[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
                   CYBERSECURITY ACTIVITIES AT NIST'S
                   INFORMATION TECHNOLOGY LABORATORY

=======================================================================



                               HEARING

                               BEFORE THE

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                  COMMITTEE ON SCIENCE AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 22, 2009

                               __________

                           Serial No. 111-59

                               __________

     Printed for the use of the Committee on Science and Technology


     Available via the World Wide Web: http://www.science.house.gov

                                 ______



                  U.S. GOVERNMENT PRINTING OFFICE
52-857                    WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                  COMMITTEE ON SCIENCE AND TECHNOLOGY

                   HON. BART GORDON, Tennessee, Chair
JERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas
EDDIE BERNICE JOHNSON, Texas         F. JAMES SENSENBRENNER JR., 
LYNN C. WOOLSEY, California              Wisconsin
DAVID WU, Oregon                     LAMAR S. SMITH, Texas
BRIAN BAIRD, Washington              DANA ROHRABACHER, California
BRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland
DANIEL LIPINSKI, Illinois            VERNON J. EHLERS, Michigan
GABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma
DONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois
MARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri
BEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas
PAUL D. TONKO, New York              BOB INGLIS, South Carolina
PARKER GRIFFITH, Alabama             MICHAEL T. MCCAUL, Texas
STEVEN R. ROTHMAN, New Jersey        MARIO DIAZ-BALART, Florida
JIM MATHESON, Utah                   BRIAN P. BILBRAY, California
LINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska
BEN CHANDLER, Kentucky               PAUL C. BROUN, Georgia
RUSS CARNAHAN, Missouri              PETE OLSON, Texas
BARON P. HILL, Indiana
HARRY E. MITCHELL, Arizona
CHARLES A. WILSON, Ohio
KATHLEEN DAHLKEMPER, Pennsylvania
ALAN GRAYSON, Florida
SUZANNE M. KOSMAS, Florida
GARY C. PETERS, Michigan
VACANCY
                                 ------                                

               Subcommittee on Technology and Innovation

                      HON. DAVID WU, Oregon, Chair
DONNA F. EDWARDS, Maryland           ADRIAN SMITH, Nebraska
BEN R. LUJAN, New Mexico             JUDY BIGGERT, Illinois
PAUL D. TONKO, New York              W. TODD AKIN, Missouri
DANIEL LIPINSKI, Illinois            PAUL C. BROUN, Georgia
HARRY E. MITCHELL, Arizona               
GARY C. PETERS, Michigan                 
BART GORDON, Tennessee               RALPH M. HALL, Texas
                 MIKE QUEAR Subcommittee Staff Director
        MEGHAN HOUSEWRIGHT Democratic Professional Staff Member
            TRAVIS HITE Democratic Professional Staff Member
            HOLLY LOGUE Democratic Professional Staff Member
             DAN BYERS Republican Professional Staff Member
                  VICTORIA JOHNSTON Research Assistant


                            C O N T E N T S

                            October 22, 2009

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative David Wu, Chairman, Subcommittee on 
  Technology and Innovation, Committee on Science and Technology, 
  U.S. House of Representatives..................................     6
    Written Statement............................................     6

Statement by Representative Adrian Smith, Ranking Minority 
  Member, Subcommittee on Technology and Innovation, Committee on 
  Science and Technology, U.S. House of Representatives..........     7
    Written Statement............................................     7

Prepared Statement by Representative Harry E. Mitchell, Member, 
  Subcommittee on Technology and Innovation, Committee on Science 
  and Technology, U.S. House of Representatives..................     8

                               Witnesses:

Ms. Cita M. Furlani, Director, Information Technology Laboratory, 
  National Institute of Standards and Technology
    Oral Statement...............................................     9
    Written Statement............................................    10
    Biography....................................................    15

Dr. Susan Landau, Distinguished Engineer, Sun Microsystems, 
  Burlington, MA
    Oral Statement...............................................    16
    Written Statement............................................    17
    Biography....................................................    20

Dr. Phyllis Schneck, Vice President, Threat Intelligence, McAfee 
  Corporation
    Oral Statement...............................................    21
    Written Statement............................................    23
    Biography....................................................    26

Mr. William Wyatt Starnes, Founder, CEO, and President, 
  SignaCert, Inc.; Founder, Tripwire, Inc.
    Oral Statement...............................................    27
    Written Statement............................................    28
    Biography....................................................    36

Dr. Fred B. Schneider, Samuel B. Eckert Professor of Computer 
  Science, Cornell University
    Oral Statement...............................................    37
    Written Statement............................................    38
    Biography....................................................    41

Mr. Mark Bohannon, General Counsel and Senior Vice President for 
  Public Policy, Software & Information Industry Association 
  (SIIA)
    Oral Statement...............................................    42
    Written Statement............................................    44
    Biography....................................................    47

Discussion.......................................................    47

              Appendix: Answers to Post-Hearing Questions

Ms. Cita M. Furlani, Director, Information Technology Laboratory, 
  National Institute of Standards and Technology.................    58

Dr. Susan Landau, Distinguished Engineer, Sun Microsystems, 
  Burlington, MA.................................................    59

Dr. Phyllis Schneck, Vice President, Threat Intelligence, McAfee 
  Corporation....................................................    60

Mr. William Wyatt Starnes, Founder, CEO, and President, 
  SignaCert, Inc.; Founder, Tripwire, Inc........................    61

Dr. Fred B. Schneider, Samuel B. Eckert Professor of Computer 
  Science, Cornell University....................................    63

Mr. Mark Bohannon, General Counsel and Senior Vice President for 
  Public Policy, Software & Information Industry Association 
  (SIIA).........................................................    65


  CYBERSECURITY ACTIVITIES AT NIST'S INFORMATION TECHNOLOGY LABORATORY

                              ----------                              


                       THURSDAY, OCTOBER 22, 2009

                  House of Representatives,
         Subcommittee on Technology and Innovation,
                       Committee on Science and Technology,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 2:07 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. David Wu 
[Chairman of the Subcommittee] presiding.


                            hearing charter

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                  COMMITTEE ON SCIENCE AND TECHNOLOGY

                     U.S. HOUSE OF REPRESENTATIVES

                   Cybersecurity Activities at NIST's

                   Information Technology Laboratory

                       thursday, october 22, 2009
                          2:00 p.m.-4:00 p.m.
                   2318 rayburn house office building

1. Purpose

    On Thursday, October 22, 2009 the Subcommittee on Technology and 
Innovation of the Committee on Science and Technology will hold a 
hearing to review the recommendations made in the Cyberspace Policy 
Review that may be appropriate for the National Institute of Standards 
and Technology (NIST) and the proposed reorganization of the NIST 
Information Technology Laboratory.

2. Witnesses

Ms. Cita Furlani is the Director of the Information Technology 
Laboratory at NIST.

Dr. Susan Landau is a Distinguished Engineer at Sun Microsystems. She 
is a former member of the Commission on Cyber Security for the 44th 
Presidency and the NIST Information Security and Privacy Advisory 
Board.

Dr. Fred Schneider is the Samuel B. Eckert Professor of Computer 
Science at Cornell University and a current NIST Information Security 
and Privacy Advisory Board member.

Dr. Phyllis Schneck is the Vice President of Threat Intelligence at 
McAfee. She served as a commissioner for the Commission on Cyber 
Security for the 44th Presidency and on the National Board of Directors 
for the Federal Bureau of Investigation's InfraGuard.

Mr. William Wyatt Starnes is the Founder and CEO of SignaCert, Inc. He 
is formerly a member of the NIST Visiting Committee on Advanced 
Technology.

Mr. Mark Bohannon is the General Counsel and Senior Vice President, 
Public Policy at Software & Information Industry Association (SIIA). 
Prior to working at SIIA, Mr. Bohannon was the Chief Counsel for 
Technology at the U.S. Department of Commerce where he helped oversee 
NIST cybersecurity activities.

3. Brief Overview

    On May 29, 2009, the Administration released its 60-day review of 
federal cybersecurity activities entitled, ``Cyberspace Policy 
Review.'' The review team acknowledged the difficult task of addressing 
cybersecurity concerns in a comprehensive fashion due to the large 
number of federal departments and agencies with cybersecurity 
responsibilities and overlapping authorities. The document detailed a 
number of near-term and mid-term action plans and stated that it would 
not only take increased organization and coordination within the 
Federal Government, but extensive public-private partnerships and 
international collaboration to achieve these recommendations.
    The witnesses were asked to address any recommendations from the 
Cyberspace Policy Review, focusing on three specific recommendations: 
the need for a single locus for Federal Government involvement in 
international standards, an increased public awareness and education 
campaign, and a larger focus on identity management.

4. NIST Background

    The NIST Information Technology Laboratory (ITL) is currently 
organized into six divisions that perform research and development in 
the areas of network technology, computer security, information access, 
mathematics, statistics, software and systems. ITL has a budget request 
of $72 million for FY 2010.

Computer Security Division (CSD)
    CSD is tasked with protecting the federal non-classified 
information technology network by developing and promulgating cyber 
security standards for federal civilian network systems. CSD developed 
minimum security requirements for these systems in Federal Information 
Processing Standard (FIPS) 200. CSD also does work in cryptology, 
electronic identity management, methodology for assessing effectiveness 
of security requirements, and developing tests to validate security in 
information systems. Cybersecurity tasks were appointed to NIST in the 
Computer Security Act of 1987 (P.L. 100-235), the Cyber Security 
Research and Development Act of 2002 (P.L. 107-305), and the Federal 
Information Security Management Act of 2002 (P.L. 107-347).

Advanced Network Technologies Division (ANTD)
    ANTD works to improve the quality of networking specifications and 
is currently focusing on advanced areas of cryptography, domain name 
system security, and evaluation of wireless networks for first 
responder communication.

Information Access Division (IAD)
    IAD provides measurements and standards in areas such as speech 
recognition, biometrics, and inter-operability of interactive 
technologies.

Mathematical and Computational Sciences Division (MCSD)
    MCSD performs research and development in areas of mathematical 
modeling, mathematical software, and their scientific applications.

Software and Systems Division (SSD)
    SSD develops software testing tools and methods to improve the 
quality of software and testing in areas such as health care 
information technology, computer forensics, and voting systems.

Statistical Engineering Division (SED)
    SED provides statistical consulting to the NIST laboratories and 
performs statistical research to improve statistical modeling and data 
analysis.

5. Issues and Concerns

Recommendations from the Cyberspace Policy Review
    The Technology and Innovation Subcommittee has asked the witnesses 
to discuss recommendations from the Cyberspace Policy Review that may 
be appropriate for NIST and to specifically address three of the 
recommendations:

          The need for a single locus for Federal Government 
        involvement in international cybersecurity technical 
        standards--Currently, the United States is represented by an 
        array of standards setting organizations, both federal and 
        private industry. The Cyberspace Policy Review calls for a 
        single entity to coordinate federal representation for 
        cybersecurity technical standards and develop an engagement 
        plan for use with international standards bodies.

          The need for an increased public awareness and 
        education campaign--the CSD currently conducts limited 
        cybersecurity outreach and education through its Small Business 
        Corner. Also, NIST has a well-established program called the 
        Manufacturing Extension Partnership (MEP) that provides 
        services and information to businesses from regional MEP 
        Centers. NIST can expand upon these resources to increase 
        cybersecurity education and public awareness amongst private 
        citizens and small business, as well State, local, and Federal 
        governments.

          The need for a larger focus on identity management--
        The Cyberspace Policy Review states that cybersecurity cannot 
        be improved without improving identity management. It goes on 
        to say that identity management is not only about 
        authenticating people, but that online transactions involve 
        trustworthy data, hardware, and software for networks and 
        devices. As noted above, NIST has extensive expertise in 
        identity management areas throughout its six divisions.

    The report states that future cybersecurity technical standards 
plans must address the convergence of information technologies and 
infrastructures. NIST represents an opportunity to address these 
recommendations because of its broad array of expertise in 
cybersecurity technology standards and established relationships with 
private industry and international standards organizations.

Reorganization of ITL
    The ITL Director, Ms. Furlani, has proposed a reorganization that 
would, as part of its actions, split the CSD and combine its programs 
with others to form two new divisions. Cybersecurity experts are 
concerned that the split of CSD will take focus away from cybersecurity 
and are not clear on how the reorganization will improve the function 
and future capabilities of ITL. Witnesses were asked to assess the 
reorganization and discuss how it may improve the outcomes of ITL 
activities.
    Chairman Wu. This hearing will now come to order. I would 
like to welcome everybody this afternoon to this hearing on 
cybersecurity, and we increasingly put all sorts of 
information, including personal information, online. Our 
nation's entire infrastructure, from traffic systems and air 
traffic control to manufacturing to power distribution, depends 
on internet networked systems. I can think of few topics as 
important for this subcommittee to address than cybersecurity. 
And I want to welcome all witnesses here this afternoon for 
this very, very important hearing.
    As anyone who has seen movies recently, including movies 
like Ocean's Eleven, thieves have become increasingly 
sophisticated in their method of heists, and it should be no 
surprise that cybercriminals in real life are becoming also 
more sophisticated in their crimes.
    Congress realized the dangers of networked systems as far 
back as the 1980s, and in 1987, this committee wrote the 
Computer Security Act, which charged NIST (National Institute 
of Standards and Technology) with developing the technical 
standards to protect non-classified information on federal 
computer systems. Congress has remained concerned about cyber-
threats, and since 1987, Congress has passed 13 laws related to 
cybersecurity.
    Today OMB (Office of Management and Budget) reports that 
federal agencies spend approximately $6 billion per year on 
cybersecurity to protect a $72 billion IT (Information 
Technology) infrastructure. In addition, the Federal Government 
funds $356 million in cybersecurity research each year. I don't 
believe that simply spending more money or creating more 
programs is the means to improve cybersecurity. We also need to 
use our existing resources more efficiently and with specific 
achievable goals in mind. This is also the main conclusion of 
the Administration's recent cybersecurity review.
    The focus of today's hearing is not to review what NIST has 
done but to address what should be its focus going forward. 
Since NIST is the only federal agency tasked with protecting 
non-classified federal computer systems, the testimony we hear 
today will have a vital and long-lasting affect on our nation's 
economic and national security.
    We have a distinguished panel of witnesses who have a long 
history of working with NIST and detailed knowledge of NIST's 
IT activities. I want to assure them that this subcommittee is 
prepared to act on their recommendations.
    And now I would like to recognize Ranking Member 
Representative Smith for his opening statement.
    [The prepared statement of Chairman Wu follows:]
                Prepared Statement of Chairman David Wu
    I want to welcome everyone to this hearing on cybersecurity. More 
and more of our personal information is making its way online, and our 
nation's entire infrastructure--from traffic systems and air traffic 
control to manufacturing--depends on Internet networked systems. I can 
think of no topic more important for this subcommittee to address than 
cybersecurity.
    As anyone who has seen Ocean's Eleven can tell you, thieves have 
become increasingly sophisticated in their heists. It should be no 
surprise that cybercriminals are also becoming progressively 
sophisticated in their crimes.
    Congress realized the inherent dangers in networked systems as far 
back as 1987, when this committee wrote the Computer Security Act, 
which charged NIST with developing the technical standards to protect 
non-classified information on federal computer systems. Congress has 
remained alert to cyber-threats. Since 1987, Congress has passed 13 
major laws related to cybersecurity.
    Today OMB reports that Federal agencies spend $6 billion on 
cybersecurity to protect a $72 billion IT infrastructure. In addition, 
the Federal Government funds $356 million in cybersecurity research 
each year. I don't believe simply spending more money or creating more 
programs is the means to improve cybersecurity. We need to use our 
existing resources more efficiently and with specific achievable goals 
in mind. This is also the main conclusion of the Administration's 
recent cybersecurity review.
    The focus of today's hearing is not to review what NIST has done, 
but to address what should be their focus going forward. Since NIST is 
still the only federal agency tasked with protecting non-classified 
federal computer systems, the testimony we hear today will have a 
vital, long-lasting effect on our country's security.
    We have a distinguished panel of witnesses who have a long history 
working with NIST and detailed knowledge of NIST's IT activities. I 
want to assure them that this subcommittee is prepared to act on their 
recommendations.

    Mr. Smith. Mr. Chairman, thank you for calling this hearing 
today on cybersecurity, the fourth in a series of hearings held 
by the Committee this year. Thank you to the witnesses as well. 
While our earlier hearings reviewed cybersecurity through a 
relatively broad lens, today we are here to examine the 
specific role NIST plays or should play in supporting computer 
and network security.
    Our starting point for this review is the White House's 60-
Day Cyberspace Policy Review which was released in May and 
which provided a broad outline of the actions the 
Administration intends to emphasize moving forward. A number of 
these actionaries appear well-suited to NIST's capabilities and 
expertise. With respect to security practices and standards, 
NIST is a proven and trusted entity within the Federal 
Government, the private sector, and even around the world.
    It is also well-known for its excellence in advancing 
research and the fundamental science of computer security. For 
these reasons, it is important for the Committee to consider 
more closely the specific additional or expanded activities 
which makes sense for NIST to undertake and what, if any, 
associated legislative authority or direction is necessary to 
enable this.
    In doing so, I think it is also important that we work to 
prioritize these activities and identify those which provide 
the greatest security returns, recognizing the universe of 
computer security activities we would like NIST to do is 
significantly larger than any realistic budget expectations. 
Additionally, and as I emphasized in our prior hearings, I 
think we should also be careful to delineate which activities 
NIST shouldn't undertake, particularly with respect to anything 
which could take on a regulatory nature, either directly or 
indirectly.
    I thank the Chairman and the panel today. Thank you for 
dedicating your time and donating your time to this productive 
discussion. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Smith follows:]
           Prepared Statement of Representative Adrian Smith
    Mr. Chairman, thank you for calling this hearing today on 
cybersecurity--the fourth in a series of hearings held by the Committee 
this year.
    While our earlier hearings reviewed cybersecurity through a 
relatively broad lens, today we are here to examine the specific role 
NIST plays--or should play--in supporting computer and network 
security.
    Our starting point for this review is the White House's 60-day 
Cyberspace Policy Review which was released in May and which provided a 
broad outline of the actions the Administration intends to emphasize 
going forward.
    A number of these action areas appear well-suited to NIST's 
capabilities and expertise. With respect to security practices and 
standards, NIST is a proven and trusted entity within the Federal 
Government, the private sector, and around the world. It is also well-
known for its excellence in advancing research and the fundamental 
science of computer security.
    For these reasons, it is appropriate for the Committee to consider 
more closely the specific additional or expanded activities which make 
sense for NIST to undertake, and what if any associated legislative 
authority or direction is necessary to enable this. In doing so, I 
think it is also important we work to prioritize these activities and 
identify those which provide the greatest security returns, recognizing 
the universe of computer security activities we would like NIST to do 
is significantly larger than any realistic budget expectations. 
Additionally, and as I emphasized in our prior hearings, I think we 
should also be careful to delineate what activities NIST shouldn't 
undertake--particularly with respect to anything which could take on a 
regulatory nature, either directly or indirectly.
    I thank the Chairman for assembling an excellent panel today, and I 
look forward to a productive discussion.

    Chairman Wu. Thank you very much, Mr. Smith, and if there 
are any Members who wish to submit their opening statements, 
the statements will be added to the record at this point.
    [The prepared statement of Mr. Mitchell follows:]
         Prepared Statement of Representative Harry E. Mitchell
    Thank you, Mr. Chairman.
    As the world becomes increasingly connected through the Internet, 
it is critical to ensure that we have a secure and reliable cyberspace 
policy.
    Today we will discuss the findings and recommendations of the Obama 
Administration's 60-day Cyberspace Policy Review.
    Specifically, we will review that recommendations made in the 
Cyperspace Policy Review that may be appropriate for the National 
Institute of Standards and Technology (NIST) and the proposed 
reorganization of the NIST Information Technology Laboratory.
    I look forward to hearing more from our witnesses.
    I yield back.

    Chairman Wu. And now it is my pleasure to welcome our 
witnesses. Ms. Cita Furlani is the Director of the Information 
Technology Laboratory (ITL) at the National Institute of 
Standards and Technology. Dr. Susan Landau is a Distinguished 
Engineer at Sun Microsystems, and a former member of the 
Commission on Cybersecurity for the 44th Presidency. I thought 
that was a mistake at first, but that is the title of the 
group, and the NIST Information, Security and Privacy Advisory 
Board. Let us see, we have a different order here. Dr. Phyllis 
Schneck is the Vice President of Threat Intelligence at McAfee. 
She serves as a commissioner also on the Commission on 
Cybersecurity for the 44th Presidency and is on the National 
Board of Directors for the FBI's InfraGard. Mr. William Wyatt 
Starnes is the Founder and CEO and a great Oregonian, I might 
add, of SignaCert. He is formerly a member of the NIST Visiting 
Committee on Advanced Technology. Professor Fred Schneider is 
the Samuel B. Eckert Professor of Computer Science at Cornell 
University and is a current NIST Information Security and 
Privacy and Advisory Board Member. And finally, our last 
witness is Mark Bohannon who is the General Counsel and Senior 
Vice President, Public Policy at Software & Information 
Industry Association. Prior to working at SIIA, Mr. Bohannon 
was the Chief Counsel of Technology at the U.S. Department of 
Commerce where he helped oversee NIST cybersecurity activities.
    The witnesses will each have five minutes for your spoken 
testimony, and your written testimony will be included in its 
entirety in the record for the hearing. When you complete your 
testimony, we will begin with questions, and each Member will 
have five minutes to ask questions of the panel.
    Ms. Furlani, please proceed.

