather than \ncompliance.\n    We need to ask ourselves if we can make FISMA better as new \nthreats evolve. 
Certainly, we want to avoid a check-the-box \nmentality, and do not want FISMA to be reduced to a largely \npaperwork drill among departments and agencies, consuming an \ninordinate amount of resources for reporting progress while \nyielding few genuine security improvements.\n    Unfortunately, in some cases, that is what it has become.\n    With the benefit of 5 years' experience under FISMA and \nseveral insightful reports by GAO, it is now possible to \nidentify possible improvements that can address those \nweaknesses in FISMA implementation that have now become \napparent. With global attacks on data networks increasing at an \nalarming rate, in a more organized and sophisticated manner, \nand often originating from state-sponsored sources, there is \nprecious little time to lose.\n    CSIA believes that amending legislation is needed to give \nthe weight and suasion of law to the eight improvements that we \nare recommending in our written testimony.\n    In closing, I commend the Subcommittee for examining \nwhether enough is being done to protect Federal IT and secure \nsensitive information systems, and asking how we can improve \nFISMA and Federal agency information security practices going \nforward.\n    FISMA can be strengthened if we develop processes and \nmetrics that truly measure information security and help guide \ninvestments in personnel, capabilities, and information \nsecurity safeguards that can more effectively secure our \ncomplex Federal computing enterprises. We need to get beyond \nfocusing only on compliance processes. We need to encourage \nrisk-based approaches to information security. We need to \nembrace the public-private partnership that information \nsecurity requires, and we need to take steps immediately that \nimprove both the policy and the practice of information \nsecurity. 
The overriding objective should be to move Federal \nagencies to act in a manner that equates strong information \nsecurity practices with overall mission accomplishment. We all \nknow what is at stake. Thank you.\n    Senator Carper. Mr. Bennett, thank you very much. And \nSenator Coburn has another pressing engagement. He is going to \nhave to slip out of here in a little bit, but I have asked him \nto lead off with questions. I am just happy you are here.\n\n              OPENING STATEMENT OF SENATOR COBURN\n\n    Senator Coburn. Thank you, Chairman. Let me thank each of \nyou for what you do and for being here. Ms. Evans, I appreciate \nso much the work you do. How much of the work of FISMA is \npaperwork versus real security protection? And how much of a \nmeasurement of compliance is measurement of compliance of \npaperwork rather than security protection?\n    Ms. Evans. Well, the way that I would prefer to answer the \nquestion is that it all depends on how the agency goes about \ndoing the work. If the agency is going about doing the work \nbecause OMB is telling them they have to do it, then it is a \npaperwork exercise. If the agency is going about the work in \norder to achieve the goal, which is better information \nsecurity, then it is measuring the information security of what \nis happening there at that Department.\n    FISMA has put together a framework. The policy supporting \nit has put together a framework, but it really is about if you \nare going to do it just to comply with OMB and to comply with \nthe annual reporting requirement, then it is purely a paperwork \nexercise at that agency.\n    Senator Coburn. So it does not mean anything. If they are \ncompliant with FISMA, it does not necessarily have a reflection \nof how compliant we are in terms of security, cyber security?\n    Ms. Evans. Well, the way that I would say it is is that you \nneed to use FISMA as an indicator. 
It is an indicator, just \nlike any of the other types of metrics that we would collect; \nand that the other thing that FISMA has, which some of the \nother metrics that we do not have, is that the law itself put \nthe independent evaluation in there, which allows the IGs to \ncome in and measure the value or the quality of that process.\n    So it is not just an agency reporting mechanism but it is \nalso an evaluation of the quality of that process. So if you \nlook at the information that when you start looking at it \noverall and then looking department by department, then you \nwould be able to see this particular department is doing it, \nmay be doing it as a compliance exercise or is not necessarily \nas mature.\n    For example, we have picked certain areas where we have \nasked the IG to go in and evaluate the quality. One, which is \ncontroversial, is certification and accreditation.\n    If an agency says I have a 100 percent of my systems \ncertified and accredited, but the IG says that process is poor, \nthen we need to go in and work with that agency because the \nagency is going about that process. We need to figure out is it \njust compliance or----\n    Senator Coburn. Well, that is what I am trying to get to. \nHow much of it is doing the paperwork, meeting the \ncertification? The goal is secure networks.\n    Ms. Evans. Sure.\n    Senator Coburn. And so what do we need to do in terms of \nthe reauthorization of this bill to make sure that everybody is \nworking towards security, not compliance?\n    Ms. Evans. Well, my view is that the bill itself is fine \nwith the way that the framework is set up. 
I think some of the \ndiscussions of what we have talked about, the types of metrics \nthat we are collecting or maybe some improvement in the \nguidance that comes from NIST to help agencies work through \nthat process and be more definitive.\n    For example, a good example where an agency can choose and \nthey need to choose the risk, we got more specific with some of \nthe policy memos as it related to personally identifiable \ninformation, where we worked specifically with NIST. NIST went \nthrough and did a checklist, a very specific checklist and \npointed to very discrete portions of their guidance, which \nreally helped agencies get through that instead of looking at a \ndocument this big and then trying to figure it out on their \nown.\n    Senator Coburn. OK. So let us say we got an agency that is \ncompliant that's not secure. What does OMB do?\n    Ms. Evans. Well, what we would do is we would go through \nand see what that actually means, when you say they're \ncompliant because----\n    Senator Coburn. I am saying they filled out the paperwork. \nThey are certifiable, but when the IG comes in to test to see \nif they are secure, they are not. What do you do?\n    Ms. Evans. Well, then what we do is we use the authorities \nthat we have, for example, all the investments go on the \nmanagement watch list. The existing projects will also go on \nthe high-risk list, because what we want to do is make sure \nthat you are not spending more money to put out new investments \non top of infrastructure that is not secure.\n    Senator Coburn. OK.\n    Ms. Evans. And that you do not have the proper controls in \nplace that in order to ensure that you are monitoring then on a \nconsistent basis and on the constant basis. 
So we would then \nwork with the agency to make sure that there is a good \nremediation plan in place, looking at what are the weaknesses \nthe IG has defined, and then work through that to make sure \nthat they can then close that gap of what the IG has said is \nkeeping them from having a good security program in place where \nthey are constantly assessing the risk.\n    Senator Coburn. OK. Let me ask this of Mr. Wilshusen. You \nsaid their compliance has gone from 88 to 92 percent. Mr. \nBennett said when we measure performance, they have gone from \nD-plus to C-minus. We are measuring two different things, are \nwe not?\n    One is compliance, which does not necessarily mean \nsecurity. And Mr. Bennett's performance measurement is about \nsecurity, is that correct? Am I understanding that right?\n    Mr. Wilshusen. Well, I would say that in terms of the \ncompliance, many of the performance metrics that OMB has \nestablished for FISMA reporting, on which agencies are supposed \nto report on their compliance with the Act, they are, in fact, \njust identifying the number or the percentage of systems that \nmeet a particular control activity.\n    Senator Coburn. Right.\n    Mr. Wilshusen. It does not reflect how well or how \neffective that control----\n    Senator Coburn. Right.\n    Mr. Wilshusen [continuing]. Activity is in many of the \ncases. And, as a result, you do have that dichotomy of agencies \nreporting significant improvements in terms of the number of \nsystems and number of personnel performing control activities. \nWhereas the effectiveness of their security controls is still \nquestionable.\n    Senator Coburn. It could be going down?\n    Mr. Wilshusen. It could be. One measure of that we look at \nis the 20 out of 24 of the CFO Act agencies that----\n    Senator Coburn. Yes, I saw it.\n    Mr. Wilshusen [continuing]. 
Identified significant or their \nIGs identified significant control deficiencies or material \nweaknesses as part of their financial statement audits, the \ndifference being is that in those reviews, in those audits, the \nIGs are assessing the effectiveness of information system \ncontrols or the financial systems, not just merely compliance \nwith particular control activities.\n    Senator Coburn. OK. In your assessment, give me short \nanswers because I am running out of time.\n    Mr. Wilshusen. OK. Sorry.\n    Senator Coburn. Yes, but I am out of time. They have been \nwaiting on me 15 minutes.\n    Mr. Wilshusen. I see.\n    Senator Coburn. We have had almost a doubling of reported \nevents. What percentage of that you think is increased \nreporting that were there anyway versus actually a worsening of \na security situation--just a guess. I am not holding you to it. \nWhat do you think, Mr. Wilshusen?\n    Mr. Wilshusen. I would say I do not know that answer \nspecifically.\n    Senator Coburn. Does anybody know that answer?\n    Ms. Evans. Actually, we have the numbers based on what \nU.S.-CERT has given to us. The increased reporting based on our \nenhanced reporting requirements for personally identifiable \ninformation has increased. When you look at the report, it ends \nup that the actual number is about 348 actual incidences, when \nyou start looking at unauthorized access, when you look at \nthese numbers that are in the chart.\n    So because the rest of the reporting comes from lost and \nstolen equipment, and so there is an increase in lost and \nstolen equipment based on the way that we clarified the \nreporting requirements. 
But that leads to other issues dealing \nwith security, which is the focus of this, and so what we are \nable to do then is see based on the types of reporting that \ncomes in what type of corrective actions we need to take \ngovernment-wide.\n    But to the question that you are asking about compliance \nand the metrics and this is one area where we do take a lot of \nfeedback. We pick certification and accreditation because we \nbelieve that measures the lifecycle of what an agency is \nsupposed to do from start to finish when they collect \ninformation and how they protect it. So if you do it right, \nthat you are assessing the risk saying this kind of information \nI am having, this is the type of IT system I am going to use, \nthese are the types of controls, these are what the users do, \nthis is the residual risk, and the owner has to sign off and \nsay I accept that.\n    So that is why we picked that process. When you start \npulling out D-minus, C-plus, 92 percent and all those, you \nstill have to get to the quality, which is the independent \nevaluation of the IG. So that is why we look at that in \nconjunction with the two. The D-minus grade that you are \ntalking about that the House has given us.\n    Senator Coburn. Actually, it was C-minus. You are doing \nbetter than D-minus.\n    Ms. Evans. We had a D-minus. We had a C, and I agree I \nwould not accept that from my children. You can ask them.\n    So that is why we have worked to put in more of these \ngovernment-wide solutions that are getting to the root cause of \nthe issue.\n    Senator Coburn. So when IG comes or GAO come to look at \nthis, do they actually test for security or do you test for \ncompliance to the law? Which are you testing for?\n    Mr. Wilshusen. Well, when we do our reviews, we test for \nsecurity. We test the actual----\n    Senator Coburn. So you are actually testing to see----\n    Mr. Wilshusen [continuing]. Security.\n    Senator Coburn [continuing]. 
If, in fact--you are trying to \nprobe it and break it?\n    Mr. Wilshusen. That is correct.\n    Senator Coburn. And see if they can catch you?\n    Mr. Wilshusen. That is exactly right.\n    Senator Coburn. And so, on the basis of that, are we better \noff than we were a year ago?\n    Mr. Wilshusen. I would say we are not better off than we \nwere, say, a year ago.\n    Senator Coburn. OK. That is a key answer.\n    Mr. Wilshusen. In that we continue to find significant \ncontrol deficiencies on the audits that we perform.\n    Senator Coburn. Twenty out of 24?\n    Mr. Wilshusen. And that would include those that the IGs \nhave identified, too.\n    Senator Coburn. All right.\n    Mr. Wilshusen. But I could just--if I may just--and I know \nyou have----\n    Senator Coburn. OK.\n    Mr. Wilshusen [continuing]. To leave. I have two comments \nbased on what Ms. Evans mentioned.\n    One is that most of the performance measures relate to \nstrictly identifying whether control activity has been \nperformed. There are a few instances where OMB asked the IG to \ncomment on the quality of certain processes, but there are a \nnumber of other processes that are not asked or requested to \ncomment on the quality of them, including, for example, \nsecurity testing and evaluation of controls, which is a key \ncritical control activity in which we often find during our \naudits where agencies' control activities or testing activities \nare insufficient because we identify a number of \nvulnerabilities that they do not on the same systems.\n    Senator Coburn. OK.\n    Mr. Wilshusen. In addition, the patch management, as well \nas the incident detection capabilities, are not necessarily \nassessed as part of the independent evaluation.\n    There is also a concern about the consistency of the \nindependent evaluations performed by the IGs across the 24 \nagencies.\n    Senator Coburn. In other words, some are tougher probes \nthan others?\n    Mr. Wilshusen. 
