[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

               THE STATE OF FEDERAL INFORMATION SECURITY

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 19, 2009

                               __________

                           Serial No. 111-52

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
57-125 PDF                WASHINGTON : 2010


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
JOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana
WM. LACY CLAY, Missouri              TODD RUSSELL PLATTS, Pennsylvania
DIANE E. WATSON, California          JOHN J. DUNCAN, Jr., Tennessee
STEPHEN F. LYNCH, Massachusetts      MICHAEL R. TURNER, Ohio
JIM COOPER, Tennessee                LYNN A. WESTMORELAND, Georgia
GERALD E. CONNOLLY, Virginia         PATRICK T. McHENRY, North Carolina
MIKE QUIGLEY, Illinois               BRIAN P. BILBRAY, California
MARCY KAPTUR, Ohio                   JIM JORDAN, Ohio
ELEANOR HOLMES NORTON, District of   JEFF FLAKE, Arizona
    Columbia                         JEFF FORTENBERRY, Nebraska
PATRICK J. KENNEDY, Rhode Island     JASON CHAFFETZ, Utah
DANNY K. DAVIS, Illinois             AARON SCHOCK, Illinois
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                 DIANE E. WATSON, California, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                AARON SCHOCK, Illinois
GERALD E. CONNOLLY, Virginia         JOHN J. DUNCAN, Jr., Tennessee
HENRY CUELLAR, Texas                 JEFF FLAKE, Arizona
JACKIE SPEIER, California
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut



                            C O N T E N T S

                              ----------                              
Hearing held on May 19, 2009
Statement of:
    Kundra, Vivek, Federal Chief Information Officer, 
      Administrator for Electronic Government and Information 
      Technology, Office of Management and Budget; Gregory 
      Wilshusen, Director, Information Security Issues, U.S. 
      Government Accountability Office; Jacquelyn Patillo, Acting 
      Chief Information Officer, U.S. Department of 
      Transportation; Margaret H. Graves, Acting Chief 
      Information Officer, U.S. Department of Homeland Security; 
      Samuel Chun, Director, Cyber Security Practice, EDS U.S. 
      public sector, a Hewlett-Packard Co.; and M.J. Shoer, 
      president and virtual chief technology officer, Jenaly 
      Technology Group, Inc.
        Chun, Samuel
        Graves, Margaret H.
        Kundra, Vivek
        Patillo, Jacquelyn
        Shoer, M.J.
        Wilshusen, Gregory
Letters, statements, etc., submitted for the record by:
    Chun, Samuel, Director, Cyber Security Practice, EDS U.S. 
      public sector, a Hewlett-Packard Co., prepared statement of
    Graves, Margaret H., Acting Chief Information Officer, U.S. 
      Department of Homeland Security, prepared statement of
    Kundra, Vivek, Federal Chief Information Officer, 
      Administrator for Electronic Government and Information 
      Technology, Office of Management and Budget, prepared 
      statement of
    Patillo, Jacquelyn, Acting Chief Information Officer, U.S. 
      Department of Transportation, prepared statement of
    Shoer, M.J., president and virtual chief technology officer, 
      Jenaly Technology Group, Inc., prepared statement of
    Wilshusen, Gregory, Director, Information Security Issues, 
      U.S. Government Accountability Office, prepared statement 
      of

