b"<html>\n<title> - THE STATE OF FEDERAL INFORMATION SECURITY</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n               THE STATE OF FEDERAL INFORMATION SECURITY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,\n                     ORGANIZATION, AND PROCUREMENT\n\n                                 of the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 19, 2009\n\n                               __________\n\n                           Serial No. 111-52\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n                      http://www.house.gov/reform\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n57-125 PDF                WASHINGTON : 2010\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                   EDOLPHUS TOWNS, New York, Chairman\nPAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California\nCAROLYN B. MALONEY, New York         DAN BURTON, Indiana\nELIJAH E. CUMMINGS, Maryland         JOHN M. 
McHUGH, New York\nDENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida\nJOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana\nWM. LACY CLAY, Missouri              TODD RUSSELL PLATTS, Pennsylvania\nDIANE E. WATSON, California          JOHN J. DUNCAN, Jr., Tennessee\nSTEPHEN F. LYNCH, Massachusetts      MICHAEL R. TURNER, Ohio\nJIM COOPER, Tennessee                LYNN A. WESTMORELAND, Georgia\nGERALD E. CONNOLLY, Virginia         PATRICK T. McHENRY, North Carolina\nMIKE QUIGLEY, Illinois               BRIAN P. BILBRAY, California\nMARCY KAPTUR, Ohio                   JIM JORDAN, Ohio\nELEANOR HOLMES NORTON, District of   JEFF FLAKE, Arizona\n    Columbia                         JEFF FORTENBERRY, Nebraska\nPATRICK J. KENNEDY, Rhode Island     JASON CHAFFETZ, Utah\nDANNY K. DAVIS, Illinois             AARON SCHOCK, Illinois\nCHRIS VAN HOLLEN, Maryland\nHENRY CUELLAR, Texas\nPAUL W. HODES, New Hampshire\nCHRISTOPHER S. MURPHY, Connecticut\nPETER WELCH, Vermont\nBILL FOSTER, Illinois\nJACKIE SPEIER, California\nSTEVE DRIEHAUS, Ohio\n------ ------\n\n                      Ron Stroman, Staff Director\n                Michael McCarthy, Deputy Staff Director\n                      Carla Hultberg, Chief Clerk\n                  Larry Brady, Minority Staff Director\n\n  Subcommittee on Government Management, Organization, and Procurement\n\n                 DIANE E. WATSON, California, Chairman\nPAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California\nJIM COOPER, Tennessee                AARON SCHOCK, Illinois\nGERALD E. CONNOLLY, Virginia         JOHN J. DUNCAN, Jr., Tennessee\nHENRY CUELLAR, Texas                 JEFF FLAKE, Arizona\nJACKIE SPEIER, California            ------ ------\nPAUL W. HODES, New Hampshire\nCHRISTOPHER S. 
MURPHY, Connecticut\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on May 19, 2009.....................................     1\nStatement of:\n    Kundra, Vivek, Federal Chief Information Officer, \n      Administrator for Electronic Government and Information \n      Technology, Office of Management and Budget; Gregory \n      Wilshusen, Director, Information Security Issues, U.S. \n      Government Accountability Office; Jacquelyn Patillo, Acting \n      Chief Information Officer, U.S. Department of \n      Transportation; Margaret H. Graves, Acting Chief \n      Information Officer, U.S. Department of Homeland Security; \n      Samuel Chun, Director, Cyber Security Practice, EDS U.S. \n      public sector, a Hewlett-Packard Co.; and M.J. Shoer, \n      president and virtual chief technology officer, Jenaly \n      Technology Group, Inc......................................     5\n        Chun, Samuel.............................................    47\n        Graves, Margaret H.......................................    36\n        Kundra, Vivek............................................     5\n        Patillo, Jacquelyn.......................................    28\n        Shoer, M.J...............................................    56\n        Wilshusen, Gregory.......................................    10\nLetters, statements, etc., submitted for the record by:\n    Chun, Samuel, Director, Cyber Security Practice, EDS U.S. \n      public sector, a Hewlett-Packard Co., prepared statement of    49\n    Graves, Margaret H., Acting Chief Information Officer, U.S. \n      Department of Homeland Security, prepared statement of.....    
38\n    Kundra, Vivek, Federal Chief Information Officer, \n      Administrator for Electronic Government and Information \n      Technology, Office of Management and Budget, prepared \n      statement of...............................................     8\n    Patillo, Jacquelyn, Acting Chief Information Officer, U.S. \n      Department of Transportation, prepared statement of........    29\n    Shoer, M.J., president and virtual chief technology officer, \n      Jenaly Technology Group, Inc., prepared statement of.......    59\n    Wilshusen, Gregory, Director, Information Security Issues, \n      U.S. Government Accountability Office, prepared statement \n      of.........................................................    12\n\n \n               THE STATE OF FEDERAL INFORMATION SECURITY\n\n                              ----------                              \n\n\n                         TUESDAY, MAY 19, 2009\n\n                  House of Representatives,\n            Subcommittee on Government Management, \n                     Organization, and Procurement,\n              Committee on Oversight and Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 9:25 a.m., in \nroom 2247, Rayburn House Office Building, Hon. Diane Watson \n(chairwoman of the subcommittee) presiding.\n    Present: Representatives Watson, Bilbray, Connolly, and \nDuncan.\n    Staff present: Bert Hammond, staff director; Valerie Van \nBuren, clerk; Adam Bordes and Deborah Mack, professional staff; \nDan Blankenberg, minority chief counsel for policy; Adam Fromm, \nminority director of outreach and senior advisor; Kurt \nBardella, minority chief clerk and Member liaison; John Ohly, \nminority professional staff member; and Katy Rother, minority \nstaff assistant.\n    Ms. Watson. 
The Subcommittee on Government Management, \nOrganization, and Procurement of the Committee on Oversight and \nGovernment Reform will now come to order.\n    Welcome. Today's hearing will review the Federal \nInformation Security Management Act [FISMA] of 2002, and \nagencies' efforts to improve the security, integrity and \nreliability of the Federal Government's information systems. In \naddition, the hearing will seek to learn more about the new \nadministration's strategic objectives for achieving FISMA \ncompliance, as well as the scope for improving how agencies \nmitigate the number of risks facing their systems.\n    Without objection, the Chair and ranking minority member \nwill have 5 minutes to make opening statements, followed by \nopening statements not to exceed 3 minutes by any Member who \nseeks recognition.\n    Without objection, Members and witnesses may have 5 \nadministrative days to submit a written statement of extraneous \nmaterials for the record.\n    I wish all of you a good morning. And welcome to today's \nsubcommittee hearing on Federal Information Security and Review \nof Agency Efforts to Comply with the Federal Information \nSecurity Management Act. I welcome our distinguished witnesses \nand look forward to hearing the testimony.\n    Since FISMA was enacted in 2002, the Federal Government has \nmade significant progress in securing its key network and \ninformation technology access. That said, FISMA only \n[inaudible] information [inaudible] and [inaudible] are only \nrequired to read one chapter of a book. Although FISMA does \nrequire [inaudible] on how agencies are covering their \ninformation security bases, it does nothing to tell us about \nthe current vulnerability landscape or how the cyber-threats \nmay be changing. 
If FISMA is to become a more useful tool for \ncountering cyber-threats, it must require agencies to utilize \nbetter testing, monitoring and performance measures for \ndetermining what our true cybersecurity posture is.\n    According to the GAO, 20 out of 24 agencies have been \nidentified as having either material weaknesses or material \ndeficiencies in their information security controls. In other \nwords, these agencies are lacking key controls that are \nnecessary for maintaining a sound security program. The failure \nto establish these controls leaves agencies vulnerable to \nsignificant data breaches and disruptions to key critical \ninfrastructure and potential compromises of our national \nsecurity. These weaknesses are widespread within key programs \nof both the Department of Transportation and the Department of \nHomeland Security and must be remedied in order to ensure the \nproper functioning of our Government's IP assets.\n    Today, I am hoping our agency witnesses will tell us what \nchanges are underway to remedy the problems identified through \nthe work of GAO and the IG community. Furthermore, I want our \nnew Federal CIO, Mr. Kundra, to tell us what this plan or what \nhis plan objectives are for strengthening FISMA and how the \nsoon to be released 60-day White House cyber-review will impact \nthe use or relevance of FISMA going forward.\n    Last, I would like to hear our panelists' specific \nrecommendations for legislation to develop a harmonized \nframework for organizing and for coordinating Government-wide \ninformation security policies and practices.\n    Once again, I would like to thank our panel for joining us \ntoday and look forward to their testimony.\n    Now, the ranking member, Mr. Bilbray.\n    Mr. Bilbray. Thank you, Madam Chairman. I appreciate this \nhearing.\n    Let me just first of all ask that my written statement be \nentered into the record.\n    Ms. Watson. Without objection, so ordered.\n    Mr. Bilbray. 
Madam Chair [remarks off mic].\n    Let me say that [inaudible] San Diego [inaudible].\n    [Technical adjustment.]\n    Mr. Bilbray. Thank you, Madam Chair.\n    Let me just say that one of my biggest concerns after being \nbriefed by a lot of my experts in San Diego, which is a bit of \na hot bed of information services, as everybody knows, besides \nQualCom and many other secret hideaway, high tech firms, but \nthis is really an underestimated threat to our national \nsecurity in a lot of ways. And it is not just within our \nmilitary, it is not just within our own Government operations, \nit is national. Every private sector, every public sector, has \nthis threat hanging over our heads.\n    I think one thing we learned from 9/11 is the good old \ncomment that we didn't know, or we didn't think we needed to do \nthat much is not acceptable any more. Frankly, if we can't \nmaintain some kind of security over our systems at the Federal \nGovernment, we are going to be hard pressed to try to figure \nout how to coordinate the private sector, and even ask the \nprivate sector to do more, when it appears that out of 24 major \ndepartments, we have 23 that have found deficiencies.\n    I just think the challenge here is for us to lead through \nexample and really try to get down to the root cause of these \ndeficiencies and how we can modify our operations to avoid them \nin the future. And maybe, just maybe, we can do something that \nis never done very much in this town, and that is lead through \nexample for the private sector and show them how to address \nthis challenge.\n    So I look forward to the hearing. 