Yes, sir.\n    Senator Coburn. OK. The last question, and I am going to \nleave and let you answer it and my staff will give it to me, \nbecause I just received a notice my contact is getting ready to \nleave.\n    Do you think that the U.S.-CERT has captured data on all \nattacks or are they only on what is reported? And is there a \ndifference? Mr. Bennett.\n    Mr. Bennett. Only on what is reported.\n    Senator Coburn. Yes, so we do not know?\n    Mr. Bennett. That is correct.\n    Senator Coburn. So basically, we are not to the point where \nwe can really assess our security?\n    Mr. Bennett. That is correct, and I am going to grab you \nreal quick. On the OMB report released earlier this week about \nthe doubling of the number of incidences reported, that does \nreflect improved reporting. But what we have seen--certainly in \nthe private sector--is the number of attacks exploded in 2007.\n    Senator Coburn. Yes.\n    Mr. Bennett. The chart goes like this. So, there is no \ndoubt----\n    Senator Coburn. So some of it is real and some of it is \nnot?\n    Mr. Bennett. It is real, and the Federal Government would \nnot be immune from that increased malicious activity.\n    Senator Coburn. Thank you. Thank you, Mr. Chairman.\n    Senator Carper. Let me sort of pick up where Dr. Coburn was \nleaving off. Why do you suppose we are seeing this explosion? \nYou said in 2007 it just sort of took off. What is going on out \nthere?\n    Mr. Bennett. Well, I'll give you my take and also the \nothers, and there are a lot of people in the audience behind me \nthat are real experts on this.\n    A number of things. One, we saw organized crime move into \nthis activity in a more sustained, organized fashion, more \nsophistication. The amount of money made in cyber crime, \naccording to FBI report, now far exceeds that made in the total \ninternational drug trade and the gap is increasing.\n    It is easier to do. It is safer. It can be done from an \noffshore location. 
Chances of apprehension are substantially \nreduced. So we are seeing that.\n    And a lot of it is coming from offshore locations hitting \ntargets around the world, primarily the United States, but not \njust the United States.\n    Senator Carper. Well, what are some other countries that \nare being victimized besides us?\n    Mr. Bennett. Well, the Attorney General of Australia just \nmade a public statement earlier this week that the government \nagencies of Australia have been attacked and when asked to name \na country, he mentioned China. So, there are certainly other \ngovernments.\n    You referred in your opening statement to Germany. Of \ncourse, the Estonian attack is noted. But there are also \norganized crime gangs in Russia, Romania, and Bulgaria. We have \nalso heard Indonesia and Malaysia--so it is thriving, and it is \nprofit-driven. It is a very entrepreneurial market now. And so \nit has gone away from random attacks, kiddy hacking, all these \ntypes of thing, to a very organized business activity. We have \neven seen evidence of going after certain databases, stealing \ncertain personal information with the intent to hold it for a \nnumber of years. That reflects a long-term business plan.\n    So we are seeing a rapid evolution in the type of activity.\n    Mr. Wilshusen. And I would just like to add--and I would \nagree, too, with everything that Mr. Bennett mentioned--that \nthere is probably better incident reporting on the part of the \nagencies. The May 2006, VA data theft, I think, was a Federal \nwake-up call on the importance of reporting incidents and \nreporting them promptly. And the increased emphasis on \nreporting that OMB has placed on the issue has also increased \nthe number of incidents that are reported.\n    In addition, I would like to add that the threats are \nevolving; the threats to Federal systems are evolving. They are \nbecoming more targeted, and sophisticated. 
And with the \nprevalence of information security weaknesses and deficiencies \nwithin the Federal systems, it makes the likelihood of \nincreased security incidents very possible; and the fact that the \nFederal Government maintains and collects a lot of information \nthat is very attractive to potential adversaries.\n    Senator Carper. Ms. Evans.\n    Ms. Evans. So what I would like to address is what you do \nwhen you have this information, and it is not so much making----\n    Senator Carper. When you say what you do?\n    Ms. Evans. What we do.\n    Senator Carper. What is it you do?\n    Ms. Evans. What we do when we have the----\n    Senator Carper. Who is the you?\n    Ms. Evans. The Federal Government, OMB, U.S.-CERT and how \nwhat we do with this stuff to get to the result of improved \ninformation security because that is really what we are trying \nto do. It is not so much--and I think this is the piece that we \nkeep talking about here is you can enhance and you can insist \non whether you have 100 percent reporting in here. Is the goal \nto get the 100 percent reporting or is the goal to be able to \nanalyze the information that is coming in and fix what the \nsystemic problem is?\n    And I would argue that there is enough information. We may \nnot, we are improving our reporting requirements, then using \nthis information to go forward and put solutions in place to \nreduce risk.\n    When you start looking at all of the things that my \nesteemed colleagues have talked about, what is at the root of \nthat problem? What are they exploiting? Why do I have material \nweaknesses? How do they get in? What are they doing?\n    Nine times out of 10, this is a configuration management, \npatch management issue.\n    Senator Carper. When you say configuration management, patch \nmanagement, just put that in English----\n    Ms. Evans. OK.\n    Senator Carper [continuing]. That even I can understand it.\n    Ms. Evans. 
So what will happen is if I am running an \noperation, so, say, I am back at a department and I am running \nan operation. Depending on whether I have that federated across \nthe department or whether it is being centrally managed, so \nthat only one person controls what comes in and what goes out \non a desktop, like how a desktop is set up.\n    If you have allowed a thousand different types of \nconfigurations to flourish, because that stimulates a lot of \ncreativity and innovation, that also increases your risk, \nbecause now you have to have the resources to manage a thousand \ndifferent types of configurations. You have to have the \nresources to then look at a thousand different configurations \nand see what risks that come out on a daily basis that are \nrelated to that.\n    If I manage one, can manage one more effectively, then I \ncan manage a thousand. And so what happens is then when \norganized crime comes along or any of these other ones, think \nof it as your house. You have a burglar alarm system--everyone \nknows that when you first put up that first sign and they are \ndriving down the road, and they see that your house is \nmonitored, they pass you and go to the next one.\n    Well, if everybody in your neighborhood has that sign up, \nthe threshold has now gone up; right? So now the criminals are \ngoing to come by and start rattling doors.\n    Senator Carper. What we did in our neighborhood, we went \naround the neighborhood, and we took out other people's signs.\n    Ms. Evans. Well, there you go. [Laughter.]\n    But that is how it works. And so configuration management \nis raising it up a level so then what they start doing is \ntapping around and that is what these mean, like scans and \nprobes and things. They tap around to see if a door is open or \nif a window is open.\n    If you have left the window open, and they will want to \ncome into your house. 
So what we are trying to do in a very \nconcerted way with what the Federal Desktop Core Configuration \nis lock down all the windows and doors; right? The sign is up, \nand then we are assessing the environment based on the risk. \nAnd then you can patch faster, if there is a vulnerability that \ncomes out; right?\n    So, say, somebody's sign fell down. You would have to put a \npatch back up. This allows us to do that faster because we know \neverybody is supposed to have the sign. One person is missing \nthe sign. We need to go back and put that sign up for the \nperson.\n    That is what we are trying to do across the board as an \nentity.\n    Senator Carper. Mr. Bennett, what is good or bad about the \napproach that Ms. Evans has just described for us?\n    Mr. Bennett. Well, let me address that by saying this is an \nenormous problem. FISMA was a wise approach by the government, \nby the Congress to try and address it, and FISMA itself was in \nevolution in prior legislation.\n    What OMB has tried to do is try to manage this enormous \nFederal Government information system, for which we do not even \nyet have a complete inventory. It is a tremendous challenge. \nThey are taking the best approach, and they have been tweaking \nand evolving over the years and putting out memoranda to guide \nthe agencies on how to improve as they learn, but what we are \nsuggesting is based upon our experience in working with the \nFederal agencies is--and the GAO reports there is too much of a \nreliance upon the procedures and the processes and despite Ms. 
\nEvans saying that the primary issues are just configuration, \nthere still remains a problem of addressing the issue that \nSenator Coburn was getting at--are we coming after compliance \nor are we coming after security?\n    And what we are hearing is it is not coming after security, \nand in private conversations that I have had with the CIO \noffices of certain Federal agencies and in talking with them \nhow is your FISMA compliance, enlighten me. They will say do \nyou want the official answer or do you want the off the record \nanswer. And just that response right there, I think underlines \npart of the problem that we are not getting at the primary goal \nof the mission of the agencies has to be aligned with \nprotecting their information systems.\n    The Federal Government is probably the largest collector of \ninformation in the world. This information has--lots of it has \nvalue. And a lot of it is personally identifiable information. \nThat information needs to be protected, and that needs to be \nrecognized by the most senior levels of the agencies. We feel \nthere are deficiencies. It has been pointed out in GAO reports. \nWe have recommendations, and we feel it is going to have to \ntake legislation, not administrative action.\n    Having been a Federal employee for 11 1/2 years, I think a \nFederal agency, an employee responds more when something is in \nlaw rather than hearing from OMB or another agency that we are \nasking you to do such and such. So that is our bottom line on \nthat.\n    Mr. Wilshusen. May I please add a comment?\n    Senator Carper. Mr. Wilshusen, sure. We have been joined by \nSenator Coleman. Welcome, this is our first panel. It is really \nquite a fascinating discussion so far. And we are happy that \nyou are here, and, if you would like to ask questions of this \npanel, that would be great.\n    And we will let them go for a couple more minutes, and then \nI will recognize you.\n    Senator Coleman. Great. 
Thank you, Mr. Chairman. I may have \none or two questions.\n    Senator Carper. Good. Thanks for joining us.\n    Mr. Wilshusen. OK. I would just like to add one thing that \nMs. Evans mentioned was the Federal Desktop Core Configuration \nInitiative. We think that has a lot of promise.\n    Senator Carper. Why do you say that? Why do you think it \nhas a lot of promise?\n    Mr. Wilshusen. Because in our audits, many of the security \nvulnerabilities that we identify and are able to exploit are \nones that exist due to insecure configurations of operating \nsystems.\n    And the Federal Desktop Core Configuration, for example, is \ncoming up with relatively secure configurations of the Windows \nXP and Vista operating systems. By having these operating \nsystems configured securely, particularly if we can get them \nright out of the box when they are acquired, it provides a \ngreater opportunity to improve the security than is the usual \ncase with operating systems--that come in in their least secure \nstate and require the agency then to come in and implement \nsecurity in the operating systems.\n    So by having the ability to have these core configurations \nand through the leveraged power of the Federal procurement to \nhave these configurations right out of the box will help \nstrengthen security.\n    Once it is installed, you still need to maintain that over \ntime because the computing environment is not static. It is \nvery dynamic, so there still need to be effective monitoring \nmechanisms in place, but it is a benefit that will help reduce \nsome of the vulnerabilities that we often find.\n    Senator Carper. All right. Well, it sounds like what we are \nup against here--and I want to go back to this scorecard you \nmentioned. D-plus to C-minus; modest improvement, but \nimprovement. Whose scorecard was that?\n    Ms. Evans. It is the House Government Reform.\n    Mr. Bennett. 
It is the House Government Oversight and \nReform Committee.\n    Senator Carper. All right. Each one reflects an evaluation \nfor a particular discrete year? Is that what?\n    Ms. Evans. Yes, they rank it each year, and they release \nthe methodology associated with that. It is based on--GAO also \nlooks at it, and then what will happen is they will take the \ninformation from the agencies, and they will either plus or \nminus points based on certain methodology every year, and GAO \nworks with the House side in order to come up with what that \nmethodology should be.\n    Senator Carper. And what years were covered, 2006 or 2007? \nDo you all know?\n    Mr. Wilshusen. They have not done one for 2007 yet.\n    Senator Carper. I see.\n    Mr. Wilshusen. There have been computer report cards over \nthe last several years beginning with, I think, it was \nRepresentative Horn.\n    Ms. Evans. Right. It started with Representative Horn, so \nhe did 2001 forward, because I remember that was my first \nhearing 6 weeks into the job and over at Energy.\n    But it is discrete against the report, so it is another \nview of looking at this same report. So the plus ups or the \ndiscussions with the House side again is that scorecard really \nmeasuring security, or is it just measuring the compliance with \nthe information that comes into FISMA. So it is the same \ndebate. It is just another view of looking at it.\n    Senator Carper. Yes. And we keep coming back to that issue. \nAre we measuring compliance or are we measuring security. I am \nreminded of my old job. Before Senator Coleman came here, he \nwas a mayor of a big city in Minnesota. But I was governor, and \nwe worked a lot on education reform, trying to spell out what \nstudents ought to know and be able to do in math, science, \nEnglish, and social studies. 