 
               THE STATE OF FEDERAL INFORMATION SECURITY

                              ----------                              


                         TUESDAY, MAY 19, 2009

                  House of Representatives,
            Subcommittee on Government Management, 
                     Organization, and Procurement,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:25 a.m., in 
room 2247, Rayburn House Office Building, Hon. Diane Watson 
(chairwoman of the subcommittee) presiding.
    Present: Representatives Watson, Bilbray, Connolly, and 
Duncan.
    Staff present: Bert Hammond, staff director; Valerie Van 
Buren, clerk; Adam Bordes and Deborah Mack, professional staff; 
Dan Blankenberg, minority chief counsel for policy; Adam Fromm, 
minority director of outreach and senior advisor; Kurt 
Bardella, minority chief clerk and Member liaison; John Ohly, 
minority professional staff member; and Katy Rother, minority 
staff assistant.
    Ms. Watson. The Subcommittee on Government Management, 
Organization, and Procurement of the Committee on Oversight and 
Government Reform will now come to order.
    Welcome. Today's hearing will review the Federal 
Information Security Management Act [FISMA] of 2002, and 
agencies' efforts to improve the security, integrity and 
reliability of the Federal Government's information systems. In 
addition, the hearing will seek to learn more about the new 
administration's strategic objectives for achieving FISMA 
compliance, as well as the scope for improving how agencies 
mitigate the number of risks facing their systems.
    Without objection, the Chair and ranking minority member 
will have 5 minutes to make opening statements, followed by 
opening statements not to exceed 3 minutes by any Member who 
seeks recognition.
    Without objection, Members and witnesses may have 5 
administrative days to submit a written statement of extraneous 
materials for the record.
    I wish all of you a good morning. And welcome to today's 
subcommittee hearing on Federal Information Security and Review 
of Agency Efforts to Comply with the Federal Information 
Security Management Act. I welcome our distinguished witnesses 
and look forward to hearing the testimony.
    Since FISMA was enacted in 2002, the Federal Government has 
made significant progress in securing its key network and 
information technology assets. That said, FISMA only 
[inaudible] information [inaudible] and [inaudible] are only 
required to read one chapter of a book. Although FISMA does 
require [inaudible] on how agencies are covering their 
information security bases, it does nothing to tell us about 
the current vulnerability landscape or how the cyber-threats 
may be changing. If FISMA is to become a more useful tool for 
countering cyber-threats, it must require agencies to utilize 
better testing, monitoring and performance measures for 
determining what our true cybersecurity posture is.
    According to the GAO, 20 out of 24 agencies have been 
identified as having either material weaknesses or material 
deficiencies in their information security controls. In other 
words, these agencies are lacking key controls that are 
necessary for maintaining a sound security program. The failure 
to establish these controls leaves agencies vulnerable to 
significant data breaches and disruptions to key critical 
infrastructure and potential compromises of our national 
security. These weaknesses are widespread within key programs 
of both the Department of Transportation and the Department of 
Homeland Security and must be remedied in order to ensure the 
proper functioning of our Government's IT assets.
    Today, I am hoping our agency witnesses will tell us what 
changes are underway to remedy the problems identified through 
the work of GAO and the IG community. Furthermore, I want our 
new Federal CIO, Mr. Kundra, to tell us what this plan or what 
his plan objectives are for strengthening FISMA and how the 
soon to be released 60-day White House cyber-review will impact 
the use or relevance of FISMA going forward.
    Last, I would like to hear our panelists' specific 
recommendations for legislation to develop a harmonized 
framework for organizing and for coordinating Government-wide 
information security policies and practices.
    Once again, I would like to thank our panel for joining us 
today and look forward to their testimony.
    Now, the ranking member, Mr. Bilbray.
    Mr. Bilbray. Thank you, Madam Chairman. I appreciate this 
hearing.
    Let me just first of all ask that my written statement be 
entered into the record.
    Ms. Watson. Without objection, so ordered.
    Mr. Bilbray. Madam Chair [remarks off mic].
    Let me say that [inaudible] San Diego [inaudible].
    [Technical adjustment.]
    Mr. Bilbray. Thank you, Madam Chair.
    Let me just say that one of my biggest concerns after being 
briefed by a lot of my experts in San Diego, which is a bit of 
a hot bed of information services, as everybody knows, besides 
Qualcomm and many other secret hideaway, high tech firms, but 
this is really an underestimated threat to our national 
security in a lot of ways. And it is not just within our 
military, it is not just within our own Government operations, 
it is national. Every private sector, every public sector, has 
this threat hanging over our heads.
    I think one thing we learned from 9/11 is the good old 
comment that we didn't know, or we didn't think we needed to do 
that much is not acceptable any more. Frankly, if we can't 
maintain some kind of security over our systems at the Federal 
Government, we are going to be hard pressed to try to figure 
out how to coordinate the private sector, and even ask the 
private sector to do more, when it appears that out of 24 major 
departments, we have 23 that have found deficiencies.
    I just think the challenge here is for us to lead through 
example and really try to get down to the root cause of these 
deficiencies and how we can modify our operations to avoid them 
in the future. And maybe, just maybe, we can do something that 
is never done very much in this town, and that is lead through 
example for the private sector and show them how to address 
this challenge.
    So I look forward to the hearing. I look forward to the 
opportunities to dialog with the witnesses and with fellow 
members of this committee, because I think it is something that 
we are going to have to spend a lot more time and effort 
addressing to make sure that we don't live to see the day when 
there is a 9/11, a cyber-version of 9/11 somewhere over the 
horizon.
    Thank you very much for the hearing again.
    Ms. Watson. Thank you, Mr. Bilbray.
    I now yield to Mr. Connolly.
    Mr. Connolly. Thank you, Chairwoman Watson, for holding 
this timely hearing, which complements our recent hearing on 
cybersecurity. This is an exciting time to be pursuing reforms 
in Federal information security programs. With Aneesh Chopra 
and Vivek Kundra as newly appointed Chief Technology and Chief 
Information Officers, we have extraordinary expertise at the 
executive level.
    First, we should acknowledge the many Federal employees who 
have done a good job implementing the Federal Information 
Security Management Act [FISMA] of 2002. Since 2005, most 
Federal agencies have significantly improved implementation of 
contingency plans and completed inventories. In the last 7 
years we have made significant progress, even as information 
security threats have grown.
    However, there is still room for improvement. For example, 
the number of employees receiving specialized security training 
declined between fiscal year 2007 and fiscal year 2008. The GAO 
report also notes that FISMA requires security awareness 
training for contractors as well as agency personnel. At our 
May 5th hearing on cybersecurity, we learned that many security 
breaches occurred through contractor information systems. 
Perhaps metrics should take breaches into account. Since more 
than 90 percent of personnel and contractors are receiving 
security awareness training, perhaps the effectiveness and 
frequency of the training needs to be reexamined.
    In their prepared testimony for today, both CIO Vivek 
Kundra and EDS employee Samuel Chun note that some agencies may 
be focused more on compliance with FISMA than performance of 
their security systems. Moreover, they note that reporting 
requirements under FISMA could be streamlined. I look forward 
to learning more about how FISMA could be reformed to emphasize 
performance and minimize unnecessary paperwork.
    Thank you again, Chairwoman Watson, for holding this 
hearing. I appreciate the work this subcommittee is conducting 
to enhance information and cybersecurity in the Federal 
Government, and look forward to the testimony at today's 
hearing.
    Ms. Watson. Thank you, Mr. Connolly.
    Mr. Duncan.
    Mr. Duncan. Thank you very much, Madam Chairwoman.
    I pushed this button but----
    Ms. Watson. Yes, I know. We are having trouble. [Remarks 
off mic.] [Laughter.]
    Mr. Duncan. I don't really have a formal statement anyway. 
I do thank you for calling this hearing. I do sometimes wonder 
if true cybersecurity is possible. I remember several years ago 
coming back from lunch in my district one time and I heard on 
the CBS national radio news that computer hackers had gotten 
into the top secret files of the Pentagon hundreds of times, 
some report had just come out. And then I remember reading a 
few years ago a front page story in the Washington Post where a 
12 year old boy in California had opened the floodgates at the 
Hoover Dam, a great distance away, hundreds of miles away, by 
hacking into the system.
    So I don't know, it seems to me that it may be possible we 
started out controlling computers and now they control us. 
Everybody, or especially young people, worship the technology 
today and are addicted to it. But it seems to me that this is a 
serious problem. We've almost done away with any kind of 
privacy or secrecy in this country because it seems that 
anybody can find out anything that they want to, and that 
includes people who wish to do us harm from other countries.
    So this is a serious problem and I am a little skeptical as 
to whether we can actually do what needs to be done. But I do 
think it is good that you called this hearing. Thank you very 
much.
    Ms. Watson. Thank you, and if there is no further 
testimony, I would like now to go to the panel. Would you all 
stand, please?
    It is the policy of the Committee on Oversight and 
Government Reform to swear in all witnesses before they 
testify. And I would like to ask all of you to stand and raise 
your right hands.
    [Witnesses sworn.]
    Ms. Watson. OK, let the record reflect that the witnesses 
answered in the affirmative.
    I would like to now introduce the panelists. First, we have 
Vivek Kundra, the Chief Information Officer at the Office of 
Management and Budget. Mr. Kundra was appointed as the first 
Federal CIO of the United States by President Obama in March 
2009. In this capacity, he directs the policy and strategic 
planning of Federal information technology investments and is 
responsible for oversight of Federal technological spending.
    Prior to joining the Obama administration, Mr. Kundra 
served in Mayor Fenty's cabinet as the chief technology officer 
for the District of Columbia and Governor Kaine's cabinet as 
assistant secretary of commerce and technology for the 
Commonwealth of Virginia.
    Mr. Gregory Wilshusen serves as the Director of Information 
Security Issues at GAO. His work involves examining Federal 
information security practices and trends at Federal agencies. 
He is GAO's leading expert on FISMA implementation.
    Ms. Jacquelyn Patillo is the Acting Chief Information 
Officer at the Department of Transportation. And at DOT, Ms. 
Patillo serves as the principal advisor to the Department's CIO 
on matters involving information resources and information 
services management. Prior to her current role, Ms. Patillo 
served as the Deputy CIO for DOT and as Chief Information 
officer at the National Highway Traffic Safety Administration.
    Ms. Margaret Graves is the Acting Chief Information Officer 
at the Department of Homeland Security. There she oversees an 
IT portfolio of $5.4 billion in programs, as well as the 
operations of the Office of the Chief Information Officer, 
which covers the financial or functional areas of applied 
technologies, enterprise architecture, data management, IT 
security, infrastructure operations, IT accessibility, budget 
and acquisition.
    Mr. Samuel Chun is the director for the Cyber Security 
Practice for the U.S. public sector at EDS, a division of 
Hewlett-Packard. And there he is responsible for the strategy, 
portfolio development and industry messaging of all cyber 
security solutions for EDS' U.S. public sector clients.
    And Mr. M.J. Shoer is the president of Jenaly Technology 
Group, Inc. He is here today on behalf of the Computing 
Technology Industry Association. Founded by Mr. Shoer in 1997, 
the Jenaly Technology Group provides outsourced IT services to 
small business throughout New Hampshire.
    I would also like to recognize his daughter, Hannah, who 
traveled with him to today's hearing.
    I would like to say again, welcome to all of you. I ask 
that each of the witnesses now give a brief summary of their 
testimony and to keep the summary under 5 minutes if possible. 
Your complete statement will be included in the hearing record.
    Mr. Kundra, would you please proceed?

STATEMENTS OF VIVEK KUNDRA, FEDERAL CHIEF INFORMATION OFFICER, 
    ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND INFORMATION 
TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; GREGORY WILSHUSEN, 
    DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT 
    ACCOUNTABILITY OFFICE; JACQUELYN PATILLO, ACTING CHIEF 
    INFORMATION OFFICER, U.S. DEPARTMENT OF TRANSPORTATION; 
  MARGARET H. GRAVES, ACTING CHIEF INFORMATION OFFICER, U.S. 
 DEPARTMENT OF HOMELAND SECURITY; SAMUEL CHUN, DIRECTOR, CYBER 
 SECURITY PRACTICE, EDS U.S. PUBLIC SECTOR, A HEWLETT-PACKARD 
COMPANY; AND M.J. SHOER, PRESIDENT AND VIRTUAL CHIEF TECHNOLOGY 
             OFFICER, JENALY TECHNOLOGY GROUP, INC.