I look forward to the \nopportunities to dialog with the witnesses and with fellow \nmembers of this committee, because I think it is something that \nwe are going to have to spend a lot more time and effort \naddressing to make sure that we don't live to see the day when \nthere is a 9/11, a cyber-version of 9/11 somewhere over the \nhorizon.\n    Thank you very much for the hearing again.\n    Ms. Watson. Thank you, Mr. Bilbray.\n    I now yield to Mr. Connolly.\n    Mr. Connolly. Thank you, Chairwoman Watson, for holding \nthis timely hearing, which complements our recent hearing on \ncybersecurity. This is an exciting time to be pursuing reforms \nin Federal information security programs. With Aneesh Chopra \nand Vivek Kundra as newly appointed Chief Technology and Chief \nInformation Officers, we have extraordinary expertise at the \nexecutive level.\n    First, we should acknowledge the many Federal employees who \nhave done a good job implementing the Federal Information \nSecurity Management Act [FISMA] of 2002. Since 2005, most \nFederal agencies have significantly improved implementation of \ncontingency plans and completed inventories. In the last 7 \nyears we have made significant progress, even as information \nsecurity threats have grown.\n    However, there is still room for improvement. For example, \nthe number of employees receiving specialized security training \ndeclined between fiscal year 2007 and fiscal year 2008. The GAO \nreport also notes that FISMA requires security awareness \ntraining for contractors as well as agency personnel. At our \nMay 5th hearing on cybersecurity, we learned that many security \nbreaches occurred through contractor information systems. \nPerhaps metrics should take breaches into account. 
Since more \nthan 90 percent of personnel and contractors are receiving \nsecurity awareness training, perhaps the effectiveness and \nfrequency of the training needs to be reexamined.\n    In their prepared testimony for today, both CIO Vivek \nKundra and EDS employee Samuel Chun note that some agencies may \nbe focused more on compliance with FISMA than performance of \ntheir security systems. Moreover, they note that reporting \nrequirements under FISMA could be streamlined. I look forward \nto learning more about how FISMA could be reformed to emphasize \nperformance and minimize unnecessary paperwork.\n    Thank you again, Chairwoman Watson, for holding this \nhearing. I appreciate the work this subcommittee is conducting \nto enhance information and cybersecurity in the Federal \nGovernment, and look forward to the testimony at today's \nhearing.\n    Ms. Watson. Thank you, Mr. Connolly.\n    Mr. Duncan.\n    Mr. Duncan. Thank you very much, Madam Chairwoman.\n    I pushed this button but----\n    Ms. Watson. Yes, I know. We are having trouble. [Remarks \noff mic.] [Laughter.]\n    Mr. Duncan. I don't really have a formal statement anyway. \nI do thank you for calling this hearing. I do sometimes wonder \nif true cybersecurity is possible. I remember several years ago \ncoming back from lunch in my district one time and I heard on \nthe CBS national radio news that computer hackers had gotten \ninto the top secret files of the Pentagon hundreds of time, \nsome report had just come out. And then I remember reading a \nfew years ago a front page story in the Washington Post where a \n12 year old boy in California had opened the floodgates at the \nHoover Dam, a great distance away, hundreds of miles away, by \nhacking into the system.\n    So I don't know, it seems to me that it may be possible we \nstarted out controlling computers and now they control us. \nEverybody, or especially young people, worship the technology \ntoday and are addicted to it. 
But it seems to me that this is a \nserious problem. We've almost done away with any kind of \nprivacy or secrecy in this country because it seems that \nanybody can find out anything that they want to, and that \nincludes people who wish to do us harm from other countries.\n    So this is a serious problem and I am a little skeptical as \nto whether we can actually do what needs to be done. But I do \nthink it is good that you called this hearing. Thank you very \nmuch.\n    Ms. Watson. Thank you, and if there is no further \ntestimony, I would like now to go to the panel. Would you all \nstand, please?\n    It is the policy of the Committee on Oversight and \nGovernment Reform to swear in all witnesses before they \ntestify. And I would like to ask all of you to stand and raise \nyour right hands.\n    [Witnesses sworn.]\n    Ms. Watson. OK, let the record reflect that the witnesses \nanswered in the affirmative.\n    I would like to now introduce the panelists. First, we have \nVivek Kundra, the Chief Information Officer at the Office of \nManagement and Budget. Mr. Kundra was appointed as the first \nFederal CIO of the United States by President Obama in March \n2009. In this capacity, he directs the policy and strategic \nplanning of Federal information technology investments and is \nresponsible for oversight of Federal technological spending.\n    Prior to joining the Obama administration, Mr. Kundra \nserved in Mayor Fenty's cabinet as the chief technology officer \nfor the District of Columbia and Governor Kane's cabinet as \nassistant secretary of commerce and technology for the \nCommonwealth of Virginia.\n    Mr. Gregory Wilshusen serves as the Director of Information \nSecurity Issues at GAO. His work involves examining Federal \ninformation security practices and trends at Federal agencies. \nHe is GAO's leading expert on FISMA implementation.\n    Ms. Jacquelyn Patillo is the Acting Chief Information \nOfficer at the Department of Transportation. 
And at DOT, Ms. \nPatillo serves as the principal advisor to the Department's CIO \non matters involving information resources and information \nservices management. Prior to her current role, Ms. Patillo \nserved as the Deputy CIO for DOT and as Chief Information \nofficer at the National Highway Traffic Safety Administration.\n    Ms. Margaret Graves is the Acting Chief Information Officer \nat the Department of Homeland Security. There she oversees an \nIT portfolio of $5.4 billion in programs, as well as the \noperations of the Office of the Chief Information Officer, \nwhich covers the financial or functional areas of applied \ntechnologies, enterprise architecture, data manager, IT \nsecurity infrastructure operations, IT accessibility, budget \nand acquisition.\n    Mr. Samuel Chun is the director for the Cyber Security \nPractice for the U.S. public sector at EDS, a division of \nHewlett-Packard. And there he is responsible for the strategy \nportfolio development in industry messaging of all cyber \nsecurity solutions for EDS' U.S. public sector clients.\n    And Mr. M.J. Shoer is the president of Jenaly Technology \nGroup, Inc. He is here today on behalf of the Computing \nTechnology Industry Association. Founded by Mr. Shoer in 1997, \nthe Jenaly Technology Group provides outsourced IP services to \nsmall business throughout New Hampshire.\n    I would also like to recognize his daughter, Hannah, who \ntraveled with him to today's hearing.\n    I would like to say again, welcome to all of you. I ask \nthat each of the witnesses now give a brief summary of their \ntestimony and to keep the summary under 5 minutes if possible. \nYour complete statement will be included in the hearing record.\n    Mr. 
Kundra, would you please proceed?\n\nSTATEMENTS OF VIVEK KUNDRA, FEDERAL CHIEF INFORMATION OFFICER, \n    ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND INFORMATION \nTECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; GREGORY WILSHUSEN, \n    DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT \n    ACCOUNTABILITY OFFICE; JACQUELYN PATILLO, ACTING CHIEF \n    INFORMATION OFFICER, U.S. DEPARTMENT OF TRANSPORTATION; \n  MARGARET H. GRAVES, ACTING CHIEF INFORMATION OFFICER, U.S. \n DEPARTMENT OF HOMELAND SECURITY; SAMUEL CHUN, DIRECTOR, CYBER \n SECURITY PRACTICE, EDS U.S. PUBLIC SECTOR, A HEWLETT-PACKARD \nCOMPANY; AND M.J. SHOER, PRESIDENT AND VIRTUAL CHIEF TECHNOLOGY \n             OFFICER, JENALY TECHNOLOGY GROUP, INC.\n\n                   STATEMENT OF VIVEK KUNDRA\n\n    Mr. Kundra. Good morning, Chairwoman Watson, Ranking Member \nBilbray, Congressman Connolly and Congressman Duncan. Thank you \nfor the opportunity to testify on the state of Federal \ninformation security.\n    The security of Federal information systems is a major \nconcern for this administration. Our Nation's security and \neconomic prosperity depend on the stability and integrity of \nour Federal communications systems and infrastructure. \nSafeguarding these important interests will require balanced a \ndecisionmaking process that integrates and harmonizes our \nnational and economic security objectives with our privacy \nrights, civil liberties and open government.\n    As a first step, the president has directed a 60-day review \nof cybersecurity policies and efforts throughout the Federal \nGovernment. OMB is working closely, along with other agencies, \nwith Acting Senior Director Melissa Hathaway of the National \nSecurity Council and her team on this review.\n    During the last several decades, the United States and the \nworld have been moving from a paper-based world to a digital \nworld. 
Advances in technology are fundamentally changing the \nway business is done, increasing productivity and providing the \nAmerican people easy access to services that previously were \nstructurally impossible to deliver electronically.\n    Essential to these new capabilities is the presence of \ncommunications networks that security carry sensitive \ninformation. Yet, as we have unleashed new transactions over \nthis network, a new class of risks has emerged. The American \npeople need to trust that the information they are submitting \nto or receiving from the Government is accurate, reliable and \nsecure.\n    However, recent successful breaches at the Federal Aviation \nAdministration and at the vendor that hosts USAjobs.gov \ndemonstrate that the current Federal information security \nposture is not what the American people have a right to expect. \nThe Federal Information Security Management Act has been in \nplace for 7 years. It has raised the level off awareness in \nagencies and in the country at large, but we are not where we \nneed to be.\n    In our initial review of information security, the \nfollowing things have surfaced. One, the performance \ninformation currently collected under FISMA does not reflect \nthe security posture of Federal agencies. Two, the process used \nto collect the information is cumbersome, labor-intensive and \ntakes away time from meaningful analysis. And three, the \nFederal community is focused too much on compliance and not \nenough on outcomes.\n    While the current reporting metrics may have made sense \nwhen FISMA was enacted, they are largely compliance-based. They \nare trailing, rather than leading indicators. We need metrics \nthat give us insight into agency security postures and possible \nvulnerabilities on an ongoing basis.\n    To evaluate new metrics, we are taking a collaborative \napproach. 