We spelled out our academic \nstandards in those subjects.\n    And we began to measure student progress toward mastering \nthose academic standards in math, science, English, and social \nstudies. Up until that point, there had been no way to judge \nacademic performance by how much money we spent per student or \nhow--what kind of degrees the teachers had. We judged inputs \nand process more than we did outputs and outcomes.\n    And this debate reminds me a little bit of what we went \nthrough in education.\n    Do you all think we are doing a better job in terms of \nmeasuring outcomes as opposed to a process? Are we measuring \nthe right stuff?\n    Mr. Wilshusen. I would say as part of the FISMA reporting \nprocess that the metrics that OMB has established that we are \nnot effectively measuring the effectiveness of security \ncontrols or the quality of the control processes because, for \nthe most part, they are measuring just the performance of a \ncontrol activity, not its effectiveness. And I think there \ncould be some other measures that are appropriate to help show \nwhat the effectiveness is.\n    OMB does ask the IGs to comment on the quality of certain \nprocesses, but there are other processes that could also be \nevaluated as related to its quality.\n    Senator Carper. All right.\n    Ms. Evans. So I would like to add to this that every year \nwhen we do the annual reporting requirements, we send out the \nupdated draft, and we ask for different metrics, if people want \nto improve the metrics or change the metrics in order to get to \nsome of the issues that we are talking about today.\n    We send it to the IG community. We also send it to GAO, to \nenhance or add additional pieces. 
We have added additional
areas dealing with privacy, so we are now measuring privacy in
a government-wide capacity, and we have added those metrics.
    But some of the suggestions that have come in when we have
looked at them, we have evaluated whether they have always been
accepted or not, whether we are actually still getting to is
that another output metric or is that really a performance
metric.
    So another example, real quick example, that I would like
to give is what we are trying to do is use this information to
inform solutions that get us to that result.
    So one of the things that came in that we see, the increase
in incident unauthorized access that we were previously talking
about, that is an 85 percent increase and that is from lost or
stolen equipment.
    That gets back to the additional guidance that we gave the
agencies about encrypting data on devices that are mobile. And
then what we turned around and did was put in a BPA, a
government-wide BPA----
    Senator Carper. What is a BPA?
    Ms. Evans. It is a blanket purchase agreement----
    Senator Carper. Thank you.
    Ms. Evans [continuing]. Which allows agencies to use it so
that they do not have to procure their own solutions and that
everything is on that particular contracting vehicle so that
they can then go, leverage our buying power, and have
encryption tools then put in place.
    So we are using the data that comes in that may be output
data to get to more solutions, more results, more performance
types of activities instead of trying to really, since we have
not gotten good metrics--we feel good metrics that measure
performance and effectiveness to try to get to solutions that
are really getting to the results, and we are using the data to
inform those types of solutions that we are putting in place.
    Senator Carper. All right. Let me stop right there and
recognize Senator Coleman. Glad that you are here.
Thanks for
joining us.

              OPENING STATEMENT OF SENATOR COLEMAN

    Senator Coleman. Pleasure to be here, Mr. Chairman, and
thank you for the opportunity to participate in this
discussion.
    Mr. Chairman, I have a more complete statement I would like
entered into the record.
    Senator Carper. Without objection, it will be put in.
    [The prepared statement of Senator Coleman follows:]
             OPENING PREPARED STATEMENT OF SENATOR COLEMAN
    I want to begin by thanking Chairman Carper and Ranking Member
Coburn for holding this hearing and for permitting me to attend as I am
not a Member of this Subcommittee. As the number of cyber attacks on
Federal Government networks continues to increase, it is important that
we review agency compliance with the laws in place to prevent those
attacks such as FISMA and if they need to be strengthened.
    One area of concern I have is what the Federal Government is doing
to fulfill its responsibility in maintaining and protecting sensitive
Personally Identifiable Information (PII) that Americans are required
to provide for a wide array of reasons, including paying taxes,
receiving medical and disability benefits, and obtaining retirement
compensation. This PII includes names, addresses, Social Security
numbers, biometric records, and other data that is linked or linkable
to an individual. Identity theft and fraud are national problems that
affect approximately 10 million Americans each year so it is critical
the Federal Government take steps to ensure PII does not fall into the
wrong hands.
    In the wake of the VA data breach in 2006, I asked GAO to conduct a
government-wide review of current policies on the books to protect
Americans' personal information held by government agencies.
The
findings released in this report are very troubling--seeming to
indicate that agency after agency is failing to make securing citizens'
personal information a high priority.
    As a result of this GAO Report, Senator Collins and I sent a letter
to every Agency requesting in writing a timeline of when they will meet
the recommendations put in place by the Office of Management and Budget
(OMB) for increased cyber-security. I want to thank the VA who has
responded and indicated they are compliant or have achieved significant
milestones with the OMB memoranda. I also want to thank USAID who has
responded and offered details for compliance. I look forward to
receiving responses from other agencies as well so we can get an
accurate picture of where things stand.
    The fact is the clock is ticking and we need to know when the
agencies are going to have the protections in place to stop the
numerous data breaches we have seen over the past few years. Our
citizens deserve nothing less. The bottom line is the Federal
Government has a responsibility to ensure the personal information it
collects from its citizens is properly secured and protected. The
sooner the Federal Government acts, the sooner Americans will be
protected from the damaging consequences these breaches can have on
their personal lives.

    Senator Coleman. In wake of the Veterans Affairs data
breach in 2006, I had asked GAO to conduct a government-wide
review of current policies on the books to protect America's
personal information held by government agencies.
    And I think the findings here--Ms. Evans, I appreciate the
work that has been done. The findings are troubling.
It still
seems to indicate that we are moving forward at the pace that
we need to move forward.
    Senator Collins and I, as a result of the GAO report, sent
a letter to every agency asking in writing and timeline of when
they will meet recommendations put in place by OMB for
increased cyber security, and I am not going to get into all
the details of that. Certain agencies have done very well and
responded, and others are still not there. And I think the
clock is ticking, and we have to move forward.
    But my more complete statement will touch upon that. The
question I have is about looking for solutions and just so I
can tell two anecdotes, Mr. Chairman, before the question.
    One is in some of my dealings with IRS and other agencies
what I have found consistently as folks come back and saying we
cannot move quickly enough on the text because we do not have
the capacity. We do not have the people, the skills to do the
software, to do the kind of things that need to be done. I find
that troubling. I tied that into a discussion that I had as a
Member of Homeland Security and Governmental Affairs Committee
and doing oversight of Hurricane Katrina. And a witness was the
IG for one of the Inspector General--I think Homeland Security,
and he was saying that we had all this food in the pipeline,
but we did not know where it was. We did not have the technical
capacity. And my question was literally well, why do you not
call FEDEX or UPS--that the capacity is out there in the
private side.
    And so my question is that so many of the things that we
are discussing here are not unique to government--the
challenges are not unique to government. The private sector
faces similar challenges. In many instances, they may have
greater capacity to come up with solutions than we do for
whatever reason. And so my question is what degrees are
departments and agencies partnering with the private sector?
Are there vehicles passed to do that? And does the same hold
true for a State and local government agencies?
    Ms. Evans. OK. So first, on State and local government
agencies, they can work right off of the same solutions that we
have. So when I talked about the encryption that we had in
place and that blanket purchase agreement that we put in place,
we use the authorities under the E-Government Act to extend
that out to State and local governments beyond what is normally
available to them under what they call Schedule 70, which are
the IT schedules that are managed by the General Services
Administration.
    So what happened in that particular case was all the tools
that we identified that we worked with DOD--was key in this--
that is all extended out to State and local governments. They
have exercised that. They have the same problems that we have
done.
    As a matter of fact, the State person from New York who
works on cyber security sent me a note before the hearing last
week and 15 States have used that. They have had a savings of
over $34 million using the encryption products that are
available there.
    So we have done that so that they can learn from us on
that.
    As far as public and private partnerships, the E-Government
Act, all of our authorities currently now allow us to do that.
    And the Federal Desktop Core Configuration, what we were
just talking about, is a prime example of public-private
partnership. We went to Microsoft, building off of existing
relationships that the Department of Defense had and the
Department of Homeland Security and said OK, now Defense has
done this. This is a best practice.
    We want to take this to the entire Federal Government. What
is the impact of that? And they worked with us jointly.
When we
talk about a secure desktop configuration, that is 700 security
configurations that are being set on the desktop.
    And what Microsoft is doing is supporting that through the
regular distribution channels. So there is no impact to the
market on this, other than the Federal Government improves from
that. And the way that we have done it is in a very transparent
way using NIST and so all of that is published. All that
information is out on the NIST Web site. All of it is available
for everyone, not just us--countries, anyone--can download that
information and use the same secure configurations that we are
and work with Microsoft through the same existing types of
applications and contracts that they had to do it.
    Senator Coleman. Mr. Wilshusen, would you--and perhaps what
I would add to that is are we--and I appreciate the fact that
States and locals can kind of work off what we are developing.
Are we confident that the systems that we are using are, in
fact, the best practices that equal those practices that are
being employed in the most high tech, fully funded private
companies?
    Mr. Wilshusen.
Well, I would say in terms of the IT
contractor Federal Government partnership is that in most of
the Federal agencies they do rely extensively on contractors to
provide IT services and in many cases even information security
services.
    And one of the key requirements for the Federal agencies,
though, is to make sure and provide the appropriate oversight
and monitoring of the activities of the contractors, to make
sure that if they are operating systems is on the agency's
behalf that those systems are also adequately protected.
    We did a review a couple of years ago in which we found
that many of the agencies at that time had not developed
policies and procedures for effectively monitoring the
activities of the contractors to assure that they were
implementing the security requirements under FISMA and the
like.
    That probably does not answer your question.
    Senator Coleman. No, what you are telling me is even as we
do with contracts, is we have to have some of the same concerns
about access to data----
    Ms. Evans. Yes.
    Mr. Wilshusen. Absolutely.
    Senator Coleman [continuing]. And security. My question
went to the concern that I have had in dealing with technology
to see the Federal Government saying we are not using, always
using, the best practice, not using the highest level of
material that is available. And I just want to make sure as we
tackle this area that we are not just kind of inventing the
wheel--reinventing the wheel here, but if it has been invented
and used somewhere else that we are able to absorb it and use
it quickly.
    Well, I think the example that Ms. Evans provided with
regard to the Federal Desktop Core Configuration is one of
those instances where the Federal Government and Microsoft and
its partners are taking a leading role in identifying basic
security requirements that can be applied on a mass basis.
    Senator Coleman. Thank you, Mr.
Chairman.
    Senator Carper. You bet. Those are really good questions.
Are there not other companies or organizations that use outcome
metrics to measure security? I think we touched on this, but
let me just go back. Are there not? Can somebody respond to
that?
    Mr. Wilshusen. We have not done a review of what private
sector organizations have done in terms of conducting and
identifying meaningful, useful performance outcome-based
performance metrics. But that would certainly be something that
we would be willing to do with you.
    Senator Carper. Are the policies that are in place set up
to be responsible to the new emerging threats? This has to be
tough, because there are more and more bad guys out there. They
are not just hackers and young people looking for a thrill.
They are governments, or the Chinese or others, Russian
nationalists. They are folks that have criminal intent, and
they are looking to hit the jackpot and taking advantage of
these situations.
    In terms of the threats that we see, just give us some
ideas. Has half of this activity, attempts to penetrate our
system, is it coming from hackers? How much is coming from,
like foreign nationals? How much might be coming from criminal
organizations? Any sense for at least for our systems, the
stuff that we are trying to protect?
    Ms. Evans. I would refer us back to the report itself,
which categorizes the different types of incidences. So some of
the specific examples that you are giving would fall under the
category that we have under investigation. And that shows an
increase from last year of 912 incidences to 4,000 incidences.
And it can be that it is under investigation----
    Senator Carper. Sorry. Say those numbers again?
    Ms. Evans. Last year, we reported. So all the different
categories that you just talked about would be in what we
categorize in the report as under investigation.
And so last
year, for Fiscal Year 2006, we reported 912, and this year
(2007) we were----
    Senator Carper. This year being 2007?
    Ms. Evans [continuing]. Reporting 4,056.
    Senator Carper. OK.
    Ms. Evans. Now several of those are related again to the
increased reporting that we had because of the lost and stolen
equipment, so it is under investigation because we involved law
enforcement from that perspective.