                   STATEMENT OF VIVEK KUNDRA

    Mr. Kundra. Good morning, Chairwoman Watson, Ranking Member 
Bilbray, Congressman Connolly and Congressman Duncan. Thank you 
for the opportunity to testify on the state of Federal 
information security.
    The security of Federal information systems is a major 
concern for this administration. Our Nation's security and 
economic prosperity depend on the stability and integrity of 
our Federal communications systems and infrastructure. 
Safeguarding these important interests will require a balanced 
decisionmaking process that integrates and harmonizes our 
national and economic security objectives with our privacy 
rights, civil liberties and open government.
    As a first step, the president has directed a 60-day review 
of cybersecurity policies and efforts throughout the Federal 
Government. OMB is working closely, along with other agencies, 
with Acting Senior Director Melissa Hathaway of the National 
Security Council and her team on this review.
    During the last several decades, the United States and the 
world have been moving from a paper-based world to a digital 
world. Advances in technology are fundamentally changing the 
way business is done, increasing productivity and providing the 
American people easy access to services that previously were 
structurally impossible to deliver electronically.
    Essential to these new capabilities is the presence of 
communications networks that securely carry sensitive 
information. Yet, as we have unleashed new transactions over 
this network, a new class of risks has emerged. The American 
people need to trust that the information they are submitting 
to or receiving from the Government is accurate, reliable and 
secure.
    However, recent successful breaches at the Federal Aviation 
Administration and at the vendor that hosts USAjobs.gov 
demonstrate that the current Federal information security 
posture is not what the American people have a right to expect. 
The Federal Information Security Management Act has been in 
place for 7 years. It has raised the level of awareness in 
agencies and in the country at large, but we are not where we 
need to be.
    In our initial review of information security, the 
following things have surfaced. One, the performance 
information currently collected under FISMA does not reflect 
the security posture of Federal agencies. Two, the process used 
to collect the information is cumbersome, labor-intensive and 
takes away time from meaningful analysis. And three, the 
Federal community is focused too much on compliance and not 
enough on outcomes.
    While the current reporting metrics may have made sense 
when FISMA was enacted, they are largely compliance-based. They 
are trailing, rather than leading indicators. We need metrics 
that give us insight into agency security postures and possible 
vulnerabilities on an ongoing basis.
    To evaluate new metrics, we are taking a collaborative 
approach. We are working with a community of Federal agency 
Chief Information Officers, Chief Information Security 
Officers, Inspectors General and the National Institute of 
Standards and Technology to consider more effective security 
measures, ones that show current status and are predictive in 
nature. In addition, we are reaching out to a broad array of 
organizations, across the public and private sectors and 
academia.
    Today, agencies and IGs are heavily focused on compliance. 
The creation of a secure, transparent, collaborative 
environment requires a risk-based approach. We will never 
achieve our security goals through compliance alone, because 
security threats are fluid and constantly changing. Each new 
technology, new employee and new program represents potential 
for additional security weaknesses. Agencies need to adopt a 
risk-based approach to security to look at activities, people 
and programs on an ongoing basis.
    The administration is committed to creating a trusted, 
secure Federal computing environment that makes information 
transparent to the American people while protecting privacy and 
confidentiality. While the actions I have spoken about here 
will assist in creating that environment, they alone are not 
enough. A secure, trusted computing environment in the Federal 
Government is the responsibility of everyone involved, from the 
agency heads to those charged with oversight. It entails 
employees, contractors and the American people working together 
to create a culture of vigilance and security that enables us to 
continue and efficiently leverage the power of technology.
    Thank you for the opportunity to testify on this very 
important issue, and I look forward to your questions.
    [The prepared statement of Mr. Kundra follows:]

    Ms. Watson. Thank you, Mr. Kundra.
    Mr. Wilshusen, you may proceed.

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Good morning, Chairwoman Watson, Ranking 
Member Bilbray and members of the subcommittee.
    Thank you for the opportunity to participate in today's 
hearing on the state of Federal information security. 
Information security is a critical consideration for any 
organization that depends on computerized systems and networks 
to carry out its mission or business. It is especially 
important for Federal agencies where maintaining the public 
trust is essential.
    Without proper safeguards, Federal systems and networks are 
vulnerable to intrusions by individuals and groups with 
malicious intent who could potentially obtain and manipulate 
sensitive data, commit fraud, disrupt operations and launch 
attacks against other computer systems. The Federal Information 
Security Management Act [FISMA], was enacted in part to provide 
a comprehensive framework for assuring the effectiveness of 
information security controls over information resources that 
support Federal operations and assets.
    Madam Chairwoman, 2 weeks ago I testified before you and 
this subcommittee about the growing and evolving nature of 
cyber threats and vulnerabilities and the challenges that place 
Federal systems and operations at risk. Today, I will discuss 
agencies' progress in performing key information security 
control activities, the effectiveness of information security 
at Federal agencies, and opportunities to bolster security.
    In fiscal year 2008, the Federal Government reported improved 
information security performance relative to most of the key 
performance metrics established by OMB. Although the percentage 
of employees with significant security responsibilities who 
receive specialized training decreased significantly, increases 
were reported in the number of employees and contractors who 
received security awareness training, the percentage of systems 
with tested contingency plans and the percentage of systems 
that were certified and accredited.
    Despite reported progress, major Federal agencies continue 
to experience significant control deficiencies. Most agencies 
did not implement controls that sufficiently prevent, limit or 
detect access to computer network systems or information.
    Moreover, agencies do not always configure networks, 
devices and services to prevent unauthorized access and assure 
system integrity, patch key servers and workstations in a 
timely manner, and maintain complete continuity of operations 
plans for key information systems. An underlying cause for 
these weaknesses is that most agencies have not fully or 
effectively implemented elements of agency-wide information 
security programs mandated by FISMA.
    These factors continue to place Federal assets at risk of 
inadvertent or deliberate misuse, financial information at 
risk of unauthorized modification or destruction, sensitive 
information at risk of inappropriate disclosure and critical 
operations at risk of disruption. Accordingly, GAO has again 
designated Federal information security as a Government-wide 
high risk area in its 2009 high risk report to the Congress.
    Nevertheless, opportunities exist to bolster Federal 
information security. Federal agencies could implement the 
hundreds of recommendations made by GAO and agency IGs to 
resolve previously reported control deficiencies in information 
security program shortfalls.
    In addition, the White House, OMB and other Federal 
agencies have continued or launched several Government-wide 
initiatives that are intended to improve information security 
over systems and information. For example, in January 2008, the 
White House launched a series of initiatives collectively known 
as the Comprehensive National Cybersecurity Initiative, aimed 
primarily at improving the Department of Homeland Security and 
other Federal agencies' efforts to protect against intrusion 
attempts and anticipate future threats.
    In summary, although Federal agencies report performing key 
control activities for an increasing percentage of their 
systems, persistent weaknesses in agency information security 
continue to threaten the confidentiality, integrity and 
availability of Federal systems and information. To help 
address these and other challenges, sustained commitment, 
effective oversight and improvements to the National 
Cybersecurity Strategy are needed to strengthen Federal 
information security.
    Chairwoman Watson, this concludes my opening statement. I 
would be happy to answer your questions at the appropriate 
time.
    [The prepared statement of Mr. Wilshusen follows:]

    Ms. Watson. Thank you, Mr. Wilshusen.
    Ms. Patillo, you may proceed.

                 STATEMENT OF JACQUELYN PATILLO

    Ms. Patillo. Thank you. Good morning, Madam Chairwoman 
Watson and members of the subcommittee. Thank you for the 
opportunity to appear today to discuss the state of Federal 
information security and the Department of Transportation 
efforts to comply with the Federal Information Security 
Management Act of 2002.
    I currently serve as the Department's Acting Chief 
Information Officer and Acting Senior Agency Official for 
Privacy.
    The Department of Transportation Office of the Chief 
Information Officer has operational responsibility for the 
Departmental network and communications infrastructure, as well 
as providing shared services for the Office of the secretary 
and for an increasing share of employees in the DOT operating 
administrations as they transition toward use of DOT shared 
information services.
    The DOT CIO's office also has overall responsibility for 
the Department's FISMA program and the cybersecurity posture of 
DOT networks and information systems. As part of those 
responsibilities, we must maintain situational awareness of the 
vulnerabilities and activities on DOT networks and systems, but 
also seek to mitigate identified vulnerabilities prior to 
exploitation in order to minimize risks to DOT, Federal, State, 
local and to the extent practicable, private systems and data.
    In today's world of rapidly evolving threats, interconnected 
systems and telework, vulnerabilities and risks have the 
potential to impact other networks and interconnected 
systems. DOT is currently working to make improvements from its 
2007 FISMA grade, and the DOT Inspector General's 2008 
evaluation of the DOT cyber security program as ``not 
effective.'' We developed an aggressive correction action plan 
to address the recommendations made by the Inspector General, 
instituted regular internal coordination with the DOT operating 
administrations to monitor and drive progress, as well as 
reallocating existing personnel and resources to focus on key 
areas for improvement such as certification and accreditation, 
verification and validation and awareness training.
    As DOT continues to make improvements in cybersecurity and 
privacy, we know much remains to be done. Partnerships between 
the public and private sector to develop more intuitive and 
proactive mechanisms for dynamic prevention and detection of 
harmful behavior will facilitate a paradigm shift from a 
reactive mode to a more dynamic and proactive mode.
    In conclusion, I would offer that the Department of 
Transportation has achieved considerable progress in securing 
its networks against intrusions and cyber-attacks. Nonetheless, 
there is no reason to celebrate nor time to rest. Again, thank 
you for the opportunity to comment on these important topics, 
and I look forward to answering any questions that you may 
have.
    [The prepared statement of Ms. Patillo follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    Ms. Watson. Thank you, Ms. Patillo.
    Ms. Graves, you may proceed.