We are working with a community of Federal agency \nChief Information Officers, Chief Information Security \nOfficers, Inspector Generals and the National Institute of \nStandards and Technology to consider more effective security \nmeasures, ones that show current status and are predictive in \nnature. In addition, we are reaching out to a broad array of \norganizations, across the public and private sectors and \nacademia.\n    Today, agencies and IGs are heavily focused on compliance. \nThe creation of a secure, transparent, collaborative \nenvironment requires a risk-based approach. We will never \nachieve our security goals through compliance alone, because \nsecurity threats are fluid and constantly changing. Each new \ntechnology, new employee and new program represents potential \nfor additional security weaknesses. Agencies need to adopt a \nrisk-based approach to security to look at activities, people \nand programs on an ongoing basis.\n    The administration is committed to creating a trusted, \nsecure Federal computing environment that makes information \ntransparent to the American people while protecting privacy and \nconfidentiality. While the actions I have spoken about here \nwill assist in creating that environment, they alone are not \nenough. A secure, trusted computing environment in the Federal \nGovernment is the responsibility of everyone involved, from the \nagency heads to those charged with oversight. It entails \nemployees, contractors and the American people working together \nto create a culture of vigilance and security that enable us to \ncontinue and efficiently leverage the power of technology.\n    Thank you for the opportunity to testify on this very \nimportant issue, and I look forward to your questions.\n    [The prepared statement of Mr. Kundra follows:]\n    \n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Ms. Watson. Thank you, Mr. Kundra.\n    Mr. 
Wilshusen, you may proceed.\n\n                 STATEMENT OF GREGORY WILSHUSEN\n\n    Mr. Wilshusen. Good morning, Chairwoman Watson, Ranking \nMember Bilbray and members of the subcommittee.\n    Thank you for the opportunity to participate in today's \nhearing on the state of Federal information security. \nInformation security is a critical consideration for any \norganization that depends on computerized systems and networks \nto carry out its mission or business. It is especially \nimportant for Federal agencies where maintaining the public \ntrust is Essential.\n    Without proper safeguards, Federal systems and networks are \nvulnerable to intrusions by individuals and groups with \nmalicious intent who could potentially obtain and manipulate \nsensitive data, commit fraud, disrupt operations and launch \nattacks against other computer systems. The Federal Information \nSecurity Management Act [FISMA], was enacted in part to provide \na comprehensive framework for assuring the effectiveness of \ninformation security controls over information resources that \nsupport Federal operations and assets.\n    Madam Chairwoman, 2 weeks ago I testified before you and \nthis subcommittee about the growing and evolving nature of \ncyber threats upon our abilities and the challenges that place \nFederal systems and operations at risk. Today, I will discuss \nagencies' progress in performing key information security \ncontrol activities, the effectiveness of information security \nat Federal agencies, and opportunities to bolster security.\n    In fiscal year 2008, Federal Government reported improved \ninformation security performance relative to most of the key \nperformance metrics established by OMB. 
Although the percentage \nof employees with significant security responsibilities who \nreceive specialized training decreased significantly, increases \nwere reported in the number of employees and contractors who \nreceived security awareness training, the percentage of systems \nwith test to contingency plans and the percentage of systems \nthat were certified and accredited.\n    Despite reported progress, major Federal agencies continue \nto experience significant control deficiencies. Most agencies \ndid not implement controls that sufficiently prevent, limit or \ndetect access to computer network systems or information.\n    Moreover, agencies do not always configure networks, \ndevices and services to prevent unauthorized access and assure \nsystem integrity, patch key servers and workstations in a \ntimely manner, and maintain complete continuity of operations \nplans for key information systems. An underlying cause for \nthese weaknesses is that most agencies have not fully or \neffectively implemented elements of agency-wide information \nsecurity programs mandated by FISMA.\n    These factors continue to place Federal assets at risk of \ninadvertent or deliberate mis-use, financial information at \nrisk of unauthorized modification or destruction, sensitive \ninformation at risk of inappropriate disclosure and critical \noperations at risk of disruption. Accordingly, GAO has again \ndesignated Federal information security as a Government-wide \nhigh risk area in its 2009 high risk report to the Congress.\n    Nevertheless, opportunities exist to bolster Federal \ninformation security. 
Federal agencies could implement the \nhundreds of recommendations made by GAO and agency IGs to \nresolve previously reported control deficiencies in information \nsecurity program shortfalls.\n    In addition, the White House, OMB and other Federal \nagencies have continued or launched several Government-wide \ninitiatives that are intended to improve information security \nover systems and information. For example, in January 2008, the \nWhite House launched a series of initiatives collectively known \nas the Comprehensive National Cybersecurity Initiative, aimed \nprimarily at improving the Department of Homeland Security and \nother Federal agencies' efforts to protect against intrusion \nattempts and anticipate future threats.\n    In summary, although Federal agencies report performing key \ncontrol activities for an increasing percentage of their \nsystems, persistent weaknesses in agency information security \ncontinues to threaten the confidentiality, integrity and \navailability of Federal systems and information. To help \naddress these and other challenges, sustained commitment, \neffective oversight and improvements to the National \nCybersecurity Strategy are needed to strengthen Federal \ninformation security.\n    Chairwoman Watson, this concludes my opening statement. I \nwould be happy to answer your questions at the appropriate \ntime.\n    [The prepared statement of Mr. Wilshusen follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Ms. Watson. Thank you, Mr. Wilshusen.\n    Ms. Patillo, you may proceed.\n\n                 STATEMENT OF JACQUELYN PATILLO\n\n    Ms. Patillo. Thank you. Good morning, Madam Chairwoman \nWatson and members of the subcommittee. 
Thank you for the \nopportunity to appear today to discuss the state of Federal \ninformation security and the Department of Transportation \nefforts to comply with the Federal Information Security \nManagement Act of 2002.\n    I currently serve as the Department's Acting Chief \nInformation Officer and Acting Senior Agency Official for \nPrivacy.\n    The Department of Transportation Office of the Chief \nInformation Officer has operational responsibility for the \nDepartmental network and communications infrastructure, as well \nas providing shared services for the Office of the secretary \nand for an increasing share of employees in the DOT operating \nadministrations as they transition toward use of DOT shared \ninformation services.\n    The DOT CIO's office also has overall responsibility for \nthe Department's FISMA program and the cybersecurity posture of \nDOT networks and information systems. As part of those \nresponsibilities, we must maintain situational awareness of the \nvulnerabilities and activities on DOT networks and systems, but \nalso seek to mitigate identified vulnerabilities prior to \nexploitation in order to minimize risks to DOT, Federal, State, \nlocal and to the extent practicable, private systems and data.\n    Today's world of rapidly evolving threats, interconnected \nsystems and telework vulnerabilities and risks have the \npotential to impact upon the other networks and interconnected \nsystems. 
DOT is currently working to make improvements from its
2007 FISMA grade, and the DOT Inspector General's 2008
evaluation of the DOT cyber security program as ``not
effective.'' We developed an aggressive corrective action plan
to address the recommendations made by the Inspector General,
instituted regular internal coordination with the DOT operating
administrations to monitor and drive progress, as well as
reallocating existing personnel and resources to focus on key
areas for improvement such as certification and accreditation,
verification and validation and awareness training.
    As DOT continues to make improvements in cybersecurity and
privacy, we know much remains to be done. Partnerships between
the public and private sector to develop more intuitive and
proactive mechanisms for dynamic prevention and detection of
harmful behavior will facilitate a paradigm shift from a
reactive mode to a more dynamic and proactive mode.
    In conclusion, I would offer that the Department of
Transportation has achieved considerable progress in securing
its networks against intrusions and cyber-attacks. Nonetheless,
there is no reason to celebrate nor time to rest. Again, thank
you for the opportunity to comment on these important topics,
and I look forward to answering any questions that you may
have.
    [The prepared statement of Ms. Patillo follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Ms. Watson. Thank you, Ms. Patillo.
    Ms. Graves, you may proceed.

                STATEMENT OF MARGARET H. GRAVES

    Ms. Graves. Chairwoman Watson, Ranking Member Bilbray and
members of the subcommittee, thank you and good morning. I am
Margie Graves, the Acting CIO for DHS.
Today I will discuss the
state of information security at the Department of Homeland
Security and our efforts to comply with the requirements
established under the Federal Information Security Management
Act of 2002.
    In 2004, the Department of Homeland Security embarked on a
multi-year strategy for bringing the Department into full FISMA
compliance. In the ensuing 2 years, the Department conducted an
enterprise-wide IT systems inventory and ensured that all
systems completed a full risk assessment and a comprehensive
certification and accreditation. Security requirements have
also been built into the Department's Systems Engineering Life
Cycle methodology and specific contract language in the
Homeland Security acquisition regulations now expressly
requires contractors to comply with applicable Department
security policies.
    In 2007, the Department's Enterprise IT Security Operations
Center was chartered to provide a 24 by 7 computer incident
handling capability for the Department. The original focus was
to mitigate the effects of standard viruses, worms and other
forms of malicious payloads that do not directly target any
specific agency or group. But by late 2007, it had also become
apparent that in addition to these non-specific threats, there
was a growing class of sophisticated actors who directly
targeted the Department, especially our leadership.
    To address these threats, the Department created its own
internal focused operations team to better understand
enterprise risk associated with targeted attacks and to develop
and deploy response capabilities to deter them.
In addition to
our full commitment to implementing all Federal IT security
initiatives, DHS is now pursuing several enterprise
consolidation and enhancement efforts as part of an overall
defense-in-depth strategy to better confront these threats.