    So a lot of what you are asking falls into that category,
and I think that without getting into all the specifics of what
you are saying is that the better category to look at is what
is under investigation.
    Senator Carper. All right.
    Mr. Wilshusen. One other category potentially could be the
unauthorized access that is reported to U.S.-CERT, too, because
those are actual instances where an intruder or an unauthorized
individual gain access to information that they did not have a
right to.
    Senator Carper. OK. The State of Delaware is the home to a
number of large financial institutions. Some of them are credit
card operations, others do other kinds of financial services--
and some of the best in the world.
    I used to watch as MBNA, which was one of the largest
credit card banks in the world and now is part of Bank of
America, when I remember a dozen or so years ago, they started
hiring people who had been in the FBI, folks who had been with
top folks in the Armed Services, and I was struck by how they
were really going after people with a law enforcement
background.
    And what they were doing back in the last decade was
beefing up their ability to protect their sensitive information
from these kinds of threats. I did not realize it at the time,
but eventually I did.
    What can we learn from them? This question has already been
asked to an extent. But what can we learn from financial
institutions?
What did Willie Sutton used to say when they
said, why do you rob banks? He said that is where the money is.
And if I were a hacker and I had criminal intent and I was
looking to find financial gain, I do not know that I would
necessarily go after the government first. I might go after
these financial institutions. But what can we learn from them?
What are we learning from them? And just as the threat changes,
the nature of the threat changes constantly, it sounds like,
and we have to get better and better, I am sure the same is
true for some of these financial institutions and others that
they are trying to protect their information.
    All right. Mr. Bennett, anything you would like to offer?
    Mr. Bennett. Yes. Thank you. First, I think in the private
sector you find that the approach to information security in
most cases, certainly in the financial services sector, is a
continuous approach. And that is something that I think the
Federal agencies could learn; that you cannot just do a report
once a year or periodically, but it is a continuous effort.
There are thousands of attacks a day. DOD gets over a million
probes a day. It takes constant monitoring. That then spins off
to the issues of adequate resources and training, budget, and
personnel.
    The second thing is in the private sector, there has been a
convergence at the top levels, an awareness that the success of
the entity, of the corporation, of the business is aligned with
its information security practices.
Its reputation, the
intellectual property, the reputation of the company should
there be a massive data breach, the profitability of the
organization if the intellectual property has been stolen, its
ability to do successful merger negotiations could be
undermined if another party has been stealing their negotiating
position before they even walk into that negotiating room, and
there are stories of that.
    These all impact a company and can have an impact on the
market and the future of that company immediately. So security
is aligned with mission accomplishment, and I think that is an
area that the Federal Government could learn from the Federal
agencies.
    The most senior officials at our agencies need to
understand that protecting their information systems and the
information that they contain needs to be protected on an
ongoing basis in the best possible risk-assessed fashion that
fits within their budget.
    You cannot have a situation where Cabinet officers go to a
meeting with foreign government and before they even show up,
their counterpart on the other side of the table already has
their briefing paper and their talking points or might even
know the U.S. negotiating parameters.
    I would not be surprised if this has not already occurred.
    And then for the Cabinet officer to return and be stunned
and be upset with his staff who leaked that. Well, it was not
leaked. You had a foreign party that was in your data system
before you even headed out to Dulles Airport.
    So we need the top levels to appreciate the critical
importance to the economic security, national security of this
country, and the importance of protecting their data systems.
    Senator Carper. All right. I want to talk about incentives.
One of the things we like to do in the oversight work in this
Subcommittee, and really on our full Committee, is to look not
in order to change behavior or to get the kind of behavior we
want from Federal agencies, not just to penalize them or to
rap them on the knuckles. We want to incentivize them to,
which is a positive reinforcement of the good behavior that we
see and we want others to emulate. But incentives can be a
powerful motivator, I am sure we will all agree, for achieving
goals. And without them, many times we are going to fall short
of where we want to be.
    If information security is one of our top priorities and it
clearly needs to be, what type of incentives can we provide to
help agencies put in place the policies and the procedures that
are needed to have more effective information security
programs?
    Ms. Evans. Well, I will take the first shot at this,
because it is actually following back up off of what my
colleague, Mr. Bennett, has said, and that is having the agency
head, and, in this case, from the OMB Director to the President
of the United States involved in this, which we are. This has
been an Administration priority that has been demonstrated
through the National Cyber Security Strategy, through our
investment in cyber security in the budget and having the
resources, looking at workforce issues--all of the things that
we have talked about. But one strong thing and one thing that
the agencies respond to that Congress could do, which we
believe we are doing, is the public accountability.
    And so through the President's management agenda, by giving
something as simple as a red, yellow, and green, because we
have focused a lot about the scorecard that Congress issues on
cyber security; that means a lot to Federal agencies, the
public acknowledgement that they are improving; that they are
achieving the results.
That is something that Congress can do
and has done.
    What we have a tendency to focus on are the bad things of
where an agency is not doing the things that they need to do.
That makes better news. Those are better stories to put out
there, not necessarily that this agency----
    Senator Carper. Are you suggesting that the media tends to
report bad news? [Laughter.]
    Ms. Evans. Yes, sir. So what I am suggesting is what really
drives a lot of public service and the reason why the folks are
there in those agencies is to deliver that mission for the
American people. They do not want to lose the information. They
do not want to put citizens at risk.
    So when an agency is doing a really good job and a
comprehensive job, the acknowledgement of that in a public
forum to say they are doing a good job goes a long way, and is
a huge incentive.
    Senator Carper. All right. Thank you. Mr. Bennett.
    Mr. Bennett. Yes. I think what we have learned in the
private sector and I am sure translates to the public sector is
that you are going to get the greatest return on security when
there is individual accountability on security. It cannot just
be agency-wide and such as the agency-wide grades that we have
been talking about.
    So perhaps certain metrics or parameters have to be put in
the individual performance appraisals, and if there is poor
performance, certainly in the private sector, there would be
the ultimate outcome of dismissal of employment, termination of
employment. Whether that is possible under the Federal system,
I do not know.
    But, that increased accountability has to be there.
    At the same time, good performance does have to be
rewarded, both in public recognition, but also in monetary
bonuses to the employees, bonus vacation days, things of that
nature that I believe are permitted under the Federal system.
    That type of recognition is also good.
There is also the
budgetary authority; maybe an agency should be penalized if it
is getting a D-minus or an F; whereas, but not the spending on
security with the agency, and if they get good grades, set by
certain parameters, then somehow in the budget process, either
reallocation within an agency or in the next appropriation
process, that agency should be rewarded with that money
dedicated--I know earmarks are a problem--but dedicated to
spending for improved cyber security. And then auditing--if you
get a good grade, maybe you will not be audited as often. You
come up with poor grades; we are going to start auditing you
more often.
    Senator Carper. Senator Coleman.
    Senator Coleman. Mr. Chairman, I wanted to get to the
second panel. But your very question, actually the area of--and
I am not sure if I will have time----
    Senator Carper. Well, when we go to the second panel, we
will let you ask your question.
    Senator Coleman. I appreciate this concept of a security
line with the mission accomplished----
    Senator Carper. Yes.
    Senator Coleman [continuing]. That is really critical.
Thanks.
    Senator Carper. Just one last question for this panel, and
it is a workforce question. Ms. Evans, you said back in, I
think it might have been December when we held a hearing. I
think we were authorizing the E-Government Act--that you
recognized that you did not have effective measures in place to
fill the necessary workforce gaps in IT-related positions.
    And since then, has OMB created effective or more effective
measures and is there a comprehensive plan that attempts to
address some or all of these shortages?
    Ms. Evans. So we have recently released the workforce
assessment, and what we have done is we have broken it out to
identify the gaps, and then each and every agency now has a
workforce plan.
They have identified the target competency
level within each of these areas; cyber security is one of
them, and they have a plan that closes the gap. For example, in
this area, what they are doing is they are measuring
certifications and they are putting together a training program
associated with that.
    What I am now looking at is OK so we have taken it to the
next level. It is not just the number of people hired, but it
is now certifications associated with cyber security. What we
are now looking at through the cyber initiative is education
overall so that we can look to make sure that the education
programs and the certifications that these agencies are getting
for their employees will be--and I am going to use the term
harmonized--so that you know that if I get the education at one
university, it is going to be the same education at the other
university so that when I come into the workforce I have the
same set of skills.
    And so that is a longer-term effort that we are working on
now. But we are working with the National Science Foundation
and few other of the programs that we have in place to
harmonize that education process.
    Senator Carper. All right. Before we excuse this panel,
just give us some good heartfelt advice for those of us in the
Legislative Branch of what we can do to be a better partner in
this effort. We have a lot at stake. It is a tough battle, a
tough challenge that we face. It sounds like it is getting
tougher, and we want to make sure that we are being supportive.
    Part of what we are doing is trying to play an oversight
role. I think the House has been doing that as well.
And it is
important for us to do that, too.
    But it is not enough just to put a spotlight on the areas
where we may have some disappointing performance, but it is
important that we find ways that we can incentivize better
behavior and also ways that we can be constructive.
    So in closing out, if you all would just share with us an
idea or two, you might have on how we can be constructive and
helpful.
    Mr. Bennett mentioned, for example, he mentioned
legislative--some legislative work that we had to do.
    Mr. Bennett. Right.
    Senator Carper. And, feel free if you agree with that or
disagree with that that would be helpful to hear, too. Mr.
Bennett, do you want to go ahead?
    Mr. Bennett. Thank you, Mr. Chairman. Well, I think our
approach would be--the overall problem of information security
is enormous; is very difficult to get your arms around it. But
there are incremental steps that can be taken and should be
taken. With respect to protection of our Federal information
systems, we have made our recommendations in our written
testimony. We feel that they are all manageable. They are not
by way of criticism of the men and women who are working on
this within the Federal agencies, but instead we are saying
based upon experience, this is a way now to take us forward
based on the past 5 years experience and lock in and improve
security to the extent we can.
    We believe the cyber crime bill that this chamber passed in
November by unanimous consent now sitting with the House will
help give increased authority and increased penalties for the
U.S. Department of Justice to use in fighting cyber crime.
We
believe that the next Congress is going to need to take on a
broader data security bill that includes issues of data breach
notification that both you, and Senator Coleman, have been
extremely active on in this particular chamber and that we
support--protecting personally identifiable information.
    We need to bring all entities that hold large amounts of
information, our universities, which are one of the biggest
targets of attack. Home users, government, businesses--they all
need to bring their standards up such as the financial services
sector has done with the PCI standards. We need to start
bringing everybody's awareness up through public education,
which is another component here, and also it is going to take
legislation; otherwise, they will not do it.
    We need a broad data security and breach notification bill
hopefully in the next Congress to bring the overall standard up
against protection, because quite frankly, the bad guys are
winning. They evolve extremely rapidly. We are now even seeing
malicious code being tweaked on a daily basis in some cases to
get around patching, so it is a leapfrog process. They have
tremendous financial resources that a Federal agency cannot
match. So we need to take whatever steps we can, but it is
warfare. It is warfare against organized crime, individual
hackers, and state-sponsored.
    Senator Carper. All right. Mr. Wilshusen, any parting
advice for us on the legislative end?
    Mr. Wilshusen. Well, I would just say that there could be
some opportunities to tweak FISMA to make it more strenuous and
clear in certain areas in terms of certain requirements that
need to be performed perhaps as it relates to the testing and
evaluation security controls, some of the FISMA reporting
requirements, as well as the annual independent evaluations
performed by the IGs.
    Senator Carper. All right. Thank you. Ms. Evans.
    Ms. Evans.
I would agree that maybe some clarification as
agencies go forward, but I would caution against major changes
to FISMA, only from the aspect of agencies understand it. Now
whether we agree with whether it is producing the right result
or not, the framework is a sound framework.
    And what my concern would be is to do a major change to it
would then mean that we have to reinstitute policies, reeducate
the agencies, when we are really trying to be focused on what
the results are.
    I would encourage more of the types of activities that
Senator Coleman and Senator Collins did following up on certain
things, going back out to see if the solutions have actually
been implemented, asking agencies to produce results of that
and show, give evidence that they have actually implemented
those solutions, and those types of things.
    And that is where Congress can be very helpful in making
sure, and that follow up is very powerful, because you are
following up on policies and statutes that are in place to make
sure the agencies are really putting those solutions in place.