    STATEMENT OF MS. CITA M. FURLANI, DIRECTOR, INFORMATION 
  TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND 
                           TECHNOLOGY

    Ms. Furlani. Chairman Wu, Ranking Member Smith, and any 
other Members of the Subcommittee. I am Cita Furlani, the 
Director of the Information Technology Laboratory at the 
Department of Commerce's National Institute of Standards and 
Technology. Thank you for the opportunity to appear before you 
today.
    Cybersecurity is a vital, central mission of our 
laboratory. The impacts of NIST's cybersecurity activities 
extend beyond providing the means to protect federal IT 
systems. They provide the cybersecurity foundations for the 
public trust that is essential to our realizing the national 
and global productivity and innovation potential of electronic 
business and its attendant economic benefits.
    Consistent with our mission and the recommendations of the 
Administration's Cyberspace Policy Review, NIST is actively 
engaged with many others in coordination and prioritization of 
cybersecurity research, standards development, standards 
conformance demonstration, and cybersecurity education and 
outreach activities.
    The Review observed that it is our total national 
information infrastructure which is under attack. The President 
has developed a coordinated national response approach that 
places leadership for cybersecurity-related policies amongst 
the team within the White House. This team provides an 
effective means for coordination and collaboration across the 
Federal Government and with the private sector.
    The intelligence community, the other elements of the 
national security community, and NIST are actively coordinating 
their standards and processes for cybersecurity. This effort is 
producing a single set of requirements. For the first time, 
NIST has included security controls in its catalog for both 
national security and non-national security systems. The 
updated security control catalog incorporates best practices 
and information security from the defense, intelligence and 
civil agencies, an historic achievement.
    The Review recommended building a cybersecurity-based 
identity management, vision and strategy. In response, NIST is 
working with OSTP (Office of Science and Technology Policy), 
OMB and the NSC (National Security Council) through a new sub-
interagency policy committee focusing on on-line identity 
management. Working with OMB and other agencies, NIST is 
helping to develop a security and privacy profile that will 
provide guidance to enterprise architects on integrating 
information security and privacy requirements into the Federal 
Enterprise Architecture.
    NIST hosts the Information Security Automation Program 
which is an effort to enable the automation and standardization 
of technical security operations including automated 
vulnerability management and policy compliance evaluations. The 
NIST National Vulnerability Database is one such tool. It makes 
available information on vulnerabilities, impact measurements, 
detection techniques and remediation assistance. It provides 
reference data that enable the information security automation 
program's security automation capabilities. This database also 
is key to the payment card industry in their efforts to 
mitigate vulnerabilities in credit card systems. The Review 
recommended a national public awareness and education campaign 
to promote cybersecurity. NIST, working with the SBA (Small 
Business Administration) and the FBI, has put an instructional 
video on YouTube and published a guide to help small businesses 
and organizations. In addition, the Review recommended 
strengthening federal leadership and accountability for 
cybersecurity. In response, NIST was asked by OMB to contribute 
to the Security Metrics Task Force to develop new metrics for 
information security performance for federal agencies.
    The Review recognizes the role of international standards 
in protecting our information infrastructure. We are actively 
working with others in fostering international standards and 
protocols that are conducive to a free and safe information 
processing and interchange environment. NIST also actively 
contributes to the NITRD (Networking and Information Technology 
Research and Development) program and its five-year strategic 
plan.
    Consistent with the Review's recommendation, NIST works 
with other members of the Cybersecurity and Information 
Assurance Interagency Working Group in establishing research 
and development priorities to address actions that compromise 
or threaten to compromise computer and network-based systems.
    NIST has undertaken an internal assessment of its 
operational structure and allocation of resources to ensure 
that our programs fully reflect the complex interdisciplinary 
nature of today's threats. Based on the feedback we continue to 
receive, I have decided to put the proposed reorganization of 
ITL on hold. We have received expressions of both support and 
concern from various stakeholders. We are seriously considering 
this input and plan to reevaluate how to ensure that our 
structure is as flexible and efficient as possible in meeting 
the many challenges and opportunities ahead. Regardless of 
whatever recommendations emerge from this internal assessment, 
the technical program of work currently performed by the 
Computer Security Division (CSD) would not change. ITL welcomes 
and appreciates all input and looks forward to continued 
conversations on this matter.
    Thank you for the opportunity to testify. I would be happy 
to answer any questions you may have.
    [The prepared statement of Ms. Furlani follows:]
                 Prepared Statement of Cita M. Furlani
    Chairman Wu, Ranking Member Smith, and Members of the Subcommittee, 
I am Cita Furlani, the Director of the Information Technology 
Laboratory (ITL) at the Department of Commerce's National Institute of 
Standards and Technology (NIST). Thank you for the opportunity to 
appear before you today to discuss our role in cybersecurity and our 
perspective on the Administration's Cyberspace Policy Review 
Recommendations.
    As one of the major research components within NIST, the 
Information Technology Laboratory accelerates the development and 
deployment of information and communication systems that are reliable, 
usable, inter-operable, and secure; advance measurement science through 
innovations in mathematics, statistics, and computer science; and 
develop the measurements and standards infrastructure for emerging 
information technologies and applications. In addition to research into 
cybersecurity technologies, NIST is responsible for development of, 
publishing, and providing explanatory support for federal cybersecurity 
standards, guidelines, and best practices. Just as the standards 
function extends beyond writing federal standards to playing an active 
role in the development of national and international consensus 
standards, the support function is extended to State and local 
governments and private sector elements that voluntarily adopt NIST-
developed cybersecurity standards.
    NIST doesn't rely solely on Federal resources and insights. We 
employ collaborative partnerships with our customers and stakeholders 
in industry, government, academia, and consortia to take advantages of 
their technical and operational insights and to leverage the resources 
of a global community. We are actively seeking to expand the scope of 
these collaborative efforts in general, and of our private sector 
collaborations in particular.
    The impacts of NIST's cybersecurity activities extend beyond 
providing the means to protect federal IT systems. They provide the 
cybersecurity foundations for the public trust that is essential to our 
realizing the national and global productivity and innovation potential 
of electronic business and its attendant economic benefits.
    The cybersecurity standards and support capabilities of NIST's 
Information Technology Laboratory rest on the foundation of the 
laboratory's cybersecurity research and development activities. Based 
on input from our customers and stakeholders, we have focused our R&D 
agenda on eight broad program areas: complex systems; cyber and network 
security; enabling scientific discovery; identity management systems; 
information discovery, use and sharing; pervasive information 
technologies; trustworthy information systems; and virtual measurement 
systems.
    Many of our vital programs impact national security in ways that 
extend beyond what are generally recognized as the boundaries of 
cybersecurity. Examples of these impacts include improving the accuracy 
and inter-operability of biometrics recognition systems and 
facilitating communications among first responders. The combination of 
our mission and legislative mandates such as the Federal Information 
Security Management Act (FISMA), the Cyber Security Research and 
Development Act, the USA PATRIOT Act, the Enhanced Border Security Act, 
and the Help America Vote Act lead to rich programmatic diversity.
    Cybersecurity is a vital, central mission of our laboratory. NIST's 
mission in cybersecurity is to work with federal agencies, industry, 
and academia to research, develop, and deploy information security 
standards and technology to protect information systems against threats 
to the confidentiality, integrity, and availability of information and 
services. Consistent with this mission and with the recommendations of 
the Cyberspace Policy Review, NIST is actively engaged with private 
industry, academia, non-national security federal departments and 
agencies, the intelligence community, and other elements of the law 
enforcement and national security communities, in coordination and 
prioritization of cybersecurity research, standards development, 
standards conformance demonstration, and cybersecurity education and 
outreach activities.
    The Cyberspace Policy Review observes that it is our total national 
information infrastructure, not just the federal information 
infrastructure, which is under attack, recognizing a national response 
is necessary to prevent catastrophic consequences for society, 
including those critical infrastructures which integrate information 
systems into their operations. To provide for such a national response, 
the President has developed a coordinated approach that places 
leadership for cybersecurity-related policies within the White House. 
This includes the appointment of a Chief Technology Officer, located in 
the Office of Science and Technology Policy, a Chief Information 
Officer in the Office of Management and Budget, and the pending 
appointment of a Cyber Advisor in the White House. This team provides 
an effective means for coordination and collaboration across the 
Federal Government and with the private sector. This includes 
integrating the responses of national security organizations and those 
of federal organizations that do not have a primarily national security 
mission. In fact, we observe that the intelligence community, the other 
elements of the national security community, and NIST are, in response 
to the Federal Information Security Management Act of 2002, actively 
coordinating their standards and processes for cybersecurity. This 
effort is producing a single set of requirements, rather than the 
past's three independent sets of requirements for consumers and 
providers of information processing and interchanges resources.
    A key output of this initiative to develop a unified information 
security framework for the Federal Government and its contractors 
occurred on August 1, 2009, when NIST announced the release of Special 
Publication 800-53, Revision 3, Recommended Security Controls for 
Federal Information Systems and Organizations. NIST Special Publication 
800-53, Revision 3, is historic in nature. For the first time, NIST has 
included security controls in its catalog for both national security 
and nonnational security systems. The updated security control catalog 
incorporates best practices in information security from the United 
States Department of Defense, Intelligence Community, and civil 
agencies, to produce the most broad-based and comprehensive set of 
safeguards and countermeasures ever developed for information systems. 
This unified framework provides a standardized method for expressing 
security at all levels, from operational implementation to compliance 
reporting. This allows for an environment of information sharing and 
interconnections among these communities and significantly reduces 
costs, time, and resources needed for finite sets of systems and 
administrators to report on cybersecurity to multiple authorities.
    The NIST Identity Management Systems Program is pursuing the 
development of critical standards and metrics to support the effective 
management of digital identities for large-scale enterprises throughout 
their life cycle. These efforts will improve the strength, usability, 
and inter-operability of identity management systems; protect users' 
personal data; and assure that U.S. interests on this issue are 
represented in the international arena. We have been heavily involved 
in Federal Government identity management efforts, including developing 
the standard for the personal identity verification (PIV) card in 
response to HSPD-12 and co-chairing the National Science and Technology 
Council (NSTC) Identity Management Task Force.
    The Cyberspace Policy Review included in its top ten action items, 
``Build a cybersecurity-based identity management vision and strategy 
that addresses privacy and civil liberties interests, leveraging 
privacy-enhancing technologies for the Nation.'' To this end, NIST is 
working with the Office of Science and Technology Policy, the Office of 
Management and Budget (OMB), and the National Security Council staff to 
determine how to address this action item, through a new Sub-
Interagency Policy Committee which will focus on online identity 
management.
    NIST is taking other proactive steps to increase the long-term 
security of federal information systems. Working with the Office of 
Management and Budget and several federal agencies, NIST is helping to 
develop a Security and Privacy Profile that will provide guidance to 
enterprise architects on integrating information security and privacy 
requirements into the Federal Enterprise Architecture. This initiative 
will ensure that information security and privacy requirements are 
built into federal information systems early in the system development 
life cycle rather than attempting to add these requirements after 
systems are deployed into operational environments. NIST will also be 
working with its partners within the Federal Government to publish 
guidance on best practices in systems and security engineering to 
address the effective integration of commercial information technology 
products into federal information systems. This guidance will build on 
the excellent work published by the National Security Agency as part of 
the Information Assurance Technical Framework over a decade ago and 
make the information widely available to both public and private sector 
entities.
    NIST hosts the Information Security Automation Program (ISAP), 
which formalizes and advances efforts to enable the automation and 
standardization of technical security operations, including automated 
vulnerability management and policy compliance evaluations.
    The NIST National Vulnerability Database (NVD), which is funded by 
the National Cybersecurity Division of the Department of Homeland 
Security, is the United States Government repository of standards-based 
vulnerability management reference data. The NVD makes available 
information on vulnerabilities, impact measurements, detection 
techniques, and remediation assistance. It provides reference data that 
enable the ISAP's security automation capabilities. NIST's security 
automation program is based on the NIST Security Checklist program and 
the Security Content Automation Protocol (SCAP) activity. The SCAP 
Validation Program performs conformance testing to ensure that products 
correctly implement SCAP. NVD also plays a pivotal role in the Payment 
Card Industry (PCI) in their efforts to mitigate vulnerabilities in 
credit card systems. The PCI has mandated that NVD's vulnerability 
severity scores be used for measuring the risk to payment card servers 
worldwide and for determining which vulnerabilities must be fixed.
    In addition to the initiatives described above, NIST has 
implemented an aggressive outreach program to work with State, local, 
and tribal governments as well as private sector entities to raise the 
awareness of government officials and corporate executives with regard 
to the ongoing and increasingly sophisticated nature of cyber threats. 
The outreach program will help organizations external to the Federal 
Government have a better understanding of NIST's suite of security 
standards and guidelines and provide an opportunity for voluntary 
adoption of the standards and guidelines by those organizations to 
facilitate an increased level of information security for the Nation's 
critical information infrastructure.
    On a broader scale, in response to the Cyberspace Policy Review's 
recommendation to initiate a national public awareness and education 
campaign to promote cybersecurity and as a contribution to October's 
Cyber Security Awareness Month, NIST, working with the Small Business 
Administration and the Federal Bureau of Investigation, has published a 
guide to help small businesses and organizations understand how to 
provide basic security for their information, systems, and networks. 
The 20-page guide, Small Business Information Security: The 
Fundamentals, uses simple and clear language to walk small business 
owners through the important steps necessary to secure their computer 
systems and data. The guide provides ten ``absolutely necessary steps'' 
to secure information, which includes such basics as installing 
firewalls, patching operating systems and applications, and backing up 
business data, as well as controlling physical access to network 
components and training employees in basic security principles. NIST 
also created a video that explores the reasons small businesses need to 
secure their data.
    We are encouraged to observe that the Cyberspace Policy Review 
recognizes that cybersecurity strategies and solutions must be 
structured in a manner that accommodates commerce, economic growth, 
scientific collaboration, and individual liberties. The report reflects 
the notion that we are not looking for ``lockdown solutions'' that 
achieve security at the expense of essential services or civil 
liberties. Recognizing the economic impact of cyberspace, NIST is 
working to provide measurement techniques to facilitate offsetting the 
cost of both public sector and private sector security solutions by 
decreases in losses or cost of insurance or increases in business due 
to increases in trust. In order to meet the cyber threat to our total 
national infrastructure, we must demonstrate that implementing measures 
that increase security is good business sense. We'd note that not all 
of these measures need to be technical or regulatory in nature. Some 
simple procedural steps can have a materially positive effect on 
security. One example is the financial sector's having introduced a 
delay into the conversion of electronically transferred funds into 
tangible assets, a delay sufficient to permit invocation of fraud 
detection processes.
    As acknowledged in the Cyberspace Policy Review, measurement of 
information security performance can benefit organizations in many 
ways, by increasing accountability, improving the effectiveness of 
safeguards, demonstrating legislative and policy compliance, and 
providing quantifiable inputs for risk-based resource allocation 
decisions. The Cyberspace Policy Review recommended strengthening 
federal leadership and accountability for cybersecurity, including 
identifying cybersecurity as a management priority and assessing the 
progress of federal agencies against cybersecurity goals, ultimately 
leading to increased accountability, compliance with cybersecurity 
policies, and effective implementation of cybersecurity safeguards. 
Because of its strengths in measurement science and cybersecurity, NIST 
was asked by OMB to contribute to the Security Metrics Taskforce. This 
taskforce was established to develop new outcome-focused, rather than 
compliance-focused, metrics for information security performance for 
federal agencies, resulting in more effective provisioning of security 
controls and resources, and improved protection in support of critical 
mission and business processes.
    We were particularly encouraged by the report's recognition of the 
role of international standards in protecting our information 
infrastructure. Our infrastructure is inextricably integrated into a 
complex of global networks. NIST's role in documentary standards has 
long been established in law and executive direction. We are actively 
working with our sister agencies, including the Department of State, on 
improving our common understanding of how we can collectively 
participate, in cooperation with the private sector, in fostering 
international standards and protocols that are conducive to a free and 
safe information processing and interchange environment.
    Recognizing the importance of security-related standards beyond the 
Federal Government, NIST leads national and international consensus 
standards activities in cryptography, biometrics, electronic 
credentialing, secure network protocols, software and systems 
reliability, and security conformance testing.
    Under the provisions of the National Technology Transfer and 
Advancement Act (P.L. 104-113) and OMB Circular A-119, NIST is tasked 
with the key role of encouraging and coordinating federal agency use of 
voluntary consensus standards and participation in the development of 
relevant standards, as well as promoting coordination between the 
public and private sectors in the development of standards and in 
conformity assessment activities. NIST works with other agencies such 
as the State Department to coordinate standards issues and priorities 
with the private sector through consensus standards organizations such 
as the American National Standards Institute (ANSI), the International 
Organization for Standardization (ISO), the Institute of Electrical and 
Electronic Engineers (IEEE), the Internet Engineering Task Force 
(IETF), and the International Telecommunication Union (ITU).
    Key contributions NIST has made include:

          Development of the current federal cryptographic and 
        cybersecurity assurance standards that have been adopted by 
        many State governments, national governments, and much of 
        industry;

          Development of the identity credentialing and 
        management standard for federal employees and contractors (also 
        becoming the de facto national standard);

          Development of the standard and conformance test 
        capability for inter-operable multi-vendor fingerprint minutia 
        capture and verification;

          Development and demonstration of quantum key 
        distribution;

          Establishment of a national cyber vulnerability 
        database; and

          Establishment and oversight of an international 
        cryptographic algorithm and module validation program. (This 
        Cryptographic Module Validation Program [CMVP] achieved a 
        significant milestone on August 15, 2008, by issuing the 
        program's 1,000th certificate.)

    Understanding the value of interagency coordination of research as 
well as of standards development, NIST actively contributes to the 
Networking and Information Technology Research and Development (NITRD) 
program and the development of the NITRD five-year strategic plan. 
Within the past year, the NITRD Program has assumed expanded 
responsibilities for coordination of federal cyber research and 
development, and NIST is well represented in, and leverages, these 
activities.
    The Cyberspace Policy Review challenged the federal networks and 
Information Technology (IT) research community to develop a framework 
for research and development strategies that focus on game-changing 
technologies. Over the past year, through the National Cyber Leap Year 
and a wide range of other activities, the government research 
community, including NIST, sought to elicit the best game-changing 
ideas from the broader research and technology community.
    NIST works with other members of the Cyber Security and Information 
Assurance Interagency Working Group in establishing priorities for 
research and development to prevent, resist, detect, respond to, and/or 
recover from actions that compromise or threaten to compromise the 
availability, integrity, or confidentiality of computer- and network-
based systems. These systems provide both the basic infrastructure and 
advanced communications in every sector of the economy, including 
critical infrastructures such as power grids, emergency communications 
systems, financial systems, and air-traffic-control networks. These 
systems also support national defense, national and homeland security, 
and other vital federal missions, and themselves constitute critical 
elements of the IT infrastructure. Broad areas of concern which NIST 
research addresses include Internet and network security; 
confidentiality, availability, and integrity of information and 
computer-based systems; new approaches to achieving hardware and 
software security; testing and assessment of computer-based systems 
security; and reconstitution and recovery of computer-based systems and 
data.
    There are others ways in which NIST's expertise can help to drive 
improvements in the cybersecurity arena. NIST has integral roles in a 
number of Administration initiatives, including Health Information 
Technology, Smart Grid, Broadband, and Web 2.0. NIST can continue to 
work on more effective metrics (security controls effectiveness 
determination), expand education and other outreach, improve product 
assurance processes, expand national and international cybersecurity 
standards participation, and automate security controls. This is in 
addition to our cryptography, technical guidelines, and best practices 
work.
    To address the interdisciplinary nature of security in cyberspace, 
ITL also has programs in the usability of systems such as voting 
machines, health information technology and software interfaces; 
research in mathematical foundations to determine the security of 
information systems; the National Software Reference Library, computer 
forensics tool testing, software assurance metrics, tools, and 
evaluation; approaches to balancing safety, security, reliability, and 
performance in supervisory control and data acquisition and other 
industrial control systems used in manufacturing and other critical 
infrastructure industries; technologies for detection of anomalous 
behavior, quarantines; standards, modeling, and measurement to achieve 
end-to-end security over heterogeneous, multi-domain networks; and 
biometrics evaluation, usability, and standards (fingerprint, face, 
iris, voice/speaker, multi-modal biometrics.) Research activities in 
ITL range from innovations in identity management and verification, to 
metrics for complex systems, to development of practical and secure 
cryptography in a quantum computing environment, to automation of 
discovery and maintenance of system security configurations and status, 
to techniques for specification and automation of access authorization 
in line with many different kinds of access policies.
    We, at NIST and the Department of Commerce, recognize that we have 
an essential role to play in realizing the vision set forth in the 
Cyberspace Policy Review. NIST will continue to conduct the research 
necessary to enable and to provide cybersecurity specifications, 
standards, assurance processes, training, and technical expertise 
needed for securing the U.S. Government and critical infrastructure 
information systems to mitigate the growing threat. NIST will continue 
to closely coordinate with domestic and international private sector 
cybersecurity programs and national security organizations. Finally, 
consistent with the NIST Three-Year Planning Report, NIST plans to 
broaden its focus on cybersecurity challenges associated with health 
IT, the Smart Grid, automation of federal systems security conformance 
and status determination, and cybersecurity leap-ahead research.
    Cybersecurity is a vital, central mission of our laboratory. Given 
the increasing importance and complexity of cybersecurity, NIST has 
undertaken an internal assessment of its operational structure and 
allocation of resources to ensure that ITL programs fully reflect the 
complex interdisciplinary nature of today's threats. For example, NIST 
is considering whether it needs to strengthen the authority and purview 
of the NIST Chief Cybersecurity Advisor. Regardless of whatever 
recommendations emerge from this internal assessment, the technical 
program of work currently performed by the Computer Security Division 
would not change. NIST welcomes, through our Advisory Committee, key 
external stakeholders, and this subcommittee, input on NIST operations 
and structure and looks forward to continued conversations on this 
matter.
    Thank you for the opportunity to testify today on NIST's work in 
the cybersecurity arena. I would be happy to answer any questions you 
may have.

                     Biography for Cita M. Furlani
    Cita M. Furlani is Director of the Information Technology 
Laboratory (ITL). ITL is one of nine research Laboratories within the 
National Institute of Standards and Technology (NIST) with an annual 
budget of $85 million, 335 employees, and about 150 guest researchers 
from industry, universities, and foreign laboratories.
    Furlani oversees a research program designed to promote U.S. 
innovation and industrial competitiveness by advancing measurement 
science, standards, and technology through research and development in 
information technology, mathematics, and statistics. Through its 
efforts, ITL seeks to enhance productivity and public safety, 
facilitate trade, and improve the quality of life.
    Furlani has several leadership responsibilities in addition to 
those at NIST. Currently, she is Co-Chair of the Interagency Working 
Group on Digital Data, Co-Chair of the Subcommittee on QuInformation 
Science, and Co-Chair for Strategic Planning for the Subcommittee on 
Networking and Information Technology Research and Development, all 
under the auspices of the National Science and Technology Council. She 
also serves as Co-Chair of the Technology Infrastructure Subcommittee 
of the Interagency CIO Council.
    Furlani has served as the Chief Information Officer (CIO) for NIST. 
As CIO, Furlani was the principal adviser to the NIST Director on the 
planning, execution, evaluation, and delivery of information technology 
services and support.
    Furlani also served as Director of the National Coordination Office 
for Networking and Information Technology Research and Development. 
This office, reporting to the White House through the Office of Science 
and Technology Policy and the National Science and Technology Council, 
coordinates the planning, budget, and assessment activities for the 12-
agency Networking and Information Technology R&D Program.
    Previously, Furlani was Director of the Information Technology and 
Electronics Office within the Advanced Technology Program (ATP) at 
NIST. Before joining ATP, Furlani served as Chief of the Office of 
Enterprise Integration, ITL, NIST, coordinating Department of Commerce 
activities in the area of enterprise integration. Furlani also served 
as special assistant to the NIST Director in the Director's role as 
Chair of the Committee on Applications and Technology of the 
Administration's Information Infrastructure Task Force. Previously, 
Furlani was on detail as technical staff to the Director of NIST in the 
position of Senior Program Analyst. Prior to August 1992, she managed 
research and development programs within the NIST Manufacturing 
Engineering Laboratory, applying information technology to 
manufacturing since 1981.
    She earned a Master of Science degree in electronics and computer 
engineering from George Mason University and a Bachelor of Arts degree 
in physics and mathematics from Texas Christian University. She was 
awarded two Department of Commerce Bronze Medal Awards in 1985 and 1993 
and the Department of Commerce Silver Medal Award, in 1995.

    Chairman Wu. Thank you very much, Ms. Furlani. Dr. Landau, 
please proceed.