                STATEMENT OF MARGARET H. GRAVES

    Ms. Graves. Chairwoman Watson, Ranking Member Bilbray and 
members of the subcommittee, thank you and good morning. I am 
Margie Graves, the Acting CIO for DHS. Today I will discuss the 
state of information security at the Department of Homeland 
Security and our efforts to comply with the requirements 
established under the Federal Information Security Management 
Act of 2002.
    In 2004, the Department of Homeland Security embarked on a 
multi-year strategy for bringing the Department into full FISMA 
compliance. In the ensuing 2 years, the Department conducted an 
enterprise-wide IT systems inventory and ensured that all 
systems completed a full risk assessment and a comprehensive 
certification and accreditation. Security requirements have 
also been built into the Department's Systems Engineering Life 
Cycle methodology and specific contract language in the 
Homeland Security acquisition regulations now expressly 
requires contractors to comply with applicable Department 
security policies.
    In 2007, the Department's Enterprise IT Security Operations 
Center was chartered to provide a 24 by 7 computer incident 
handling capability for the Department. The original focus was 
to mitigate the effects of standard viruses, worms and other 
forms of malicious payloads that do not directly target any 
specific agency or group. But by late 2007, it had also become 
apparent that in addition to these non-specific threats, there 
was a growing class of sophisticated actors who directly 
targeted the Department, especially our leadership.
    To address these threats, the Department created its own 
internal focused operations team to better understand 
enterprise risk associated with targeted attacks and to develop 
and deploy response capabilities to deter them. In addition to 
our full commitment to implementing all Federal IT security 
initiatives, DHS is now pursuing several enterprise 
consolidation and enhancement efforts as part of an overall 
defense-in-depth strategy to better confront these threats.
    All of these initiatives are supported in the President's 
fiscal year 2010 budget that was recently submitted to Congress 
for approval. Specific initiatives include the following: 
first, the Department is committed to fully implementing all 
requirements of the Homeland Security Presidential Directive 
12, including logical access for IP systems. Second, the 
OneNet project is a major Department initiative for collapsing 
legacy wide-area networks into one enterprise network. The 
Department is transitioning all components into mission-unique 
Trust Zones through the implementation of a series of Policy 
Enforcement Points beginning in 2010. Third, we are adding 
features to the Trusted Internet Connections that will allow us 
to further improve our ability to detect and respond to 
malicious emails.
    Finally, the Department's data center consolidation project 
provides the plan for migrating DHS systems to two enterprise 
data centers that are currently protected by our Trusted 
Internet Connections and that have been designed to address 
sophisticated threats. These two data centers now deliver 
utility computing and Infrastructure as a Service, allowing DHS 
to realize benefits of cloud computing while also providing the 
security so necessary for the threats we face today.
    I would also like to acknowledge the great work that the 
U.S. Computer Emergency Readiness Team [US-CERT] is doing on 
behalf of Federal agencies. US-CERT is deploying Government-
specific centers called Einstein that are designed to provide 
alerts regarding sophisticated actors who directly target the 
Federal Government. Einstein centers are now deployed at both 
the Department's Trusted Internet Connections and they are 
providing critical alerts to the focused operations team.
    As a result of the original FISMA statute, Federal agencies 
now have a good road map for designing and implementing agency-
wide information security programs. The statute provides a 
strong foundation on which to build. However, we have seen over 
the last few years that sophisticated threat actors are 
becoming more persistent and more aggressive. Therefore, each 
and every agency must also develop in-house focused operations 
capability to improve overall situational awareness about these 
sophisticated actors and to be ready to respond effectively 
whenever there is any indication of a targeted attack.
    The Department welcomes the opportunity to work with 
Congress in developing any future strategy that will not only 
build on past successes, but that will also remain relevant and 
effective in today's evolving IT security threat environment.
    Thank you.
    [The prepared statement of Ms. Graves follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    Ms. Watson. Thank you, Ms. Graves.
    Mr. Chun, you may proceed.

                    STATEMENT OF SAMUEL CHUN

    Mr. Chun. Good morning, Chairwoman Watson and distinguished 
members of the subcommittee.
    On behalf of EDS, an HP company, thank you for the 
opportunity to discuss our perspectives on this important topic 
of Federal information security. For nearly 45 years, EDS has 
been a trusted ally, serving governments across the world. As 
one of the largest providers of technology services and 
solutions to the U.S. Government, we strive daily to achieve 
secure operational excellence in everything we do.
    From the millions of warfighters that carry our identity 
credentials to the one in five citizens who used our voter 
registration and election management systems last fall, we are 
entrusted with some of the most sensitive information of our 
fellow citizens. We understand and appreciate the enormous 
cybersecurity challenges that our Government agencies face 
today.
    We can attest definitively to the fact that the well-
publicized threats facing our information infrastructures are 
real. Since our founding, we have built and managed on behalf 
of our Government customers, some of the largest and most 
complex systems and networks in existence. This includes the 
Navy Marine Corps Intranet, which is the largest purpose-built 
network in the world. We currently manage 180 data centers, 
380,000 servers, 5.4 million desktops and nearly 15 million 
Internet IP addresses. And we, like everyone else, are 
constantly under attack.
    We are also finding the number, type and sophistication of 
the attacks to be growing. We expect these trends to continue.
    FISMA was enacted nearly 7 years ago to require Federal 
agencies to improve the security postures of their information 
systems by implementing a program that would reduce security 
risks. While the debate rages as to whether FISMA is an 
effective engine for measuring and improving security 
performance, there is little doubt as to its good intentions.
    While there are numerous positive benefits provided by 
FISMA, there is general consensus that FISMA does in fact need 
reform. We have observed and participated in many passionate 
debates about FISMA and have concluded the following 
deficiencies need to be addressed. First, compliance has become 
too administrative, emphasizing paperwork. Second, the 
correlation between compliance and operating performance is 
unclear. Three, accountability for good and poor compliance is 
also unclear. Fourth, the validity of what is being measured 
under FISMA is in question. And five, rapidly emerging threats 
may be outpacing compliance efforts.
    Our vision for information security for our customers is 
simple. Security should be so tightly integrated into the core 
of agency operations that stakeholders have the confidence to 
be agile at the edge. To put it simply, security should be an 
embedded part of operations that permeates across the 
enterprise.
    By no means do we think this will be an easy or short 
journey. In fact, we expect the vision will include some 
difficult decisions and foundational changes that will require 
champions, resources, technologies and definitely the wisdom of 
time. That said, I think we would be remiss were we not to 
discuss the first steps and big challenges that must be 
addressed to take the first positive steps toward our vision.
    First, governance. Because threats against our 
information systems and our infrastructures can appear without 
warning, and the defense cycles required could be in seconds, 
lawful orders that change an agency's infrastructure must be 
carried out quickly and comprehensively across the Government 
enterprise. This highlights the need for clear and consistent 
roles, responsibilities, policies and accountability structures 
for the Government enterprise.
    Second, consolidation. Consolidating and standardizing 
infrastructures facilitates situational awareness, nearly 
impossible when an agency depends on myriad small, 
independently operating networks and enclaves.
    Three, consistent protection. Because Government 
infrastructures are vast and interconnected, applying 
consistent, enterprise-wide defense in-depth strategies 
strongly improves security performance.
    Four, emphasis on operating performance. We support the 
efforts to clearly articulate and require operating thresholds 
for security of acquisitions to better meet them.
    Then finally, people. Security practitioners clearly must 
be trained, vetted and industry-certified on the best security 
policies, technologies and practices. We need to continue the 
trend of raising a much larger cybersecurity work force.
    In summary, we believe security must be tightly integrated 
with operations in agencies. It will take a conscious effort by 
operators and users, Government and industry alike, for the 
inventing of security into everything we do. For nearly 50 
years, EDS has been an ally for governments in tackling some of 
the most difficult challenges that face them. We continue to 
stand by, ready to work with you on this one.
    Thank you, and I will be happy to answer your questions.
    [The prepared statement of Mr. Chun follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    Ms. Watson. Thank you, Mr. Chun.
    Mr. Shoer, please proceed.