    Senator Carper. All right. Ms. Evans, Mr. Wilshusen, and
Mr. Bennett, thank you so much for being with us today, for
your thoughts and your willingness. One of the questions I am
going to come back to you, Mr. Bennett, you gave us, I think,
in your written testimony a number of recommendations. And I
would say to Ms. Evans and Mr. Wilshusen, one of the things
that I am going to do is come back to you, each of you, and
just ask you to evaluate the recommendations--which one do you
agree with, which one would you modify, which ones do you
disagree with, but that will be most helpful. All right. Thank
you very much.
    Mr. Bennett. Thank you.
    Senator Carper. Welcome to the four members of our second
panel. We are glad that you are here, and we thank you for
joining us.
I am going to take just a moment and introduce each \nof you, if I can and then we will call on you to give us your \ntestimonies.\n    We just start with Hon. Robert Howard, Assistant Secretary \nfor Information and Technology. Mr. Howard serves as the \nDepartment's Chief Information Officer, advising the Secretary \nof Veterans Affairs on all matters pertaining to acquisition \nand management of IT systems.\n    Prior to his nomination, he retired as a Major General from \nthe U.S. Army in 1996, where he served for 33 years. How did \nyou get your commission?\n    Mr. Howard. ROTC, sir.\n    Senator Carper. Me, too. Good for you. Where did you go to \nschool?\n    Mr. Howard. Northeastern University.\n    Senator Carper. All right. And while on active duty, Mr. \nHoward served in a variety of command and staff assignments in \nthe continental United States, Europe, and in Asia; two tours \nof duty in Vietnam--a part of the world where I spent some time \nmyself. I think you and I must be about the same age.\n    Our next witness is Susan Swart, Chief Information Officer \nat the Department of State. Ms. Swart is a member of the Senior \nForeign Service for the rank of Minister of Counselor. What do \npeople call you when they address you--Minister-Counselor \nSwart?\n    Ms. Swart. No title.\n    Senator Carper. All right. When I was governor, they \naddressed me as excellency. And how about mayor?\n    Senator Coleman. Mayor.\n    Senator Carper. All right. But Ms. Swart is a member of the \nSenior Foreign Service with the rank of Minister-Counselor and \nwas recently appointed as the Chief Information Officer in \nFebruary 2008. Congratulations.\n    Ms. Swart. Thank you.\n    Senator Carper. Prior to assuming her new position, she was \nthe Deputy Chief Information Officer for Business Planning and \nCustomer Service and the Chief Knowledge Officer from April \n2006. I like that--the customer service. 
That is good.\n    Our third witness is Daren Ash, and Chief Information \nOfficer and Deputy Executive Director for Information Services \nat the Nuclear Regulatory Commission. Mr. Ash has over 15 years \nof Federal service. How many years at the NRC?\n    Mr. Ash. About 10 months.\n    Senator Carper. All right. Prior to joining the NRC, Mr. \nAsh worked as the Department of Transportation's Associate \nChief Information Officer for IT Investment Management, and for \nclose to 2 years, he led DOT's information assurance and the \nsecurity privacy and enterprise architecture, capital planning, \nand information resource management activities.\n    The final witness is Phil Heneghan, Chief Information \nSecurity Officer and Chief Privacy Officer at the U.S. Agency \nfor International Development. During the last 5 years, he has \nbeen responsible for managing the USAID Information Systems \nSecurity Program.\n    Mr. Heneghan led the development of the FISMA program that \nimproved the agency's FISMA grade from an ``F'' in 2003 to a \ngrade of ``A-plus?''\n    Mr. Heneghan. Yes, sir.\n    Senator Carper. Were they grading on a curve? What do you \nthink? No? [Laughter.]\n    That is pretty amazing--in 2005, at least that was the \ngrade appointed by the House Committee on Oversight and \nGovernment Reform.\n    USAID has maintained the A-plus for its information \nsecurity program for the past 3 years. Great fun.\n    Mr. Howard, you are recognized first, and again use 5, 6, \nor 7 minutes for your statements and then we will ask some \nquestions. All of your entire written statement will be \nadmitted for the record.\n    Mr. Howard. Thank you, sir.\n    Senator Carper. Sure. Thank you. And let me just say thank \nyou for your service in the Armed Forces of our country.\n    Mr. Howard. And for yours, sir.\n    Senator Carper. My pleasure.\n\n   TESTIMONY OF THE HON. ROBERT HOWARD,\\1\\ CHIEF INFORMATION \n          OFFICER, U.S. 
DEPARTMENT OF VETERANS AFFAIRS\n\n    Mr. Howard. Good afternoon, Chairman Carper, Senator \nColeman. Thank you for your invitation to discuss the ability \nof the Department of Veterans Affairs to protect and secure \nsensitive data.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Howard appears in the Appendix on \npage 98.\n---------------------------------------------------------------------------\n    Information protection is a top priority within VA and is \nhighlighted as one of the five principal priorities in the \nFiscal Year 2006-11 VA Strategic Plan.\n    As you are well aware, May 3, 2006 was the day of the theft \nwhich led to the temporary loss of personally identifiable \ninformation of up to 17.5 million veterans, some of their \nspouses and some active duty personnel.\n    Although the follow-on investigation confirmed that \ninformation was never accessed, that day was a wake-up call, \nnot only for VA, but for the entire Federal Government as well \nas the private sector.\n    As a result of that incident, we began to improve our \nsecurity posture and create the environment needed to better \nprotect any sensitive information entrusted to us.\n    Clearly, the centralization of information and technology \nwithin VA has had a positive impact regarding the protection of \nsensitive information. Within this new structure, we have \nestablished a separate organization, called Information \nProtection and Risk Management, that is dedicated to improving \nour overall data security posture.\n    A new Deputy Assistant Secretary position has been \nestablished to lead this organization and help provide the \nimportant focus that is needed.\n    I would like to take a few moments and just mention a few \nthat are in the room with me today. This is a very important \nteam we have. Several key leaders from this organization are, \nin fact, here. 
Adair Martinez is my Deputy Assistant Secretary \nfor this organization. Jaren Doherty is our new Chief \nInformation Security Officer----\n    Senator Carper. Could I just ask you, as your names are \nmentioned, just raise your hand so we are able to put a face \nwith name?\n    Mr. Howard. Yes, sir.\n    Senator Carper. Adair Martinez. OK. Thank you.\n    Mr. Howard. Jaren Doherty is our new Chief Information \nSecurity Officer, which we have been seeking for 2 years. He is \nnow on board. He oversees cyber security. Kathryn Maginnis is \nin charge of incident response and risk management. Sally \nWallace leads our efforts in the area of privacy and records \nmanagement. And Charlie Gephart is our Director of Field \nSecurity Operations, who has all the field security individuals \nthroughout the organization.\n    Andy Lopez has recently established our business--Office of \nBusiness Continuity. And in addition, there is Arnie Claudio, \nthe Director of our Office of IT Oversight and Compliance, a \nvery important capability as I will explain in a moment.\n    Sir, as I mentioned, this is a very important team for VA \nbecause these individuals form the leadership core for \ninformation protection. They are all focused on the \nimplementation of a wide variety of activities that are moving \nus to a much more secure posture than which currently exists in \nVA.\n    One of the most important steps we have taken is to help \ncreate a robust information security environment, the \ndevelopment of a comprehensive action plan. 
We call that the \nData Security-Assessment and Strengthening of Controls program.\n    It focuses on three major areas: Managerial activities, for \nexample, the establishment of policies and directive; technical \nactivities--the example there would be better software tools, \nsuch as encrypted thumb drives; and operational activities, and \nexamples there would be establishment of procedures to provide \nan enhanced employee training environment and overarching \nprograms to enhance individual employees' awareness of their \ninformation security responsibilities.\n    This particular program, which includes several hundred \nspecific actions, is oriented on improving the position of the \nVA in the entire area of information protection.\n    To date, we have had about 40 percent of the actions \ncompleted.\n    One especially important action was the completion and \npublication of VA Handbook 6500 back in September 2007. This \nhandbook describes the VA Information Security program, and it \nalso includes the national rules of behavior, a document that \nemployees must sign before they are given access to our \ncomputer systems and sensitive information.\n    While we have made progress, there is still much to be \ndone. With respect to FISMA, there are five problematic areas \nfor VA: Annual testing and system inventory; the plan of action \nand milestone process; certification and accreditation of IT \nSystems; configuration management; and security awareness \ntraining. These are problem areas for us.\n    We continue to make progress in each of these, and the \nactions to correct related deficiencies are all included in \nthat comprehensive action plan that I just mentioned.\n    Incident response in our program for oversight and \ncompliance are two very important initiatives where we have \nmade substantial progress. And these activities I believe are \ndefinitely making a difference throughout VA. 
But even with all \nwe have accomplished, we still experience security and privacy \nincidents. We consider any data breach to be serious if veteran \nor employee sensitive personally identifiable information is at \nrisk. Many of these incidents are the result of human error and \ncarelessness, which is why it is so important to establish a \nculture and a strong environment of awareness and individual \nresponsibility throughout the organization.\n    In closing, we have a variety of aggressive programs in \nplace that will ultimately help us achieve the Gold Standard in \ndata security which, since the summer of 2006, has been a major \ngoal of VA. Much more remains to be done, but I remain \npersonally committed to working toward achieving this gold \nstandard goal, and I can assure you that VA senior leaders are \nequally committed.\n    Thank you for your time and attention today, and I am \nprepared to answer any questions you may have.\n    Senator Carper. General Howard, thanks very much. Ms. \nSwart. Welcome.\n\nTESTIMONY OF SUSAN SWART,\\1\\ CHIEF INFORMATION OFFICER, BUREAU \n  OF INFORMATION RESOURCES MANAGEMENT, U.S. DEPARTMENT OF STATE\n\n    Ms. Swart. Good afternoon, Chairman Carper and Senator \nColeman. I am pleased to have this opportunity to testify \nbefore the Subcommittee concerning the protection of information \nand information technology. My statement will provide an \noverview of the Department of State's Information Security \nProgram, followed by a few suggestions on enhancing FISMA.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. 
Swart appears in the Appendix on \npage 106.\n---------------------------------------------------------------------------\n    The Department employs a defense in depth security strategy \nproviding multiple levels of protection to address the global \nnature of our operations.\n    Over our global unclassified network, we process weekly \nabout 25 million e-mails and instant messages from more than \n50,000 employees and contractors at 100 domestic and 260 \noverseas locations.\n    Weekly we block 3.5 million SPAM e-mails, intercept 4,500 \nviruses, and detect over a million external probes on our \nnetwork. Cognizant of these risks, the Department leveraged \nits experience handling classified information when we \ndeployed Internet access across the enterprise and limited \nInternet access points.\n    In a continuation of this theme, the Department has been \nactively involved with the trusted Internet connection effort. \nThe Department employs network vulnerability scanning tools \nthat provide systems administrators worldwide with daily \nvalidation reports. 
These reports include information on patch \nmanagement, anti-virus updates, and security configuration \ncompliance.\n    The tools provide appropriate and timely risk management \ndata to administrators who have the means to address issues at \nthe local level.\n    Now I would like to highlight some of the specific efforts \nthat support the Department's defense in depth security \nstrategy.\n    To further FISMA's goal of providing better information \nsecurity, the Department established a Deputy Assistant \nSecretary level Information Security Steering Committee \nrepresenting a cross section of Department officials.\n    The forum provides a high level opportunity to ensure that \nthe principles of sound information security management are \ninstilled upon all Department employees as they fulfill their \nroles regardless of geographic location.\n    In 2003, the Department of State was cited by an \nindependent financial auditor for having a fragmented \ninformation security program that allowed for vulnerabilities \nto arise in the areas of external and internal systems security \ncontrols. As a result, the Department's information security \nprogram was identified as a material weakness.\n    Through the efforts of numerous Department officials, \ncontinuous and measurable progress was made in addressing the \nindependent auditor's concerns, and in the span of 2 years, the \nmaterial weakness was downgraded to a reportable condition and \nthen a deficiency.\n    Given our present progress, the matter is expected to be \nformally closed at the end of this fiscal year.\n    We have also strengthened our certification and \naccreditation. In 2006, the Department restructured its process \nand allowed for appropriate ownership of certification and \naccreditation within the bureaus while providing centralized \noversight and expertise.\n    These changes have been cost effective and transparent. 