    All of these initiatives are supported in the President's
fiscal year 2010 budget that was recently submitted to Congress
for approval. Specific initiatives include the following:
first, the Department is committed to fully implementing all
requirements of the Homeland Security Presidential Directive
12, including logical access for IP systems. Second, the
OneNet project is a major Department initiative for collapsing
legacy wide-area networks into one enterprise network. The
Department is transitioning all components into mission-unique
Trust Zones through the implementation of a series of Policy
Enforcement Points beginning in 2010. Third, we are adding
features to the Trusted Internet Connections that will allow us
to further improve our ability to detect and respond to
malicious emails.
    Finally, the Department's data center consolidation project
provides the plan for migrating DHS systems to two enterprise
data centers that are currently protected by our Trusted
Internet Connections and that have been designed to address
sophisticated threats. These two data centers now deliver
utility computing and Infrastructure as a Service, allowing DHS
to realize benefits of cloud computing while also providing the
security so necessary for the threats we face today.
    I would also like to acknowledge the great work that the
U.S. Computer Emergency Readiness Team [US-CERT], is doing on
behalf of Federal agencies. US-CERT is deploying Government-
specific centers called Einstein that are designed to provide
alerts regarding sophisticated actors who directly target the
Federal Government.
Einstein centers are now deployed at both
the Department's Trusted Internet Connections and they are
providing critical alerts to the focused operations team.
    As a result of the original FISMA statute, Federal agencies
now have a good road map for designing and implementing agency-
wide information security programs. The statute provides a
strong foundation on which to build. However, we have seen over
the last few years that sophisticated threat actors are
becoming more persistent and more aggressive. Therefore, each
and every agency must also develop in-house focused operations
capability to improve overall situational awareness about these
sophisticated actors and to be ready to respond effectively
whenever there is any indication of a targeted attack.
    The Department welcomes the opportunity to work with
Congress in developing any future strategy that will not only
build on past successes, but that will also remain relevant and
effective in today's evolving IT security threat environment.
    Thank you.
    [The prepared statement of Ms. Graves follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Ms. Watson. Thank you, Ms. Graves.
    Mr. Chun, you may proceed.

                    STATEMENT OF SAMUEL CHUN

    Mr. Chun. Good morning, Chairwoman Watson and distinguished
members of the subcommittee.
    On behalf of EDS, an HP company, thank you for the
opportunity to discuss our perspectives on this important topic
of Federal information security. For nearly 45 years, EDS has
been a trusted ally, serving governments across the world. As
one of the largest providers of technology services and
solutions to the U.S.
Government, we strive daily to achieve
secure operational excellence in everything we do.
    From the millions of warfighters that carry our identity
credentials to the one in five citizens who used our voter
registration and election management systems last fall, we are
entrusted with some of the most sensitive information of our
fellow citizens. We understand and appreciate the enormous
cybersecurity challenges that our Government agencies face
today.
    We can attest definitively to the fact that the well-
publicized threats facing our information infrastructures are
real. Since our founding, we have built and managed on behalf
of our Government customers, some of the largest and most
complex systems and networks in existence. This includes the
Navy Marine Corps Intranet, which is the largest purpose-built
network in the world. We currently manage 180 data centers,
380,000 servers, 5.4 million desktops and nearly 15 million
Internet IP addresses. And we, like everyone else, are
constantly under attack.
    We are also finding the number, type and sophistication of
the attacks to be growing. We expect these trends to continue.
    FISMA was enacted nearly 7 years ago to require Federal
agencies to improve the security postures of their information
systems by implementing a program that would reduce security
risks. While the debate rages as to whether FISMA is an
effective engine for measuring and improving security
performance, there is little doubt as to its good intentions.
    While there are numerous positive benefits provided by
FISMA, there is general consensus that FISMA does in fact need
reform. We have observed and participated in many passionate
debates about FISMA and have concluded the following
deficiencies need to be addressed. First, compliance has become
too administrative, emphasizing paperwork. Second, the
correlation between compliance and operating performance is
unclear.
Three, accountability for good and poor compliance is
also unclear. Fourth, the validity of what is being measured
under FISMA is in question. And five, rapidly emerging threats
may be outpacing compliance efforts.
    Our vision for information security for our customers is
simple. Security should be so tightly integrated into the core
of agency operations that stakeholders have the confidence to
be agile at the edge. To put it simply, security should be an
embedded part of operations that permeates across the
enterprise.
    By no means do we think this will be an easy or short
journey. In fact, we expect the vision will include some
difficult decisions and foundational changes that will require
champions, resources, technologies and definitely the wisdom of
time. That said, I think we would be remiss were we not to
discuss the first steps and big challenges that must be
addressed to take the first positive steps toward our vision.
    First, governance. Because threats against our
information systems and our infrastructures can appear without
warning, and the defense cycles required could be in seconds,
lawful orders that change an agency's infrastructure must be
carried out quickly and comprehensively across the Government
enterprise. This highlights the need for clear and consistent
roles, responsibilities, policies and accountability structures
for the Government enterprise.
    Second, consolidation. Consolidating and standardizing
infrastructures facilitates situational awareness, nearly
impossible when an agency depends on myriad small,
independently operating networks and enclaves.
    Three, consistent protection. Because Government
infrastructures are vast and interconnected, applying
consistent, enterprise-wide defense in-depth strategies
strongly improves security performance.
    Four, emphasis on operating performance.
We support the
efforts to clearly articulate and require operating thresholds
for security of acquisitions to better meet them.
    Then finally, people. Security practitioners clearly must
be trained, vetted and industry-certified on the best security
policies, technologies and practices. We need to continue the
trend of raising a much larger cybersecurity work force.
    In summary, we believe security must be tightly integrated
with operations in agencies. It will take a conscious effort by
operators and users, Government and industry alike, for the
inventing of security into everything we do. For nearly 50
years, EDS has been an ally for governments in tackling some of
the most difficult challenges that face them. We continue to
stand by, ready to work with you on this one.
    Thank you, and I will be happy to answer your questions.
    [The prepared statement of Mr. Chun follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Ms. Watson. Thank you, Mr. Chun.
    Mr. Shoer, please proceed.

                    STATEMENT OF M.J. SHOER

    Mr. Shoer. Good morning, Chairwoman Watson, Ranking Member
Bilbray, Congressman Connolly and Congressman Duncan.
    Chairwoman Watson, I want to thank you for your
acknowledgement of my daughter. I appreciate that. I wanted her
to have the opportunity to see our participatory Government
working quite well.
    Ranking Member Bilbray, I think you will find that my
testimony will address some of the concerns that you
articulated quite directly.
    On behalf of the Computing Technology Industry Association
[CompTIA], we thank you for your ongoing interest in the state
of Federal information security. This is a broad, yet critical
subject, ranging from FISMA as well as a variety of practices
that impact our national security, citizenry and the computing
industry at large.
We appreciate the opportunity to share with
you the following views.
    CompTIA is the voice of the world's $3 trillion information
technology industry. CompTIA's members include thousands of
small businesses called value-added resellers [VARs], as well
as nearly every major computer hardware manufacturer, software
publisher and services provider. Based upon a recent CompTIA
survey, we estimate that 1 in 12, or about 12 million American
adults, consider themselves to be an IT worker. This is larger
than the number of American adults classified by the BLS as
employed in farming, mining and construction combined. This is
also close to the number of adults classified by BLS as working
in manufacturing or transportation. CompTIA has concluded that
the IT work force is now one of the largest and most important
parts of the American political community.
    My name is M.J. Shoer, I am the president and virtual chief
technology officer of a VAR, the Jenaly Technology Group, and I
am pleased to be testifying on behalf of CompTIA. I live in
Portsmouth, NH, and have been an information technology
entrepreneur. In 1997, I founded Jenaly and have since served
as its president.
    On behalf of CompTIA and its many small business member
companies, we welcome the subcommittee's exploration of FISMA
and its effectiveness for today's ever-increasing cybersecurity
challenges. Certainly, many critics and the other witnesses,
including the GAO, have commented on the effectiveness of
FISMA.
    Recently, the GAO submitted 12 recommendations to the House
of Representatives. One finding in particular, the eleventh, is
significant for your attention.
The finding calls for
increasing the cadre of cybersecurity professionals, and the
report states the following, ``Expert panel members that
actions should include making the cybersecurity discipline a
profession through testing and licensing.''
    In summary of my written testimony, the issue before us all
is how to enhance the security of critical Federal systems and
protect our country and its citizenry. It is evident to critics
or anyone who regularly reads the newspaper that the current
awareness training model is not working. Security breaches
among the agencies have increased instead of falling off. This
may be due to a disturbing phenomenon, namely, the lack of
adequate personnel training and testing.
    In contrast, I fear that all too often, the answer is a
tendency to invest in technological solutions alone. Certainly,
firewalls and encryption are part of the solution. However, the
real cybersecurity equation lies in managing the balance
between technology and human capital through training, testing
and certification.
    It is unfortunate we have so many challenges today, because
the Congress came very close to requiring certification of
Federal IT security workers in 2002. FISMA itself only requires
security awareness training to inform impacted personnel of
information security risks associated with their activities and
to comply with agency procedures. The undisputed evidence
concerning breaches reveals that this is insufficient for the
Federal Government's needs.
    In my view, I agree with the critics about several key
flaws with the current FISMA framework. First, the fundamental
flaw of the FISMA framework and the Federal Government's policy
is a lack of emphasis on the training and testing that is
vital.
My recent meetings with various Hill staff confirm
this, after hearing episode after episode about breaches in
the Federal system caused by human error, for example, the
removal of a laptop from a Federal site and then improperly
securing it while outside that site.
    A second and significant flaw is the lack of uniform
verifiable IT security training as the single largest problem
regarding information security and the Federal Government.
Fortunately, a solution to FISMA's flaws may be found elsewhere
in the Federal system. In 2004, the Department of Defense
raised the bar for cybersecurity through a training and testing
program commonly known as the 8570 Directive. This initiative
focuses on the certification of personnel. Based upon my own
experience in this industry, I believe that accreditations and
certifications offer many benefits, including lower transaction
costs. Remarkably, throughout the Federal Government only the
DOD has formally required its employees and contractors to get
certified.