                    STATEMENT OF M.J. SHOER

    Mr. Shoer. Good morning, Chairwoman Watson, Ranking Member 
Bilbray, Congressman Connolly and Congressman Duncan.
    Chairwoman Watson, I want to thank you for your 
acknowledgement of my daughter. I appreciate that. I wanted her 
to have the opportunity to see our participatory Government 
working quite well.
    Ranking Member Bilbray, I think you will find that my 
testimony will address some of the concerns that you 
articulated quite directly.
    On behalf of the Computing Technology Industry Association 
[CompTIA], we thank you for your ongoing interest in the state 
of Federal information security. This is a broad, yet critical 
subject, ranging from FISMA as well as a variety of practices 
that impact our national security, citizenry and the computing 
industry at large. We appreciate the opportunity to share with 
you the following views.
    CompTIA is the voice of the world's $3 trillion information 
technology industry. CompTIA's members include thousands of 
small businesses called value-added resellers [VARs], as well 
as nearly every major computer hardware manufacturer, software 
publisher and services provider. Based upon a recent CompTIA 
survey, we estimate that 1 in 12, or about 12 million American 
adults, consider themselves to be an IT worker. This is larger 
than the number of American adults classified by the BLS as 
employed in farming, mining and construction combined. This is 
also close to the number of adults classified by BLS as working 
in manufacturing or transportation. CompTIA has concluded that 
the IT work force is now one of the largest and most important 
parts of the American political community.
    My name is M.J. Shoer, and I am the president and virtual 
chief 
technology officer of a VAR, the Jenaly Technology Group, and I 
am pleased to be testifying on behalf of CompTIA. I live in 
Portsmouth, NH, and have been an information technology 
entrepreneur. In 1997, I founded Jenaly and have since served 
as its president.
    On behalf of CompTIA and its many small business member 
companies, we welcome the subcommittee's exploration of FISMA 
and its effectiveness for today's ever-increasing cybersecurity 
challenges. Certainly, many critics and the other witnesses, 
including the GAO, have commented on the effectiveness of 
FISMA.
    Recently, the GAO submitted 12 recommendations to the House 
of Representatives. One finding in particular, the eleventh, is 
significant for your attention. The finding calls for 
increasing the cadre of cybersecurity professionals, and the 
report states the following, ``Expert panel members that 
actions should include making the cybersecurity discipline a 
profession through testing and licensing.''
    In summary of my written testimony, the issue before us all 
is how to enhance the security of critical Federal systems and 
protect our country and its citizenry. It is evident to critics 
or anyone who regularly reads the newspaper that the current 
awareness training model is not working. Security breaches 
among the agencies have increased instead of falling off. This 
may be due to a disturbing phenomenon, namely, the lack of 
adequate personnel training and testing.
    In contrast, I fear that all too often, the answer is a 
tendency to invest in technological solutions alone. Certainly, 
firewalls and encryption are part of the solution. However, the 
real cybersecurity equation lies in managing the balance 
between technology and human capital through training, testing 
and certification.
    It is unfortunate we have so many challenges today, because 
the Congress came very close to requiring certification of 
Federal IT security workers in 2002. FISMA itself only requires 
security awareness training to inform impacted personnel of 
information security risks associated with their activities and 
to comply with agency procedures. The undisputed evidence 
concerning breaches reveals that this is insufficient for the 
Federal Government's needs.
    In my view, I agree with the critics about several key 
flaws with the current FISMA framework. First, the fundamental 
flaw of the FISMA framework and the Federal Government's policy 
is a lack of emphasis on the training and testing that is 
vital. My recent meetings with various Hill staff confirm 
this, after hearing episode after episode about breaches in 
the Federal system caused by human error, for example, the 
removal of a laptop from a Federal site and then improperly 
securing it while outside that site.
    A second and significant flaw, the lack of uniform, 
verifiable IT security training, is the single largest problem 
regarding information security in the Federal Government. 
Fortunately, a solution to FISMA's flaws may be found elsewhere 
in the Federal system. In 2004, the Department of Defense 
raised the bar for cybersecurity through a training and testing 
program commonly known as the 8570 Directive. This initiative 
focuses on the certification of personnel. Based upon my own 
experience in this industry, I believe that accreditations and 
certifications offer many benefits, including lower transaction 
costs. Remarkably, throughout the Federal Government only the 
DOD has formally required its employees and contractors to get 
certified.
    Last year, my own IT business, Jenaly Technology Group, 
became the first in the country to become accredited for best 
practices in information security as it relates to our clients.
    In conclusion, it is undisputed that we must protect the 
American public by having a security framework that guards 
information systems for both our Federal critical systems as 
well as the private sector. The computing industry is hard at 
work facing the unprecedented challenges of securing our data 
from both malicious threats and human error. Congress' 
enactment of FISMA has provided a base level of protection.
    The key to securing our Federal IT systems for the future 
lies in the partnership between technology and human capital. 
By effectively managing both technology and the people in 
concert through training and testing, such as through the 
certification process, we can win the battles in the security 
war. The current Defense Department model surrounding the 8570 
Directive is a model worthy of emulation throughout the 
Federal Government. Any modification of FISMA must recognize 
the lessons surrounding the human capital contribution to the 
IT security equation by the certification and accreditations to 
enhance our security.
    Thank you very much, and I look forward to answering any 
questions.
    [The prepared statement of Mr. Shoer follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    Ms. Watson. Thank you, Mr. Shoer, and thank all of the 
witnesses today.
    We are now going to move to the question period and proceed 
under the 5-minute rule. I will open up the questioning.
    I would like to start with Mr. Kundra. Your testimony 
specifically mentions that FISMA does not provide the necessary 
performance information to determine the Government's 
information security posture. So please cite for us what types 
of information it doesn't have, and how FISMA needs to be more 
reflective for the compliance requirements. Would you provide 
that information?
    Mr. Kundra. Part of the debate is, as more and more 
transactions have moved to the digital world, if you look at 
legislation in general, or standards overall, the challenge is 
keeping up with the evolving threat. Because what ends up 
happening is, when you set X number of standards in terms of 
making sure reports are filed, whether that is annually or on a 
quarterly basis, it doesn't necessarily reflect your security 
posture.
    An example would be within an agency, the old model used to 
be that you would build perimeter security in terms of 
firewalls. Because those threats were seen as, you had an 
enterprise and you had malicious actors on the outside that 
were trying to penetrate the defense that you had put in. So 
essentially, building walls around the agency.
    But unfortunately, the malicious actors become more and 
more sophisticated in terms of being able to penetrate much 
deeper into the security systems. So now, being able to look at 
specific data elements and looking at the data itself, and you 
have this evolution, this race toward where you have actors 
that are actually going out there and making sure that they are 
able to bring down defenses, whether they be firewalls, 
intrusion detection systems, intrusion prevention systems.
    What we need to do is we need to be able to at the Federal 
Government monitor agencies more on a real time basis rather 
than on an annual or quarterly basis. We no longer can use a 
model that may have succeeded in an industrial era and apply it 
to the information age. Because we are moving toward a real 
time model where transactions and billions of dollars and 
information is moved on a real time basis. And therefore, we 
have to ensure that the metrics we are looking at move us in 
that direction.
    Ms. Watson. Thank you.
    As part of this fiscal year 2010 proposal, the Obama 
administration is proposing to expand the use of its IT 
services, such as cloud computing and other types of data 
warehousing, software platforms, for managing agency data and 
systems. So I have a couple of questions on this.
    What are the policies and protocols in place to ensure that 
the service providers and vendors are meeting information 
security and privacy standards set under FISMA and the Privacy 
Act?
    Mr. Kundra. As a part of what we are making sure with the 
Federal CIO Council is actually to ensure that FISMA is applied 
to any solutions when it comes to cloud computing. Second, from 
a philosophical perspective, what we need to make sure of is 
that security is actually baked into the very architectures of 
any solution, whether that is from a technical perspective or 
whether that is from a cultural or human capital perspective. 
As shifts move in the industry toward cloud computing, it is 
not only important to bake security into the architecture, but 
also from a privacy perspective, and the CIO Council has a 
privacy committee that looks at these issues.
    And in conversations that we are having with industry, we 
are making sure that privacy issues and security issues are at 