  STATEMENT OF DR. SUSAN LANDAU, DISTINGUISHED ENGINEER, SUN 
                  MICROSYSTEMS, BURLINGTON, MA

    Dr. Landau. Thank you very much, Mr. Chairman, and Members 
of the Committee. I am a distinguished engineer at Sun where I 
concentrate on security and public policy issues. I have done 
this for ten and a half years. I served on ISPAB, Information 
Security and Privacy Advisory Board, that advises NIST and got 
a chance to see firsthand what a terrific job the people at the 
Computer Security Division do, but I had seen that earlier in 
my work in cryptography. They have a very difficult job and a 
very complicated situation. The designing and security 
standards and guidance for federal agencies, those are their 
customers, but the work that they do actually gets used by 
businesses, private sector as well as being used 
internationally. That is when they do things right, and they do 
things right most of the time. I am very impressed.
    But the reason it is a complicated job is because they--in 
order for them to do their work, providing standards for the 
Federal Government for federal civilian agencies, they need not 
only to do just basic research but mostly applied research and 
security guidance, and they are doing that within an agency, 
NIST, that focuses on scientific research. So doing the applied 
work is often a complicated dance for NIST, for the Computer 
Security Division. And I think they do it extremely well. They 
do it extremely well because they listen to their customers and 
they work well with the industry. They are seen as an honest 
broker.
    The 60-Day Review was very clear on the need to work 
internationally. In order to work internationally, it is 
extremely useful to have a scientific agency at your side 
providing guidance. We show up in this country with NIST to do 
that. Sun was part of a group of industry that had concerns 
over the Chinese government trying to impose mandatory security 
requirements on 13 different products. We showed up at the 
table with NIST, not NSA (National Security Agency), not DHS 
(Department of Homeland Security). Having NIST at the table was 
extremely important because the Chinese government saw that as 
an agency that was not interested in snooping, not interested 
in finding out about things from China that it shouldn't, but 
as a scientific agency. And it really helped the decisions that 
happened, and we as industry are quite happy with the results, 
and we really relied upon NIST to do that.
    That was part of what the 60-Day Review said, the 
importance of international agreements, and that calls for an 
elevated role for the Computer Security Division. There are 
other things that the Computer Security Division should be 
doing, and I am delighted to hear, by the way, that the 
reorganization is off the table because I thought that that was 
problematic. But there are other things that the Computer 
Security Division should be doing.
    We need to address privacy standards. In recent months, 
there had been technical work that describes how easy it is to 
take data that looks as if it is anonymized and re-identify it 
with other data outside that particular data set, taking 
information from Netflix that has been anonymized and comparing 
it with data outside the Netflix database and being able to 
figure out who the people are. We need scientific standards, 
technical standards, to talk about how data should be handled 
to protect privacy. In the past, NIST has worked almost 
entirely on computer security standards and not on privacy 
standards, and I think that this role is very important, 
especially as we move forward with health care. We need NIST, 
we need the Computer Security Division to be active in the 
international arena, we also need greater independence for the 
Computer Security Division. It is impossible to separate policy 
from security. I am not asking here for NIST to be setting 
government policy on security. What I am asking is for NIST to 
be providing advice when a computer security issue comes very 
close to a policy issue, whether it is about identity 
verification, identity management, or any one of another 
technical issues. NIST has that expertise and should be using 
it more in government.
    It is also important to keep the branding of the Computer 
Security Division which is well-known both within the 
government now as a result of FISMA (Federal Information 
Security Management Act) and outside the government because of 
all the excellent work that CSD does.
    For all these reasons, I think it is time to elevate the 
Computer Security Division to the level of a laboratory. I 
think that that would help a great deal in international work, 
I think it would be appropriate in terms of the policy effort 
that I think a computer security group should be doing, I think 
it is important for privacy standards.
    Thank you very much, and I would be happy to answer 
questions.
    [The prepared statement of Dr. Landau follows:]
                   Prepared Statement of Susan Landau

Mr. Chairman and Members of the Committee:

    Thank you for the opportunity to testify today on the Computer 
Security Division and its role in developing computer security 
standards and guidance for the Federal Government and the wider 
community. I am a distinguished engineer at Sun Microsystems, where I 
concentrate on security, cryptography, and public policy. I have been 
involved in Sun efforts on cryptography and export control, security 
and privacy of federated identity management systems, developing our 
policy stance in digital rights management, and in analyzing security 
risks of surveillance in communications infrastructures. I am a member 
of the Commission on Cyber Security for the 44th Presidency, 
established by the Center for Strategic and International Studies, and 
I serve on the advisory committee for the National Science Foundation's 
Directorate for Computer and Information Science and Engineering. I am 
also a former member of NIST's Information Security and Privacy 
Advisory Board, where I served six years. I have been a strong 
supporter of the Computer Security Division for many years.

Fulfilling the Cyberspace Policy Review Recommendations

    Over the last decade there have been many discussions and reports 
regarding the ways and means to achieve cybersecurity. The problem is 
partially technical and a great deal policy. The most recent Cyberspace 
Policy Review\1\ raises several new points.
---------------------------------------------------------------------------
    \1\ Cyberspace Policy Review: Assuring a Trusted and Resilient 
Information and Communications Infrastructure, 2009.
---------------------------------------------------------------------------
    One of these is the need to work internationally in order to 
achieve security in cyberspace. With the somewhat boundaryless nature 
of the Internet, this point is abundantly clear, but this direction has 
not been a focus of recent U.S. policy. It should be.
    Working with other nations on securing cyberspace requires policy 
efforts--treaties and international agreements of various sorts--but it 
also requires technical work--standards, for example. NIST is the 
appropriate agency for the latter. I would expect the Computer Security 
Division (CSD) at NIST to work hand-in-hand with the Department of 
State in forging international agreements to secure cyberspace. CSD has 
a proven history of working well with multiple partners inside and 
outside the Federal Government. It has played an excellent role in 
developing standards accepted by the international community. This 
combination of collaboration and insistence on technical and scientific 
integrity means that CSD will be a respected partner in discussions 
with other nations and scientific societies. It is the only U.S. 
Government agency able to play this role on the civilian side. In fact, 
it has already been doing so.
    Two years ago, for example, the Chinese government notified the 
World Trade Organization that it planned to impose new mandatory 
information security certification rules for thirteen product areas. 
The proposed rules might have barred several types of U.S. products 
from China's marketplace. Industry, working with the Department of 
State, the U.S. Trade Representative, and NIST held a series of policy-
level and technical level discussions with the Chinese government and 
impacted the rules finally promulgated this year. CSD's help in this 
was invaluable.
    The Cyberspace Policy Review points out the need for defined 
performance and security objectives. The organization with experience 
to develop these is CSD.
    Indeed, while this was undoubtedly not the intent of the review, 
the document is a ringing call for the skills, activities, and 
interventions of CSD. The report certainly makes the case for an 
expanded role for the division. The review underscores the fact that 
cybersecurity is a problem that will need international cooperation, 
emphasizes the importance of working with private industry, and 
stresses the need for protecting privacy and civil liberties rights 
while securing cyberspace. The U.S. Government agency with a history 
and a reputation for scientific integrity and with an ability to work 
well with civilian groups outside the Federal Government is NIST's 
Computer Security Division.
    In light of such additional responsibilities, it is appropriate to 
ask how should the CSD be structured to achieve these goals. In one 
sense, no change is needed: the organization works. In another, some 
change will be needed because of the additional responsibilities. 
NIST's Information Technology Laboratory is proposing a restructuring 
of the division within ITL. I believe such a change is a mistake and 
will actually hinder CSD's new roles rather than enhance them. I 
believe that instead that the Computer Security Division should become 
its own laboratory, the Computer Security Laboratory. CSL more properly 
suits the U.S.'s cybersecurity needs for the twenty-first century.

What the Computer Security Division Contributes

    I look at the proposal to reorganize the Computer Security Division 
from the perspective of the cryptographic standards DES and AES, and 
the superb job that CSD did in organizing the competition for the 
Advanced Encryption Standard. Not only did the division run the 
competition in an open way that encouraged submissions from around the 
world, the division even asked for comments on the proposed 
requirements and changed those requirements in order to fit public 
needs. This openness resulted in a standard that was accepted 
immediately almost everywhere. This acceptance of AES is a tremendous 
win for security. I note that the situation is in sharp contrast to 
that for 1970's algorithm, DES, about which doubts about secret back 
doors and weak keys persisted for many years; these impeded the 
algorithm's acceptance.
    The fact is that CSD knows how to work with industry and in a 
public environment. That means better security not just for the 
civilian Federal Government, whose computer security standards and 
guidance the division develops, but also for the U.S. private sector 
and the world.

What Needs to be Sustained and What Needs to be Changed

    Developing security standards for federal civilian agencies has 
various components. In addition to basic research, it requires applied 
work and guidance documents. Successful security means knowing what 
customers--in CSD's case, that is the federal civilian agencies--need. 
It also means knowing how to work with industry to develop the 
standards and guidance documents that enable computer security to be 
implemented. This means computer security not just for federal 
agencies, but for much broader constituencies.
    Having CSD within NIST is complicated, because CSD's efforts, 
including the guidance documents, are out of synch with NIST's research 
mission. But nonetheless it is NIST, and not DHS or NSA, that is the 
right home for CSD. In order to be effective CSD must work with 
industry, developing standards that function at both a technical level 
and a policy one. A standard that is too complex to implement, or that 
contradicts customer needs, is a standard that will not be widely 
deployed. For this reason, the correct home for CSD is the Department 
of Commerce, the U.S. department that works with industry and that has 
responsibility for U.S. competitiveness and e-commerce.
    CSD is viewed as vendor neutral and an honest broker. The honesty 
with which CSD does its work and the openness in which it develops its 
standards and guidance, contribute to the work's broad acceptance and 
usage. Over the last dozen years, CSD has done a superb job in 
developing standards and guidance that works, from AES, to SCAP, to the 
new work on hash standards (Because SHA-1 is increasingly vulnerable to 
attack, NIST's decision to pursue a SHA-3 algorithm seems to have been 
prescient). NIST's work on cloud computing has provided reference 
definitions upon which the Cloud Security Alliance relies; NIST has 
definitely provided thought leadership in this important and emerging 
area.
    CSD guidance and standards are ones that make sense in a civilian 
context. The health care industry, for example, which keeps 95 percent 
of U.S. health care records does not want to adopt computer security 
standards developed by the military; it wants standards developed for a 
civilian context. Many CSD standards are used by private industry and 
in countries around the world. Both U.S. industry and computer security 
benefit from this.
    At the same time, there are things that are missing within CSD. 
Although the division is not a policy setting organization, CSD needs 
to be more willing to be involved in policy decisions that verge on 
technical ones. This includes the Personal Identity Verification (PIV) 
standards, where CSD should have pushed back on OMB, and said that 
these standards cannot be implemented effectively within the time 
frame; there will be security costs, there will be privacy costs that a 
slower timetable would alleviate. Other discussions in which CSD should 
be involved on the policy level includes the current Identity, 
Credential, and Access Management (ICAM) effort on identifiers for 
Level of Assurance 1.
    CSD also needs to work more on usability and security, and on 
usability and privacy. Security controls that are too complex to use 
and privacy standards that are unclear help neither security or 
privacy. I understand that CSD has begun active work in this direction.
    Finally--and this is a long-term challenge--CSD could do a better 
job of making its work public. From the state of its web page, in which 
it is challenging to find information (this is a subject about which 
the Information Security and Privacy Advisory Board, and probably 
others, have raised concerns), to its lack of sufficient workshops on 
implementing its standards, CSD does not do sufficient outreach. It is, 
for example, CSD which should be running workshops for small businesses 
on security (and not the FBI). CSD produces high quality, vendor-
neutral security guidance, and this high quality information should be 
much more broadly publicized--and therefore used--than it is.
    If CSD is to develop privacy standards and to do effective 
outreach, CSD will need an increased budget. These are new 
responsibilities and CSD's people are already stretched thin. These are 
difficult budget times and funding is tight, but given the criticality 
of our nation's cybersecurity needs, such increased appropriations are 
both appropriate and necessary. The money spent now will prevent higher 
costs to society as a result of weak cyber protections; it would be 
money well spent.

The Proposed Reorganization

    For reasons that are not entirely clear, the Information Technology 
Laboratory is attempting a reorganization. Some aspects of this seem 
excellent--moving the head of CSD to the secretary's office to work on 
policy-related aspects of computer security is a smart plan--but others 
raise great concern. The argument is being made that there would be 
increased synergy by moving aspects of security, such as identity 
management, into other parts of the organization. I disagree.
    Synergy is best achieved by keeping members of the Computer 
Security Division together. Researchers find commonalities in security 
issues, whether it is protecting VoIP or securing virtual worlds, when 
they work closely together. While spreading security across an IT 
support organization might be useful, the same is not true for an 
organization doing research. The rationale for one split, moving 
identity management to the testing division and separating that group 
from most of computer security, is that identity management is 
intimately tied up with testing. This is correct, but in fact identity 
management is also intimately tied to computer security, and separating 
the two areas weakens the whole. Dividing different groups supporting 
CSD's mission will be detrimental to the work CSD does. Ultimately the 
effect will be to weaken CSD's impact on federal civilian security.
    In addition, having multiple sources for federal civilian computer 
security standards and guidance will cause CSD to lose its identity as 
the ``go-to'' organization for federal civilian security, and the 
division will lose the branding recognition that has already occurred. 
The proposed reorganization, if it should happen, will make it more 
difficult for people to locate the NIST computer security information 
they need (a problem that is already too difficult). This is the wrong 
step at the wrong time.
    I believe that instead we should be looking to create a separate 
Computer Security Laboratory within NIST. There are many arguments for 
such a change.
    The first is that there are new responsibilities the division 
should take on. In the world of massive databases and such privacy-
threatening technologies as social networks, the CSD mission should 
create privacy standards. This includes, for example, how to handle 
data to prevent loss of privacy due to data aggregation, what suitable 
anonymization techniques are, etc. This is a new and important job for 
CSD.
    A second issue is that increasingly we will need to bring to the 
bilateral and multilateral bargaining table a government partner on 
technical cybersecurity issues. This partner must be one that is 
trusted by all sides and this means the division will be part of a U.S. 
team negotiating internationally on issues of cybersecurity. In such 
negotiations, NIST's technical people must be perceived as having the 
right stature. The elevation of the division to a laboratory would be 
very useful to U.S. interests and fits in with the actions proposed by 
the Cyberspace Policy Review.
    A third important reason is that a NIST laboratory-level computer 
security organization would provide the correct level of independence 
for such an organization. The director would be in a better position to 
provide the policy guidance needed in discussions related to computer 
security and privacy. Note that I am not talking about setting 
government policy, but advising on the policy implications of what 
appear to be purely technical decisions, whether in the adoption of a 
PIV card that allows the biometric authenticator to be read without a 
guard present, or in the use of OpenID as a Level of Assurance 1 
identifier.
    In elevating CSD to a laboratory within NIST, CSD's branding is 
retained. This is important to the effective filling of the CSD 
mission.
    As we all know, cybersecurity will only increase in importance with 
time. A separate Computer Security Laboratory will enhance CSD's 
visibility, and ensure that CSD's work is not diluted by other, 
excellent work in ITL (but work that is unrelated to the computer 
security effort). In order to function effectively, CSD needs to be a 
single unit, but with more independence, with strong support from its 
parent agency of NIST, and with the ability to speak with an honest, 
scientific voice. A separate laboratory within NIST is the right way 
for CSD to go at this time.
    Thank you very much for the opportunity to address the Committee. I 
eagerly await any questions you might have.

                       Biography for Susan Landau
    Susan Landau is a Distinguished Engineer at Sun Microsystems 
Laboratories, where she works on security, cryptography, and policy, 
including surveillance and digital-rights management issues. Landau had 
previously been a faculty member at the University of Massachusetts and 
Wesleyan University, where she worked in algebraic algorithms, and she 
held visiting positions at Yale, Cornell, and the Mathematical Sciences 
Research Institute at Berkeley.
    Landau is co-author, with Whitfield Diffie, of ``Privacy on the 
Line: the Politics of Wiretapping and Encryption'' (MIT Press, original 
edition: 1998; updated and expanded edition: 2007), which won 1998 
Donald McGannon Communication Policy Research Award, and the 1999 IEEE-
USA Award for Distinguished Literary Contributions Furthering Public 
Understanding of the Profession.
    Landau participated in the 2006 ITAA study on the security risks of 
applying the Communications Assistance for Law Enforcement Act to Voice 
over IP, and is also primary author of the 1994 Association for 
Computing Machinery report ``Codes, Keys, and Conflicts: Issues in US 
Crypto Policy.'' Prior to her work in policy, Landau did research in 
symbolic computation and algebraic algorithms, discovering several 
polynomial-time algorithms for problems that previously only had 
exponential-time solutions.
    Landau is a member of the Commission on Cyber Security for the 44th 
Presidency, established by the Center for Strategic and International 
Studies, and serves on the advisory committee for the National Science 
Foundation's Directorate for Computer and Information Science and 
Engineering. She is also an Associate Editor for IEEE Security and 
Privacy and a section board member of Communications of the ACM. Landau 
serves on the Executive Council for Association for Computing Machinery 
Committee on Women in Computing, as well as on the Computing Research 
Association Committee on the Status of Women in Computing Research. 
Landau served for six years on the National Institute of Standards and 
Technology's Information Security and Privacy Advisory Board. She has 
been a member of ACM's Advisory Committee on Privacy and Security and 
ACM's Committee on Law and Computing Technology as well as an Associate 
Editor of the Notices of American Mathematical Society.
    Landau is the recipient of the 2008 Women of Vision Social Impact 
Award, a Fellow of the American Association for the Advancement of 
Science, and a Distinguished Engineer of the Association for Computing 
Machinery. More information on her publications and awards can be found 
at http://research.sun.com/people/slandau
    Landau received her Ph.D. from MIT (1983), her MS from Cornell 
(1979), and her BA from Princeton (1976).

    Chairman Wu. Thank you very much, Dr. Landau. Dr. Schneck, 
please proceed.

   STATEMENT OF DR. PHYLLIS SCHNECK, VICE PRESIDENT, THREAT 
                INTELLIGENCE, MCAFEE CORPORATION

    Dr. Schneck. Good afternoon, Chairman Wu, Ranking Member 
Smith, Members of the Subcommittee. My name is Phyllis Schneck. 
I am the Vice President of Threat Intelligence at McAfee. We 
are headquartered in Santa Clara, California. A core of our 
cyberlabs and our cyber research is in Beaverton, Oregon.
    I testify today on behalf of the BSA, the Business Software 
Alliance. Thank you for the opportunity to testify on 
cybersecurity and the role of the ITL. I commend the 
Subcommittee for focusing on these important issues.
    McAfee and BSA believe that innovation and standards are 
among the most important tools we have to improve our 
cybersecurity. Therefore, our primary recommendation regarding 
the role of the ITL in implementing the recommendations of the 
60-Day Review is to contribute to an integrated, U.S. 
Government strategy to influence the development of 
international standards on cybersecurity.
    Please allow me to explain the important links between 
innovation, cybersecurity and international standards. First, 
we believe innovation is key to cybersecurity. Those persons 
intent on doing harm, whether cybercriminals, spies, hostile 
nations, even terrorist groups, find new ways to attack. They 
adopt those new technologies all the time, and we must stay 
ahead of them, and to do that innovation is key.
    Second, we believe that global industry-led voluntary 
standards are critical to innovation. This is because first, 
they facilitate interoperability between systems built by 
different vendors. Second, they facilitate competition between 
those vendors, leading to greater choice, lower cost. Finally, 
they spur the development and the use of innovative and secure 
technologies because they are regularly updated.
    Cybersecurity depends on innovation which in turn depends 
on global industry-led standards. This is why we urge the 
United States to support and uphold these standards by 
developing a comprehensive, international cybersecurity 
standards strategy.
    Currently the U.S. Government's involvement in standards 
development is ad hoc, incomplete and uncoordinated. The 60-Day 
Review recognized this lack of coordination and called for a 
comprehensive strategy that defines what cybersecurity 
standards we need, where they are being developed and what 
agencies will represent the United States for each.
    NIST has expertise in standards and in cybersecurity and is 
internationally respected, so it should play an important role 
in the creation and implementation of such a strategy.
    Conversely there are missteps the government should avoid. 
Most importantly, we should not impose country-specific, 
government-created technology standards for cybersecurity. This 
would set a dangerous precedent that other nations would follow 
to create their own divergent standards. This would be at odds 
with the global nature of the Internet, it would Balkanize the 
global marketplace, and it would inhibit inter-operability. We 
believe our position is fully consistent with President Obama's 
statement when he released the Cyberspace Policy Review on May 
29. President Obama said, ``My Administration will not dictate 
security standards for private companies. On the contrary, we 
will collaborate with industry to find technology solutions 
that ensure our security and promote prosperity.''
    I will now address the proposed reorganization of the ITL 
and CSD. We believe the success of CSD depends first on budget 
and manpower. CSD is already under-resourced and understaffed. 
As we give them new missions in the context of tighter federal 
budgets, they will need sufficient resources. We will also need 
to ensure that NIST funds intended for Congress for 
cybersecurity are not spent on other projects.
    Second, CSD works with a wide range of industry and 
academic partners. The process under way needs to be open and 
transparent so that it can be informed by the views of the 
stakeholders.
    And third, whatever we do, we should avoid diminishing the 
visibility, priority and resources accorded to cybersecurity 
within NIST.
    Finally, I would like to close my testimony with a few 
other recommendations about further activities of CSD. As 
Congress considers how to elevate cybersecurity as a government 
priority, including how to reform FISMA, the Federal 
Information Security Management Act, CSD should produce the 
following. First, government-wide standards and guidelines for 
real-time monitoring, audit and analysis of data about the 
security of federal networks. And second, government-wide 
standards and guidelines developed jointly with industry for 
sharing threat and vulnerability information among federal 
agencies and with the private sector.
    NIST must also continue to invest in cybersecurity research 
and development. BSA has called for the creation of a national 
cybersecurity R&D plan, and we believe that NIST would play an 
important role under such a plan, given its own R&D work and 
its private-sector relationships.
    Thank you, and I look forward to answering any questions.
    [The prepared statement of Dr. Schneck follows:]
                 Prepared Statement of Phyllis Schneck
    Chairman Wu, Ranking Member Smith, Members of the Committee, thank 
you for the opportunity to testify today on the important issue of 
cybersecurity, and the role of the National Institute of Standards and 
Technology (NIST)'s Information Technology Laboratory (ITL).
    My name is Phyllis Schneck, and I am the Vice President of Threat 
Intelligence at McAfee. McAfee is the world's largest dedicated 
security technology company. McAfee is committed to relentlessly 
tackling the world's toughest security challenges. The company delivers 
proactive and proven solutions, services and global threat intelligence 
that help secure systems and networks around the world, allowing users 
to safely connect to the Internet, browse and shop the web more 
securely.
    As Vice President of Threat Intelligence, I am responsible for the 
design and application of McAfee's Internet reputation intelligence, 
strategic thought leadership around technology and policy in 
cybersecurity, and leading McAfee initiatives in critical 
infrastructure protection and cross-sector cybersecurity.
    I testify today on behalf of the Business Software Alliance (BSA), 
of which McAfee is a member. BSA is the foremost organization dedicated 
to promoting a safe and legal digital world. BSA is the voice of the 
world's commercial software industry and its hardware partners before 
governments and in the international marketplace.\1\
---------------------------------------------------------------------------
    \1\ BSA members include Adobe, Apple, Autodesk, Bentley Systems, 
CA, Cadence Design Systems, Cisco Systems, Corel, CyberLink, Dassault 
Systemes SolidWorks Corporation, Dell, Embarcadero, HP, IBM, Intel, 
Intuit, McAfee, Microsoft, Minitab, Quark, Quest Software, Rosetta 
stone, SAP, Siemens, Sybase, Symantec, Synopsys, and The MathWorks.
---------------------------------------------------------------------------
    My testimony will address three questions:

        1.  What could NIST do to address some of the recommendations 
        of the Cyberspace Policy Review?

        2.  What is our assessment of the proposed reorganization of 
        NIST's ITL, and how will it improve the outcomes of ITL 
        activities?

        3.  Given the current emphasis on information assurance and 
        cybersecurity, what recommendations do we have on how ITL might 
        improve its effectiveness or expand the scope of its activities 
        and their impact?