    Last year, my own IT business, Jenaly Technology Group,
became the first in the country to become accredited for best
practices in information security as it relates to our clients.
    In conclusion, it is undisputed that we must protect the
American public by having a security framework that guards
information systems for both our Federal critical systems as
well as the private sector. The computing industry is hard at
work facing the unprecedented challenges of securing our data
from both malicious threats and human error. Congress'
enactment of the FISMA has provided a base level of protection.
    The key to securing our Federal IT systems for the future
lies in the partnership between technology and human capital.
By effectively managing both technology and the people in
concert through training and testing, such as through the
certification process, we can win the battles in the security
war. The current Defense Department model surrounding the 8570
Directive is a model worthy of emulation throughout the
Federal Government. Any modification of FISMA must recognize
the lessons surrounding the human capital contribution to the
IT security equation by the certification and accreditations to
enhance our security.
    Thank you very much, and I look forward to answering any
questions.
    [The prepared statement of Mr. Shoer follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Ms. Watson. Thank you, Mr. Shoer, and thank all of the
witnesses today.
    We are now going to move to the question period and proceed
under the 5-minute rule. I will open up the questioning.
    I would like to start with Mr. Kundra. Your testimony
specifically mentions that FISMA does not provide the necessary
performance information to determine the Government's
information security posture. So please cite for us what types
of information it doesn't have, and how FISMA needs to be more
reflective for the compliance requirements. Would you provide
that information?
    Mr. Kundra. Part of the debate is, as more and more
transactions have moved to the digital world, if you look at
legislation in general, or standards overall, the challenge is
keeping up with the evolving threat. Because what ends up
happening is, when you set X number of standards in terms of
making sure reports are filed, whether that is annually or on a
quarterly basis, it doesn't necessarily reflect your security
posture.
    An example would be within an agency, the old model used to
be that you would build perimeter security in terms of
firewalls.
Because those threats were seen as, you had an
enterprise and you had malicious actors on the outside that
were trying to penetrate the defense that you had put in. So
essentially, building walls around the agency.
    But unfortunately, the malicious actors become more and
more sophisticated in terms of being able to penetrate much
deeper into the security systems. So now, being able to look at
specific data elements and looking at the data itself, and you
have this evolution, this race toward where you have actors
that are actually going out there and making sure that they are
able to bring down defense, whether they be firewalls,
intrusion detection systems, intrusion prevention systems.
    What we need to do is we need to be able to at the Federal
Government monitor agencies more on a real time basis rather
than on an annual or quarterly basis. We no longer can use a
model that may have succeeded in an industrial era and apply it
to the information age. Because we are moving toward a real
time model where transactions and billions of dollars and
information is moved on a real time basis. And therefore, we
have to ensure that the metrics we are looking at move us in
that direction.
    Ms. Watson. Thank you.
    As part of this fiscal year 2010 proposal, the Obama
administration is proposing to expand the use of its IT
services, such as cloud computing and other types of data
warehousing, software platforms, for managing agency data and
systems. So I have a couple of questions on this.
    What are the policies and protocols in place to ensure that
the service providers and vendors are meeting information
security and privacy standards set under FISMA and the Privacy
Act?
    Mr. Kundra. As a part of what we are making sure with the
Federal CIO Council is actually to ensure that FISMA is applied
to any solutions when it comes to cloud computing.
Second, from
a philosophical perspective, what we need to make sure of is
that security is actually baked into the very architectures of
any solution, whether that is from a technical perspective or
whether that is from a cultural or human capital perspective.
As shifts move in the industry toward cloud computing, it is
not only important to bake security into the architecture, but
also from a privacy perspective, the CIO Council has a privacy
committee that looks at these issues.
    And in conversation that we are having with industry, we
are making sure that privacy issues and security issues are at
the forefront and that they are also baked in early into the
procurement cycle rather than afterwards, after you have
procured a system, and then you have to go back and figure out
what you need to do in terms of security.
    Ms. Watson. Is it fair to say that the companies providing
these services to agencies ought to be responsible for
providing at least the same information security protections
that would be required of agencies who manage the data in
house?
    Mr. Kundra. I think what we need to make sure is that we
look at it from a risk-based approach, which is, there isn't
going to be one model that applies to everything. So there are
classes of risk. What I mean by that is there is a set of
services that the Federal Government has, which is public
information, for example, that is not sensitive in nature.
    So what you want to make sure is that you don't drive up
the cost significantly for services that are not sensitive in
nature and it is informational, versus having information that
is either classified or sensitive in nature, where you need to
ensure that the contractor or any company providing those
services have baked in security.
Our view would be, FISMA
should be, as we look at standards, and as we look at
technology, it shouldn't be seen as just a ceiling. It should
be seen as the floor, but bake in even more security, depending
on what the threat matrix is.
    Ms. Watson. Does anyone else, DOT, DHS, want to respond?
    Mr. Wilshusen. If I may, Madam Chairwoman, a couple of
points I would just like to point out. With services such as
cloud computing or software as a service, it is, as Mr. Kundra
mentioned, very important that the contracts and the
organizations providing the services have adequate security
mechanisms in place to provide the same level of security as
needed and as required by Federal policy, since this is Federal
information that is at risk.
    One of the things that has been shown with this year's
report is that the number of IGs who reported that their
agencies almost always ensure that their contractors provide
the same level of security required by FISMA, OMB policies and
NIST guidelines dropped significantly at the same time that the
number of contractor systems increased. So what happened is
increasing reliance on contractors, where at the same time the
oversight of those contractors is declining, as indicated in
these reports.
    So it is important that as these technologies and services
come into play, and are being used increasingly by Federal
agencies, that they do in fact assess the risks of using them
and take the appropriate measures to make sure that the
security controls are implemented and that the contractors are
in fact providing the level of security required.
    Ms. Watson. Is there any other? Ms. Patillo.
    Ms. Patillo. Yes, if I may, Madam Chairwoman, comment on
that question. I agree with Mr.
Kundra that what we have to do
is look toward risk-based systems, especially in our FISMA
process.
    What I would like to add new to that comment is, I believe
that there has to be an integration with the capital planning
process and FISMA. Currently, we sometimes look at that as two
separate entities. At the Department of Transportation, we have
one of the largest IT budgets in Federal Government, it is $2.9
billion. Currently, I am spending $125 million on security,
which is less than one half percent on security.
    So one would ask, is that the appropriate amount of dollars
to be spending? We grapple with that from day to day. Is it
accurate? Should it be more? Should it be less? Where should we
apply it? Should it be toward certification and accreditation?
Or should it be more toward contingency planning?
    I think that with the integration of security and capital
planning, we would be able to answer more questions and be able
to apply more of a risk-based system.
    Ms. Watson. My time is up and we will come back to this in
a minute.
    I would like now to recognize our ranking member, Mr.
Bilbray for 5 minutes.
    Mr. Bilbray. Thank you, Madam Chair.
    When I see the defensive mechanisms [indiscernible] that is
on, OK. Interesting that two of our mics went out. [Laughter.]
    My staff always tells me, you are not paranoid, everybody
really is against you. [Laughter.]
    But we have been talking the defensive side. What is the
ability for technology to find an electronic fingerprint of
those who are probing our systems?
    Mr. Chun. Very little to nothing. The Internet was invented
and developed with the complete assumption that everyone on the
Internet would be a trusted source. So decades ago when it was
actually developed, there was no real concern or thought over
someone on the Internet would need to be traceable, and No.
2,
would actually have ill intent.
    So I would guess the answer, I think the question you are
alluding to is attribution, can we attribute these attacks
definitively to a source. I believe the current infrastructure
technology answer is no, or very difficult.
    Mr. Bilbray. Are we working on technology to be able to
track sources?
    Mr. Chun. The industry itself is looking at modifying the
basic framework of the Internet. Very complex issue. There are
interoperability issues with older networks and systems. But
there are various organizations, including the ones that are
sponsored by the Government, such as DARPA, that are looking
into these fundamental issues of how do we change the Internet
into something more trustworthy. And that is a very complex,
long-term effort. I can't speak for everyone at Hewlett-
Packard, but I personally believe this is more of a
generational issue than one that we can fix practically very
quickly.
    Mr. Bilbray. I have to assume, there are always those that
assume that anonymity is a great thing, the Government, no one
should be able to track whatever I do on the Internet. Though
we take it for granted that we have caller i.d. with our
phones. I am sure this has the black helicopter people looking
at this as some great conspiracy by Big Brother.
    But I darned well think that it is absurd that we have to
play constant defensive ball here and not be able to spend some
of those resources at tracking down who is probing, who is
prodding, who is trying to find a weak spot. There is no
defensive system in the world that can handle constant
bombardment of those kind of probes without a weak link being
found somewhere down the line.
    I know in 1996, Madam Chair, when I was serving on Energy
and Commerce and we were looking at the telecommunication
forum, user i.d.
was always a big issue, not just for security
reasons, but for the interstate gambling aspect of it, the
consumption of alcohol, tobacco, pornography, there was all
this stuff. I think that we really have to be very frank and
open about the fact that this user i.d. is something that needs
to be followed up on. It may be one of those things that we
want to spend more money on being able to track down.
    God knows, every one of us watches CSI and sees what we
have done with tracking down bad guys electronically. Maybe we
need to be looking at some of this technology in the future.
    So that really concerns me. What do we have right now as a
strategy to go after the bad guys who are probing? Or is it the
fact that we don't have a way of tracking, so we just accept
that we can't do that?
    Mr. Kundra. No, we are actually, the Department of Homeland
Security, and I will defer to Ms. Graves here, but US-CERT
monitors the Federal infrastructure to be able to respond
accordingly. And on research and development, investments are
being made, whether it is through the National Science
Foundation or whether it is with DARPA, and of course, working
closely with the National Security Agency, to look at what the
security and the threat matrix is.