the forefront and that they are also baked in early into the 
procurement cycle rather than afterwards, after you have 
procured a system, and then you have to go back and figure out 
what you need to do in terms of security.
    Ms. Watson. Is it fair to say that the companies providing 
these services to agencies ought to be responsible for 
providing at least the same information security protections 
that would be required of agencies who manage the data in 
house?
    Mr. Kundra. I think what we need to make sure is that we 
look at it from a risk-based approach, which is, there isn't 
going to be one model that applies to everything. So there are 
classes of risk. What I mean by that is there is a set of 
services that the Federal Government has, which is public 
information, for example, that is not sensitive in nature.
    So what you want to make sure is that you don't drive up 
the cost significantly for services that are not sensitive in 
nature and it is informational, versus having information that 
is either classified or sensitive in nature, where you need to 
ensure that the contractor or any company providing those 
services have baked in security. Our view would be, FISMA 
should be, as we look at standards, and as we look at 
technology, it shouldn't be seen as just a ceiling. It should 
be seen as the floor, but bake in even more security, depending 
on what the threat matrix is.
    Ms. Watson. Does anyone else, DOT, DHS, want to respond?
    Mr. Wilshusen. If I may, Madam Chairwoman, a couple of 
points I would just like to point out. With services such as 
cloud computing or software as a service, it is, as Mr. Kundra 
mentioned, very important that the contracts and the 
organizations providing the services have adequate security 
mechanisms in place to provide the same level of security as 
needed and as required by Federal policy, since this is Federal 
information that is at risk.
    One of the things that has been shown with this year's 
report is that the number of IGs who reported that their 
agencies almost always ensure that their contractors provide 
the same level of security required by FISMA, OMB policies and 
NIST guidelines dropped significantly at the same time that the 
number of contractor systems increased. So what happened is 
increasing reliance on contractors, where at the same time the 
oversight of those contractors is declining, as indicated in 
these reports.
    So it is important that as these technologies and services 
come into play, and are being used increasingly by Federal 
agencies, that they do in fact assess the risks of using them 
and take the appropriate measures to make sure that the 
security controls are implemented and that the contractors are 
in fact providing the level of security required.
    Ms. Watson. Is there any other? Ms. Patillo.
    Ms. Patillo. Yes, if I may, Madam Chairwoman, comment on 
that question. I agree with Mr. Kundra that what we have to do 
is look toward risk-based systems, especially in our FISMA 
process.
    What I would like to add new to that comment is, I believe 
that there has to be an integration with the capital planning 
process and FISMA. Currently, we sometimes look at that as two 
separate entities. At the Department of Transportation, we have 
one of the largest IT budgets in Federal Government, it is $2.9 
billion. Currently, I am spending $125 million on security, 
which is less than one half percent on security.
    So one would ask, is that the appropriate amount of dollars 
to be spending? We grapple with that from day to day. Is it 
accurate? Should it be more? Should it be less? Where should we 
apply it? Should it be toward certification and accreditation? 
Or should it be more toward contingency planning?
    I think that with the integration of security and capital 
planning, we would be able to answer more questions and be able 
to apply more of a risk-based system.
    Ms. Watson. My time is up and we will come back to this in 
a minute.
    I would like now to recognize our ranking member, Mr. 
Bilbray for 5 minutes.
    Mr. Bilbray. Thank you, Madam Chair.
    When I see the defensive mechanisms [indiscernible] that is 
on, OK. Interesting that two of our mics went out. [Laughter.]
    My staff always tells me, you are not paranoid, everybody 
really is against you. [Laughter.]
    But we have been talking the defensive side. What is the 
ability for technology to find an electronic fingerprint of 
those who are probing our systems?
    Mr. Chun. Very little to nothing. The Internet was invented 
and developed with the complete assumption that everyone on the 
Internet would be a trusted source. So decades ago when it was 
actually developed, there was no real concern or thought that 
someone on the Internet would need to be traceable, and No. 2, 
would actually have ill intent.
    So I would guess the answer, I think the question you are 
alluding to is attribution, can we attribute these attacks 
definitively to a source. I believe the current infrastructure 
technology answer is no, or very difficult.
    Mr. Bilbray. Are we working on technology to be able to 
track sources?
    Mr. Chun. The industry itself is looking at modifying the 
basic framework of the Internet. Very complex issue. There are 
interoperability issues with older networks and systems. But 
there are various organizations, including the ones that are 
sponsored by the Government, such as DARPA, that are looking 
into these fundamental issues of how do we change the Internet 
into something more trustworthy. And that is a very complex, 
long-term effort. I can't speak for everyone at Hewlett-
Packard, but I personally believe this is more of a 
generational issue than one that we can fix practically very 
quickly.
    Mr. Bilbray. I have to assume, there are always those that 
assume that anonymity is a great thing, the Government, no one 
should be able to track whatever I do on the Internet. Though 
we take it for granted that we have caller i.d. with our 
phones. I am sure this has the black helicopter people looking 
at this as some great conspiracy by Big Brother.
    But I darned well think that it is absurd that we have to 
play constant defensive ball here and not be able to spend some 
of those resources at tracking down who is probing, who is 
prodding, who is trying to find a weak spot. There is no 
defensive system in the world that can handle constant 
bombardment of those kind of probes without a weak link being 
found somewhere down the line.
    I know in 1996, Madam Chair, when I was serving on Energy 
and Commerce and we were looking at the telecommunication 
forum, user i.d. was always a big issue, not just for security 
reasons, but for the interstate gambling aspect of it, the 
consumption of alcohol, tobacco, pornography, there was all 
this stuff. I think that we really have to be very frank and 
open about the fact that this user i.d. is something that needs 
to be followed up on. It may be one of those things that we 
want to spend more money on being able to track down.
    God knows, every one of us watches CSI and sees what we 
have done with tracking down bad guys electronically. Maybe we 
need to be looking at some of this technology in the future.
    So that really concerns me. What do we have right now as a 
strategy to go after the bad guys who are probing? Or is it the 
fact that we don't have a way of tracking, so we just accept 
that we can't do that?
    Mr. Kundra. No, we are actually, the Department of Homeland 
Security, and I will defer to Ms. Graves here, but US-CERT 
monitors the Federal infrastructure to be able to respond 
accordingly. And on research and development, investments are 
being made, whether it is through the National Science 
Foundation or whether it is with DARPA, and of course, working 
closely with the National Security Agency, to look at what the 
security and the threat matrix is.
    But you are absolutely right, in terms of the nature of the 
threat, it is constantly evolving, as actors go up, as you 
stand up defense systems, making sure that there are actors out 
there who are also making the appropriate investments to be 
able to penetrate those defense systems. So we have to be ever-
vigilant, and it cuts across through everything, through the 
culture of an organization, the human capital and even the 
technology systems that are out there.
    Mr. Bilbray. Ms. Graves.
    Ms. Graves. Yes. To further comment on the US-CERT 
capability, we do have these Einstein sensors that are located 
in the Federal Government now, and they have signatures and 
scripts for people who specifically target the Federal 
Government. Once an intrusion is determined to be active, we 
open cases and we do the forensics on those particular cases, 
scans, and we do track back to the original source. That does 
take time. There is no efficient technology to do it. But we do 
have individuals in place from an intelligence community 
perspective who deal with these types of threats who aid us in 
that forensic analysis.
    Subject to future capability, we will also be adding to 
that in the Department of Homeland Security in terms of the 
cybersecurity initiative and plussing up the capability that we 
have in US-CERT and also in NPPD. But that is human. That is 
the human side of following the threat, of doing the analysis, 
of determining the source and of looking at counter-
intelligence measures and reasons why these specific people are 
targeting the Government.
    Mr. Bilbray. Madam Chair, I think this is something that 
both sides of the aisle need to be brave enough to address. 
There are people on the left and the right who would not want 
this technology. But it is not just a national security issue. 
It is the security of our children, and everybody knows the 
predator issue. It is sad that we need to have a television 
show set up sting operators for predators, because we don't 
have the ability to really trace these down.
    I just look forward to the day that we can literally have 
some of these probers drawn and quartered in the public square 
to basically send the signal to everybody, especially our 
children, that this is not something that is acceptable in a 
civilized society. Though drawing and quartering is. 
[Laughter.]
    I yield back.
    Ms. Watson. Thank you.
    Mr. Connolly.