1.  What could NIST do to address some of the recommendations of the 
Cyberspace Policy Review?

    McAfee and BSA welcomed the 60-day review ordered by the President. 
We believe that cybersecurity needs to be elevated as a priority of 
this country. We also welcomed the openness of the review process, 
which allowed a wide range of stakeholders, and in particular owners 
and operators of critical cyber infrastructure, to provide their views 
and recommendations. In the end, while the final report contains many 
recommendations and so will require that industry remain engaged 
throughout their implementation, McAfee and BSA were broadly supportive 
of the Cyberspace Policy Review's conclusions.
    I would like to touch on a few of the recommendations of the 
Cyberspace Policy Review that we believe are of particular importance 
and relevance to NIST.

Firstly, we strongly support the Cyberspace Policy Review's call for an 
integrated U.S. Government strategy to influence the development of 
international standards on cybersecurity.

    Such a strategy would recognize the important links between 
innovation, cybersecurity and international standards.
    We believe innovation is key to greater cybersecurity. Those 
persons intent on doing harm, whether profit-motivated cyber criminals, 
cyber spies, hostile nations or terrorist groups, find new ways to 
attack and adopt new technologies all the time. We must stay a step 
ahead of them. To do this, innovation is key.
    A necessary element of ensuring continued innovation is sound 
standards policy. Global, industry-led, voluntary standards and best 
practices create the environment where multiple innovative solutions 
can flourish by:

          Facilitating inter-operability between systems built 
        by different vendors.

          Facilitating competition between vendors, leading to 
        greater choice and lower cost.

          Spurring the development and use of innovative and 
        secure technologies, because industry-led standards are 
        regularly updated.

    This is why we urge the U.S. Government to support and uphold 
global, industry-led standards and best practices on cybersecurity, by 
doing the following:

          First, the U.S. Government needs to develop a 
        comprehensive international cybersecurity standards strategy. 
        What we have currently is a collection of ad hoc, incomplete 
        and uncoordinated efforts. The White House Cyberspace Policy 
        Review recognized this lack of coordination. NIST should play 
        an important role in the creation and implementation of such a 
        strategy. The strategy needs to answer the following questions:

                1.  What cybersecurity standard development efforts is 
                the U.S. currently involved in?

                2.  What cybersecurity standards do we need?

                3.  Where are they being developed?

                4.  What agencies will represent the U.S. for each of 
                them?

          Second, the government should identify the relevant 
        international industry-led cybersecurity best practices, and 
        recognize and promote their use in federal systems. Government, 
        industry and academia should collaborate to identify 
        international industry-led best practices, and McAfee and BSA 
        would eagerly contribute to such a process.

    But there are also missteps the government should avoid. Most 
importantly, the government should not impose country-specific 
technology standards for cybersecurity, in particular standards 
developed by government agencies, except in narrowly tailored national 
security situations. This would set a precedent that other nations 
would follow to create their own, divergent standards. The end result 
would be at odds with the global nature of the Internet, would 
contribute to breaking up the global marketplace into national markets, 
and would inhibit rather than promote inter-operability.
    Finally, I would add that if NIST were tasked with creating and 
mandating such domestic standards, it would lessen the high regard it 
enjoys not just in the United States, but also internationally, as an 
arbiter of a process grounded in science.
    Therefore, cybersecurity policy-makers should support the global 
nature of the IT marketplace, rather than contribute to breaking it up 
into national markets.
    We believe our position is fully consistent with President Obama's 
statement, when he released the Cyberspace Policy Review on May 29: 
``My administration will not dictate security standards for private 
companies. On the contrary, we will collaborate with industry to find 
technology solutions that ensure our security and promote prosperity.''

Secondly, I would like to say a few words about the Cyberspace Policy 
Review's recommendation to launch a public education and awareness 
campaign.

    Educating the public about threats and about common sense measures 
it can adopt to protect itself, is important. That is why the CEOs of 
BSA raised this issue when they met with Secretary of Homeland security 
Napolitano this year. Many BSA members, including McAfee, have made 
important investments in educating the public about cybersecurity, for 
example by actively supporting and sponsoring the National Cyber 
Security Alliance (NCSA), the preeminent public-private partnership 
between industry, the U.S. Department of Homeland Security (DHS) and 
non-profit institutions, to promote cybersecurity awareness for home 
users, small and medium size businesses, and primary and secondary 
education.
    McAfee and BSA believe a major education and awareness campaign on 
the scale envisaged by the Cyberspace Policy Review should build upon 
the foundation of the NCSA. If NIST were to take a role in education 
and awareness, we recommend that it do so through the national campaign 
that NCSA should coordinate. NCSA should be the focal point, using and 
expanding the relationships and brand it has already built with a 
multitude of local stakeholders--schools and universities, community-
based organizations, local governments, local chambers of commerce, 
home-owners associations, etc.

Thirdly, NIST has a valuable role to play in carrying out the 
Cyberspace Policy Review's call for building a cybersecurity-based 
identity management vision and strategy.

    Identity and authentication are foundational building blocks of a 
modern and fundamentally secure cyberspace. The Administration is 
already working to implement this recommendation of the Cyberspace 
Policy Review, and we expect them to issue a draft document in the 
coming months to the public for comment.
    NIST should play a critical role in crafting and implementing this 
government strategy, on the basis of the important contributions it has 
made to previous federal identity and authentication initiatives, such 
as the implementation of Homeland Security Presidential Directive 12 
(HSPD-12). As identity and authentication can apply not only for 
individuals, but also for devices, NIST's ability to advise and 
influence this strategy will be critical to ensuring its technical 
feasibility and operational success.
    As the Cyberspace Policy Review notes, it is important that the 
government not mandate the use of specific identity management systems, 
but rather ensure that they are available as opt-ins. We also agree 
with the Review that a variety of inter-operable systems should be 
offered, rather than the government picking a single provider or 
technology, which would stifle innovation.

2.  What is our assessment of the proposed reorganization of NIST's 
ITL, and how will it improve the outcomes of ITL activities?

    BSA has not had the opportunity to reach a common position among 
its members on the reorganization of the ITL. However, I would like to 
make the following comments about what is at stake.
    First, we believe two important factors in the future success of 
the Computer Security Division (CSD) of the ITL are budget and 
manpower. CSD is already under-resourced and under-staffed. As we give 
them new missions in a context of tighter federal budgets, sufficiency 
of resources will be a key concern. We will also need to ensure that 
NIST funds intended by Congress for cybersecurity are not spent on 
other projects, and this can be achieved by requiring that ITL 
regularly report to this committee on how it spends funds designated 
for cybersecurity.
    Second, the process that will determine the future course of the 
ITL needs to be open, transparent and based on the input of the wide 
range of stakeholders, in particular from the IT industry and academia, 
who work with CSD.
    And third, the guiding principle should be to avoid diminishing the 
visibility, priority, and resources accorded to cybersecurity within 
NIST.

3.  Given the current emphasis on information assurance and 
cybersecurity, what recommendations do you have on how ITL might 
improve its effectiveness or expand the scope of its activities and 
their impact?

    First, McAfee and BSA want to restate their deep appreciation for 
the outstanding work done by the ITL and CSD over the years.
    I would like to highlight two reasons in particular that have 
contributed to establishing ITL as a widely-respected leader:

        1.  ITL works collaboratively with stakeholders. Its work 
        products are well regarded because they draw upon the best 
        contributions of leading experts in their fields, from industry 
        but also from academia. One of the most salient examples is the 
        AES encryption standard, whose underlying cryptographic 
        algorithm had been developed by Belgian academics and selected 
        through a rigorous competition. The openness of the selection 
        process has greatly contributed to inspiring confidence in AES 
        and thus in its wide adoption outside the Federal Government.

        2.  For the security of federal systems, and with very few 
        exceptions, ITL does not in fact enact mandatory technology 
        standards. Rather, it offers guidance--through its Special 
        Publications 800 (SP 800) series--that are flexible enough to 
        allow each agency to adopt the security posture most 
        appropriate to its risk profile. We need to ensure that federal 
        agencies more consistently implement this guidance.

    As Congress considers how to reform FISMA to place greater emphasis 
on actual security of federal networks and systems, federal agencies 
will need in particular that CSD expand its scope of activities, 
building on its legacy of public-private collaboration and non-
mandatory guidance, to produce the following:

          Government-wide standards and guidelines for real-
        time monitoring, auditing and analysis of data about the 
        security, performance and health of federal networks and 
        systems across the entire Federal Government. This would 
        contribute to providing holistic, end-to-end security of 
        federal networks, rather than focusing on the security of 
        single points of failure.

          Government-wide standards and guidelines for sharing 
        threat and vulnerability information among federal agencies and 
        with the private sector. While we think, as I said before, that 
        NIST should always work collaboratively with stakeholders, 
        given the private sector impact of information sharing, any 
        NIST effort in this area should be undertaken jointly with the 
        private sector, in coordination with DHS.

    Global, industry-led standards must continue to underpin the global 
IT ecosystem. Therefore, these two categories of NIST standards and 
guidelines should draw from global, industry-led standards to the 
greatest extent possible.
    Importantly, in producing such standards and guidelines, NIST 
should spur innovation by always striving to, per the terms of the 
National Institute of Standards and Technology Act, ``ensure that such 
standards and guidelines do not require specific technological 
solutions or products, including any specific hardware or software 
security solutions; ensure that such standards and guidelines provide 
for sufficient flexibility to permit alternative solutions to provide 
equivalent levels of protection for identified information security 
risks; and use flexible, performance-based standards and guidelines 
that, to the greatest extent possible, permit the use of off-the-shelf 
commercially developed information security products.'' \2\
---------------------------------------------------------------------------
    \2\ Section 20 of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3), subsection (c)(5-7).
---------------------------------------------------------------------------
    Finally, NIST must continue to push at the edges of cybersecurity 
research and development. BSA has expressed in the past to this 
committee the importance that we attach to research and development 
(R&D) to improve our nation's cybersecurity, and we have called for a 
national cybersecurity R&D plan. We believe that NIST would play an 
important role under such a plan, given its own R&D work and its 
ability to reach out to the R&D arms of many companies.
    In conclusion, I want to reiterate the importance that we attach 
to:

          Innovation as a major tool to improve our 
        cybersecurity;

          The role that R&D and international, industry-led 
        standards play in spurring innovation and in improving 
        cybersecurity; and

          The development by the U.S. Government of an 
        international cybersecurity standards strategy.

                     Biography for Phyllis Schneck
    For more than a decade, Dr. Phyllis Schneck has held a 
distinguished presence in the security and infrastructure protection 
community. Currently serving as Vice President of Threat Intelligence 
at McAfee, she is responsible for the design and application of 
McAfee's Internet reputation intelligence, strategic thought leadership 
around technology and policy in cybersecurity, and leading McAfee 
initiatives in critical infrastructure protection and cross-sector 
cybersecurity.
    Schneck recently served as a commissioner and a working group co-
chair on the public-private partnership for the CSIS Commission to 
Advise the 44th President on Cyber Security. Schneck also served for 
eight years as Chairman of the National Board of Directors of the FBI's 
InfraGard program and as Founding President of InfraGard Atlanta, 
growing the InfraGard program from 2,000 to over 26,000 members 
nationwide. Named one of Information Security Magazine's Top 25 Women 
Leaders in Information Security, Schneck holds three patents in high-
performance and adaptive information security, and has six research 
publications in the areas of information security, real-time systems, 
telecom and software engineering.
    Before joining McAfee, she served as Vice President of Research 
Integration at Secure Computing. Schneck holds a Ph.D. in Computer 
Science from Georgia Tech where she pioneered the field of information 
security and security-based high-performance computing.

    Chairman Wu. Thank you very much, Dr. Schneck. Mr. Starnes, 
please proceed.

   STATEMENT OF MR. WILLIAM WYATT STARNES, FOUNDER, CEO, AND 
      PRESIDENT, SIGNACERT, INC.; FOUNDER, TRIPWIRE, INC.

    Mr. Starnes. Good afternoon, Mr. Chairman, and respected 
Members of the Committee. I appreciate the opportunity to 
present today before the Committee.
    As you know, my name is Wyatt Starnes. I am the founder of 
a company called Tripwire, Incorporated. Tripwire has been 
heavily used in both government and commercial security 
practice, and I currently serve as the CEO and President of 
SignaCert, also involved in information assurance issues.
    We have been working with both companies very closely with 
commercial and government sectors in the areas of information 
assurance and cybersecurity for better than a decade.
    For purposes of my testimony and for reasons better 
described in my written testimony, we prefer the term ``cyber 
assurance,'' and the reason we tend to think this way is we 
deal both with non-malicious and malicious activity and have 
found empirically that non-malicious activity, unauthorized 
changes and uncontrolled changes can cause up to 90 percent of 
the failures in complex information technology systems. We 
really believe that that view needs to be broader than just 
cybersecurity.
    Relative to NIST and the 60-Day Review, my personal 
experience tells me that NIST is already ahead of the curve in 
most of the key areas discussed in the report. What I would 
observe in general about the report is it lacks substantive, 
out-of-the-box thinking. There are bigger and more important 
things we can be doing than pure black list-based 
cybersecurity, which is the goal of keeping the bad guys out of 
the systems. We must more broadly assure that the systems are 
intact as designed.
    But NIST's contributions relative to all of these issues, 
cyberassurance and cybersecurity, have in fact been formidable. 
So I am going to talk about three of those.
    One and perhaps most importantly is the 800-series body of 
work which is literally volumes of work, and this work has 
contributed significantly to the state-of-the-art for both 
federal and commercial IT software and systems management.
    Secondly, I would like to focus on some extension of that 
work on a practical sense, and that is a multilateral and both 
private and public partnership and teaming that has been in 
place to effect the security, content, automation protocol, or 
SCAP methodology. Ms. Furlani referred to that in generalized 
security cataloging. We as an industry participant see this as 
an extremely important method and protocol, leveraging heavily 
the work of NIST with the 800-series documents as well as 
bringing in the best of some of the intelligence community and 
DOD (Department of Defense) work.
    In my opinion, the SCAP method and the increased emphasis 
on continuous monitoring as opposed to pure accreditation and 
auditing methods represent far and away the most important 
advance federal IT systems management that I have seen.
    I think I can be even briefer on the subject of the 
reorganization of ITL. My personal belief there, having worked 
inside and outside of NIST, that the management team is very 
capable of making decisions like this. I would expect that the 
goal of these changes are to align the expertise with a 
changing mission requirements and budgetary requirements and 
would also believe that this movement to a broader view of 
cyberassurance as opposed to pure computer security is a 
motivation. IT best practices are increasingly a horizontal 
cross-agency issue, and therefore it is logical to consider 
this reorganization.
    Relative to contributions on the 60-Day Review, the main 
missing element that we saw is again the focus on the defensive 
architecture. We actually see moving to a more offensive 
position. The SCAP framework leads us a long way down that 
path. So it is more than just keeping the bad guys out. It is 
making sure that the systems are good and deployed as we 
intended them. So there is a software supply chain issue. There 
is a change management detection issue. A lot of that is being 
encompassed in the work at SCAP, and generally industry refers 
to these methods as whitelisting methods, in complement to the 
black listing methods. Make sure the bad code is kept out, make 
sure the good code is good. The combination of those methods is 
very powerful.
    So in conclusion, I would like to urge NIST to continue 
their great work multilaterally with their peers in government 
and industry to distill the best of the best ideas into the 
NIST standards and methods on a timeline that fully recognizes 
that we are behind and heavily exposed.
    Thank you, and I welcome any questions.
    [The prepared statement of Mr. Starnes follows:]
              Prepared Statement of William Wyatt Starnes
    Good afternoon Mr. Chairman and respected Members of the Committee. 
I appreciate the opportunity to present before this committee today.
    My name is Wyatt Starnes, a Founder of SignaCert, Inc. and 
Tripwire, Inc., and currently the CEO and President of SignaCert. 
Please see my narrative biography for more details on my background and 
experience.
    I should note for the record that I did serve as member of the 
National Institute of Standards and Technology (NIST) Visiting 
Committee on Advanced Technology (VCAT), and while I have some recent 
experience with NIST and the Information Technology Labs (ITL), I am no 
longer serving as a VCAT member.
    As you are aware Mr. Chairman, I have been working closely with 
both the commercial and government sectors in the areas of information 
assurance and cyber security for many years. For the purposes of this 
testimony I will generally reference the Information Assurance and 
Cybersecurity issues as ``Cyber Assurance'' for the following reasons:

         In my opinion labeling our challenge as ``Cybersecurity'' is 
        limiting. Our full goal must be to address ALL issues that 
        relate to improving the security, availability, stability and 
        reliability of the computing devices used to create and deliver 
        complex IT business processes.

         We must address the risks that are hostile in source and 
        nature (malicious), as well as hardware and software design, 
        delivery, and maintenance weaknesses (non-malicious) that are 
        also known to induce risk.

         It is well established that undetected non-malicious changes 
        do increase malicious risk, and also cause IT business service 
        delivery instability and failure.

    It is my belief that we are at a very critical time in our nation's 
history with regards to our Cyber Assurance practices. We must act now, 
and bring increased creativity, technology and innovation to these 
challenges.
    I would like to commend this subcommittee, led by Congressman Wu 
and his staff, for continuing to direct focus to our cyber assurance 
challenges, and the important contributions that NIST has made, and 
continues to make, in support of these critical national cyber 
assurance priorities.

Specific questions posed by the Subcommittee

    The Committee posed three questions for me to address during this 
hearing:

        1.  What could NIST do to address the recommendations in the 
        60-day review?

        2.  What are my thoughts and comments on the Reorganization of 
        ITL?

        3.  Given the current emphasis on Information Assurance and 
        Cybersecurity, what are my recommendations on how ITL might 
        improve its effectiveness or expand its scope/activities and 
        impact?

NIST and the 60-Day Review

    Relative to question one, regarding NIST and the Cyberspace Policy 
Review: Assuring a Trusted and Resilient Information and Communications 
Infrastructure (the 60-day review), my personal experience tells me 
that NIST is already ahead of the curve with its contributions to the 
key issues and priorities presented in the 60-day review document that 
was delivered to the President.
    Before I address these specifically, I would like to briefly 
comment on the role of NIST and its legislated mission and budgeted 
charter.
    As the Committee knows, NIST is a non-regulatory agency founded on 
March 3, 1901, as the National Bureau of Standards and was the Federal 
Government's first physical science research laboratory.
    While it may surprise many citizens, it is no accident that NIST 
was created as an agency within the Department of Commerce where its 
primary mission is to promote U.S. innovation and industrial 
competitiveness by advancing measurement science, standards, and 
technology in ways that enhance economic security and improve our 
quality of life.
    An even simpler way to state this mission is to reduce the friction 
of commerce by advancing measurement science, standards and technology.
    NIST's role against the 60-day review is clearly in relation to 
creating and administering IT measurement standards, technology and 
methods to enable better, and more standardized methods for optimizing 
the efficacy of cyber assurance methods.
    For the purposes of this, my written statement, I would like to 
elaborate on some of the specific work accomplished by NIST. While 
there is much more Information Technology Labs (ITL) work that deserves 
acknowledgment, I will focus these comments on the following areas:

          The 800-series Information Technology Support for 
        Federal Information Security Management Act (FISMA).

          The National Software Reference Library (NSRL) work, 
        and it relationship to the Help America Vote Act (HAVA), and 
        its potential contributions to FISMA and the Security, Content 
        and Automation Protocol (SCAP).

          The multilateral (public and private) effort to 
        establish and enhance the SCAP method.

FISMA and the ``800-Series'' body of work:

    From the NIST special publication 800-53 Revision 2 (The bold text 
was added by this author for emphasis):

         The Information Technology Laboratory (ITL) at the National 
        Institute of Standards and Technology (NIST) promotes the U.S. 
        economy and public welfare by providing technical leadership 
        for the Nation's measurement and standards infrastructure. ITL 
        develops tests, test methods, reference data, proof of concept 
        implementations, and technical analyses to advance the 
        development and productive use of information technology. ITL's 
        responsibilities include the development of management, 
        administrative, technical, and physical standards and 
        guidelines for the cost-effective security and privacy of other 
        than national security-related information in federal 
        information systems. The Special Publication 800-series reports 
        on ITL's research, guidelines, and outreach efforts in 
        information system security, and its collaborative activities 
        with industry, government, and academic organizations.

    With the charter and intent of the work described here (from the 
same publication):

         This document has been developed by the National Institute of 
        Standards and Technology (NIST) to further its statutory 
        responsibilities under the Federal Information Security 
        Management Act (FISMA) of 2002, P.L. 107-347. NIST is 
        responsible for developing standards and guidelines, including 
        minimum requirements, for providing adequate information 
        security for all agency operations and assets, but such 
        standards and guidelines shall not apply to national security 
        systems. This guideline is consistent with the requirements of 
        the Office of Management and Budget (OMB) Circular A-130, 
        Section 8b(3), Securing Agency Information Systems, as analyzed 
        in A-130, Appendix IV: Analysis of Key Sections. Supplemental 
        information is provided in A-130, Appendix III.

         This guideline has been prepared for use by federal agencies. 
        It may also be used by non-governmental organizations on a 
        voluntary basis and is not subject to copyright. (Attribution 
        would be appreciated by NIST.) Nothing in this document should 
        be taken to contradict standards and guidelines made mandatory 
        and binding on federal agencies by the Secretary of Commerce 
        under statutory authority. Nor should these guidelines be 
        interpreted as altering or superseding the existing authorities 
        of the Secretary of Commerce, Director of the OMB, or any other 
        federal official.

Mr. Starnes Observations on the 800-series work:

    While the creators and authors of the 800-series publications have 
been consistently humble relative to their contributions in bringing 
this important work forward, the impact to both government and industry 
has been enormous.
    I congratulate the dedicated teams across NIST for their work and 
I'd like to specifically commend the Director of ITL, Cita Furlani, for 
her steadfast vision and support of the implementation of this work by 
NIST ITL in order to serve these critical national needs.
    Additionally I would like to recognize Ron Ross, Stu Katzke, Arnold 
Johnson, Marianne Swanson, Gary Stoneburner and George Rogers and many 
others for their contributions to this foundational body of work.

Areas for NIST improvement:

    In general, the areas I outline below are already well underway by 
NIST, and I raise them to encourage continued focus only:

          Make the 800-series documents and recommendations 
        easier to read and use by the targeted constituencies. Bigger, 
        in terms of content volume, is not necessarily better. I 
        support the effort to streamline the 800-series documents 
        making them more concise and easier to utilize.

          Continue to drive emphasis with all federal IT 
        practices, including FISMA and the supporting standards and 
        methods, from ``Certification and Accreditation'' (C&A) and 
        periodic compliance to ``Continuous Monitoring.''

Help America Vote Act (HAVA) and the National Software Reference 
                    Library (NSRL):

    From the NIST web site:

         The Help America Vote Act:

         The Help America Vote Act (HAVA) of 2002 (Public Law 107-252) 
        was passed by Congress ``to establish a program to provide 
        funds to States to replace punch card voting systems, to 
        establish the U.S. Election Assistance Commission (EAC) to 
        assist in the administration of federal elections and to 
        otherwise provide assistance with the administration of certain 
        federal election laws and programs, to establish minimum 
        election administration standards for states and units of local 
        government with responsibility for the administration of 
        federal elections, and for other purposes.''

         NIST's roles under HAVA:

         HAVA established the Technical Guidelines Development 
        Committee (TGDC) to assist the EAC with the development of 
        voluntary voting system guidelines. HAVA directs the Director 
        of the National Institute of Standards and Technology (NIST) to 
        chair the TGDC and to provide technical support to the TGDC in 
        the development of these voluntary guidelines.