    But you are absolutely right, in terms of the nature of the
threat, it is constantly evolving, as actors go up, as you
stand up defense systems, making sure that there are actors out
there who are also making the appropriate investments to be
able to penetrate those defense systems. So we have to be ever-
vigilant, and it cuts across through everything, through the
culture of an organization, the human capital and even the
technology systems that are out there.
    Mr. Bilbray. Ms. Graves.
    Ms. Graves. Yes.
To further comment on the US-CERT
capability, we do have these Einstein sensors that are located
in the Federal Government now, and they have signatures and
scripts for people who specifically target the Federal
Government. Once an intrusion is determined to be active, we
open cases and we do the forensics on those particular cases,
scans, and we do track back to the original source. That does
take time. There is no efficient technology to do it. But we do
have individuals in place from an intelligence community
perspective who deal with these types of threats who aid us in
that forensic analysis.
    Subject to future capability, we will also be adding to
that in the Department of Homeland Security in terms of the
cybersecurity initiative and plussing up the capability that we
have in US-CERT and also in NPPD. But that is human. That is
the human side of following the threat, of doing the analysis,
of determining the source and of looking at counter-
intelligence measures and reasons why these specific people are
targeting the Government.
    Mr. Bilbray. Madam Chair, I think this is something that
both sides of the aisle need to be brave enough to address.
There are people on the left and the right who would not want
this technology. But it is not just a national security issue.
It is the security of our children, and everybody knows the
predator issue. It is sad that we need to have a television
show set up sting operations for predators, because we don't
have the ability to really trace these down.
    I just look forward to the day that we can literally have
some of these probers drawn and quartered in the public square
to basically send the signal to everybody, especially our
children, that this is not something that is acceptable in a
civilized society. Though drawing and quartering is.
[Laughter.]
    I yield back.
    Ms. Watson. Thank you.
    Mr. Connolly.
    Mr. Connolly.
Thank you, Madam Chair.\n    Hopefully I can be heard. Thank you, Madam Chairman.\n    [Remarks off mic.]\n    Ms. Watson. Sorry about these mics.\n    Excuse us. You see we need your technology.\n    Mr. Connolly. Madam Chairman, I would ask unanimous consent \nthat my statement be entered into the record as read, given the \nfact that it could not be heard. [Laughter.]\n    Ms. Watson. Without objection.\n    Mr. Connolly. Madam Chairman, one of the concerns I have \nabout this subject is how we are coordinating at the Federal \nGovernment level. And I have introduced a bill to try to codify \nby statute the Executive order issued by the President to \ncreate a CTO position. The good news is, we have two highly \nqualified people, Mr. Kundra and Mr. Aneesh Chopra. But when we \nlook out to the future, we are not always going to have an \nObama administration in place. I believe very, very strongly \nthat we have to have a statutory framework that delineates the \nrespective responsibilities between the two.\n    I would hope, Mr. Kundra, that you would take that message \nback to the White House. Because we need to work together. \nThere are some changes that need to be made in the legislation, \nfine. But I believe, Madam Chairwoman, we have to address this \nissue, this committee has to address that issue on a statutory \nbasis. I certainly intend to proceed with the legislation. I \nwould like to have White House input in doing that. And I thank \nyou.\n    Mr. Chun, you talked in your statement about governance as \nthe first challenge. You said that we need a new and empowered \nleader to spearhead the effort. What did you have in mind?\n    Mr. Chun. Someone that we can go to directly. For example, \nif there are issues with some of our contracts, we are almost \nalways going directly to a specific person at that agency. 
\nWhile that is good, I think as an industry as a whole, we need \nliterally an office we can go to for a coordinated effort.\n    We participate in lots of industry activities, BSA, which \nis a software alliance, Tech America, all those venues. When we \ntalk to our partners, we hear pretty much the same thing from \nindustry and a corporate level, is there someone that is \ncentral to the Government that is in charge of these particular \nissues, someone that I think would be valuable to us.\n    Does that answer your question?\n    Mr. Connolly. I think it does, but I think you are talking \nabout on an agency by agency basis.\n    Mr. Chun. No, I meant that as what we do from a business \nstandpoint. But when that industry engages, such as the \ntechnology industry engages as a whole, there appears to be a \nlot of companies that belong to an organization that deal with \na specific agency question or something that specific \ndepartment may issue a question. And until very recently, when \nthe cybersecurity review was being performed, we haven't seen \none from a central office in Government that says, we need your \ninput. I think that is a really critical thing that has been a \npositive for us.\n    Mr. Connolly. Well, hopefully the creation of a CTO may \nhelp us with that. I think that is worth monitoring carefully.\n    Mr. Kundra, in your initial review of information security, \nyou referred to the FISMA requirements as cumbersome and labor-\nintensive. I wonder if you could give some examples of how we \ncould improve the process from your point of view.\n    Mr. Kundra. Sure. Part of what we need to be able to do is, \nfrom an OMB perspective, automate a lot of the reporting in \nterms of collecting information. Second, is we need to be able \nto rationalize as far as which metrics we are going after, \nwhich ones are important and which ones are not. 
Having \nthousands of metrics doesn't necessarily add value unless those \nmetrics are relevant, those metrics are able to respond to the \nreal time threat and the nature of the threat that we face, and \nare evolutionary in nature in terms of recognizing that as we \nput up defenses on the other side, there are people putting up \noffenses.\n    So how do we measure metrics, or how do we look at and \napproach security for a position that it has to be one baked \ninto the architecture, whether it is system, agencies, culture? \nSecond, how do we make sure that there isn't a model of \nfaceless accountability, that we are all accountable when it \ncomes to information security and the management of those \nsecurity systems? Third, how do we move toward an area where we \nare actually monitoring, similar to what US-CERT is doing, \nacross the board on a real time basis as threats emerge, so we \ncan see from a leading perspective which threats are emerging \nacross the world, so that we can be beneficiaries to ensure \nthat we are putting up the proper defenses in an ongoing basis?\n    Mr. Connolly. Thank you.\n    Mr. Wilshusen, Government often likes to do that which it \ncan measure most easily. Cybersecurity, educational awareness \nis measurable. We trained 400 people this week. Check. The \nquestion really is, but are we in fact more secure today than \nsince we passed FISMA, with the best of intentions. And perhaps \none can draw the inference from the GAO report that the answer \nto that is more problematic than we want to admit. What is your \ncomment?\n    Mr. Wilshusen. Well, I would certainly say I agree with \nyour comment that what gets measured pretty much gets done. And \none of the areas that we can do, have additional improvements, \nas Mr. 
Kundra mentioned, is in the type of measurements and the \nmeasures that we actually use to monitor the security at the \nagencies.\n    As we commented before, many of the measures that are \npresently being used are basically compliance-related, \nimplementation measures. They don't measure how effective an \nagency is in actually implementing a control. And so that is \none of the areas where we need some improvement.\n    And certainly the measures that are currently being used \nare in fact defined by OMB. So Mr. Kundra and OMB is in a good \nposition then to make changes to that particular mechanism for \nmonitoring security.\n    But indeed, the Federal agencies have spent a lot of money \ntrying to secure their systems and complying with various \ndifferent requirements. It is still very much an open question \nwhether we are more secure.\n    I would say that with the evolving threats, and with the \nnew, emerging technologies that are in place, as well as the \nchanging business practices, they all increase risk to Federal \nsystems and operations. It is a very fluid, dynamic environment \nthat we have to address on a regular, real time basis.\n    Mr. Connolly. Madam Chairman, I am sure my time is up, but \nI want to suggest that we may want to invite our Federal \nwitnesses to provide the subcommittee with their \nrecommendations for how we might improve FISMA toward the goal \nof ensuring cybersecurity. I am far less concerned about how \nmany people we train in awareness, though that is important. \nBut the goal isn't awareness, that is part of the process. The \ngoal is to ensure the security of the system.\n    And frankly, Madam Chairman, I am so glad you are having \nthis hearing, because frankly, if people really looked at the \npotential threat, we would have to have this hearing in the \nCannon Caucus Room in terms of its importance. 
I want to thank \nyou again for holding this hearing, because I can't think of a \ntopic that is more timely and more important as we look out to \nthe future.\n    Thank you.\n    Ms. Watson. Thank you.\n    The GAO reports that many of the Government data losses \nwere a result of physical theft or improper safeguarding of \nsystems, including laptops and other portable devices. I recall \nthe well-publicized event several years ago of a computer that \nwas stolen from the Veterans Affairs employee with a massive \namount of personal data of the VA beneficiaries.\n    How many of the reported security incidents are considered \nphysical breaches as opposed to data that is lost or corrupted \nthrough cyber means, and what additional security \nvulnerabilities do cell phones and BlackBerrys and other \nwireless devices present to securing sensitive or classified \ninformation?\n    Mr. Wilshusen. I will start off, if you don't mind, Madam \nChairwoman.\n    With regard to the actual number of incidents that have \nbeen attributed to physical security lapses, such as theft or \nloss of laptops, I don't have that specific information. The \ninformation that is presented in agencies' reports to the US-\nCERT has shown that the number of total incidents has tripled \nover the last 2 years, from 2006 through 2008. And of that, the \nphysical security portion of that would be one of the \ncategories that is included in the unauthorized access category \nthat US-CERT requires agencies to report under.\n    Of that, there is about 18 percent of the number of \nincidents that occurred, triple, from 5,500 in 2006 to over \n16,000 in 2008. About 18 percent of those related to \nunauthorized access to information. 