\nSpecifically, certification and accreditation costs were \nreduced by more than 70 percent in the second half of Fiscal \nYear 2007 while maintaining 100 percent of systems certified \nand accredited.\n    The Department has been an ardent supporter of the \ninformation systems security line of business. Presently, the \nDepartment of State and USAID information security awareness \ntraining is used by four other agencies totaling over 40,000 \ngovernment employees and contractors in addition to our own.\n    The Department's accomplishments in the area of privacy \ninclude the development of a breach notification policy, \nprocedures for a core response group in the event of a breach, \nreduction and elimination of the use or dissemination of Social \nSecurity numbers, and enhanced attention to privacy impact \nassessments in the certification and accreditation process.\n    The Department has a process in place for encrypting all of \nits mobile computing devices. Department mobile users may only \naccess the Department's unclassified network through a two-\nfactor authentication system.\n    Reauthentication is required after 15 minutes of \ninactivity, which exceeds the standard.\n    While the Department and the rest of the community have made \ngreat strides under FISMA, there is room for improvement.\n    As GAO has noted, FISMA is structured in a manner where \ndisparities in audit scope, methodology, and content exist. A \npossible FISMA enhancement is the development of a common \nInspector General evaluation framework. 
Another enhancement is \nthe addition of quantifiable standardized repeatable metrics \nthat allow an agency to detect and react to cyber security \nthreats and manage vulnerabilities.\n    The Department has a variety of security services including \ncontinuous network monitoring, intrusion detection, technical \ncountermeasures, threat analysis, and physical and technical \nsecurity programs, none of which are completely reflected in \nthe current FISMA metrics.\n    Mr. Chairman, I want to conclude by reiterating the State \nDepartment's unyielding commitment to information security. I \nthank you and the Subcommittee Members for this opportunity to \nspeak before you today and would be pleased to respond to any \nof your questions.\n    Senator Carper. Ms. Swart, thank you very much for that \ntestimony. And we will now turn to Mr. Ash. Welcome.\n\n TESTIMONY OF DARREN B. ASH,\\1\\ DEPUTY EXECUTIVE DIRECTOR FOR \n   INFORMATION SERVICES AND CHIEF INFORMATION OFFICER, U.S. \n                 NUCLEAR REGULATORY COMMISSION\n\n    Mr. Ash. Thank you. Mr. Chairman, thank you for the \nopportunity to appear today to discuss the U.S. Nuclear \nRegulatory Commission's efforts to protect its information \ntechnology assets and sensitive information.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Ash appears in the Appendix on \npage 115.\n---------------------------------------------------------------------------\n    The NRC is very much aware of the magnitude of the computer \nsecurity challenge and the importance of strengthening our \ndefenses to meet it.\n    While a computer security program has been in existence at \nthe NRC since 1980, in November 2007, the agency established a \nnew organization, the Computer Security Office, as the focal \npoint for agency-wide efforts. 
In addition to addressing the \ncore requirements of FISMA, the Computer Security Office works \nwith other NRC offices on strategies to protect sensitive \ninformation.\n    In September 2007, the NRC Inspector General identified two \nsignificant deficiencies: A lack of current certification and \naccreditation and a lack of annual contingency plan testing for \nmost of the agency's systems. The NRC declared its Information \nSecurity Program as a material weakness.\n    Over the succeeding months, the NRC has taken aggressive \naction to strengthen our Information Security Program across a \nbroad range of activities. These include the following: \nCertifying and accrediting 12 systems since April 2007, \nrepresenting 32 percent of the 37 major applications and \ngeneral support systems. The NRC plans to certify and accredit \n10 additional systems by June 2008 and expects that all \nremaining systems will be certified and accredited in Fiscal \nYear 2009; consolidating systems within our inventory, and, \nwhere possible, modernizing legacy applications sooner; and \nrequiring that tests of system contingency plans be conducted \nby the end of June 2008 as well as linking the requirement to \nSenior Executives' performance.\n    The NRC also recognizes the importance of providing staff \nthe information security training necessary to carry out their \nassigned duties effectively. Rapid technology changes make it \nnecessary to constantly refresh the skills and expertise of \nemployees to keep pace with these changes. To date, the NRC has \nprovided comprehensive information security awareness and \ngeneral security training to all employees.\n    Despite the challenges, the NRC remains firmly committed to \nmeeting the standards and requirements of FISMA. Nonetheless, I \nbelieve implementation improvements are needed. 
Compliance, as \ncurrently measured, does not permit an accurate view of the \neffectiveness of its implementation because metrics concentrate \non development of plans, policies, and procedures, and the \nimplementation of controls. These metrics assume that all \ncontrols are of equal weight and importance. In practice, this \nis not true. For instance, FISMA could be adjusted to include a \nrequirement to report on agency controls to prevent data leaks. \nFurthermore, reporting should give greater weight to the \nimplementation of controls that defend against high impact \nthreats and that counter the most significant vulnerabilities.\n    I believe that FISMA requirements are sufficiently \ncomprehensive and flexible to permit an agency to balance \ncompliance requirements against overall needs for security. \nHowever, overemphasis on the annual report card does not allow \nfor a clear picture of the relative security posture of \nagencies. Implementing security that aims to simply satisfy \nreporting requirements will not necessarily lead to an \neffective Information Security Program.\n    In summary, executive management at the highest levels--\nChairman Klein, the Commission, has taken responsibility for \nthe security of NRC's information systems and FISMA compliance. \nThe NRC is taking strong and deliberate steps to build a sound \nInformation Security Program to address the security of NRC's \ninformation systems and correct FISMA compliance shortfalls. My \ngoal is to provide an effective security program that weighs \nrisk, openness, and cost as an institutionalized part of NRC \nbusiness practices.\n    Again, I thank you for the opportunity to comment on this \nimportant topic and I look forward to answering any questions \nthat you may have.\n    Senator Carper. Thank you, Mr. Ash. Mr. Heneghan. I am \ninterested to hear how you guys got all those A-pluses.\n\n  TESTIMONY OF PHILIP HENEGHAN,\\1\\ CHIEF INFORMATION SECURITY \n       OFFICER, U.S. 
AGENCY FOR INTERNATIONAL DEVELOPMENT\n\n    Mr. Heneghan. Thank you, Chairman Carper and Members of the \nSubcommittee, for the opportunity to testify on USAID's \ninformation security program and our implementation of FISMA.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Heneghan appears in the Appendix \non page 124.\n---------------------------------------------------------------------------\n    I would like to begin by describing USAID's mission and the \nunique information security challenges created by this mission. \nThen I would like to report on how our risk-based information \nsecurity program has successfully implemented FISMA. I will \nalso discuss how we use innovative techniques and technologies \nto measure and manage the risk to our information and systems.\n    USAID's mission requires us to work in developing countries \nand work in close partnerships with many different PVOs, \nindigenous organizations, universities, American businesses, \ninternational agencies, other governments, and NGOs.\n    USAID's Office of Foreign Disaster Assistance (OFDA) also \nresponds to complex emergencies and disasters, such as the \nrecent events in Bangladesh, Ethiopia, Kenya, and Sudan. This \nrequires USAID to support different risk models for network \noperations and creates many challenges for implementing a \nworldwide information security program.\n    Most of the USAID information technology activity occurs on \nAIDNET, which is a single worldwide network made up of 9,000 \ninterconnected workstations and 8,000 other network \ninfrastructure devices. Approximately 3,000 of the workstations \nare here in Washington, with the remaining 6,000 workstations \nlocated in more than 70 countries around the world.\n    AIDNET is constantly changing. 
We recently established a \nnew site in Banda, Indonesia, moved 11 other mission locations, \nwill soon set up another site in Pakistan, and are regularly \nchanging the communication channels for all sites back to \nWashington.\n    We need to understand, manage, and monitor these to our \nnetwork so that we can identify any change in the risk we have \naccepted. Our risk-based program requires us to be continually \naware of the changing structure of our network and our focus on \nmeasurement ensures we can.\n    Our information security program uses a risk-based \nmanagement approach to effectively implement appropriate \noperational, technical, and managerial controls. To support \nthis approach, we lean heavily on technologies that automate \nthe collection and reporting of security information and \nmetrics.\n    For instance, through technology we have automated our \nsecurity awareness training with a USAID-developed program we \ncall Tip of the Day. The Tip of the Day program provides a \nbrief security lesson and prompts the user to answer a question \nabout that lesson before the user logs into one of our \nnetworks. We have partnered with our colleagues at the \nDepartment of State to make this and other security training \navailable to others in the Federal Government and are proud \nthat this innovative program has been selected as a component \nof the Information System Security Line of Business.\n    For the past 4 years, we have used a robust vulnerability \nmanagement program that continually scans the 17,000 systems on \nour network to measure their security posture. 
This program \nensures that each system is evaluated about 10 times a month.\n    In 2006, we moved to the next level and implemented a risk \nmodeling program that couples this vulnerability data with our \nnetwork access rules to model our network and report any \nchanges impacting the risks we have accepted.\n    This virtual modeling occurs daily and provides a true \npicture of our exposure to identified threats. We have also \ncentralized the management of our entire security \ninfrastructure in Washington to collect and analyze security \nevents and network metrics from hundreds of remote security \nsystems around the world.\n    As one of the six Einstein pilot agencies since 2006, we \nhave exchanged situational awareness information that has \nbenefited our agency and the wider Federal community.\n    This was the beginning of a strong partnership with US-\nCERT, including the GFIRST Program. GFIRST has provided a \nsecure communications channel to the Federal community for us, \nand we are an active participant. Of course, these metrics and \ntechnologies would be useless if we did not engage the \nexecutives, managers, and system administrators responsible for \nindividual systems and networks.\n    This is an area where I believe we have implemented one of \nthe foundational tenets of FISMA. For each system and network, \nwe have identified the executive who owns the system, and, as a \nresult, has responsibility for and is in the best position to \nmake risk-based decisions regarding the system's security \ncontrols.\n    Our experience has shown that if provided the right \nmetrics, system owners apply the necessary resources to ensure \nthat their systems remain at an appropriately secure level. 
Our \nresponsibility is to provide those system owners with the \nmetrics they need to make information security decisions based \non risk.\n    Towards the goal of keeping executives informed of their \nsecurity posture, we produce monthly security reports on our \nsystems and networks and provide them to over 100 executives \nthroughout the agency.\n    We deliver these metrics in a report card format so that \nour leadership team can readily understand and act upon the \ninformation. We have found that because our reports are \naccurate, consistently produced, and actionable, they are \nextremely effective and, as a result, USAID maintains a high \nlevel of security on all our systems.\n    Our experience with FISMA has generally been very positive. \nWe have adopted the risk management principles of the law, \nincluding the regulatory guidance, and have built a robust \ninformation security program.\n    Protecting systems and information, though, is an ongoing \neffort. The threat is constantly changing, and attack \nmethodologies are continually evolving.\n    Therefore, we are always concerned about the threats we do \nnot yet know about. However, by understanding our environment \nand our baseline through the use of technology and process, we \nare in a better position to identify deviations that may \nindicate a new threat. We can then reduce our risk exposure by \nimplementing new operational, technical, or managerial \ncontrols.\n    I appreciate the opportunity to appear before you today, \nand I look forward to any questions you may have.\n    Senator Carper. All right. Thanks very much. Do I \nunderstand that you have gotten these A-pluses for 3 years in a \nrow?\n    Mr. Heneghan. Yes.\n    Senator Carper. And the first report card that you got was \na failing grade?\n    Mr. Heneghan. Well, luckily for me, I started my job 1 week \nafter we got an F.\n    Senator Carper. One week after?\n    Mr. Heneghan. Yes. 
I had nowhere to go but up.\n    Senator Carper. Yes. And you have.\n    Mr. Heneghan. And we got a C-minus the next year.\n    Senator Carper. And then after that?\n    Mr. Heneghan. We have stayed at an A-plus since then.\n    Senator Carper. You already mentioned this, alluded to it, \nbut just walk us through again--why do you think we have seen \nthe original, initial improvement and then the ability to \nsustain performance at what most would say a very high level?\n    How do you explain the success?\n    Mr. Heneghan. I think agency senior management took \nsecurity seriously. And by finding the executives who are \nresponsible for the systems, I think that is the better way to \ndo it. I guess prior to the time I was there, all of the system \ncertification and accreditation happened within the CIO's \noffice, and we moved that out to the owners of the systems--the \nCFO, for example. He is responsible for accrediting the system.\n    Now the certification would happen by myself across the \nagency--so that I can accept for the agency reasonable risk, \nbut not allow the CFO or someone else to have more risk on the \nagency.\n    But giving them ownership has solved a lot of problems for \nus. That is the primary thing that we have done.\n    Our awareness program makes everyone aware of security. The \nfact that every day everyone has to answer a question has \ncreated a climate of awareness on security.\n    Senator Carper. Yes. Do other agencies come to USAID and \nsay, what is your secret here? What are you all doing and how \ncan we emulate this? Does that happen?\n    Mr. Heneghan. Yes, that has, and a number of people----\n    Senator Carper. But from whom? Anybody at this table?\n    Mr. Heneghan. Yes. State and----\n    Ms. Swart. Our Chief Information Security Officer, John \nStreuferd, used to be the Chief Information Security Officer at \nAID.\n    Senator Carper. But did you steal him?\n    Ms. Swart. Yes. 