    Mr. Connolly. Thank you, Madam Chair.
    Hopefully I can be heard. Thank you, Madam Chairman.
    [Remarks off mic.]
    Ms. Watson. Sorry about these mics.
    Excuse us. You see we need your technology.
    Mr. Connolly. Madam Chairman, I would ask unanimous consent 
that my statement be entered into the record as read, given the 
fact that it could not be heard. [Laughter.]
    Ms. Watson. Without objection.
    Mr. Connolly. Madam Chairman, one of the concerns I have 
about this subject is how we are coordinating at the Federal 
Government level. And I have introduced a bill to try to codify 
by statute the Executive order issued by the President to 
create a CTO position. The good news is, we have two highly 
qualified people, Mr. Kundra and Mr. Aneesh Chopra. But when we 
look out to the future, we are not always going to have an 
Obama administration in place. I believe very, very strongly 
that we have to have a statutory framework that delineates the 
respective responsibilities between the two.
    I would hope, Mr. Kundra, that you would take that message 
back to the White House. Because we need to work together. 
There are some changes that need to be made in the legislation, 
fine. But I believe, Madam Chairwoman, we have to address this 
issue, this committee has to address that issue on a statutory 
basis. I certainly intend to proceed with the legislation. I 
would like to have White House input in doing that. And I thank 
you.
    Mr. Chun, you talked in your statement about governance as 
the first challenge. You said that we need a new and empowered 
leader to spearhead the effort. What did you have in mind?
    Mr. Chun. Someone that we can go to directly. For example, 
if there are issues with some of our contracts, we are almost 
always going directly to a specific person at that agency. 
While that is good, I think as an industry as a whole, we need 
literally an office we can go to for a coordinated effort.
    We participate in lots of industry activities, BSA, which 
is a software alliance, Tech America, all those venues. When we 
talk to our partners, we hear pretty much the same thing from 
industry and a corporate level, is there someone that is 
central to the Government that is in charge of these particular 
issues, someone that I think would be valuable to us.
    Does that answer your question?
    Mr. Connolly. I think it does, but I think you are talking 
about on an agency by agency basis.
    Mr. Chun. No, I meant that as what we do from a business 
standpoint. But when that industry engages, such as the 
technology industry engages as a whole, there appears to be a 
lot of companies that belong to an organization that deal with 
a specific agency question or something that specific 
department may issue a question. And until very recently, when 
the cybersecurity review was being performed, we haven't seen 
one from a central office in Government that says, we need your 
input. I think that is a really critical thing that has been a 
positive for us.
    Mr. Connolly. Well, hopefully the creation of a CTO may 
help us with that. I think that is worth monitoring carefully.
    Mr. Kundra, in your initial review of information security, 
you referred to the FISMA requirements as cumbersome and labor-
intensive. I wonder if you could give some examples of how we 
could improve the process from your point of view.
    Mr. Kundra. Sure. Part of what we need to be able to do is, 
from an OMB perspective, automate a lot of the reporting in 
terms of collecting information. Second, is we need to be able 
to rationalize as far as which metrics we are going after, 
which ones are important and which ones are not. Having 
thousands of metrics doesn't necessarily add value unless those 
metrics are relevant, those metrics are able to respond to the 
real time threat and the nature of the threat that we face, and 
are evolutionary in nature in terms of recognizing that as we 
put up defenses on the other side, there are people putting up 
offenses.
    So how do we measure metrics, or how do we look at and 
approach security for a position that it has to be one baked 
into the architecture, whether it is system, agencies, culture? 
Second, how do we make sure that there isn't a model of 
faceless accountability, that we are all accountable when it 
comes to information security and the management of those 
security systems? Third, how do we move toward an area where we 
are actually monitoring, similar to what US-CERT is doing, 
across the board on a real time basis as threats emerge, so we 
can see from a leading perspective which threats are emerging 
across the world, so that we can be beneficiaries to ensure 
that we are putting up the proper defenses in an ongoing basis?
    Mr. Connolly. Thank you.
    Mr. Wilshusen, Government often likes to do that which it 
can measure most easily. Cybersecurity, educational awareness 
is measurable. We trained 400 people this week. Check. The 
question really is, but are we in fact more secure today than 
since we passed FISMA, with the best of intentions. And perhaps 
one can draw the inference from the GAO report that the answer 
to that is more problematic than we want to admit. What is your 
comment?
    Mr. Wilshusen. Well, I would certainly say I agree with 
your comment that what gets measured pretty much gets done. And 
one of the areas that we can do, have additional improvements, 
as Mr. Kundra mentioned, is in the type of measurements and the 
measures that we actually use to monitor the security at the 
agencies.
    As we commented before, many of the measures that are 
presently being used are basically compliance-related, 
implementation measures. They don't measure how effective an 
agency is in actually implementing a control. And so that is 
one of the areas where we need some improvement.
    And certainly the measures that are currently being used 
are in fact defined by OMB. So Mr. Kundra and OMB are in a good 
position then to make changes to that particular mechanism for 
monitoring security.
    But indeed, the Federal agencies have spent a lot of money 
trying to secure their systems and complying with various 
different requirements. It is still very much an open question 
whether we are more secure.
    I would say that with the evolving threats, and with the 
new, emerging technologies that are in place, as well as the 
changing business practices, they all increase risk to Federal 
systems and operations. It is a very fluid, dynamic environment 
that we have to address on a regular, real time basis.
    Mr. Connolly. Madam Chairman, I am sure my time is up, but 
I want to suggest that we may want to invite our Federal 
witnesses to provide the subcommittee with their 
recommendations for how we might improve FISMA toward the goal 
of ensuring cybersecurity. I am far less concerned about how 
many people we train in awareness, though that is important. 
But the goal isn't awareness, that is part of the process. The 
goal is to ensure the security of the system.
    And frankly, Madam Chairman, I am so glad you are having 
this hearing, because frankly, if people really looked at the 
potential threat, we would have to have this hearing in the 
Cannon Caucus Room in terms of its importance. I want to thank 
you again for holding this hearing, because I can't think of a 
topic that is more timely and more important as we look out to 
the future.
    Thank you.
    Ms. Watson. Thank you.
    The GAO reports that many of the Government data losses 
were a result of physical theft or improper safeguarding of 
systems, including laptops and other portable devices. I recall 
the well-publicized event several years ago of a computer that 
was stolen from the Veterans Affairs employee with a massive 
amount of personal data of the VA beneficiaries.
    How many of the reported security incidents are considered 
physical breaches as opposed to data that is lost or corrupted 
through cyber means, and what additional security 
vulnerabilities do cell phones and BlackBerrys and other 
wireless devices present to securing sensitive or classified 
information?
    Mr. Wilshusen. I will start off, if you don't mind, Madam 
Chairwoman.
    With regard to the actual number of incidents that have 
been attributed to physical security lapses, such as theft or 
loss of laptops, I don't have that specific information. The 
information that is presented in agencies' reports to the US-
CERT has shown that the number of total incidents has tripled 
over the last 2 years, from 2006 through 2008. And of that, the 
physical security portion of that would be one of the 
categories that is included in the unauthorized access category 
that US-CERT requires agencies to report under.
    Of that, there is about 18 percent of the number of 
incidents that occurred, triple, from 5,500 in 2006 to over 
16,000 in 2008. About 18 percent of those related to 
unauthorized access to information. That would include both 
cyber access, where someone came in through a network and was 
able to access information, as well as those pertaining to the 
loss or theft of a laptop or some other physical means.
    But certainly, that is a key control threat and 
vulnerability of Federal systems, is the fact that so much of 
the Federal work force is mobile. The data is becoming 
increasingly portable through not just the laptop computers, 
but also thumb drives. It is important that appropriate 
security measures, such as encryption and other capabilities, 
are installed to help mitigate the threat of such incidents 
occurring.
    Ms. Watson. Can we mitigate those threats?
    Mr. Wilshusen. We can certainly try to address them and 
take appropriate controls to help reduce the risks associated 
with those threats. I guess it is also important to realize 
that risk avoidance is not even a goal relating to 
cybersecurity, it is managing the risk. So we have to assess 
the risk with the information, first of all, as Mr. Kundra 
mentioned earlier, is this information sensitive and from what 
purpose, from a confidentiality perspective or integrity. And 
then if it is not sensitive from a confidentiality perspective, 
then the level of controls might be less than if it is 
sensitive information and then we may want to use encryption. 
For example, personally identifiable information, OMB has 
issued policies in the past requiring that agencies that put 