          In addition HAVA directs NIST to conduct an 
        evaluation of independent non-federal laboratories to carry out 
        the testing of voting systems and to submit recommendations of 
        qualified laboratories to the EAC for accreditation. HAVA also 
        charges NIST with monitoring and reviewing laboratories 
        accredited by the EAC.

National Software Reference Library:

    From the NIST web site:

         This project is supported by the U.S. Department of Justice's 
        National Institute of Justice (NIJ), federal, State, and local 
        law enforcement, and the National Institute of Standards and 
        Technology (NIST) to promote efficient and effective use of 
        computer technology in the investigation of crimes involving 
        computers. Numerous other sponsoring organizations from law 
        enforcement, government, and industry are providing resources 
        to accomplish these goals, in particular the FBI who provided 
        the major impetus for creating the NSRL out of their ACES 
        program.

         The National Software Reference Library (NSRL) is designed to 
        collect software from various sources and incorporate file 
        profiles computed from this software into a Reference Data Set 
        (RDS) of information. The RDS can be used by law enforcement, 
        government, and industry organizations to review files on a 
        computer by matching file profiles in the RDS. This will help 
        alleviate much of the effort involved in determining which 
        files are important as evidence on computers or file systems 
        that have been seized as part of criminal investigations.

         The RDS is a collection of digital signatures of known, 
        traceable software applications. There are application hash 
        values in the hash set which may be considered malicious, i.e., 
        steganography tools and hacking scripts. There are no hash 
        values of illicit data, i.e., child abuse images.

Mr. Starnes' Observations on HAVA and NSRL:

    In my opinion, HAVA comprises some of the most important technical 
work underway by USG to automate and enforce technical and social trust 
that helps enable our democratic process. HAVA can and should serve as 
a lighthouse for other countries to follow for enabling a seamless, 
automated and trusted voting and vote aggregation system.
    I note HAVA in my testimony because the methods and technologies 
specified under the guidance, and the software measurement methods 
developed under the NSRL programs, have tremendous importance and 
utility over and above the HAVA use cases.
    Essentially HAVA and NSRL represent a practical instantiation of a 
``trust-based'' compute model. I believe that trust-based computing 
methods are crucial to achieve better and more transparent, holistic 
Cyber Assurance for both the government and commercial sectors.
    A major tenet of the HAVA/NSRL method is the ``positive system 
attestation'' methods required by the HAVA language. Under HAVA, 
Software used to operate electronic voting apparatus must be 
cryptographically measured and validated to a trusted reference. NSRL 
data is used to create the ``trust reference'' for software 
attestation.
    Generally referred to as software ``Whitelisting'' by industry, 
these capabilities promise to ``close the blind spot'' in our view of 
IT by establishing the capability to ensure the ``as-deployed'' 
software state (and ONLY the as-deployed software state) is currently 
in place on the IT device or system.
    This ``positive trust-based method'' has broad ramifications for 
government and industry. By fully utilizing whitelisting techniques we 
can:

          Reduce the exposure of malicious and hostile software 
        that is ``hiding in plain sight.''

          Establish and prove supply chain validity 
        (provenance) of the software that is deployed on our mission 
        critical IT devices ranging from Servers to Blackberry's. This 
        is increasingly important in the ``outsourced'' and ``open 
        source'' world that we now rely on.

          Increase the transparency and automation of complex 
        IT system management by creating a systematic ``closed-loop'' 
        measure/validate method. This addresses both malicious and non-
        malicious change quickly and efficiently.

          Enabling continuous monitoring of the positive state 
        of the software stack has been shown to dramatically increase 
        IT uptime and stability, while reducing the labor and manpower 
        required for the delivery of that capacity.

Mr. Starnes' Recommendations to NIST on Whitelisting:

          NIST should explore its role with industry (companies 
        and standards groups) relating to whitelist content exchange 
        standards (XML schemas, etc.) in order to ensure that industry 
        and government content and methods are ``interchangeable.'' 
        This not only serves government customers with improved 
        frameworks such as SCAP (discussed below), but it also enables 
        industry to better serve broader government initiatives, such 
        as HAVA and other extended NSRL-like use cases, such as 
        improved cyber forensics.

          NIST should encourage industry (especially platform 
        and software vendors) to support supply chain validation 
        methods, such as whitelisting methods and content, as a 
        standard practice for IT systems management and security. 
        Broader adoption and support of Common Platform Enumeration, or 
        CPE, should also be stressed as a part of the software 
        measurement for operational monitoring and supply chain 
        assurance purposes.

The Security, Content and Automation Protocol effort:

    The SCAP method is described below.
    From the NIST web site:

         ``The Security Content Automation Protocol (SCAP) is a 
        synthesis of inter-operable specifications derived from 
        community ideas. Community participation is a great strength 
        for SCAP, because the security automation community ensures the 
        broadest possible range of use cases is reflected in SCAP 
        functionality. This web site is provided to support continued 
        community involvement. From this site, you will find 
        information about both existing SCAP specifications and 
        emerging specifications relevant to NIST's security automation 
        agenda. You are invited to participate, whether monitoring 
        community dialogue or leading more substantive activities like 
        specification authorship.

         NIST's security automation agenda is broader than the 
        vulnerability management application of modern day SCAP. Many 
        different security activities and disciplines can benefit from 
        standardized expression and reporting. We envision further 
        expansion in compliance, remediation, and network monitoring, 
        and encourage your contribution relative to these and 
        additional disciplines. NIST is also working on this expansion 
        plan, so please communicate with the SCAP Team early and often 
        to ensure proper coordination of efforts.''

Mr. Starnes' Observations on SCAP:

    A major goal with SCAP was to create a normalized ``content'' view, 
specifically around IT vulnerability and configuration intelligence. 
Using several databases, vulnerabilities and configurations can be 
mapped to government IT platforms. This helps serve prescriptive IT 
device provisioning and deployment, operational compliance, continuous 
monitoring and remediation.
    SCAP provides a powerful and extensible set of methods, content and 
embedded IT best practices, enhancing system visibility while improving 
the validation periodicity for complex IT environments.
    SCAP is the culmination of many years of public-private cooperation 
and, within government, one of the best examples of multilateral 
government -to-government cooperation this witness has seen.
    I applaud the efforts of NIST, NSA, DHS, DISA, MITRE and many 
others for bringing this ground-breaking best practices and content 
method to fruition.
    Industry is already working to extend SCAP methods in several ways 
including known-provenance image management, as shown within the blue 
circle below.



Mr. Starnes' Recommendations on SCAP:

    Government IT professionals, including NIST staff and management, 
are demonstrating pervasive IT leadership with the SCAP methods. It is 
my belief that these methods will become ``de facto standard'' not only 
for Civilian Agencies and DOD, but potentially within the commercial 
sector.
    Vendor support and momentum of the Federal SCAP initiative is 
growing rapidly and is already impacting commercial companies on both 
the supplier and end-user side. Most of the major information security 
companies have, or are readying, SCAP-compliant products for use by 
their customers.
    Additionally, ISVs are adding SCAP protocol to their software 
measurement content, such as the Common Platform Enumeration (CPE) 
fields utilized by SCAP.
    My personal opinion is that SCAP represents the most significant 
and impactful IT standard, content delivery and best practice framework 
ever conceived and delivered by the government IT community.
    Again I applaud the NIST team, and broader Federal IT community, 
for their strong leadership role to conceive and deliver SCAP.

General Observations for the Committee:

    We must begin to better focus our IT legislation targeting the 
specific results that we want the constituencies to deliver. I favor 
emphasis on the use more carrots versus bigger sticks. It is important 
to recognize the leadership that led to the creation of important 
methods such as SCAP. We must also reward the political-will of the 
departments and agencies that are voluntarily stepping up to implement 
these important new methods ahead of any regulatory requirement to 
adopt.

Rethinking our budgeting and regulatory processes to drive faster real 
results:

    With FISMA, government has traditionally focused on Certification 
and Accreditation (C&A) and periodic compliance checks for agency IT 
systems and infrastructure. This has resulted in a ``check list'' 
mentality where getting a ``better grade'' becomes the focus. This does 
not necessarily yield a more secure and robust IT environment.
    Additionally, literally millions of dollars and thousands of man 
hours are spent by government every year to fill three-ring binders 
that are immediately out of date and irrelevant when the C&A process 
has been completed. This is driving a false sense of security and is 
wastes tremendous capital and consumes precious manpower without 
significantly improving our real cyber risk.

We MUST move to systematic and continuous monitoring solutions that 
address and adapt to the current realities and dynamic demands of 
today's cyber world.

    Our risk profile now mandates that we move to a more complete 
``sensor'' view (whitelist plus blacklist), along with the active and 
systematic vulnerability and configuration checking enabled by the SCAP 
framework. We must change our C&A and compliance mindset, to one of 
``We are always exposed, so we must continually monitor report and act. 
This is just common sense.
    I urge our legislators in both the House and the Senate to observe 
and support the tremendous technical work being done by government in 
partnership with the commercial sector with the SCAP framework.
    We (industry and government) are already working side-by-side on 
live deployments where broad near real-time continuous monitoring is 
the goal. We believe that these goals are immediately feasible and 
expect they will quickly prove dramatic improvements in our IT 
operational readiness.
    There is significant and immediate leverage to be gained by 
shifting dollars allocated for FISMA-based C&A and compliance projects 
to full-scope continuous monitoring using the SCAP framework. I 
strongly recommend to this committee, and other committees involved in 
oversight and legislation for targeting improved cyber assurance and 
regulation, to consider these suggestions.
    If we do this (with the close cooperation of the legislative 
branches, EOP/OMB and DOD), significant national cyber assurance 
progress can be realized without significant incremental budget impact.
    Realigning IT budgeting and spending to our current challenges, and 
moving from pure C&A to SCAP-enabled Continuous Monitoring, is likely 
budget neutral to positive. Further, it is expected that the immediate 
automation advantage will lower the demand for qualified IT personnel 
and reduce long-term IT operational expense.

Reorganization of ITL

    On this point I can be quite brief. It is curious to me that an 
internal reorganization, conducted by the capable and professional 
management staff of NIST, should draw as much attention as it has. 
While I am not privy to the precise catalysts of, and motivations for, 
the contemplated and/or actual organizational event, it seems like the 
benefit of any doubt should be yielded to the Acting Director and staff 
at NIST.
    That being said, like most organizations--government or otherwise--
I would expect that the intent of the reorganization was to realign the 
human resources with the changing mission requirements. In this case I 
would further expect that NIST has realized that CYBER ASSURANCE 
methods and best practices are increasingly a horizontal-cross agency 
issue, and its core-competencies should not remain in a silo within 
NIST.
    If this is the case, I applaud NIST for adjusting to changing 
needs, and my only advice perhaps would be a bit more advance marketing 
and communication to affected NIST constituencies.

Recommendations on how ITL might improve its effectiveness or expand 
                    its scope/activities and impact in Information 
                    Assurance and Cyber Security

    Having worked with NIST from several perspectives for nearly a 
decade, I have only the deepest appreciation for the dedicated 
scientists and staff at NIST. I often use the story with family and 
friends to explain the reach and impact of NIST in the physical world 
by using the following statement:

    In any room, in nearly any country, in any sector of our commercial 
endeavor--look around that room and I can almost assure you that at 
least SOMETHING in the environment has been touched, driven or impacted 
by work done at NIST.
    Now when I look from my day-job perspective--and take that same 
view from a cyber assurance point of view and ask ``What impact has 
NIST had on the security, reliability, stability, and utility of the 
operational computing infrastructure?'' . . . We still have work to do.
    I encourage NIST, perhaps with even a greater sense of urgency, to 
continue with its core mission of standards and best practices as they 
relate to the broader cyber assurance goals and objective.
    I further encourage NIST and its government partners in these areas 
including NSA, DISA, DHS and others, to embrace more ``out of the box'' 
thinking around the cyber assurance challenges that the Nation is 
facing.

TIME IS OF THE ESSENCE:

    Mr. Richard Marshall, senior information assurance representative 
for the Office of Legislative Affairs at the National Security Agency 
(NSA) said at a public event recently, ``We're polishing stones instead 
of creating stones,'' he said. ``If we don't do something in the near-
term, there won't be a long-term. We are running out of time.'' I 
agree.
    I encourage NIST to consider the following actions:

          Continue to create and advance measurement standards 
        and methods for Cyberspace.

                  We must do this by continuing to improve our 
                NEGATIVE AND DEFENSIVE posture:

                          This is the Risk and Vulnerability 
                        perspective--are we effectively identifying the 
                        ``Bad things and risky things'' in our computer 
                        environment--and improving the common language 
                        to express and communicate these risks.

                          NIST has done some great work in 
                        these areas including the Common Vulnerability 
                        Scoring System (CVSS) and National 
                        Vulnerability Database (NVD).

                          We need to continue to emphasize 
                        these as OPERATIONAL METHODS as opposed to 
                        (only) Certification and Accreditation (C&A) 
                        and compliance methods.

                  We need to supplement these negative detection and 
                enforcement methods with an improved POSITIVE POSTURE: 
                This is where the prescribed ``good state'' perspective 
                is captured and enforced. We need operational methods 
                and standards that measure ``the known and good state'' 
                to assure that our deployed computer environments are 
                intact. We can also address important supply chain 
                provenance issues with these same techniques.

                          NIST has already worked in these 
                        areas but they appear ``less connected'' with 
                        the some of the methods described above. Much 
                        of this work is apparent in the National 
                        Software Reference Library (NSRL) and the Help 
                        America Vote Act (HAVA).

                          Many of the same ``positive 
                        attestation'' and trust attestation controls 
                        required by HAVA can and should be applied to 
                        SCAP-enabled IT operational best practices.

    In my view there are MANY parallels between the ways NIST has 
contributed to this in the physical world for the last 108 years. 
Software, software assemblies and indeed entire software ``stacks'' 
used to enable and enhance our way of life, can and should be measured 
and operationally attested.
    I urge NIST to continue to work multilaterally with their peers in 
government and industry on all the methods I mentioned above, and to 
distill these ``best of the best'' ideas into NIST standards and 
methods on an even a faster cycle than normal.

Summary

    We are a crucial time in our history on multiple fronts. While I 
fully acknowledge that we are a vendor of methods used to improved 
cyber assurance, my primary motivation to ``join the team'' around SCAP 
and other important developments has been citizen-centered.
    We are in a race of dramatic proportions and potential risk, and we 
are behind. Our National and Economic Security are at risk and if we 
can improve this as a team, then we must take action now.
    We must advance the state-of-the-art in Cyber Assurance in order to 
get to the next level of visibility, control and efficiencies. Extended 
SCAP methods, along with Continuous Monitoring, are our best chance of 
getting ahead of our adversaries, and scaling that advantage quickly 
and efficiently across the federal enterprise.
    I respectfully submit that our technical teams have given us the 
tools to significantly raise our odds of closing the large cyber 
assurance gap we now face. It is imperative that our legislative and 
executive branches show the political-will, and the program and 
financial resources to enable us to succeed.
    Thank you and I welcome any questions from the Committee.

                  Biography for William Wyatt Starnes
    William ``Wyatt'' Starnes was born in Atlanta, Georgia in October 
1954. Mr. Starnes had a deep and immediate interest at an early age in 
everything mechanical, electrical and the emerging electronics 
industry. He built his first photocell sensor electronic project for a 
science fair while in still in elementary school. He went on to 
graduate from Ygnacio Valley high school in Concord, California in 1972 
knowing that computers and electronics would become his life's work.
    After graduating, Mr. Starnes was restless and ready to go to 
Silicon Valley to begin his career. He took a highly focused path 
graduating from Control Data Institute of Technology with an Associate 
Art's degree in computer science, and began his professional career 
with Data General (DG) Corporation in Sunnyvale, California in 1973.
    Mr. Starnes' insatiable curiosity about ``how things work'' 
continued in Silicon Valley involving himself in ``everything 
semiconductor'' for the first several years. This work included 
everything from detailed courses in semiconductor physics to software 
design and engineering with many of the early programming languages. 
His early career was centered on semiconductor automated testing and 
measurement. Mr. Starnes not only helped design the first semiconductor 
memory and microprocessor devices for DG, he wrote or co-wrote all of 
the test programs used to verify the functionality of these complex 
chips.
    Data General was the first of many successive entrepreneurial 
experiences for Mr. Starnes. He went on from DG to Monolithic Memories 
and helped to build the first MOS and CMOS processes and devices, 
including the 1k and 4k MOS dynamic RAM's. While still focused on 
programming of Automatic Test Equipment (ATE), he went on to Maruman 
Integrated Circuits, creating one of the first ``Fab-less 
Semiconductor'' resources in Silicon Valley. Maruman produced (and Mr. 
Starnes wrote the test programs for) much of the Atari game devices in 
late 1970's.
    After having made significant technical contributions in the ATE 
industry, in 1978 Mr. Starnes took an early stage management position 
with MegaTest Corporation. Megatest revolutionized ATE by inventing and 
delivering the most cost-effective test and measurement equipment ever 
delivered. This contribution was viewed as critical to Intel 
Corporation, AMD, National Semiconductor and many others, for testing 
complex integrated circuits at a fraction of the cost of previous 
solutions. Interestingly this breakthrough had to do with ``reference 
testing,'' which would become a model for additional breakthroughs in 
software assurance methodologies.
    Mr. Starnes moved to Tokyo Japan in 1981 for two years to found 
MegaTest Japan. This provided much needed international market 
perspective to Mr. Starnes resume, and he continues to be very active 
in the Asian market.
    After a 20-year career in semiconductor manufacturing and testing, 
Mr. Starnes made the shift to software in 1993. Having moved from 
Silicon Valley to Portland, Oregon in 1989--Mr. Starnes began a new 
chapter of his career with Infinite Pictures (now iMove). This company 
did pioneering work in 3-dimensional visualization software and 
hardware. iMove is now one of the leading producers of fixed and mobile 
surveillance devices for industry and government.
    While Mr. Starnes has always maintained his deep technical roots, 
he has continued to expand his management, sales and marketing 
expertise. He has been deeply involved at the senior management level 
of every company he has worked in since 1973. This has allowed him to 
remain both technically adept at the ``street level,'' while 
maintaining senior executive relationships across many enterprise and 
government sectors.
    While at Infinite Pictures Starnes met Gene Kim, with whom he went 
on to found Tripwire, Inc. with in 1997. The Tripwire software was 
developed by Gene Kim under the close guidance of Purdue University 
professor Eugene Spafford (aka Spaf) beginning in 1991.
    While CEO of Tripwire Mr. Starnes grew the company rapidly and was 
awarded Inc. Magazine's 20th Fastest growing company in America award 
in 2002. More importantly, the Tripwire technology and products began 
to alter the state-of-the-art in information security and assurance by 
bringing the notion of integrity management to the market.
    Due to a medical issue (early stage cancer) in the summer of 2003, 
Mr. Starnes left Tripwire to seek a cure with his family and doctors 
support. Quickly recovering after successful treatment, he returned to 
the software assurance and cyber security industry in spring 2004 with 
the formation of SignaCert, Inc.
    It was in this timeframe that Mr. Starnes was invited by the Acting 
Director of NIST to serve on the Visiting Committee on Advanced 
Technology, or VCAT, which he served in that capacity from 2005 to 
2008. Mr. Starnes also presided as the first Chairman of the IT 
Subcommittee under the NIST-VCAT Oversight Committee in 2007 and 2008.
    While at SignaCert, Mr. Starnes and his team have continued to 
drive the ``think differently'' vision in dealing with complex 
information security, compliance and information assurance. The 
fundamental breakthrough, covered now by two U.S. Patents, is that 
software can and should be ``measured.'' This led to the long-term 
development of Global Software Trust Services based on the measurement 
of software that is built by the Independent Software Vendors, or ISVs.
    In a way similar to the ATE methods now commonly used by companies 
such as Intel to test and verify semiconductor devices (as developed by 
MegaTest), SignaCert builds ``reference views'' of software, using 
software measurements, or ``whitelists'' to assure that IT devices 
(servers, workstations, routers, mobile devices, etc.) are in alignment 
to the prescribed reference measurement set, or ``gold image.''
    This information assurance method, is complimentary and additive to 
traditional perimeter-centric, reactive and defensive IT methods (such 
as firewalls, intrusion detection, and anti-virus) by ensuring the 
established, known and presumed trusted, IT state is maintained over 
the deployment and usage life cycle of that IT device.
    Knowing that the ``as-deployed state'' is accurate to a control 
reference has been shown to contribute immediate benefits for all 
market sectors and customers that depend on complex IT to deliver 
critical business and mission services.
    In addition to improving cyber security against both inside and 
outside risk and adversaries, the method has been shown to dramatically 
increase mean-time-between-failure (MTBF) and reduce mean-time-to-
repair (MTTR), which serve to increase IT business process stability 
and availability, while reducing the requirement for trained people to 
manage complex and broadly scaled IT infrastructure.
    Mr. Starnes continues to passionately pursue his primary career 
mission of improving cyber assurance by providing greater efficacy and 
more transparency. Critical to this mission is lowering both costs and 
resource requirements through enabling automation across all critical 
enterprise sectors and geographies.

    Chairman Wu. Professor Schneider, please proceed.