That would include both \ncyber access, where someone came in through a network and was \nable to access information, as well as those pertaining to the \nloss or theft of a laptop or some other physical means.\n    But certainly, that is a key control threat and \nvulnerability of Federal systems, is the fact that so much of \nthe Federal work force is mobile. The data is becoming \nincreasingly portable through not just the laptop computers, \nbut also thumb drives. It is important that appropriate \nsecurity measures, such as encryption and other capabilities, \nare installed to help mitigate the threat of such incidents \noccurring.\n    Ms. Watson. Can we mitigate those threats?\n    Mr. Wilshusen. We can certainly try to address them and \ntake appropriate controls to help reduce the risks associated \nwith those threats. I guess it is also important to realize \nthat risk avoidance is not even a goal relating to \ncybersecurity, it is managing the risk. So we have to assess \nthe risk with the information, first of all, as Mr. Kundra \nmentioned earlier, is this information sensitive and from what \npurpose, from a confidentiality perspective or integrity. And \nthen if it is not sensitive from a confidentiality perspective, \nthen the level of controls might be less than if it is \nsensitive information and then we may want to use encryption. \nFor example, personally identifiable information, OMB has \nissued policies in the past requiring that agencies that put \nsensitive information on their laptops be encrypted, and that \nthe life of that information on that laptop be limited to 90 \ndays and then it should be reevaluated, whether that \ninformation should continue to reside on that laptop.\n    So there are controls that could be in place and in fact \nare in place at some agencies. But they probably need to be \nimplemented on a more regular basis.\n    Ms. Watson. How can we harmonize across these agencies? 
\nWhat I see is that each agency has different standards. So some \nway we need to coordinate and harmonize. How can we do that? \nMr. Shoer.\n    Mr. Shoer. Madam Chair, I think you are touching on \nsomething that I commented on in both my oral and written \ntestimony. If I can try and distill what you are saying into my \nown words, the technology exists to address the various issues \nand threats that you are speaking about. But what often gets \nlost in these discussions is that the human being, you and I, \nare still, despite all the technology, we are still the last \nline of defense. I see this in the private sector as well as \nthe public.\n    The bottom line is we feel very strongly that it is only \nthrough a level beyond awareness training, as you pointed out, \nthe awareness training is wonderful, but it is documented to be \ninsufficient. We need to be pushing training down from the IT \nstaffer level throughout the agencies to ensure that those who \nhave access to this sensitive information are clearly trained \nand certified in their ability to have access to it and use it.\n    Ms. Watson. I will yield to Mr. Bilbray.\n    Mr. Bilbray. Let me follow up on a different line here. The \ndiscussion of bringing in basically an IT security expert into \nthe White House, will that help coordinate the efforts or \nbasically just add another layer?\n    Mr. Kundra. That has been part of the 60-day review, \nworking with Melissa Hathaway, looking at how we are organized \nacross the board within the Federal Government. 
At the same \ntime, we recognize that cybersecurity is such a vital issue and \nit cuts across every aspect of life when it comes to the \nFederal Government that we need to ensure that we have the \nproper attention and that the President's recommendations are \ngoing to be forthcoming in terms of the 60-day review, in terms \nof what we need to do to ensure that we are organized in a way \nthat allows us to respond to these evolving threats.\n    Mr. Wilshusen. And if I may add, Ranking Member Bilbray, \nGAO convened a panel of cybersecurity experts a couple of \nmonths ago to look at that very same issue and to provide \nrecommendations or suggestions for improvement into the \nNational Cybersecurity Strategy. And they suggested that, \nindeed, establishing White House responsibility and \naccountability for leading and overseeing national \ncybersecurity policy is very important.\n    One of the problems that has occurred to date in this phase \nis that much of that responsibility has been given to DHS in \nits role. But for a number of different reasons, including the \nturnover of key personnel, and the fact that they didn't have \nauthority to monitor budgets or anything like that, they had \nlimited effectiveness in performing that role. So elevating it \nup to the White House was one of the issues that our panel of \ncybersecurity experts felt was needed in this respect.\n    Mr. Bilbray. So you do support it?\n    Mr. Wilshusen. Yes.\n    Mr. Bilbray. What does that do to the oversight \njurisdiction of this committee and the other committees in the \nHouse and Senate?\n    Mr. Wilshusen. I don't know what the specific impact would \nbe by elevating that with regard to the oversight of this \ncommittee.\n    Mr. Bilbray. While I have you here, there was testimony \nhere about the DOD's directive in the initiative to ensure and \nrequire certification. 
Do you think this is a program that we \nshould use as a model or do you see major shortfalls here, are \nthere shortcomings of the concepts, or do you think we have \noperational systems that are just as good?\n    Mr. Wilshusen. I think any time you can improve the skills, \nknowledge and abilities of those individuals responsible for \nimplementing security, it is a benefit. The key, as I mentioned \nearlier, was the fact of providing computer security awareness \ntraining, while that is fine, it still gets to the point of how \neffective is that training and how will we know whether or not \nindividuals responsible for implementing security actually act \nappropriately in the time and deed when they are being \nchallenged.\n    That is why having measures as the number of personnel that \nmight be certified or that have received computer security \nawareness training may be somewhat misleading. What would \nprobably be a better measure is to have some sort of a \nchallenge-response test to see how they react when an incident \noccurs. And just as an example, the Internal Revenue Service \nhas a pretty good program of where the IG would actually ask \nspecific questions to their claims representatives over the \nphone about a tax question, and then they could then determine \nhow accurate those responses were and whether or not they were \ngetting accurate tax information in response.\n    Mr. Bilbray. My father has been in the tax business since \nthe year I was born, and believe me----\n    Mr. Wilshusen. And what they typically find is that many of \nthe responses they receive from their tax representatives are \nwrong and incorrect. Why can't we design similar tests for \ncybersecurity? Why can't we send perhaps an email to an \nindividual to see how many of them actually open up the \nattachment or click on a link?\n    Mr. Bilbray. We don't do testing systems right now?\n    Mr. Wilshusen. 
We test systems, I don't know if we test the \neffectiveness of those systems across the board. Certainly we \ndon't do that as part of the FISMA reporting process.\n    Mr. Bilbray. Madam Chairman, you remember, this is \nsomething we probably need to talk about too, is they just did \na test to see about getting passports and phony i.d. and four \nout of four, bam, right through. That is a whole different \nissue.\n    After the mics have been all messed up all day, I am in a \nparanoid sense here. But how do we know that the people we are \nhiring aren't working for the bad guys? What kind of security \ndoes DOD do when we bring people on? How do we know? Do we use \nbiometrics? Do we do background checks? How do we know the bad \nguys aren't slipping into the system and actually programming \nour systems?\n    Mr. Shoer. Thank you, Ranking Member Bilbray. I can't speak \nspecifically to that, but I can certainly find the answer for \nyou. But I can tell you that in some of the private sector \nequivalents that CompTIA is involved in, and CompTIA was \nintimately involved in the 8570 Directive, those controls are \nthere. Background checks are a critical piece of that \naccreditation.\n    So those controls are there. I think to your earlier \nquestion about the type of testing that goes on, there is a \ntesting component to 8570, but again, I will have someone get \nback to you in writing with the specifics on exactly how far \nthat goes, so that you know how applicable that model may be to \nthe rest of the Government. We think it is very applicable.\n    Mr. Bilbray. Right now, employees all go through at least \nE-Verify to make sure their Social Security Number and their \nnames match, right?\n    Mr. Shoer. I would think at a minimum.\n    Mr. Bilbray. OK. But the contractors, the administration \nhas, the previous administration and this administration, has \ndelayed the E-Verify requirement for contractors generically \nfrom February now or late June. 
Hopefully we will see a go. But \nthe fact is that right now, in the IT system, do we use that on \ncontractors who are brought in to do work? Everything is in-\nhouse.\n    Mr. Shoer. One of the things you might want to investigate, \nand without getting too far off track, the Commonwealth of \nMassachusetts, as you may know, has passed some fairly sweeping \ninformation security privacy regulations. Part of that is \ncertifying that the third party vendors that are hired, now \nthis is focused mostly at private sector, but again, I think \nultimately there is a tremendous opportunity for a public-\nprivate partnership here in sort of establishing these \nstandards that will work throughout the Federal system as well \nas the private sector.\n    But you will have to, for example, as a very simplistic \nexample, you mentioned tax work. So if you are a CPA firm and \nyou engage a company like my own, a VAR, to work with your \ninformation systems, we have to provide that safe harbor \ninformation that certifies that we have done all the things you \nare talking about so that organization knows that the \ncontractors they are bringing in meet these various stringent \nrequirements.\n    I think something similar at the Federal level makes \nperfect sense.\n    Ms. Watson. Thank you for that.\n    Senators Rockefeller and Snowe recently introduced \nlegislation that included provisions to establish a \ncybersecurity office in the White House, along with Federal \nacquisition and procurement requirements for IT. I would \nwelcome in writing your comments on what should go into the \nlegislation.\n    There is a draft out now. But you just might want to \nsuggest what should be included in that legislation. Several \nMembers have mentioned, we will probably need some kind of \npolicy to deal with this. 
So I would like to have your input as \nwell.\n    Now, moving on, the GAO reported that 23 of the 24 major \nagencies for fiscal year 2008 did not identify or authenticate \nusers in order to prevent unauthorized access to agency \nnetworks. Authenticating users appears to be a fundamental \nsecurity breach at the front end that can have a cascading \neffect on security breaches throughout the system. I know you, \nMr. Bilbray, raised this issue during our last hearing.\n    Do we know who is authorized to have access and who is \nlegitimate and who is not? Why have the vast majority of \nagencies failed to create adequate security measures to identify \nand authenticate users? This question has been raised, but I \nwould like to hear further comment from you on why it is taking \nso long to do this. Mr. Chun.\n    Mr. Chun. I believe the agencies that have complied, the \nones that come to mind are the Defense Department, and the \nMarine Corps, under that contract.\n    Ms. Watson. The GAO said 23 of the 24 major agencies did \nnot identify.\n    Mr. Chun. There are agencies, I was alluding to, trying to \nrelate a success story, for bringing the Marine Corps into that \ncontract. We were one of the first to implement a cryptographic \nlog-on mandate, which basically says you need to use multi-\nfactor authentication. You use what you are, what you have, \ninstead of just typing a user and password in. The technology \ndoes exist. It has been implemented and has been successful in \nother places. I can't speak for the specific reason why an \nagency would choose or hasn't gotten to that.\n    But it is relatively mature. Matter of fact, it doesn't \nnecessarily need to be two, there could be many multi-\nauthentication factors to gain access to a system. But you do \nhave to balance, and it is always kind of a sensitive thing, \nwhat security is. 