And our security posture is much better.\n    Senator Carper. Is that right?\n    Senator Carper. So in the end it is about people?\n    Ms. Swart. Yes.\n    Senator Carper. Yes.\n    Ms. Swart. Can I point him out since I mentioned him?\n    Senator Carper. Sure. Thank you. All right.\n    The agencies seem to be on the front lines in protecting \nour government's data. We have a responsibility, too, but the \nactual Executive Branch agencies are really on the front line, \nand I would like to get an agency's point of view on FISMA and \nhow it has been implemented maybe for the last 5 years since it \nwas enacted.\n    And could each of you maybe just briefly summarize whether \nor not you feel FISMA has created reliable metrics to measure \nyour agency's information security programs? And, if not, what \nkind of metrics or measurements would you like to see instead? \nGeneral Howard.\n    Mr. Howard. Yes, sir. I believe the metrics are fine, in \nFISMA . . . it is really a matter of discipline in following \nthe instructions, getting full involvement from the leadership, \nas was mentioned a couple of times here at the table. The law \nitself is, I think, adequate. It is up to us now to deal with \nit and get it done, and that is where the problem is. It is not \na problem with the guidance. The guidance is pretty clear. The \nproblem is, as you well know, getting people behind it. It is a \npeople issue, whether it is leaders or all the way down to the \nindividual employees. I mean, that would be my opinion.\n    Senator Carper. And how do we address that part of the \nproblem?\n    Mr. Howard. Sir, the agencies have to address it. In the \nVA, for example, we have an intense effort to try to turn \naround awareness in the sense of individual responsibility, and \nwe are not there yet. There is no doubt about it. We got a long \nway to go.\n    In the area of FISMA, as you well know, we have not done \nwell. 
Last year, we got an incomplete, and we did not even get \nthe thing in.\n    This year, we at least completed all of the controls that \nwere supposed to be done. That took some doing, but we got it \ndone. We are heading up, but I can tell you right now, there is \nan awful lot of work remaining.\n    Senator Carper. All right. Thank you. Ms. Swart.\n    Ms. Swart. I think that FISMA could be improved by adding \nmetrics that look at some of the things we are doing--scanning, \nnetwork intrusion, anti-virus patching--that directly have an \nimpact on our ability to thwart attacks, that would be an \nimprovement.\n    I think FISMA--it has been good because it has raised \nawareness. I mean, 5 years ago, you would not have an Assistant \nSecretary that would pay attention to system security, and now \nwe have done what we call 90-day pushes to get some attention \nof system owners that work for those Assistant Secretaries. \nThey are engaged in that activity. And they are personally \nfollowing up. So, from an awareness point of view, across the \nagency it has been very successful. People are tuned into the \nimportance of securing our systems, so in that respect, it is \ngood.\n    It would also be helpful to have a common yardstick for the \nIGs across the Federal Government to measure our performance. I \nthink that would also give a better sense of how well agencies \nare doing compared to each other. You would get a better sense \nof whether the F that we had in 2006 is the same F that \nsomebody else had in 2006.\n    Senator Carper. All right. Mr. Ash, I saw you nodding your \nhead at something Ms. Swart was saying. Tell us what that was \nabout?\n    Mr. Ash. It goes to the point that Ms. Swart talked about \nthe IG. 
And is the F that the NRC has--that we have is it the \nsame F that the State Department has.\n    Is what the IG in their audit--how they assess State \nDepartment's compliance--is it the same approach that NRC's \nInspector General took?\n    I included it as part of my written testimony, but that \ngets back to the point of we need a consistent approach--it is \nnot a matter of the law. But it is a matter of how the \nInspectors General address an audit consistently across the \nFederal space.\n    It is a good way--being able to have that commonsense of, \nis an F an F across the board? Is an A an A? Is USAID's A the \nsame as another agency's?\n    Senator Carper. Theirs is an A-plus.\n    Mr. Ash. Oh, I am sorry, an A-plus.\n    But going back to your other question I want to answer--\nyour question gets back to, for me, it is commonsense metrics. \nHow effective are we in defending the perimeter, defending--\nimplementing controls? How effective are we in enforcing and \nactually applying rules of behavior, not just signing a rules \nof behavior form, but actually knowing that we are actually \nadhering to it?\n    Those are the types of real time, real metrics that give me \na better sense of how effective is it. It is not just how many \ncertification and accreditations we have implemented, how \neffective our program process is, but again the people. Are the \npeople educated? Do they understand why we are doing this? Do \nthe executives understand this and are they really following \nthrough on the rules of behavior?\n    Senator Carper. Are we measuring effectiveness now?\n    Mr. Ash. I think in some aspects yes. Probably the one area \nthat I have always been a firm believer in is what they call \nthe plan of action and milestone process, where we identify \nrisk, where we identify a vulnerability. 
An effective security \nprogram means that you are doing a good job identifying what \nthose risks and vulnerabilities are, tracking them, documenting \nand tracking them and ultimately resolving them; again, \naddressing ultimately those risks and vulnerabilities, but \nhaving a legitimate, managed process to do that.\n    Senator Carper. All right. Mr. Heneghan.\n    Mr. Heneghan. The eight points in the FISMA law, I think, \nare effective. I do agree that better metrics to make sure, as \nSusan was saying, that you are aware of how many intrusions are \nhappening to you; are your systems being patched. Do you have a \ngood vulnerability management system. There are a lot of metrics \nassociated with that, but I think OMB could ask for as part of \nthe current FISMA reporting process, and I think those types of \nmetrics would help get to the results that everyone here is \nlooking for.\n    Senator Carper. All right. Was there anything that folks on \nthe first panel said that you just really resonated with you \nstrongly, that you said, that is for sure? I really think that \nis a great point.\n    Was there anything that you heard from the first panel that \nyou said, I do not agree with that? Maybe a point or two from \neach of you on that. Mr. Ash, you want to go first?\n    Mr. Ash. I think the one comment that resonated with me \nfrom a negative perspective was the comment that was made by \nthe industry representative about the Inspectors General----\n    Senator Carper. Which comment was that?\n    Mr. Ash [continuing]. That if you are doing well, maybe you \ntake a pass on having an audit the following year.\n    I do not think that is a valid or an appropriate approach. \nI think the Inspectors General have a defined responsibility, \nand I think for me, for the NRC, it continues to identify--\nhaving an annual audit will always give me an opportunity to \nidentify weaknesses.\n    Senator Carper. OK. All right. 
That might be something on \nthe minus side. Anything on the plus side that you want to just \nunderline and underscore for us?\n    Mr. Ash. I agree with Ms. Evans' comment about FISMA \ngetting away from paper, and for agencies that are doing well, \nit means that they have really taken it to heart. It is not \njust the paper-based process. It really is you are doing \nsecurity for the right reasons. You are doing it for the \nagency, and you are doing it for the mission.\n    Senator Carper. All right. Thank you. Ms. Swart.\n    Ms. Swart. I think both of the gentlemen on the first panel \ncommented again about the metrics and the standard yardstick, \nso I definitely agree with that.\n    On the negative side, the comment that because of the way \nFISMA is viewed to be a paper exercise, which I do not think \nmost agencies view it as, that leads to complacency about \nsecurity. I do not think that is true.\n    I think that, at least based on the experience in our \nagency, security is a very important activity, growing in \nvisibility, and yes, there are improvements that we can make \nand better ways to measure it, but I do not think that agencies \nare complacent. It is too visible and becoming more visible, so \nI do not think that was an accurate statement.\n    Senator Carper. All right. Thank you. Mr. Heneghan.\n    Mr. Heneghan. This might have been a question, but I think \nthat using technology that is available in the marketplace and \nbringing that to bear on our systems. We have done that for our \nrisk modeling program, which is primarily only used by Banks, \nbut we use our vulnerability management process, again, a \ncommercial product. So I think using the commercial market--\nbecause technology is changing so fast. They are keeping up \nwith it, and we need to stay with them to keep up.\n    Senator Carper. All right. Thank you. General Howard.\n    Mr. Howard. I would like to comment on the incident report. 
\nAgain, I think you were the one who asked why there are so many \nincidents in the VA, there is no question as to why there are--\nwe are reporting them with rigor.\n    Incidents clearly existed before, but now we report all of \nthem as a matter of policy. Do not even think twice. If you think \nyou have an incident, get it reported, because we have got one \nhour for the information to get to the US-CERT. So, when you \noperate that way, you are going to have a lot of incidents.\n    Fortunately, most of them are minor, but, every once in a \nwhile, we have one that is rather serious, requiring an \ninvestigation or whatever.\n    Every one of them, though, we pay attention to, even if it \nis only involving one veteran. We notify the individual. And if \nwe believe his information may have been compromised, credit \nmonitoring is offered.\n    Senator Carper. I guess at the VA, as you all know, and let \nme just say there are some things that you do at the VA are \nterrific--the way you have harnessed information technology for \nthe delivery of health care, something that we are emulating, \ntrying to do in Delaware, statewide, is wonderful and as a \nveteran who appreciates that we are now able to save money, \nsave lives, make employees, the agency employees, more \nproductive. I think that is just great stuff.\n    Mr. Howard. Sir, I am glad you mentioned that.\n    Senator Carper. Yes.\n    Mr. Howard. Could I make another comment on that?\n    Senator Carper. Please. Yes.\n    Mr. Howard. Because what you are talking about is a major \nchallenge for us within VA and the whole area of information \nprotection.\n    It is a balance issue. Let me give you a good example--the \nStandard Desktop Configuration that was mentioned earlier. 
We \nare now going through that in the VA--we are the second largest \norganization--240,000 people, desktop computers and laptops all \nover the place.\n    When we first started, we had 18,000 separate applications \nthat we had to work through. In some of these, if you apply the \nconfiguration controls, you put them out of business. I will \ngive you a specific example--blind rehabilitation was a small \ncomputer program that was put together some years back. We will \nsolve the problem, but you cannot automatically introduce some \nof these controls without testing them and being very careful \nin not shutting down some aspects of the business--a doctor \ntrying to care for a veteran.\n    That is a very real problem in the VA, to strike that \nbalance and get it right. We know what we need to do, but we \ncannot shut the business down at the same time. And we do not \nhave time. We know we have to keep moving as rapidly as we can.\n    Senator Carper. General Howard, you have been very frank \nand candid in saying that we do a much better job of \nidentifying and reporting, which is commendable, but you said \nwe have got a long way to go before where we need to be.\n    Do you all take advantage of an agency like USAID and just \nreach out to them and say well, how did you do it, and what can \nwe learn from them?\n    Mr. Howard. Sir, we have talked to other government \nagencies, not USAID. We learned the hard way in May 2006. It \nwas pretty obvious to us what needed to be done. But we have \ntalked to other government agencies, as other government \nagencies have talked to us, too, lots of them.\n    Senator Carper. OK. Mr. Heneghan, if General Howard wanted \nto talk to you before he left today, would you give him a \ncouple of minutes?\n    Mr. Heneghan. Certainly.\n    Senator Carper. So all right. Good. 
I think another issue \nthat is core to complying with FISMA is the--we talked a little \nbit about this, too, but the independent evaluation conducted \nby IGs. These evaluations are crucial for a number of reasons, \nbut, in part, because they allow agencies to work with their \nIGs in identifying vulnerabilities and trying to cc some of the \nweaknesses that have been uncovered.\n    Having said that, I understand that not all independent \nassessments conducted by agencies are to the same standard. And \nsome agencies receive the benefit of a thorough assessment of \ntheir IT security while other agencies frankly do not. And let \nme just ask do you feel that this is the case and, if so, \nshould there be a baseline standard for--set really for all \nindependent assessments?\n    Ms. Swart. Yes. I think that is what a lot of us just said. \nJust to give an example. If you have one inventory system that \nyou did not inventory, what should the impact be on your score \nor on the points, and that could be different agency to agency. \nOr if you are talking about awareness training, do you really \nneed to train all the employees, including an employee like a \ngardener that would never access the system.\n    Those are just two examples that show how the OIG looks at \nsomething could impact the way they evaluate system security at \none agency versus another agency.\n    But I do say it is very important to have the independent \nvalidation of the OIG and not just completely rely on the \nreporting of the IT, the CIOs.\n    Senator Carper. Right. Anybody else want to add to that \npoint?\n    Mr. Howard. One activity that we have put in place, sir, \nthat has proved to be very helpful is our oversight and \ncompliance capability. It is very robust. We put that in place \nabout a year ago. Arnie Claudio, that I introduced earlier runs \nthat. 