STATEMENT OF DR. FRED B. SCHNEIDER, SAMUEL B. ECKERT PROFESSOR 
            OF COMPUTER SCIENCE, CORNELL UNIVERSITY

    Dr. Schneider. Thank you, Mr. Chairman. NIST's Computer 
Security Division serves today as a trusted source of expert 
information about secure computing. The recent proposal to 
reorganize the division in my opinion threatened its 
effectiveness and thus could have undermined a key national 
resource for civilian cybersecurity. Therefore, my remarks here 
will focus on CSD organization, but I will be prepared to 
answer other questions later.
    What had been proposed involved two elements. The first 
element had the head of CSD reporting higher up in NIST's 
management chain. This would have been good. Higher levels of 
NIST's management increasingly will want to understand and 
champion computer security activities so they can secure needed 
resources and can provide guidance throughout the Federal 
Government.
    The other element of the reorganization involved redefining 
which projects are part of CSD. CSD would no longer be the home 
for all cybersecurity activities within the information 
technology lab. I have not heard a compelling rationale for 
this, and I am not sure one exists.
    First, I fear that having computer security activities 
outside of CSD would erode the CSD brand. This brand is a 
valuable asset. It keeps CSD visible to its customers so they 
know where to come for help, and it enables CSD to attract 
talent because CSD employees are seen to have an impact on 
computer security, both domestically and internationally. 
Second, I am concerned about loss of budget accountability for 
computer security activities. Put all the activities in a 
single division and it will be easy to ascertain that funds 
appropriated to NIST for cybersecurity are used as intended. 
Disburse cybersecurity activities over multiple divisions and 
the funds will be intermixed with funding for other activities.
    Finally and perhaps most important, I see no intellectual 
basis for deciding what computer security activities to place 
outside of CSD and what other activities to place inside of 
CSD. However, I do see difficulties when people who are working 
on closely connected initiatives are not under the same 
management. It removes imperatives for cooperation, for 
rational budgeting, and makes comparisons of people and 
projects difficult. So the proposed reorganization seemed to 
offer few benefits.
    But a slightly different reorganization actually could have 
been a very wise move. Looking ahead, CSD will have to assume a 
larger role because trustworthy computing is so central to the 
future of our nation's critical infrastructures, private sector 
systems, and the Administration's new initiatives in healthcare 
and SmartGrid. Growth will be necessary to meet these needs. 
Although the recent reorganization proposal makes no allowance 
for such growth, there is a plan that does. Elevate CSD to 
become a laboratory in NIST so that it is parallel to the 
information technology lab currently housing CSD. With this 
alternative proposal, the director of the new lab would report 
higher up the NIST management chain, the CSD brand would be 
protected and perhaps even strengthened. Budget control and 
accountability are facilitated by having all and only computer 
security activities under one director, and there would be no 
need to separate various efforts that intellectually are 
closely related.
    In sum, I find that entertaining a reorganization of 
today's CSD is sensible, but the recently proposed 
reorganization lacks a rationale and seems to create problems 
without offsetting benefits. An alternative reorganization that 
elevates CSD to form a new computer security lab at NIST has 
much to recommend it. Thank you.
    [The prepared statement of Dr. Schneider follows:]
                Prepared Statement of Fred B. Schneider
    Mr. Chairman and Members of the Committee, I appreciate this 
opportunity to comment on the role, activities, and proposed 
organizational changes within the Computer Security Division at the 
Information Technology Laboratory of NIST. I am Fred B. Schneider, a 
Computer Science professor at Cornell University and Chief Scientist of 
the NSF-funded TRUST\1\ Science and Technology Center, a collaboration 
involving researchers at U.C.-Berkeley, Carnegie-Mellon University, 
Cornell University, Stanford University, and Vanderbilt University.
---------------------------------------------------------------------------
    \1\ Team for Research in Ubiquitous Secure Technology.
---------------------------------------------------------------------------
    I have been a Computer Science faculty member since 1978, actively 
involved in research, education, and in various advisory capacities for 
both the private and public sectors. Besides my work at Cornell, I 
today serve as member of the Computing Research Association's Board of 
Directors and as a council member of the Computing Community 
Consortium. I also co-chair Microsoft's TCAAB external advisory board 
on trustworthy computing. And perhaps most relevant to today's hearing, 
I have served since Sept. 2006 on the Information Security and Privacy 
Advisory Board (ISPAB), a Congressionally mandated FACA board that 
advises NIST, the Congress, and OMB about cybersecurity in Federal and 
civilian computer systems. The comments that follow are my own 
opinions, however.
    Our nation's needs for secure systems will surely grow over the 
next decade. The networked computing systems employed today to operate 
critical infrastructures (e.g., energy distribution, banking, finance, 
transportation, and communication) are vulnerable to attack. Systems 
running our civilian government offices and private sector business are 
also vulnerable. And we, as a nation, are now discussing a ``smart 
grid'' for energy distribution and a new health care system that will 
depend critically on computing systems that must be trustworthy. 
Activities performed by Computer Security Division (CSD) are critical 
to the success of all.
    CSD plays a special and important role for the Federal Government 
and the private sector, by serving as a respected source of objective 
information about ways to build and operate secure computing systems. 
This role is possible only because

          CSD is able to attract top talent,

          CSD is situated within an institution-NIST-where 
        research is valued and is being conducted (even though only 
        some CSD activities are, in fact, research), and

          CSD can be trusted as an advocate of security, by 
        virtue of not being part of a law enforcement or national 
        security organization, since there is then no basis for concern 
        about CSD developing standards with a hidden purpose of 
        collecting information.

Question: The Cyber Space Policy Review makes a number of 
recommendations to improve federal efforts for cybersecurity. Examples 
of these recommendations include the establishment of a single federal 
entity to act as a locus for U.S. involvement in international 
standards, increased public education and awareness, and a larger focus 
on identity management. What could NIST do to address these and other 
recommendations from the Cyber Space Policy Review?

    NIST--and within NIST, CSD--indeed serves as a locus for U.S. 
involvement in international standards, increased public education and 
awareness related to cybersecurity, and a larger focus on identity 
management. Despite a modest budget, CSD has succeeded admirably in 
these tasks; I urge that it be supported to continue and expand these 
activities.
    There is also much other work to be done in support of civilian 
system cybersecurity, especially with the crying need to revise FISMA 
and with the Administration's initiatives to create the expertise and 
standards for smart grid and health care. NIST is the right place to do 
this work and should aggressively embrace these challenges by 
increasing the size and funding for CSD.
    Moreover, as noted above, CSD is ideally situated to provide 
cybersecurity information that its customers can trust. Other federal 
agencies (e.g., DHS, NSA, FBS, CIA, DOD) also have important roles to 
play in the cybersecurity landscape, but each has a mission that can 
only engender suspicion by a private sector wary of government 
surveillance. So these other federal agencies could neither replace nor 
host CSD activities.

Question: NIST is proposing a reorganization of ITL. What is your 
assessment of this reorganization and how will it improve the outcomes 
of ITL activities?

    Plans for the reorganization of NIST's Information Technology 
Laboratory (ITL) and CSD first came to my attention about four months 
ago, in July. All of the details have still not been made public, but 
there was a public discussion of some aspects of a proposed CSD 
reorganization about two weeks ago (at the Oct. 7, 2009 ISPAB meeting).
    The key parts of the reorganization described to me have two 
elements:

          The Office of the Associate Director for 
        Cybersecurity Research and Development reports higher-up in the 
        ITL management structure.

          The set of projects under CSD is changed slightly, 
        with a few projects whose names suggest they concern 
        cybersecurity being moved outside of CSD while other projects 
        whose names suggest they have a significant content that does 
        not concern cybersecurity being moved into a new CSD with a new 
        name.

    Note, the two elements are largely independent.
    The first element, having CSD report-in higher-up the management 
chain, seems wise and even prescient, given the growing need for 
services that CSD now provides or will need to be providing in the near 
future. Higher-levels of NIST's management will have to understand and 
champion the activities of CSD, to ensure sufficient resources are 
available to support cybersecurity efforts and to provide guidance to 
other federal and civilian decision-makers in a world where 
cybersecurity matters are growing pervasive. Notice, also, that this 
first element of the proposed reorganization directly impacts a small 
number of people but offers enormous leverage.
    The second element of the proposed reorganization affects a much 
larger number of people--all those involved in CSD projects plus some 
others within ITL. Any reorganization that potentially affects many 
people tends to be disruptive (and this one already seems to have had a 
significant impact on the esprit de corps within CSD), so such change 
is best contemplated and undertaken only when there are significant 
gains to be had. In evaluating any proposed reorganization of CSD, I 
think that we should want to know:

          To what extent does the proposed reorganization 
        leverage investments and personnel? For example, what is the 
        overhead for management and for communication within the 
        proposed reorganization, as compared with the current 
        organization?

          To what extent does the proposed reorganization 
        facilitate or impede inefficiencies, collaborations, synergies, 
        and informed trade-offs by virtue of shared management. For 
        example, how would changing which projects share mangers 
        benefit or harm each effort as it competes for budget, other 
        resources, ratings, promotions, etc.

          Does the proposed reorganization change the 
        visibility of CSD activities to NIST management (which must 
        make budget trade-offs and advocate for CSD outside of NIST) or 
        to CSD customers (Federal Government civilian agencies and the 
        private sector).

          Does the proposed reorganization facilitate better 
        accountability for budget appropriations intended to enhance 
        activities in computer security?

          Does the proposed reorganization better position NIST 
        to support expected future needs (such as changes to FISMA to 
        require continuous monitoring of systems and improved security 
        metrics, the Administration's new smart grid and health care 
        initiatives, and our nation's ever-increasing dependence on 
        networked systems both within the government and private 
        sectors)?

    Yet I am aware of no analysis that answers the above questions. I 
myself am not familiar enough with the details of ITL and CSD to 
attempt such an analysis. But I can offer some general guidelines for 
designing a good CSD organizational structure.
    The CSD brand is a valuable asset. It serves as a clear and obvious 
point of engagement for customers. That both (i) increases the 
efficiency of interactions between CSD and customers and (ii) increases 
the chances that those in need will know to seek CSD expertise and to 
embrace CSD standards and other guidance.
    The CSD brand also means that

        (1)  CSD accomplishments,

        (2)  the unique role and impact CSD has on the computer 
        security landscape internationally (through encryption 
        standards) as well as domestically (through other standards and 
        guidance, too), and

        (3)  the problems CSD addresses

together make CSD an exciting place to work. This, in turn, has enabled 
CSD to recruit an outstanding staff, despite the scarcity of computer 
security experts and despite competition for their services (with 
considerably better compensation) from the private sector. A CSD 
reorganization that erodes the CSD brand by eliminating the name or by 
diffusing the organization's efforts into a larger pool of computer 
science activities should therefore not be undertaken lightly.
    In addition, mixing computer security activities and other computer 
science efforts complicates accountability of computer security budget 
appropriations. Creating decreased management visibility into how 
budget is divided seems unwise, as we enter an era where Congress will 
doubtless be providing increased budgets to NIST in order to serve the 
ever growing computer security needs of our nation.
    Finally, I see no benefits from dividing cybersecurity activities, 
locating some in an organization that is mostly populated by 
cybersecurity experts but others in an organization that is not.

          I can see no intellectual basis that could be used to 
        decide today on such a partitioning of cybersecurity projects, 
        much less to decide on a partitioning that is likely to remain 
        sensible for a future where our understanding of cybersecurity 
        will almost certainly have evolved. To give an extreme case, 
        there once was a time when it made sense for those studying 
        privacy and other policy matters to be organizationally 
        separated from technologists. That separation is no longer 
        sensible, however--technologies are typically useless when 
        developed by people ignorant of policy, and policy developed by 
        people who don't understand technology is often damaging to 
        innovation and growth. So CSD ought to include both, yet the 
        proposed new reorganization seems to be considerably narrower 
        and includes only a subset of the technologists.

          There is also a matter of styles. Some members of CSD 
        engage in research, and some engage in activities that have a 
        very different character-writing standards, compiling best 
        practices, etc. The rest of ITL is primarily concerned with 
        research. If all computer security activities were located in 
        CSD, then this difference would be accommodated by the 
        organizational structure. In contrast, diffusing the one kind 
        of activity within the other will likely lead to an 
        organization that is difficult to manage and has various 
        different classes of citizens.

    From my analysis and the guidelines I proposed above, I conclude 
that NIST management would be wiser to be contemplating a new 
laboratory--CSL (instead of CSD)--in parallel to ITL, instead of making 
changes to the organization of ITL. Choosing which specific projects to 
place in CSD, as advocated by the second element of the proposed 
reorganization, simply offers no leverage but has the potential to 
create problems. A new CSL structure, however, would satisfy all of the 
requirements I noted above: (i) the director would report higher-up in 
the NIST management chain, (ii) CSD function would be even more visible 
and have a stronger identity, (iii) budget control and accountability 
is facilitated, and (iv) there is no need to separate projects that are 
closely related.

Question: Given the current emphasis on information assurance and 
cybersecurity, what recommendations do you have on how ITL might 
improve its effectiveness or expand the scope of its activities and 
their impact?

    Looking to the future, the functions performed today within CSD 
will play a bigger and bigger role in how the Federal Government and 
the private sector protect their computer systems. Smart grid and 
computerized support for health care, for example, raise new computer 
security questions. The current discussion about ``accountability of 
action'' for enforcing security on our networks raises numerous issues 
involving both technology (e.g., how to attribute packets in transit) 
and policy (e.g., how to manage trade-offs with privacy)--topics that 
fall squarely in the expertise of CSD. And no matter what happens with 
a U.S. universal identity card, questions about federated identity 
still need to be sorted out as various public sector and private sector 
organizations create identity management systems on the Internet.
    In short, the need is there today for a CSD that is much larger 
than its current size; and the needed work cannot be done in the 
private sector, because of inherent conflicts of interest and 
commitment. I conclude that CSD will have to grow in size significantly 
over the next five to ten years.
    But CSD growth raises another issue about the recently proposed 
efforts to reorganize ITL and CSD. The proposed reorganization does not 
group all cybersecurity efforts together in a single CSD presumably 
because that division would be too large. So yet another reorganization 
would be required to accommodate significant growth in CSD activities. 
If, instead, a CSL is created today, then we would be putting in place 
an organization that not only satisfies its requirements for today but 
would continue to meet its requirements for a long time to come. And 
that strikes me as by far the more sensible course.

                    Biography for Fred B. Schneider
    Fred B. Schneider is Samuel B. Eckert Professor of Computer Science 
at Cornell University. He joined the Cornell faculty in Fall 1978, 
having completing a Ph.D. at Stony Brook University, preceded by a B.S. 
in Engineering from Cornell in 1975. Schneider currently also serves as 
the Chief Scientist for the NSF-funded TRUST Science and Technology 
Center, which brings together researchers at U.C.-Berkeley, Carnegie-
Mellon University, Cornell University, Stanford University, and 
Vanderbilt University.
    Schneider's research has focused on various aspects of trustworthy 
systems--systems that perform as expected, despite failures and 
attacks. His early work concerned formal methods to aid in the design 
and implementation of concurrent and distributed systems that satisfy 
their specifications; he is author of two texts on that subject: On 
Concurrent Programming and A Logical Approach to Discrete Mathematics 
(co-authored with D. Gries). He is also known for his research in 
theory and algorithms for building fault-tolerant distributed systems. 
For example, his paper on the ``state machine approach'' for managing 
replication received an SOSP ``Hall of Fame'' award for seminal 
research. More recently, his interests have turned to system security. 
His work characterizing what policies can be enforced with various 
classes of defenses is widely cited, and it is seen as advancing the 
nascent science base for security. He is also engaged in research 
concerning legal and economic measures for improving system 
trustworthiness.
    Schneider was elected Fellow of the American Association for the 
Advancement of Science in 1992, the Association of Computing Machinery 
in 1995, and the Institute of Electrical and Electronics Engineers in 
2008. He was named Professor-at-Large at the University of Tromso 
(Norway) in 1996, and was awarded a Doctor of Science honoris causa by 
the University of NewCastle-upon-Tyne in 2003 for his work in computer 
dependability and security.
    Schneider has served since Sept. 2006 as a member of the 
Information Security and Privacy Advisory Board (ISPAB), which advises 
NIST, the Secretary of Commerce, and the Director of OMB on information 
security and privacy issues pertaining to Federal Government 
Information Systems. He chaired the National Academies CSTB study on 
information systems trustworthiness that produced the 1999 volume Trust 
in Cyberspace. He also served as a member of CSTB from 2002-2008 and 
served from 2004-2007 on the CSTB study committee for improving 
cybersecurity research. Schneider was a member of the NSF CISE advisory 
committee 2002-2006. And in Fall 2001, he chaired the United Kingdom's 
pentennial external review of research funding for academic Computer 
Science.
    In 2007, Schneider was elected to the Board of Directors of the 
Computing Research Association (CRA) and appointed to the steering 
committee of CRA's Computing Community Consortium. CRA is an 
association of more than 200 North American academic departments of 
computer science, computer engineering, and related fields; part of 
it's mission is to strength research and advanced education in the 
computing fields and to improve public and policy-maker understanding 
of the importance of computing and computing research in our society.
    Schneider is a frequent consultant to industry, believing this to 
be an efficient means of implementing technology transfer as well as 
learning about the real problems. He is Co-Chair of Microsoft's 
Trustworthy Computing Academic Advisory Board, which comprises outside 
technology and policy experts who meet periodically to advise Microsoft 
about products and strategy. He also provides technical expertise in 
fault-tolerance and computer security to a variety of firms, including: 
BAE Systems, Fortify Software, Lockheed Martin, and Microsoft.

    Chairman Wu. Thank you very much, Dr. Schneider. And Mr. 
Bohannon, please proceed.

STATEMENT OF MR. MARK BOHANNON, GENERAL COUNSEL AND SENIOR VICE 
 PRESIDENT FOR PUBLIC POLICY, SOFTWARE & INFORMATION INDUSTRY 
                       ASSOCIATION (SIIA)

    Mr. Bohannon. Thank you, Mr. Chairman, Ranking Member 
Smith, Congresswoman Edwards. It is a pleasure to be here today 
on behalf of the more than 500 members of SIIA, the principal 
association of software companies, to discuss with you NIST's 
cybersecurity activities in the context of the 60-Day Review.
    As has already been indicated by the panel, that review was 
quite comprehensive in its outlook. Even by its own statement, 
it touched virtually everyone and everything we do in our 
society, and I think I certainly share with my colleagues the 
anticipation that the cyber coordinator will be announced soon.
    But I think you can boil down the thrust of that review 
into three things. First, that we have got to take action to 
enhance the security of our Federal Government systems; second, 
that we need to continue to enhance the public/private 
partnership to make sure our infrastructure is secure; and 
third, that we need to partner effectively with the 
international community since this is a global problem, not 
just a U.S. problem.
    And in our view, the challenges, these three challenges, 
mean that NIST and thereby the Secretary and Department of 
Commerce have an absolutely essential and critical mission and 
contribution to make to seeing where the 60-Day Review goes.
    To be more precise--and I welcome Ms. Furlani's update on 
what is going on with the ITL. I have known her for many years 
and look forward to working with her on where this could 
possibly go once they have stepped back from this program. The 
reality is that this change in NIST review comes at a very 
critical time about the direction I think we are going to take 
with the cybersecurity review, and one of the key questions is 
whether its implementation is going to be informed 
predominantly by the military intelligence framework on 
cybersecurity or whether it is going to be able to adapt across 
a wide-variety of sectors and parts of our economy.
    Our view, based on the experience so far, is that you have 
got to have that blend of perspectives for it to work, and if 
it is going to be effective, it means that NIST must be 
enhanced and reinvigorated in its role, and thereby the 
Department and the Secretary must play a leadership role in 
where the 60-Day Review is going to be carried out.
    So therefore, we think rather than looking at what are the 
merits or non-merits of the ITL reorganization, this is a great 
time to look at really where the future of NIST and its 
cybersecurity activities need to go.
    Mr. Chairman, in our testimony we make a number of 
recommendations and ask some key questions which I assume have 
been submitted for the record. Let me try to summarize those 
here.
    First, we urge the Committee as it has done for decades to 
make sure that NIST does not become a regulator of private-
sector actions. You all have been very consistent in making 
sure that NIST remains a first-class laboratory, not a fifth-
class regulator. NIST does best and carries out its mission 
when it collaborates with the private sector, not try to impose 
government-defined standards or technologies on the private 
sector, and my testimony goes through some examples where they 
have come very close to that line without a great deal of 
success, and in my view some negative consequences.
    The second thing we would urge, and is consistent with some 
of the other panelists, is that we would urge serious 
consideration to making the Computer Security Division a stand-
alone laboratory. We have heard three key challenges facing the 
Computer Security Division. One is funding, one is staffing and 
recruiting and retaining good staff, and the third is enhancing 
and reinvigorating the global brand. We think that currently 
the CSD, being one of six divisions inside of ITL, and ITL 
being one of ten laboratories inside of NIST, is not really the 
right framework in which that can occur. And so again, we know 
that there are issues involved in doing any reorganization, but 
we think that there needs to be serious consideration given to 
this. Creating a cyber information security, information 
assurance lab, I don't want to get hung up on the name. We 
think it would send a very important signal to the private 
sector and to the world that the United States Government is 
taking its role very seriously in this regard.
    The third recommendation we would make is that NIST needs 
to make sure that its primary customers, agencies of the 
Federal Government, are the focus of its efforts, and the 
committee is well-aware of its responsibilities in that regard.
    The fourth recommendation we would make is that NIST needs 
to continue to work with the private sector and the political 
leadership of the Commerce and USTR (United States Trade 
Representatives) among others as we work to roll back some of 
the ridiculously stringent regimes that we are seeing from 
other governments which are trying to impose indigenous or 
unique standards in this area.
    I was not able to appear in the June hearing, Mr. Chairman, 
because I was in China personally working to try to roll those 
back, and while we certainly depended on the leadership of 
Ambassador Kirk and Secretary Locke in getting that done, NIST 
was an absolutely essential partner because of its perceived 
global reputation as an independent assessor, independent 
evaluator, credible place where we could talk about legitimate 
ways of approaching these issues globally. That is going to 
become more important as we see countries like India and Russia 
also beginning to take on those efforts.
    So with that, Mr. Chairman, I just want to say that we 
think that NIST and the Department of Commerce have an 
absolutely essential role. We are very pleased to see that 
Secretary Locke in particular has brought some terrific people 
in who are really beginning to focus on these issues. We 
commend those steps. We commend this hearing, and we look 
forward to working with you and the executive branch to carry 
out these goals. Thank you.
    [The prepared statement of Mr. Bohannon follows:]
                  Prepared Statement of Mark Bohannon
    Chairman Wu, Ranking Member Smith, Members of the Committee, on 
behalf of the more than 500 members of the Software & Information 
Industry Association (SIIA), the principal association of the software 
and digital content industry, we appreciate the opportunity to discuss 
the current cyber and information security activities of the National 
Institute of Standards and Technology (NIST) and how they fit into the 
action plan of the Cyber Space Policy Review (60-Day Review). As the 
Committee is aware, I also served as an official at the Department of 
Commerce during the 1990's working with NIST on computer security 
issues.
    The 60-Day Cyber Space Review was an extraordinarily comprehensive 
document, recognizing that ``cyberspace touches practically everything 
and everyone.'' \1\ We are not alone in awaiting the appointment of a 
White House coordinator to undertake the many and varied `next steps' 
that the Review identified.
---------------------------------------------------------------------------
    \1\ Preface, Cyberspace Policy Review, p. i.
---------------------------------------------------------------------------
    Among the central thrusts of the Review is that action must be 
taken, first, to enhance the security of the Federal Government's 
systems; second, to continue and enhance the public private-partnership 
that is essential to securing our nation's infrastructure; and, third, 
to partner effectively with the international community.
    In each of these vital challenges, NIST--and thereby the Secretary 
and Department of Commerce--has an essential and critical mission and 
contribution to make.
    We read news reports of a possible reorganization of NIST's 
computer security areas of competence. I must emphasize that I am 
relying entirely on published reports on this matter. However, we are 
concerned about these reports regarding the future of NIST's Computer 
Security Division (CSD).
    If this proposed reorganization would separate--some would say 
bifurcate, some would say disperse--the activities of NIST's basic 
research functions from those of its applied-external activities (which 
include its evaluation processes and engagement internationally), this 
would be in our view a serious detriment to the ability of NIST and the 
Department to step up to the plate if and when the Cyberspace Review is 
undertaken systematically.
    This potential change in NIST computer security functions is taking 
place as the 60-day Review--and the direction it will take--remains a 
work in progress. One key question is whether its implementation will 
be informed predominantly by a defense-intelligence framework and the 
related assumptions about cybersecurity. If the follow-on to the 60-day 
Review is going to be meaningful across a variety of commercial sectors 
and viable economically, there must be strong leadership from the 
Department of Commerce--and that cannot occur without an effective and 
enhanced role of NIST.
    It is also occurring as we face mounting global challenges, which 
include efforts by other governments to undertake stringent 
cybersecurity regimes outside of global norms. There are also important 
efforts underway to focus on the next generation of international 
frameworks for assuring cross-border analyses of vulnerabilities and 
bases for product evaluation.
    Therefore, it is an opportune time to look at how to make sure 
NIST--and the Department--are prepared and ready to engage the 
interagency process, the public and our international partners with a 
view to the future.
    In Appendix A, we outline a number of questions that we believe are 
timely and essential to NIST's role in cyber and information security, 
and very relevant to the 60-day Review objectives. Let me summarize 
them here.

    First, we urge the Committee, as it has consistently done by 
decades, not to make NIST a ``regulator'' of private sector actions. 
NIST has effectuated its mission best through long-standing 
collaboration with the private sector. This collaboration, which is not 
replicated to the same degree by any other agency of the Federal 
Government, has benefited not only government agencies (which are the 
first line customers of NIST's work), but also our nation's 
infrastructure, innovation environment and competitive strength.
    When NIST has ventured away from this mission and collaborative 
approach, the result has been injurious. For example, in undertaking 
Federal Information Processing Standards for federal agencies, NIST has 
recognized (including making mandatory) controversial cryptographic 
implementations like Clipper Chip and Skipjack (which are still 
identified for government use). The controversies around these 
approaches are enormous.\2\ NIST is not equipped to become a regulatory 
body which proscribes specific standards for the private sector, nor 
would it be desirable to make it such, as it would inherently distract 
from its core competencies and mission. Instead, it is critical to look 
ahead to the next generation of challenges, which require NIST to 
remain the globally recognized forum for reaching consensus on key 
issues (as it did with the highly successful competition to identify 
the Advanced Encryption Standard), and reinvigorating its recognition 
as a world-class laboratory.
---------------------------------------------------------------------------
    \2\ See ``The Clipper Chip'' (http://www.epic.org/crypto/clipper).