The safest computer in the world is one that \nis not connected to the Internet, in a steel bunker with no \nwindows and no doors. [Laughter.]\n    You can put so many controls into a system that it is \nactually not providing any value to the mission of the agency. \nSo it is one of those things that we try to be particular \nabout. That is one that the technology exists, it is mature, we \nbelieve, and has been used in the past. So we encourage all the \nagencies to look at that.\n    Mr. Bilbray. Madam Chairman, would you yield, please?\n    Ms. Watson. Yes, Mr. Bilbray.\n    Mr. Bilbray. Does the DOD now use any biometrics to \nconfirm? Or is it all strictly just on data information?\n    Mr. Chun. I can get you the specific technical details in \nwritten form. But the common access cards they use, it is \ncapable of storing biometric information. Whether that is used \nspecifically, I will get back to you on the cost to DOD. And \nmaybe you can ask a better question of the Defense Department. \nMatter of fact, I believe they do use biometrics on their \ncards.\n    Mr. Bilbray. I always bring that up, Madam Chair, I don't \nknow if you use the CLEAR system when you fly back and forth to \nLos Angeles, but there is a system that has multiple checks, so \nit rotates stuff around. It is probably going to, in a lot of \nways, be this sort of flagship of indication of what is \npossible with a whole lot of these issues.\n    I yield back, Madam Chair.\n    Mr. Wilshusen. Madam Chairwoman, if I might just clarify \none point.\n    Ms. Watson. Yes.\n    Mr. Wilshusen. What we have found is that 23 out of 24 \nagencies did not sufficiently implement controls to effectively \nprevent, limit or detect unauthorized access to systems. So it \nis a little bit broader than just identification and \nauthentication controls. 
But it also includes weaknesses \nrelated to boundary protection, making sure that firewalls and \nrouters are adequately configured, as well as the authorization \ncontrols, which assure that agencies only grant the level of \naccess to an individual necessary to perform that individual's \njob and no more.\n    It also includes their procedures for auditing and \nmonitoring access to that work, looking for intrusions and the \naudit and logging capabilities, as well as physical security to \ncomputing resources. So it is a little bit broader than just \nthose controls used to identify and authenticate the identity \nof users.\n    Ms. Watson. We hear from these agencies that it is under \nreview. Is it that we are short-staffed, or the expertise needs \nto be increased? Or do we lack the resources, financial \nresources, to speed it up?\n    Mr. Wilshusen. I think it is probably----\n    Ms. Watson. All the above?\n    Mr. Wilshusen. Probably so. One of the things that is \nimportant to understand is that many of these capabilities \nalready reside in the systems at hand, that are in use. So it \nis important upon agencies to actually implement and configure \nthe systems accordingly to provide the level of security that \nis required to protect their information systems.\n    Ms. Watson. Do you feel it is the lack of oversight from \nthe policymakers or, there is new technology being developed \nevery single day, and getting the handle on how we secure it to \nreduce the risks and the vulnerabilities of that system, it is \nmind-boggling. Anyone who wants to comment, please do.\n    What we are going to do, as a subcommittee, is provide \ninformation from the testimony that we have up to the full \ncommittee for policy. So just break in at any time, because we \nwant to get this right from the beginning, if that is possible. \nMs. Patillo.\n    Ms. Patillo. Yes, Madam Chairwoman, I would like to comment \non that. 
At the Department of Transportation, we look at the \namount of events that are captured through our cybersecurity \nmanagement center. When we look at those, it is mind-boggling, \nif you would realize that there are 3 million events that come \nin on a given day.\n    Of those 3 million events, we have to analyze those into \nactionable events. What we typically come up with at the end of \nthe day out of those 3 million is 10 actionable events. So \nthere is human intervention among analyzing that. So if one \ncould just try to visualize individuals that are having to \ncorrelate this data to figure out which are really actionable \nevents, we find that, what I believe, as Mr. Kundra has said, \nwe have to look more to automation and the technology. Because \nif you are looking solely to human intervention to analyze what \nthis means that comes into our networks on a given day, \nwouldn't it be simpler if we had an automated way of \ndetermining which events are actual incidents?\n    Mr. Kundra. If I could add to that, it is also looking at \nthe default setting of products and services that the Federal \nGovernment procures. From a commercial perspective, what a lot \nof the providers want to do is they want to have maximum \nfunctionality and they want to make available as many options \nas possible. Unfortunately, a lot of those options end up \ncausing vulnerabilities in the systems themselves.\n    So if we think of it on the front end, in terms of making \nsure that the default position, when it comes to whether it is \nsystems the way they are configured or it is services that we \nare acquiring, are as secure as possible, and then one by one, \nbased on the options we need, we would turn them on, I think it \nmoves the security agenda much further forward.\n    Ms. Watson. I want to go back to you, Ms. Patillo. You have \nall these actionable items. 
What would you suggest that we put \ninto policy that will help, since you have these incidents 100 \ntimes a day, what would you suggest that we do policy-wise that \nwill assist you?\n    Ms. Patillo. From a policy perspective, what could assist \nus, I believe, as Mr. Kundra has already articulated, we need \nto look at the very beginning of the process which begins with \nprocurement. At the onset, all contracts should be required to \nhave security baked in at the very beginning.\n    Ms. Watson. Should we do that through policy, or can you do \nthat within your own department, for that requirement?\n    Ms. Patillo. We could do that within our own department, \nbut I believe that it gives it an extra sense of authority if \nperhaps we could have it written in the FAR.\n    Ms. Watson. OK.\n    Mr. Kundra, did you want to address that?\n    Mr. Kundra. No.\n    Ms. Watson. Mr. Shoer.\n    Mr. Shoer. I think we have seen some advances in the \nacquisition process. I believe, I can double check, I think \nthis is actually written into the Federal Acquisition \nRegulations, a specific section about security that wasn't \nthere before. We are also seeing a lot more security as a \nrequirement, a clear, articulated requirement in acquisitions \nthat we respond to. So I think those are some very positive \nsteps forward.\n    I am not entirely convinced or sure, whether at a policy \nlevel, how that interacts with actual tactical acquisitions \nthat go out. But certainly it is something that has been done, \nwe support it, especially if it is very clearly articulated, so \nwe can meet it. But at a policy standpoint, I just don't see \nhow that would be connected from a policy level other than \nbeing to make this not quite this way. Does that make sense?\n    Ms. Watson. Somewhat. [Laughter.]\n    We ourselves are trying to reach for solutions to mitigate \nsome of these issues. So we expect you as the experts to \nsuggest to us. 
So really what I would like you to do, we are \ngoing to be addressing these areas that we have been focusing \non today. Put in writing your recommendations, and we will see \nwhat we really need to add to what is already in the law. And \nif we can improve it, we will. So just feel free to recommend to \nus.\n    Mr. Wilshusen.\n    Mr. Wilshusen. One thing I might add, and it is expanding \nwhat Mr. Kundra said, is one of the areas that we should \nprobably look at is instead of looking at acquisitions on a \ndepartment by department level, is looking at it on a \nGovernment-wide basis. Because the Federal Government spends \nbillions of dollars, I think it is like $70 billion in IT \nproducts and services for its fiscal year, is to leverage the \nprocurement power of the Federal Government collectively to \nachieve both cost savings and to help incentivize the vendors \nand the producers of this offer to provide or secure products. \nThere are a couple of initiatives already underway through \nSmartBuy that GSA has which helps to allow agencies to buy \nencrypted products at reduced rates and at cost savings, as \nwell as the Federal desktop configuration, which Mr. Kundra \nalluded to, in terms of having the vendors' products with \nsecurity already built into it.\n    Ms. Watson. Thank you.\n    We are going to conclude this, but I would like Mr. Bilbray \nto follow up.\n    Mr. Bilbray. Yes, let me follow up on that. Madam Chair, the \nconversation just really went to the road map of where we need \nto go down the line. 
Those of us in California, in the 6 years \nI served on the Air Resources Board there, there was a thing \ncalled technology-forcing regulation that traded the cleanest \nfuel, cleanest cars and really pushed it.\n    But one of the things I am really upset about, what I am \nseeing come out of Energy and Commerce right now, or what was \nannounced today of a standard that the Federal Government was \ngoing to set for everybody else, but not using our procurement \nresources as a way of leading through example, I think that a \nlot of us on both sides of the aisle feel that if the Federal \nGovernment had led through example of buying clean energy for \nthis facility, going out and buying high efficiency vehicles or \nordering massive amounts over a period of years, that would \ncreate the incentive and the market for the research, \ndevelopment for the kind of product we want to see.\n    We have been able to do that in California by setting goals \nthat were over the horizon but within the realm of reality. And \nthe private sector, because of the profit incentive, has been \nable to develop technologies that we desire to possess \nsomewhere in the near future.\n    So I guess the issue here is, the Federal Government can \nlead through example by using those huge resources to be able \nto develop that. Then the spinoff goes over to the private \nsector where they then can benefit from that technological \nbreakthrough.\n    Ms. Watson. With that, we are going to have to conclude \nthis hearing, we do have a vote out.\n    I want to thank the witnesses for your testimony today. We \nconsider you the experts, so as I suggested before, we would \nappreciate your writing your recommendations. We will continue \ndown this road, because we have the responsibility of looking \nat procurement policies. So this is a work in process. And we \nare going to try to refine it, each time we have a hearing.\n    We don't know it all and we haven't heard it all. 
But I \nthink this hearing was very valuable. I hope the recorder was \nable to get everything down, because there has been a lot of \ngood information offered. We will see next time we hold a \nhearing that our systems work. [Laughter.]\n    But with that, I want to thank you for attending, your \ntestimony, the audience for being good listeners, and the \nranking member, Mr. Bilbray, for your insights.\n    With that, this hearing is adjourned.\n    [Whereupon, at 11:10 a.m., the subcommittee was adjourned.]\n\n                                 <all>\n</pre></body></html>\n"