Since last January, over 155 assessments--we use the word \nassessment, not inspection or investigation, because we want it \nto be a helpful activity, identify issues and problems and help \nremediate them on the spot, if necessary. That is the way we \nhave designed it, and I can tell you that has been extremely \nhelpful to us.\n    It is also helpful not only in reporting problems, whether \nit is a rogue Internet connection, with a wire thrown out a \nwindow or helping to increase awareness among employees \nthroughout the organization.\n    Senator Carper. OK. Anybody else on this point? Yes, Mr. \nHeneghan.\n    Mr. Heneghan. Actually, I think the IGs would like to have \na standard as well. I mean, it is not----\n    Senator Carper. Why do you say that?\n    Mr. Heneghan [continuing]. Because they are struggling with \nthe same questions we are. Do you count a gardener or not.\n    Senator Carper. Gardeners or IGs?\n    Mr. Heneghan. IG types.\n    Senator Carper. Maybe both.\n    Mr. Heneghan. So I think that they would like to know and \ndo the right thing so that they could have a good measure.\n    Senator Carper. Well, that is a good point.\n    I realize the afternoon is drawing late, but a number of \nthe big incidents that we have heard about in the past and \nthere is a couple that you have alluded to several of those, \nbut some of those big incidents did not stem from a foreign \ncountry or from a disgruntled hacker, but really from current \nemployees.\n    Let me just ask how do your agencies continually test and \nevaluate your employees' knowledge of IT security? How do your \nagencies hold your employees accountable, from senior managers, \nall the way down to an intern, and finally you think what you \nare doing is enough?\n    Mr. Howard. Sir, training and education is very key, and, \nof course, there is a requirement for 100 percent training and \neducation in security and privacy every year. We go through \nthat. 
The other key aspect is leadership involvement. We have \ntraining programs focused on our leaders, what their \nresponsibilities really are, because you are a former military \nperson. This is a squad leader activity. If you are not looking \nat the troops and talking to them and making sure they are \ndoing what they are supposed to do, you are going to have \nproblems.\n    Senator Carper. Yes, if the leader does not think it is \nimportant, nobody else will.\n    Mr. Howard. Exactly right. And I am not talking about just \nat the top--all the way down, right at the job site, if you \nwill.\n    So the issue of training is important. And then \ndisciplinary action. We have taken disciplinary action in some \ncases. It is a people issue, no question about it.\n    But the other thing I would say you also have to provide \nthem the tools. In the VA, we have gone to encrypted thumb \ndrives, and the reason that we have done that is, our young \ndoctors and young interns, they are like your kids. It is hard \nto discipline them and get them to stay focused on the \nimportance of the information that they are walking around with \nthis thumb drive. So we mandated the use of encrypted thumb \ndrives, and they have to carry this information around to do \ntheir job.\n    Now they can do it with some degree of comfort, because if \nthey lose their thumb drive in the parking lot, it is a rock. \nI mean, it is not going to be of any value to anybody. The same \nis true with encrypted laptops--or VA laptops are encrypted \nnow. If somebody steals one, they are useless. You cannot get \ninto them.\n    Senator Carper. All right. Are there others, on the issue \nof education? Go ahead, please. Ms. Swart.\n    Ms. Swart. We are one of the providers to other agencies, \nas I mentioned, in partnership with AID. We do annual awareness \ntraining, so if you want to keep your logon to the system, you \ndo this training. You take a test. 
It includes both information \nsecurity questions and privacy questions on an annual basis.\n    Senator Carper. But for your employees, they cannot log on \nto their system?\n    Ms. Swart. If after a year, automatically they will be \nasked to take this online test. And if they do not take it, \nthey are locked out.\n    On the personal responsibility side, we do have a computer \nsecurity incident program that does provide for penalties for \ninformation security type infractions or violations that is \npatterned on what we do for classified information.\n    Senator Carper. OK. Mr. Ash.\n    Mr. Ash. The NRC has seen a great deal of value in not just \ncomputer-based training, but in-person training. The last \ncouple of years, the agency has used in-person training to make \nsure that employees have had the opportunity not just to hear \nwhat the requirements are and the expectations, but also have \nthe opportunity to address their concerns and ask questions.\n    It is the best opportunity in terms of just interfacing and \ndirect interaction with people that know what the requirements \nare and can help educate.\n    At times there can be--depending on how the computer-based \ntraining is set up, if you do not really test them, I mean, \nreally test them, what value is it? And that is what I have \ncome to appreciate about the NRC's approach--again, the in-\nperson training.\n    Senator Carper. Mr. Heneghan.\n    Mr. Heneghan. Our Tip of the Day program, again, from the \nheadline news. We will put out a tip on a Washington Post \narticle that came out. Everyone gets an idea of what is going \non; that it is an important issue.\n    It is tough to know how effective training is, but I think \nwe have a greater incident reporting now from individuals \nbecause they know of this. 
They are much more aware of it.\n    An example I used, just last week, someone was out in the \nfood court, where there was a couple of Federal agencies, doing \na survey and asking a lot of detailed questions about how \npeople remotely login. That person immediately reported it, \nbecause we have tips out there that say be careful of people \nasking you questions like this. And GSA escorted the person off \nthe premises.\n    It gives me a good feeling that our awareness program is \neffective. It has also been used by our Office of General \nCounsel, when we take action against individuals because they \nknow they shouldn't be doing it, and, in fact, over the last \nyear, they have answered four questions that say, yes, I am not \nsupposed to do this. I know that. And our Office of General \nCounsel uses that to see people out the door, if they are prone \nto be policy violators.\n    Senator Carper. All right. You may have heard I asked the \nfirst panel at the close of their presentations and responses, \nI asked them to give some advice to us in the Legislative \nBranch, some advice on what we should do more of or less of \nthat would be constructive here. And we got a variety of ideas, \nand I think generally quite helpful ones.\n    I am going to ask you all the same question in just a \nmoment, but before I do, I have a question for Mr. Ash.\n    I was fortunate to go with Chairman Kline, the Chairman of \nthe Nuclear Regulatory Commission, up to Peach Bottom a month \nor so ago, where it had some security lapse problems, and we \nwent up there to find out what happened and see what is being \ndone to make sure it does not happen again. There are any of \n103 other nuclear power plants. 
I chair a subcommittee, on \nnuclear safety, along with Senator Voinovich of Ohio.\n    But one of the things that we have learned that takes place \nwithin the nuclear power plant industry and within the NRC \nitself, the Nuclear Regulatory Commission, is it sounds like \nevery 3 years there is a force on force exercise, where bad \nguys, who are really good guys that are trained to be bad guys, \nattempt to penetrate the IT systems or the electronic--they are \nnot doing anything electronically. They use real force--and to \ngo in and try to take over physically a plant, a nuclear power \nplant.\n    And then they do a fair amount of debriefing and lessons \nlearned and that sort of thing. But it is real to the extent \nnobody gets killed. But it is a very real exercise, and I think \nfrom what I hear it is actually quite informative, and you \nactually measure not process, but actually measure whether or \nnot people are secure and they are ready at one of these 104 \nplants to take on an assault.\n    When you think of that approach to security and you look at \nour approach to security with respect to protecting our \ninformation, our databases and all. Can we learn a lesson from \nthe force on force that we see in the nuclear power plants? Is \nthere something that they are doing there that could help \ninform what we are doing to protect our other information and \nthese data breaches?\n    Mr. Ash. Yes. I think the easiest answer, the easiest \nlesson, is continue to test. Force on force exercise--I told \nyou I joined the NRC a little over 10 months ago, and had the \nopportunity early on in my tenure to observe a force on force \nexercise out in Illinois. Absolutely amazing just to see the \napproach that they take. 
Again, the objective is to identify \nweaknesses and to measure how successful--obviously if the \nperpetrators can be successful, but how successful are the \nsecurity measures that are put in place by the plant and the \nlicensees and the security force.\n    But going back to my original point: Continue to test--\npenetration testing; social engineering testing--all \nopportunities, because those are what the bad guys are going to \nuse, opportunities to send malicious e-mails, phishing \nexpeditions. I mean, phishing with a ``ph''--means to try and \nget you as an employee of an agency to give up a password, give \nup sensitive information or give up access when you are not \nreally aware of it. That is probably the best lesson learned \nthat I think we could take from what the NRC does with the \nforce-on-force type exercises.\n    Senator Carper. All right. Good. Thank you.\n    Mr. Ash. You are welcome.\n    Senator Carper. All right. Ms. Swart, did you want to say \nsomething?\n    Ms. Swart. The government does do these cyber storm \nexercises, which do provide those kinds of testing. There is \none going on right now that we are participating in other \nagencies that are sponsored I believe by the Department of----\n    Senator Carper. You call them cyber storms?\n    Ms. Swart. Yes.\n    Senator Carper. Do they have code names or anything?\n    Ms. Swart. I think that is the code name.\n    Senator Carper. All right. Advice for us, some in the \nLegislative Branch?\n    Mr. Howard. Sir, keep the pressure on. It helps us to \nbalance the issue that I mentioned before. Keep the attention \non this important area of information protection. It is very \nhelpful to us, in spite of the fact we are up here, every once \nin a while getting beaten up, it is a good thing that you keep \nthe pressure in this area. It is helpful to us.\n    Senator Carper. Good. Thank you. Ms. 
Swart, what can we do \nthat might be constructive or really that would be \nconstructive?\n    Ms. Swart. I would second that about the visibility. Also \njust the things that we have said about improving the way we do \nthe measuring through the existing process, not necessarily \nchanging the law.\n    Senator Carper. All right. Thank you. Mr. Ash.\n    Mr. Ash. I will second that one; third that I guess. The \nother point that I guess that I would like to make is continue \nto encourage the Executive Branch and the Federal Government to \nlook at and implement solutions that can help us. It is \ndifficult enough for a small agency to implement trusted \nInternet connections. That is why I appreciate what OMB and the \nagencies are doing--the Desktop Configurations. Encourage that. \nSupport it. That is what I would ask.\n    Senator Carper. All right. Thank you. Mr. Heneghan.\n    Mr. Heneghan. I would just reiterate the metrics, but also \nI think not changing the law because that would cause a whole \nother process, but actually just tweaking it a little bit would \nbe the way to do it. And get more metrics out there that we can \ncompare each other against and everyone will start to feel \ncomfortable that it is a good measurement process.\n    Senator Carper. OK. Mr. Bennett, in his testimony, in his \nwritten testimony, listed a number of recommendations for our \nconsideration. And I do not know if you all have had a chance \nto look at those recommendations. I am not going to ask you to \ncomment on them today here at the hearing, as we draw to a \nclose. But one of the things that I am going to ask you in \nwriting as a follow up is just to share your comments on the \nrecommendations. Which do you like? Which do you think maybe do \nnot meet muster, and which would you tweak a little bit and \nmaybe they would meet muster?\n    If you all could help us with that, I would appreciate it.\n    Again, other Members of our Subcommittee I suspect Dr. 
\nCoburn and I know-- I started to say Dr. Coleman--but Mayor \nColeman, Senator Coleman, I am sure they have some questions to \nprovide in writing. My guess is that some other Members of our \nSubcommittee will, too. And we would appreciate if you would \nrespond to those as fully and as promptly as you can.\n    I am just very grateful on behalf of all of us, not just on \nthe Subcommittee, not just on our Committee, not just the \nSenate, but the work that you are doing is real important, and \nyou know that. And I understood that coming into this hearing, \nbut I am certainly reminded of it even more so today--important \nfor our country, important for our national security, important \nfor our financial security--just important for a lot of peace \nof mind for people. So those of you who are getting A-pluses \nand those that are on your way to getting those A-pluses, stay \non that glide slope and we will breathe a little bit easier in \nthe future.\n    With that having been said, this Subcommittee is adjourned, \nand we wish you a good evening. 
Thank you.\n    [Whereupon, at 4:55 p.m., the Subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] T1458.001 through T1458.163 (163 appendix graphics, omitted from the source)\n\n                                 <all>\n</pre></body></html>\n"