    Second, we would strongly urge consideration to making the Computer 
Security Division a separate lab within NIST should be a priority. The 
CSD is one of currently six Divisions within the Information Technology 
Laboratory (ITL), which is itself one of 10 laboratories within the 
NIST organization. This action--creation of a stand alone Cyber and 
Information Security Lab--would send an important signal, both to 
Government agencies and to the private sector, and enhance the NIST 
`brand' in this important area. As a Division within one of 10 
competing Labs at NIST, the Division is, for example, handicapped in 
its recruiting and retention of quality employees. For example, the 
Division Chiefs are not Senior Executive Service (SES) position.
    To state the obvious, this recommendation is in direct contrast to 
any suggestion of dispersing or bifurcating the computer security 
functions of NIST, which would present serious risks to the funding and 
global branding of NIST in cybersecurity work. It would also compound 
the problems that NIST has been facing in recent years.
    On the one hand, NIST--specifically the Computer Security 
Division--has been handed in recent years a number of legislative 
mandates, including some that have not been funded.\3\ This compounds 
the on-going funding paradigm of the Division (which is shared by other 
NIST Labs) that requires it, except in rare years, to get up to 40 
percent of its funding from other agencies (or engage in cost-
reimbursement work through CRADAs), since appropriation funds may 
account for as little as half of the year's program.
---------------------------------------------------------------------------
    \3\ See, e.g., Cybersecurity R&D Act (2002).
---------------------------------------------------------------------------
    On the other, the work of the Division on broad-based research, 
including those initiatives that benefit both the public and private 
sectors, is increasingly under pressure due to the demands of other 
agencies, including the Office of Management and Budget (OMB), for 
assistance to other Federal agencies in computer security. These 
demands are compounded by the growing mandatory imposition of NIST 
work--whether in the form of FIPS or guidance--on government agencies 
(a consequence of OMB implementing the requirements of FISMA, and no 
longer allowing ``waivers'').
    These conflicting pressures--as well as the challenge of keeping 
quality staff--have impacted a number of key areas of work that NIST 
collaborates on with the private sector, particular improvements in 
conformity assessment.

    Third, make sure that NIST's primary customers--agencies of the 
Federal Government--are the focus of its efforts through effective 
implementation of NIST's mandated responsibilities which include:

          Raising awareness of IT risks, vulnerabilities and 
        protection requirements, particularly for new and emerging 
        technologies;

          Researching, studying, and advising agencies of IT 
        vulnerabilities and devising techniques for the cost-effective 
        security and privacy of sensitive federal systems;

          Developing standards, metrics, tests and validation 
        programs:

                  to promote, measure, and validate security in 
                systems and services

                  to educate consumers and

                  to establish minimum security requirements for 
                federal systems

          Developing guidance to increase secure IT planning, 
        implementation, management and operation.

    Fourth, work with the private sector and the leadership of the 
Department of Commerce and other agencies of the Federal Government in 
taking on the global challenge of other governments' stringent 
cybersecurity regimes. We were very pleased to see the recognition in 
the 60-day Review that it will be essential to partner effectively with 
the international community. We are seeing efforts in several 
countries--China, Russia, India, just to name a few--to impose 
stringent, potentially trade-restrictive frameworks that require 
mandatory evaluation of U.S. IT products against locally developed, 
indigenous information security standards. This is not only bad 
security practice; it is potentially adverse to our nation's technology 
base and economic security.
    As we have worked to roll back these regimes, the U.S. Government 
has been a critical partner. NIST, in particular, has played an 
essential role based on its status as a world class laboratory that is 
respected for its independent assessments and solid work. There is no 
other entity like NIST anywhere in the world. When we engage other 
governments, the officials sitting on the other side are almost 
entirely from their defense, intelligence and national security 
operations.
    In closing, Mr. Chairman, I reiterate the need for an engaged and 
prepared Department of Commerce in taking up the challenge of our 
nation's cybersecurity strategy, and playing a key role in the 
direction of the 60-day Review. NIST is essential to that role, and the 
recommendations and questions we have posed here chart what we believe 
is a path for a renewed and reinvigorated cyber and information 
security function of NIST. We also note that, in the few short months 
since Secretary Locke has taken over the leadership of the Department, 
we are seeing a more focused and engaged team at the top levels of the 
Department. This is a very positive development which we commend and 
look forward to working with.
    Again, thank you for the opportunity to appear today. I will be 
glad to take any questions from the Committee.

APPENDIX A

          In the context of NIST's overall mission and its 
        existing paradigm for research, what is the most effective way 
        to ensure that the CSD is able to carry out its mission and 
        work collaboratively with the private sector to achieve its 
        goals?

          What is the process for developing a strategic plan 
        for CSD to carry out its mission?

          Is the current budgetary process for CSD--which 
        relies on appropriate monies, but also requires each group 
        within CSD to contract for specific monies with particular 
        agencies--consistent with CSD's mission and consistent 
        execution of long-term programs?

          In a highly competitive environment for skilled 
        talent in this area, how is NIST supporting the CSD in this 
        regard and what can be done to both attract and keep these 
        individuals to the CSD?

          The Cybersecurity Research & Development Act included 
        a number of ``grand challenges.'' How has NIST/CSD responded 
        and what can be done to enhance the capacity of the agency to 
        carry out these challenges?

          What has been the experience with the National 
        Infrastructure Assurance Program (NIAP) and should NIST 
        continue to have a key role in its implementation?

          With the Common Criteria now a broadly accepted basis 
        for conformity assessment, how is the CSD looking to ensure its 
        continued effectiveness and relevance to the dynamic challenges 
        of combating information security?

          How is NIST preparing to support, working with the 
        private sector, the development of the next generation of 
        Common Criteria arrangements, including improvements in the 
        development of protection profiles?

          Has the Special 800 series been effective in 
        providing guidance, and how can the process be updated and 
        improved? How is NIST working to avoid inappropriate use of the 
        Special 800 series which are now being used as legal standards 
        imposed on private sector companies when they were never 
        designed to be used in that way?

          With the adoption of data encryption playing a larger 
        role in data security, is NIST's FIPS 140-2 validation program 
        effective at ensuring timely and effective evaluations? Does 
        the program encourage use of validation?

          There are several efforts to redefine what are 
        ``national security'' and ``non-national security systems.'' 
        How does this discussion affect NIST's role and what are can be 
        done to avoid unnecessary duplication and complexity?

          How can the work of the CSD in implementing FISMA be 
        highlighted and reinforced and how can its role be made more 
        effective?

                      Biography for Mark Bohannon
    Mark Bohannon is the General Counsel and Senior Vice President 
Public Policy for the Software & Information Industry Association 
(SIIA).
    As the principal trade association of the software code and 
information content industry, the more than 500 members of the Software 
& Information Industry Association (SIIA) develop and market software 
and electronic content for business, education, consumers and the 
Internet. SIIA's members are software companies, e-businesses, and 
information service companies, as well as many electronic commerce 
companies. Its membership consists of some of the largest and oldest 
technology enterprises in the world as well as many smaller and newer 
companies.
    Mr. Bohannon is responsible for the legal and public policy agenda 
of SIIA. Mr. Bohannon's experience includes engagement with hundreds of 
companies developing online services for the business, consumer and 
government markets.
    Prior to joining SIIA, Mr. Bohannon was a senior official of the 
U.S. Department of Commerce where he served as Chief Counsel for 
Technology and Counselor to the Under Secretary for Technology. During 
his tenure, his responsibilities included a number of technology policy 
initiatives, fighting against technical barriers to trade, and 
promoting effective e-Commerce, intellectual property and Internet 
policies. Mr. Bohannon also served on numerous USG delegations to 
bilateral talks and negotiations with major trading partners and 
multilateral fora such as the Hague, OECD, UNCITRAL and WTO.
    A native of Austin, Texas, Mr. Bohannon is a graduate of the Edmund 
A. Walsh School of Foreign Service at Georgetown University and of the 
George Washington University Law School in Washington, D.C.

                               Discussion

    Chairman Wu. Thank you very much, Mr. Bohannon, and now it 
is in order for the panel to ask questions, and the Chair 
recognizes himself for five minutes. I hope to be able to 
address both the international cooperation issues and also the 
reorganization issues in five minutes, but it may stretch out a 
little bit.
    Mr. Bohannon, you cited the Chinese incidents, and I would 
like to expand on that a little bit, and also I would like to 
ask the rest of the panel about the appropriate role that you 
see for NIST playing in development of international standards, 
what has gone well and what can be improved going forward. Mr. 
Bohannon, would you care to go first?
    Mr. Bohannon. Sure. The developments in China are complex. 
Let me try to summarize them the best I can.
    Starting several years ago, China began to develop a series 
of standards for evaluating IT products in a wide range of 
areas. Not surprisingly they include areas in which the U.S. IT 
industry is dominant or has very superior products to the rest 
of the world. Those standards are based in large part on 
indigenous standards that were developed by indigenous 
standards organizations without really input from anyone 
outside of China, to be honest with you. They would require 
evaluation of products through laboratories that are at best 
loosely associated with the Chinese government.
    These kinds of evaluations are very sensitive. NIST has 
handled these issues very carefully and has a long-time history 
of working in this area. Those Chinese standards would have 
prevented market access for many IT products. Working with the 
Secretary of Commerce and USTR, we have been able to roll them 
back. They are still quite broad in scope, however, and we are 
looking forward to continuing to work with the United States 
Government.
    But the implications were that China would develop very 
indigenous, very unique standards for security in products that 
are widely used and that would be detrimental not only to the 
security of China in terms of its practices but also our 
technology base and our innovation base.
    Chairman Wu. Mr. Bohannon, I think we are familiar with the 
scope of the problem, but if there are any further comments you 
want to make about NIST's role and why that was important.
    Mr. Bohannon. Sure. NIST's role--they were very important 
because the Chinese see NIST as a truly world-class laboratory 
from which NIST can provide an independent view about things. 
Its role in developing advanced encryption standard is well 
known, but that is only the tip of the iceberg. It is not only 
China but other governments see NIST as a place where it can go 
for unbiased, professional independent assessments of what are 
good security practices and how they can be implemented in a 
meaningful way.
    And so we were very pleased when the NIST team were willing 
to have late-night videoconferences with their counterparts 
explaining to them why the United States Government doesn't do 
things like ask for source code or why other governments don't 
ask for source code. That was a very important message. It was 
a different message than could come from the trade route with 
the Secretary of Commerce. It came from the best in world-class 
experts in this area to explain why that is not good security 
practice based on global norms. And those are making a big 
difference.
    Chairman Wu. Thank you very much, Mr. Bohannon. Would any 
of the other witnesses like to comment on what has been 
occurring well or not well and what could be improved going 
forward on international standard setting?
    Dr. Landau. I would just like to say, and this is an old 
example but it contrasts with a previous failed example or an 
example that was not so successful. The advanced encryption 
standard was done extremely openly, extremely transparently. 
Not only were the submissions open but in fact, the comments on 
the proposed specifications were given out, that is, the 
proposed specs were put out and NIST asked for comments, and 
then the proposed specs were changed in accordance with 
comments it received internationally. The result was a very 
open competition, and when the standard was chosen, and it was 
a standard designed by two Belgians, the acceptance was 
immediate internationally which created a much better situation 
for industry, it created a much better situation for security, 
and it created a situation in which the United States 
Government has approved the use of the advanced encryption 
standard for top-secret implementations. The NSA has approved 
of it, and I think it is a tremendous success and it has to do 
with the transparency of the process, the scientific integrity 
with which it was carried out.
    Chairman Wu. Mr. Starnes.
    Mr. Starnes. Thank you. A couple things on the 
international standards front that relate to this discussion 
about brand, the primary brand at NIST is NIST, and it is a 
significant brand. And as NIST doesn't have regulatory 
authority, they are very good in these kinds of technology and 
standards discussions across border.
    There is a movement, a broad movement that we are watching 
carefully to this notion of trusted platform. How do I know 
that this device is trusted? That involves both hardware and 
software systems. So there is deep concern that our definition 
of trust is not consistent. We can describe technical trust, 
but social trust is a little bit more interpretive. So there is 
work being done against some particular elements, fundamental 
elements in the platform, things called Trusted Platform 
Modules (TPMs) where China, for example, would like to build 
their own based on their definition of trust. And I think we do 
have to look carefully at some of these formative issues, and 
NIST can play an extremely important role in creating an 
adopted international standard at the core basis of the 
evolution of this trusted platform movement.
    Chairman Wu. Thank you very much, Mr. Starnes, and my time 
is expired, but Dr. Schneck, perhaps we can come back in the 
next round. Mr. Smith, five minutes.
    Mr. Smith. Thank you, Mr. Chairman. Dr. Schneider, you 
stated in your testimony the need to revise FISMA. Could you 
elaborate? What do you see as the problems and what you believe 
should be done about them especially as it relates to NIST?
    Dr. Schneider. Yes, thank you. So I suppose I am an 
outsider. I am not working for a federal agency, and therefore 
I don't have to follow FISMA guidelines periodically to 
establish the security of my computing systems.
    But I have heard people who do this in my capacity on the 
ISPAB, and it strikes me as a very expensive madness, an annual 
ritual where IT managers have to compile an enormous amount of 
paper certifying a number of things that is only loosely 
correlated with the security of their systems.
    When the Federal Government didn't require our agency 
computer systems to be very secure, there was much distance to 
cover, and the sort of initial inventorying that FISMA reviews 
are about were a very good way to get started. We are now way 
down that path, and we understand much better about 
vulnerabilities and about how to address them, and the current 
FISMA requirements are not about that. They should be 
continuous, they should involve monitoring, they should be 
focused much more on technical issues and much less on 
inventory-style documentation. They should be much less 
legalistic exercise between some sort of auditor and agency 
management, and I think that lots and lots of resources are 
being spent trying to accommodate a set of guidelines without 
getting much security gain.
    Mr. Smith. Okay. Thank you. Ms. Furlani, you noted in your 
testimony about OMB talking about outcome-focused rather than 
compliance-focused metrics in cybersecurity. What type of 
products do you expect to emerge from that effort and what is 
the timeline associated with that?
    Ms. Furlani. The effort has just begun, so I am not 
prepared--I really don't know a timeline. But there is an 
energy assigned to it to try to make the changes as quickly as 
possible.
    The focus is to understand some of the issues that Fred--
Dr. Schneider has mentioned and how the changes might be 
implemented that metrics could be more realistic in today's 
environment.
    Mr. Smith. Okay. Thank you. Dr. Landau, you mentioned in 
your testimony the emerging security needs in the area of cloud 
computing. Could you explain exactly what that is and how it is 
used on federal computer networks and what unique security 
needs accompany it?
    Dr. Landau. When you have a system that is in your office 
or in your IT center, you own it, you manage it. When the data 
is instead held somewhere else on Google documents, or Gmail 
should be examples that people tend to be familiar with, then 
you are no longer managing the security of your system or your 
IT managers are no longer managing the security of your system. 
I don't know exactly how the Federal Government is using cloud 
computing. I know that NIST has been preparing documents about 
security risks and security definitions for cloud computing, 
and I would defer to Cita for that.
    But you raise a whole set of security risks and a whole set 
of policy risks and legal risks when you move to cloud 
computing, and those have to be addressed, whether it is in 
business, whether it is in government, whether it is in 
education. As you shift where the data is being held, what is 
the backup policy, who has access to it, what are the legal 
policies? If the data is being held in the United States, that 
is one thing. Is the data being held in Canada? Is the data 
being held in the UK? What is the backup policy? So it is a new 
set of security risks that are being introduced.
    Mr. Smith. Thank you very much.
    Dr. Landau. Sure.
    Chairman Wu. Thank you very much, Mr. Smith. Ms. Edwards?
    Ms. Edwards. Thank you, Mr. Chairman, and thank you to each 
of our witnesses. I am in the 4th Congressional District in 
Maryland. We are really proud to be the home of the NIST labs. 
I know I have had a chance to visit and meet with all of our 
partners, friends in NIST and am incredibly impressed by the 
work that is done there, and I appreciate your testimony.
    Ms. Furlani, I have a question because I don't quite 
understand the argument around concerns raised about 
reorganization if there isn't a deep impact on the actual work 
that takes place and NIST's responsibilities. And so I wonder 
if you have any comments about some of the testimony that you 
have heard here today regarding NIST's capacity to take on 
these responsibilities and also maintain what I think is a 
really high standard for cooperation and work with private 
industry and trusted work with private industry in so many 
other areas. And why would a reorganization actually impact 
that trust that has been well-established?
    Ms. Furlani. Thank you for the opportunity to speak. The 
energy that was applied to rethinking how we could better use 
the resources that are ours to manage to address all the 
incoming opportunities to succeed was the driver behind the 
proposal--the initial thinking of how we might consider 
restructuring to be better prepared to address the future, the 
perception that somehow we would be diminishing what we were 
already--the great things that are already being accomplished 
was misplaced. And so what we were trying to do is make sure 
that we could address the new requirements with the resources 
that we have and bring the broader perspectives that are 
available across the laboratory to that focus.
    Ms. Edwards. Thank you, and I have a couple of other 
questions that are actually related more to this concern that 
the absorption of cybersecurity responsibilities and standard 
setting in the Homeland Security, national security arena, 
apart from NIST's role--and I wonder if any of the witnesses 
have some thoughts about as to the value of maintaining a 
somewhat independent standard setting for cybersecurity that 
isn't completely folded into a national security framework. I 
am thinking about areas like healthcare and, you know, some 
things that seem a little bit of a distance from national 
security concerns.
    Dr. Schneck. Thank you and thank you for the opportunity to 
address that. As a McAfee employee and as a citizen with a 
background of high-performance computing and actually a founder 
of the Georgia Tech Information Security Center, I look at the 
development of cybersecurity standards as a collaborative 
effort, a necessarily collaborative effort with academia, with 
private sector and with NIST's scientific guidance as has been 
mentioned by the other panelists. And we look at that because 
we are up against an enemy, an international enemy. We are all 
connected, and we all face the same threat. And this enemy is 
collaborative, and this enemy works fast. So if we were to have 
an only-government or a very regulatory standards body for 
cybersecurity, you not only stifle the market or innovation as 
we have mentioned, but you set back the implementation of 
standards of stronger cybersecurity for two to three years, and 
by the time we are able to meet those standards in the networks 
that keep the lights on, we are three years behind what the 
market has developed to do better than the enemy, and we lose 
that war.
    So I feel strongly that cybersecurity standard setting 
needs to be a very collaborative exercise with the private 
sector, with academia, with many experts from government with 
different agencies and certainly with NIST's scientific 
guidance bringing crucial guidance into that process.
    Ms. Edwards. And does that mean, in your view does that 
mean that the coordination for that has to take place out of 
the White House or is there some sort of other interagency 
coordination at the federal level with private industry and 
academia that should be set up that is at the whims of one 
administration's focus or not?
    Dr. Schneck. The focus is how we set standards for 
cybersecurity, not overall cybersecurity strategy but simply 
standards. The view I would put here today and on behalf of BSA 
is it is collaborative. It is private sector and academia but 
with strong respect for and inclusion of that crucial role that 
NIST plays, and the China example is a great point of bringing 
the science back into the equation because the science is what 
will help us win that war against that threat.
    Ms. Edwards. Thank you, Mr. Chairman.
    Chairman Wu. Thank you very much. I believe we have just 
commenced a series of nine votes, and I think it would be 
inhumane to ask the panel to wait that long through the votes, 
so it is my intent to move as expeditiously as possible. And we 
probably have ten more minutes for questions.
    Dr. Schneck, I know that you wanted to make a comment about 
international issues, but perhaps we could submit a series of 
written questions and look forward to your response.
    Dr. Landau, you distinguish between security issues, 
identity issues and privacy issues. How does that affect the 
framework of security standards that we should be developing?
    Dr. Landau. Well, up until now, NIST has focused on the 
security standards, and anytime that I was on the ISPAB and we 
discussed NIST addressing privacy standards, NIST had stayed 
very far away. I am delighted to hear that it is beginning to 
move in that direction. I would urge the Committee to give NIST 
even more authority to do so because I think there is a crying 
need as we see the accumulation of data in private hands and 
the need for a good set of standards.
    Identity management is a very complicated issue, and we 
have seen some fledgling efforts. I think that NIST has a very 
good understanding of the difficulties of doing identity 
management, and I am sorry that NIST was not pulled more into 
the discussions earlier this summer as well. It produced the 
levels of assurance document, that is part of the 800-series, 
but it wasn't as involved as I think it ought to have been in 
the policy implications of making decisions about identity 
management systems for different levels of assurance. And that 
is a place where I had said earlier I thought that NIST should 
be providing more policy guidance and should be somewhat more 
independent.
    Chairman Wu. So if I am simplifying this incorrectly, 
please correct me, that there has been a fair amount of 
activity on the privacy side and that more activity is needed--
I am sorry, on the security side and more activity is needed on 
the privacy and identity side?
    Dr. Landau. More activity is needed on the privacy side and 
I would say on the policy side, on the policy side where it is 
closely allied to technical issues, and one particular example 
of that is the identity management.
    Chairman Wu. Very good. And I wanted to ask the panel 
whoever wants to respond that, you know, we have been talking 
about standards and focused on that. Is there some low-hanging 
fruit here if one of the federal entities, NIST or otherwise, 
developed better education programs so that people up and down 
the food chain, but especially end-users, became more aware of 
what they could do. Would that help the overall privacy 
assurance security issues, you know, outside of standard 
setting?
    Dr. Landau. So I would like to say here that while I think 
a lot of the Computer Security Division, the one place that I 
think it has not handled things well is in outreach and in 
particular inability to find the information. If you know the 
information is there and you look for it, you can find it. But 
if you are not determined, it is somewhat hard to do. And I 
would like to see better outreach, better development of its 
website, more usable access to information.
    Chairman Wu. What kinds of mechanisms could we use to push 
that out as opposed to having it as a pool that people reached 
into?
    Dr. Landau. I know that NIST had a program in which it 
advised small business, but it was a very small program. I 
mean, there is the answer, it is a very small program. It 
doesn't reach very many people. I think NIST should be doing 
that work and not the FBI.
    Chairman Wu. Would the ag extension or manufacturing 
extension sort of mechanism or model apply in this case?
    Dr. Landau. I don't know what the ag extension model is 
well enough. I am sorry.
    Chairman Wu. Mr. Furlani and then Mr. Starnes, we will come 
back to you.
    Ms. Furlani. Yes, we have been planning and working 
historically with our Manufacturing Extension Partnership and 
with our new YouTube video. We are hoping to leverage that 
capability to get to the small manufacturers. Of course--it is 
addressing all small businesses. We were hoping that maybe some 
of your newsletters might refer back to our YouTube video and 
make it more available to your constituents as well.
    Chairman Wu. Mr. Starnes.
    Mr. Starnes. Yes, traditionally in information security, we 
have, to your observation, Representative Edwards, pulled the 
collective knowledge and talent across multiple parts of 
industry and government, and I think this is a clear case where 
we need to do that again and are doing that. So we have to 
differentiate between standards, which NIST is very good at, 
and methods and best practice which are putting standards into 
action. And there are some very good technical solutions that 
are coming, multilaterally as I mentioned, from government that 
move us from just certification and accreditation. We spent 
$1.31 billion on certification and accreditation last year. 
Many of those dollars should be spent with these new tools and 
techniques for continuous monitoring of information technology 
systems using all of the intelligence of all of our federal 
agencies and commercial entities.
    Chairman Wu. Thank you very much, Mr. Starnes. My time has 
about expired. Mr. Smith, further questions?
    Mr. Smith. I think just briefly. Mr. Bohannon, you 
emphasized in your testimony that Congress should avoid making 
NIST a regulator of private-sector actions. Could you elaborate 
and maybe touch on how the government procurement is de facto 
an approach to regulation, whether on purpose or not?
    Mr. Bohannon. That is a very good question. Obviously 
government procurement is where the rubber hits the road, when 
it comes to NIST work. The approach with NIST, though, is 
consistent with trying to figure out how to walk that fine line 
because with a few exceptions, some of which I talk about in my 
testimony, on the whole where NIST has developed federal 
information processing standards, it has done so in an open, 
transparent and collaborative way so that when FIPS (Federal 
Information Processing Standard) are in fact referenced for 
government use, they are the product on the whole of working 
with the stakeholders, the technology providers, and the users 
to make sure there is a standard that as much as possible 
conforms to general commercial practice. And notably the 
government has its needs. Those are taken into account, but 
that is a fine line and one that, going back to Congresswoman 
Edwards' question, you know, some of us have short memories. 
But it was just seven years ago that when the Department of 
Homeland Security was going to be created, the proposal was to 
move the Computer Security Division to DHS. Thanks to the 
leadership of this Committee, on both sides of the aisle, that 
did not happen. I think we would be in a very different 
situation today if the Computer Security Division had moved. I 
think its work on the special 800-series, I think its work on 
AES (Advanced Encryption Standard), I think the work where it 
needs to go would have been fundamentally different because it 
would have come out of an agency that had very specific law 
enforcement and regulatory mission stakes, and the credibility 
of that work would have been dramatically differentiated.
    So Mr. Smith, you are absolutely right. It is a fine line, 
but as we pointed out, the way NIST does its business in a 
collaborative way means that on the whole, it doesn't always 
get it perfect, but on the whole, the results are consistent 
with commercial goods, commercial practice, taking into account 
stakeholders, and try to reflect the best of what should be in 
that standard.
    Mr. Smith. Thank you. Thank you, Mr. Chairman.
    Chairman Wu. Thank you very much, Mr. Smith. Ms. Edwards? 
No further questions. Okay.
    Ms. Furlani, there have been numerous suggestions for about 
what you might do, what your agency might do and so on. I 
wanted to give you an opportunity to respond to any of the 
suggestions that you want to respond to, but in particular, I 
would very much like you to respond to--I mean, it is not as 
simple as should CSD become a laboratory on its own, but that 
is--let us reduce it to that simplicity, and could you respond 
to that and any other comments, suggestions that you would like 
to respond to?
    Ms. Furlani. Thank you, Chairman Wu. Certainly we have had 
a lot of input, and as I have said, both support and concerns. 
We are going to go back to the drawing board essentially and 
revisit what might make the best next proposal. The idea of 
separating cybersecurity from information technology is 
difficult for me to understand because of the intertwined 
nature of the two, but the decision of course would be Dr. 
Gallagher's, not mine. So we have lots to consider, many from 
the panel members which I greatly appreciate and others. And we 
have a lot of rethinking--and of course the original goal, 
which I want to go back to and make sure that we have the full 
input from my staff which is where we all started with just 
trying to get the staff's input. We are back to revisiting the 
entire setup, and we will hopefully come out with something 
that enables us to move forward in the future, meet our new 
opportunities and challenges in a much more robust capable way.
    Chairman Wu. Thank you very much, Ms. Furlani. And for the 
entire panel, we will submit some additional written questions. 
But you all have put a lot of work into the prepared written 
materials, into preparing for the oral testimony, and some of 
you have traveled a decent distance to get here. So at the risk 
of shortening up my thank-yous in person at the table, I want 
to give each of you who has something that you want to 
contribute to this discussion but you haven't had an 
opportunity to put that either in your oral testimony or you 
haven't been asked that question. Please, at this time, for as 
much time as we have, if you want to add that last point, this 
is your chance.
    Dr. Landau. I would like to just make a brief comment which 
I do have in my written testimony about the importance of 
usability work in security, and I know that the Computer 
Security Division has begin work on this, and I think it is an 
important, new direction. I would like to see the Committee 
strongly support that work because of course, it increases 
security. Thank you.
    Chairman Wu. Thank you. Anyone else?
    Dr. Schneck. Thank you. One opportunity--we talk a lot 
about cybersecurity and the threats and the scariness of it and 
the work that we need to do. The issue of awareness was raised 
before, and that is a very positive point, and I think there is 
a huge opportunity for NIST to work with the National 
Cybersecurity Alliance. Part of this is in my written 
testimony, but when you visualize that, this group, what they 
do is they take the message and they bring it to the street, 
from the federal to the State, local, tribal community level 
and to homeowners' associations and to schools so that our 
youngest citizens all the way on up are learning not just what 
to be careful of but how to responsibly build security and 
privacy as Dr. Landau has referred to today into their daily 
lives and to our use of cyber, because it is going to affect 
our entire way of life forward.
    Chairman Wu. Thank you very much. Anyone else?
    Mr. Starnes. Thank you, Chairman, but I would like to put 
just a punctuation mark on my C&A (Certification and 
Accreditation) comments of earlier. If we took just 30 percent 
of the C&A dollars that were spent in 2008, that would be more 
than we spent on cybersecurity research in the entire year. So 
I encourage the Committee to focus legislatively on these 
processes as well and help government agencies and industry do 
zero-based implementation of important new methods around 
continuous monitoring.
    Chairman Wu. Thank you very much, Mr. Starnes. And since 
Mr. Smith and I are at risk of missing some of these votes, Dr. 
Schneider, Mr. Bohannon, your indulgence in perhaps providing 
us comments and answering other inquiries as we go. I want to 
again thank you all very, very much for your testimony, and no 
guarantees in life, but I think there is a high probability 
that we will try to pitch in with relevant legislation to try 
to improve the situation, and we look forward to your comment 
on that effort also. So thank you very much. The record will 
remain open for two weeks for additional statements from 
Members and for answers to follow-up questions. The witnesses 
are excused, and the hearing is now adjourned. Thank you.
    [Whereupon, at 3:17 p.m., the Subcommittee was adjourned.]
                               Appendix:

                              ----------                              


                   Answers to Post-Hearing Questions




                   Answers to Post-Hearing Questions
Responses by Cita M. Furlani, Director, Information Technology 
        Laboratory, National Institute of Standards and Technology

Questions submitted by Chairman David Wu

Q1.  What are the current limitations and flaws of FISMA and what parts 
of FISMA policy must change to improve the security of federal 
information technology systems? What role should NIST play in an 
effective FISMA framework?

A1. The Federal Information Security Management Act (FISMA) Act of 2002 
tasked the National Institute of Standards and Technology (NIST) with 
the responsibility to establish security standards and guidelines for 
the Federal Government and charged the Office of Management and Budget 
(0MB) with enforcement of FISMA.
    NIST developed two standards, Federal Information Processing 
Standard (FIPS) 199, Standards for Security Categorization of Federal 
Information and Information Systems and FIPS 200, Minimum Security 
Requirements for Federal Information and Information Systems and 
associated guidelines including Special Publication 800-53, Recommended 
Security Controls for Federal Information Systems and Organizations to 
provide a foundation for federal agency security.
    Since FISMA's release, agencies' security capabilities have been 
maturing, and it is time to shift the focus from compliance to 
improving the implementation of their enterprise security. The existing 
NIST work in developing standards and guidelines and in creating tools 
for monitoring the status of security settings enables this shift. NIST 
is prepared to develop additional security automation tools to further 
optimize system security configurations and report status of system 
components. NIST is poised to ensure its standards and guidelines 
address new security technologies that can be used to mitigate the ever 
changing threat environment. In addition, NIST is working with 0MB and 
others to develop security metrics that will better quantify the 
improvements that agencies make to their security implementations and 
provide more robust methods for assessment of agencies' security 
posture.
                   Answers to Post-Hearing Questions
Responses by Susan Landau, Distinguished Engineer, Sun Microsystems, 
        Burlington, MA

Questions submitted by Chairman David Wu

Q1.  What are the current limitations and flaws of FISMA and what parts 
of FISMA policy must change to improve the security of federal 
information technology systems? What role should NIST play in an 
effective FISMA framework?

A1. I am speaking from my experience on ISPAB; since I retired from the 
board in January 2008, this information is a bit dated. I have just 
three points to make.

          In its early years, FISMA increased security 
        awareness. However, after multiple times of agencies filling in 
        the FISMA reports, it appears--at least from the outside--that 
        FISMA has become more of an exercise in paperwork than a schema 
        for enforcing good security practices.

          The problem is incentives and this is not a NIST 
        issue, but a Federal Government one. Unless the cost for 
        failure to have a good security posture and a good recovery 
        plan is high, it is difficult to incentivize the agencies to 
        treat cybersecurity with the appropriate attention.

          Backup and disaster recovery are two issues not 
        covered by FISMA; they should be part of any cybersecurity plan 
        (and continuity of operations should be updated with each 
        technology enhancement).

    I hope this is useful to you.
                   Answers to Post-Hearing Questions
Responses by Phyllis Schneck, Vice President, Threat Intelligence, 
        McAfee Corporation

Questions submitted by Chairman David Wu

Q1.  What are the current limitations and flaws of FISMA and what parts 
of FISMA policy must change to improve the security of federal 
information technology systems? What role should NIST play in an 
effective FISMA framework?

A1. We believe Congress needs to reform FISMA, to close the gap between 
compliance and security. Congress needs to legislate to empower 
officials in charge of the security of agencies' computer networks:
    * First, they need authority to actually enforce security 
requirements over their agencies' networks and systems. It would be 
appropriate for OMB to develop some additional incentives to push 
agencies to comply with their FISMA requirements, including having some 
percentage of cyber budgets of agencies withheld in the event that they 
do not show good progress toward meeting their compliance obligations. 
Alternatively, agencies could be rewarded with larger budget growth 
rates for their cyber security programs when they show actual progress 
in improving the security postures of their operations.
    * Second, they need the technical and human resources necessary to 
perform these tasks, such as network monitoring and automated security 
policy compliance monitoring and enforcement capabilities. This in 
particular is where NIST efforts will be most needed. Network 
monitoring and automated security policy compliance monitoring should 
be done across the government on the basis of common standards. This 
would allow a government-wide security center to have a consistent view 
of federal networks' security.
    We also need the legislation to ensure these officials are 
accountable for identifying and addressing the threats and 
vulnerabilities that their networks actually face. We can do this in 
particular by having ``red teams'' test the effectiveness of the 
security measures in place against real-life attacks, and by having 
this serve as a feedback loop that leads to system and network security 
improvements.
                   Answers to Post-Hearing Questions
Responses by William Wyatt Starnes, Founder, CEO, and President, 
        SignaCert, Inc.; Founder, Tripwire, Inc.

Questions submitted by Chairman David Wu

Q1.  What are the current limitations and flaws of FISMA and what parts 
of FISMA policy must change to improve the security of federal 
information technology systems? What role should NIST play in an 
effective FISMA framework?

A1. FISMA is a broad methodology that seeks to normalize the IT 
compliance and reporting for Federal IT infrastructure. Generally the 
method encourages ``periodic testing'' of IT devices and infrastructure 
against a range of configuration, vulnerability and usage best 
practices.
    There are several problems with this approach.

          Specifically, it is questionable whether the FISMA 
        report card actually properly and correctly reflects the actual 
        security, compliance and readiness of the Civilian Agency 
        reporting the results.

          Also, FISMA largely is viewed as a Certification and 
        Accreditation (C&A) process, and the C&A processes are ``point 
        in time'' current state of the IT devices. This ``IT Audit'' 
        mentality:

                  creates periodic ``peak load'' human resource drain 
                by the Agencies to do the FISMA reporting

                  generates tremendous paperwork, much of which goes 
                largely unused past the summary reporting for the 
                actual roll-up to the OMB

                  as it is point in time and periodic, there is large 
                time gap between the audits where a actual and 
                problematic security and compliance issues can emerge, 
                causing increased risk and disruption.

    There is a lot of emerging consensus that we should change or 
update the methodologies and technologies used for FISMA, as well as 
changing driving legislation, to deal with the aforementioned risks and 
weaknesses.
    NIST/NSA/DHS and others have been in close collaboration for 
several years on best practices, method and technologies that address 
many of the FISMA gaps. Called the Security Content Automation 
Protocol, or SCAP, these methods are very well suited to all IT 
management needs, and we recommend that the full extended version of 
SCAP be establish as the technical pillar for FISMA 2.0 usage.
    In concert, we strongly urge Congress, through all of the 
committees activities, to begin to shift ``C&A'' requirements (and the 
thus the dollars allocated for C&A), to SCAP CONTINUOUS MONITORING.
    IT compliance, done well, should be largely transparent to the 
users and even the IT staff. Good systems hygiene should be complete, 
intrinsic and continuous, not just scorecard driven period process. 
Legislated FISMA processes should fully embrace this concept.
    With the SCAP framework, the following key IT issues can be 
continuously addressed in a consistent form at all Agencies, and 
ultimately across the broader DOD and even commercial IT enterprise:

        1.  It devices are configured with the right software 
        components (including supply chain provenance) not only at the 
        time and point of deployment, but actively and continuously 
        across their usage lifetime.

        2.  The deployed software can be configured correctly at point 
        of deployment, and maintained in the correct, secure and most 
        stable configuration throughout their usage lifetime.

        3.  The presence of vulnerabilities can be actively tested and 
        validated in a consistent and complete way across the entire IT 
        infrastructure on an active, real time and continuous basis.

    See the diagram below for a simple view of the core SCAP test 
areas.
    Another benefit of these methods is that we can use the SCAP 
protocol to aggregate and automate ``best practices'' knowledge against 
all three of the areas above so that IT operational readiness (AS A 
NATION) gets better based on the collective knowledge and experience of 
the best IT expertise that we have, and we can immediately apply that 
knowledge--reducing our cyber vulnerabilities across all industry 
sectors.


                   Answers to Post-Hearing Questions
Responses by Fred B. Schneider, Samuel B. Eckert Professor of Computer 
        Science, Cornell University

Questions submitted by Chairman David Wu

Q1.  What are the current limitations and flaws of FISMA and what parts 
of FISMA policy must change to improve the security of federal 
information technology systems? What role should NIST play in an 
effective FISMA framework?

A1. I do not have direct experience with FISMA and I have not read the 
legislation. But I am a member of NIST's Information Security and 
Privacy Advisory Board (ISPAB), and our board has heard a good deal 
from officers at civilian Federal agencies that must comply with FISMA 
as well as from the Inspector General (IG) community, which is 
responsible for auditing FISMA compliance. These comments are based on 
what I have heard from those communities.
    I believe that we should strive to have FISMA compliance for an 
agency mean that the agency's computing systems are secure enough, 
given the tasks they perform, the data they store, and the information 
and services they can access. I fear that the way FISMA is interpreted 
today does not succeed at this.
    FISMA compliance should embody a philosophy of risk management 
rather than one of absolute security. Risk management requires 
understanding the consequences of system compromise, including loss of 
functionality, ex-filtration of confidential data, corruption of 
information, and even possible use by an attacker as a stepping-stone 
to other systems. This is multi-dimensional and, therefore, attempting 
a simple categorization of all systems within an agency or across 
agencies is unlikely to be useful. Only with richer kinds 
characterizations, can we portray system weaknesses in a sufficiently 
useful way for decision-makers. And only richer characterizations will 
incentivize corrective measures that address the real problems in 
context (as opposed to incentivizing measures that merely sound 
impressive on paper).
    There needs to be a strong coupling between FISMA compliance and 
security of a system in its deployed context. Today that coupling is 
weak. A system that has been deemed compliant today might still be easy 
to attack; a system that today implements sufficient defenses for its 
role will not necessarily be deemed FISMA compliant.
    This disconnect between FISMA compliance and real security partly 
results from

          an absence of good metrics for security,

          FISMA compliance being dominated by documenting 
        defenses rather than by exercising them, and

          FISMA compliance being seen as a periodic obligation 
        discharged by negotiating with an auditor rather than a 
        continuous one concerned with eliminating system 
        vulnerabilities as they become known.

    The first of these--the absence of metrics--is an open research 
question; the other two are inherent in the way FISMA compliance is 
interpreted and evaluated.
    NIST is an obvious place to undertake research in security metrics. 
That said, I am doubtful that anyone will ever devise a way to measure 
whether a system is secure (because security is relative to attacks, 
and new attacks are being discovered every day). But it does seem 
reasonable to expect better ways than practiced today for evaluating a 
system and ascertaining whether it is secure against some set of known 
attacks. And NIST is a reasonable place to develop and codify as 
metrics these better ways; FISMA compliance assessments should adopt 
such improved metrics as they become available.
    NIST has in the past done a good job of developing and documenting 
security best practices for civilian Government agency computing 
systems. Best practices bring good security, so we should want NIST to 
continue that work. And a security evaluation of a system for FISMA 
compliance should ascertain whether current best practices are being 
followed. I would urge, though, that ``best practices'' be expanded to 
include the obligation that a system is checked against lists of known 
vulnerabilities. That is, we need to check that certain desirable 
features and processes are present but also check that undesirable ones 
are absent.
    Finally, FISMA compliance needs to require more than documenting 
what a system is. We don't evaluate the efficacy of a weapons system or 
a military unit only by evaluating metrics--we run exercises in the 
field and force engagement with realistically simulated attackers. 
FISMA compliance needs to adopt that approach for our computing 
systems. Some of this can be accomplished with existing automated 
tools, but some will require building new tools. We should also 
contemplate requiring periodic random surprise red-team attacks and 
simulated natural disasters, because this evaluates system 
trustworthiness in a way that incentivizes continuous readiness. The 
key point is to promote the view that system defense a continuous 
obligation and is results-oriented, rather than being documentation-
oriented. Documentation is a useful basis for determining 
accountability after a system is found wanting, but documentation does 
little to defend against attacks.
                   Answers to Post-Hearing Questions
Responses by Mark Bohannon, General Counsel and Senior Vice President 
        for Public Policy, Software & Information Industry Association 
        (SIIA)

Questions submitted by Chairman David Wu

Q1.  What are the current limitations and flaws of FISMA and what parts 
of FISMA policy must change to improve the security of federal 
information technology systems? What role should NIST play in an 
effective FISMA framework?

A1. As the Committee is well aware, the Federal Information Security 
Management Act (FISMA), enacted in 2002, sets forth a comprehensive 
framework to ensure the effectiveness of security controls over 
information resources that support federal operations and assets. FISMA 
assigns specific responsibilities to federal agencies, the Office of 
Management and Budget (OMB), and the National Institute of Standards 
and Technology (NIST). It also requires agencies and OMB to annually 
report on the adequacy and effectiveness of agency information security 
programs and compliance with the provisions of the Act. To help meet 
these requirements, OMB established a uniform set of information 
security measures that all federal agencies report on annually. NIST 
produces important guidance and publications related to FISMA 
implementation.
    In reviewing the current limitations and flaws of FISMA, recent 
investigations by the General Accounting Office (GAO) are useful 
inputs. As the GAO has stated,\1\ leading organizations and experts 
have identified different types of measures that are useful in helping 
to achieve information security goals. While it found that officials 
categorized these types using varying terminology, GAO concluded that 
they generally fell into three types: (1) compliance, (2) control 
effectiveness, and (3) program impact. These types are consistent with 
those laid out by NIST in its information security performance 
measurement guide.\2\ The GAO found that, while information security 
measures can be grouped into these three major types, organizations and 
experts reported that all such measures generally have certain key 
characteristics, or attributes. These attributes include being (1) 
measurable, (2) meaningful, (3) repeatable and consistent, and (4) 
actionable.\3\
---------------------------------------------------------------------------
    \1\ See GAO report number GAO-10-159T, entitled `Information 
Security: Concerted Effort Needed to Improve Federal Performance 
Measures' which was released on October 29, 2009.
    \2\ National Institute of Standards and Technology, Performance 
Measurement Guide for Information Security, NIST Special Pub. 800-55 
Revision 1 (Gaithersburg, Md.: July 2008).
    \3\ Although we focused on identifying attributes and practices for 
measuring the performance of information security programs, our 
findings conformed closely to our prior work on effective performance 
measurement and reporting practices for the Federal Government in 
general. See, for example, GAO, Managing for Results: Enhancing Agency 
Use of Performance Information for Management Decision Making, 
available at www.gao.gov/cgi-bin/getrpt?GAO-05-927, Sept. 9, 2005.
---------------------------------------------------------------------------
    Using this framework, GAO determined--and we concur--``that federal 
agencies have not always followed key practices identified by leading 
organizations for developing information security performance measures. 
While agencies have developed measures that fall into each of the three 
major types (i.e., compliance, control effectiveness, and program 
impact), on balance they have relied primarily on compliance measures, 
which have a limited ability to gauge program effectiveness. Agencies 
stated that, for the most part, they predominantly collected measures 
of compliance because they were focused on measures associated with 
OMB's FISMA reporting requirements. In addition, while most agencies 
have developed some measures that include the four key attributes 
identified by leading organizations and experts, these attributes were 
not always present in all agency measures. Further, agencies have not 
always followed key practices in developing measures, such as focusing 
on risks.''
    GAO focused on the inadequacies of OMB's measures which ``did not 
address the effectiveness of several key areas of information security 
controls, including, for example, agency security control testing and 
evaluation processes. There is no measure of the quality of agencies' 
test and evaluation processes or results that demonstrate the 
effectiveness of the controls that were evaluated.''
    As a starting point, the most recent five recommendations GAO made 
to OMB to assist federal agencies in developing and using measures that 
better address the effectiveness of their information security programs 
are worth considering:

          ``issue revised guidance to chief information 
        officers for developing measures,'' which we would add should 
        follow and build on the relevant work and publications produced 
        by NIST;

          ``direct chief information officers to ensure that 
        measures exhibit key attributes'';

          ``direct chief information officers to employ the key 
        practices for developing a measure as identified by leading 
        organizations,'' again taking into account the work and 
        publications produced by NIST;

          ``revise annual FISMA reporting guidance to 
        agencies''; and:

          ``revise the annual FISMA report to Congress to 
        provide better status information on the security posture of 
        the Federal Government.''

    In addition, we would note that implementation of FISMA, with the 
continued leadership of NIST working with OMB, would benefit from:

          Requiring that federal agency CIOs and CISOs are 
        appropriately positioned within their agencies management 
        structure to promote ``top down'' priority of information 
        security.

          Agencies sometimes use FISMA compliance as an excuse 
        to reject innovations simply because they are new and not 
        explicitly reflected in the FISMA checklists. FISMA should 
        actively encourage government agencies to be more open to 
        deploying cutting edge solutions.

          Audit and oversight methods should be harmonized to 
        the greatest degree possible using NIST work and publications. 
        There also needs to be work to establish consistency in IG 
        examinations, recognizing that IG offices are not necessarily 
        staffed with requisite skill sets.

          Agencies should conduct at least annual risk 
        assessments that incorporate classified information and input 
        from the private sector. Those risk assessments should also 
        incorporate the work and outcome of NIST as well as other 
        sources, including the Department of Homeland Security's US-
        CERT.