sensitive information on their laptops be encrypted, and that 
the life of that information on that laptop be limited to 90 
days and then it should be reevaluated, whether that 
information should continue to reside on that laptop.
    So there are controls that could be in place and in fact 
are in place at some agencies. But they probably need to be 
implemented on a more regular basis.
    Ms. Watson. How can we harmonize across these agencies? 
What I see is that each agency has different standards. So some 
way we need to coordinate and harmonize. How can we do that? 
Mr. Shoer.
    Mr. Shoer. Madam Chair, I think you are touching on 
something that I commented on in both my oral and written 
testimony. If I can try and distill what you are saying into my 
own words, the technology exists to address the various issues 
and threats that you are speaking about. But what often gets 
lost in these discussions is that the human being, you and I, 
are still, despite all the technology, we are still the last 
line of defense. I see this in the private sector as well as 
the public.
    The bottom line is we feel very strongly that it is only 
through a level beyond awareness training, as you pointed out, 
the awareness training is wonderful, but it is documented to be 
insufficient. We need to be pushing training down from the IT 
staffer level throughout the agencies to ensure that those who 
have access to this sensitive information are clearly trained 
and certified in their ability to have access to it and use it.
    Ms. Watson. I will yield to Mr. Bilbray.
    Mr. Bilbray. Let me follow up on a different line here. The 
discussion of bringing in basically an IT security expert into 
the White House, will that help coordinate the efforts or 
basically just add another layer?
    Mr. Kundra. That has been part of the 60-day review, 
working with Melissa Hathaway, looking at how we are organized 
across the board within the Federal Government. At the same 
time, we recognize that cybersecurity is such a vital issue and 
it cuts across every aspect of life when it comes to the 
Federal Government that we need to ensure that we have the 
proper attention and that the President's recommendations are 
going to be forthcoming in terms of the 60-day review, in terms 
of what we need to do to ensure that we are organized in a way 
that allows us to respond to these evolving threats.
    Mr. Wilshusen. And if I may add, Ranking Member Bilbray, 
GAO convened a panel of cybersecurity experts a couple of 
months ago to look at that very same issue and to provide 
recommendations or suggestions for improvement into the 
National Cybersecurity Strategy. And they suggested that, 
indeed, establishing White House responsibility and 
accountability for leading and overseeing national 
cybersecurity policy is very important.
    One of the problems that has occurred to date in this phase 
is that much of that responsibility has been given to DHS in 
its role. But for a number of different reasons, including the 
turnover of key personnel, and the fact that they didn't have 
authority to monitor budgets or anything like that, they had 
limited effectiveness in performing that role. So elevating it 
up to the White House was one of the issues that our panel of 
cybersecurity experts felt was needed in this respect.
    Mr. Bilbray. So you do support it?
    Mr. Wilshusen. Yes.
    Mr. Bilbray. What does that do to the oversight 
jurisdiction of this committee and the other committees in the 
House and Senate?
    Mr. Wilshusen. I don't know what the specific impact would 
be by elevating that with regard to the oversight of this 
committee.
    Mr. Bilbray. While I have you here, there was testimony 
here about the DOD's directive in the initiative to ensure and 
require certification. Do you think this is a program that we 
should use as a model or do you see major shortfalls here, are 
there shortcomings of the concepts, or do you think we have 
operational systems that are just as good?
    Mr. Wilshusen. I think any time you can improve the skills, 
knowledge and abilities of those individuals responsible for 
implementing security, it is a benefit. The key, as I mentioned 
earlier, was the fact of providing computer security awareness 
training, while that is fine, it still gets to the point of how 
effective is that training and how will we know whether or not 
individuals responsible for implementing security actually act 
appropriately in the time and deed when they are being 
challenged.
    That is why having measures as the number of personnel that 
might be certified or that have received computer security 
awareness training may be somewhat misleading. What would 
probably be a better measure is to have some sort of a 
challenge response test to see how they react when an incident 
occurs. And just as an example, the Internal Revenue Service 
has a pretty good program of where the IG would actually ask 
specific questions to their claims representatives over the 
phone about a tax question, and then they could then determine 
how accurate those responses were and whether or not they were 
getting accurate tax information in response.
    Mr. Bilbray. My father has been in the tax business since 
the year I was born, and believe me----
    Mr. Wilshusen. And what they typically find is that many of 
the responses they receive from their tax representatives are 
wrong and incorrect. Why can't we design similar tests for 
cybersecurity? Why can't we send perhaps an email to an 
individual to see how many of them actually open up the 
attachment or click on a link?
    Mr. Bilbray. We don't do testing systems right now?
    Mr. Wilshusen. We test systems, I don't know if we test the 
effectiveness of those systems across the board. Certainly we 
don't do that as part of the FISMA reporting process.
    Mr. Bilbray. Madam Chairman, you remember, this is 
something we probably need to talk about too, is they just did 
a test to see about getting passports and phony ID and four 
out of four, bam, right through. That is a whole different 
issue.
    After the mics have been all messed up all day, I am in a 
paranoid sense here. But how do we know that the people we are 
hiring aren't working for the bad guys? What kind of security 
does DOD do when we bring people on? How do we know? Do we use 
biometrics? Do we do background checks? How do we know the bad 
guys aren't slipping into the system and actually programming 
our systems?
    Mr. Shoer. Thank you, Ranking Member Bilbray. I can't speak 
specifically to that, but I can certainly find the answer for 
you. But I can tell you that in some of the private sector 
equivalents that CompTIA is involved in, and CompTIA was 
intimately involved in the 8570 Directive, those controls are 
there. Background checks are a critical piece of that 
accreditation.
    So those controls are there. I think to your earlier 
question about the type of testing that goes on, there is a 
testing component to 8570, but again, I will have someone get 
back to you in writing with the specifics on exactly how far 
that goes, so that you know how applicable that model may be to 
the rest of the Government. We think it is very applicable.
    Mr. Bilbray. Right now, employees all go through at least 
E-Verify to make sure their Social Security Number and their 
names match, right?
    Mr. Shoer. I would think at a minimum.
    Mr. Bilbray. OK. But the contractors, the administration 
has, the previous administration and this administration, has 
delayed the E-Verify requirement for contractors generically 
from February now or late June. Hopefully we will see a go. But 
the fact is that right now, in the IT system, do we use that on 
contractors who are brought in to do work? Everything is in-
house.
    Mr. Shoer. One of the things you might want to investigate, 
and without getting too far off track, the Commonwealth of 
Massachusetts, as you may know, has passed some fairly sweeping 
information security privacy regulations. Part of that is 
certifying that the third party vendors that are hired, now 
this is focused mostly at private sector, but again, I think 
ultimately there is a tremendous opportunity for a public-
private partnership here in sort of establishing these 
standards that will work throughout the Federal system as well 
as the private sector.
    But you will have to, for example, as a very simplistic 
example, you mentioned tax work. So if you are a CPA firm and 
you engage a company like my own, a VAR, to work with your 
information systems, we have to provide that safe harbor 
information that certifies that we have done all the things you 
are talking about so that organization knows that the 
contractors they are bringing in meet these various stringent 
requirements.
    I think something similar at the Federal level makes 
perfect sense.
    Ms. Watson. Thank you for that.
    Senators Rockefeller and Snowe recently introduced 
legislation that included provisions to establish a 
cybersecurity office in the White House, along with Federal 
acquisition and procurement requirements for IT. I would 
welcome in writing your comments on what should go into the 
legislation.
    There is a draft out now. But you just might want to 
suggest what should be included in that legislation. Several 
Members have mentioned, we will probably need some kind of 
policy to deal with this. So I would like to have your input as 
well.
    Now, moving on, the GAO reported that 23 of the 24 major 
agencies for fiscal year 2008 did not identify or authenticate 
users in order to prevent unauthorized access to agency 
networks. Authenticating users appears to be a fundamental 
security breach at the front end that can have a cascading 
effect on security breaches throughout the system. I know you, 
Mr. Bilbray, raised this issue during our last hearing.
    Do we know who is authorized to have access and who is 
legitimate and who is not? Why have the vast majority of 
agencies failed to create adequate security measures to identify 
and authenticate users? This question has been raised, but I 
would like to hear further comment from you on why it is taking 
so long to do this. Mr. Chun.
    Mr. Chun. I believe the agencies that have complied, the 
ones that come to mind are the Defense Department, and the 
Marine Corps, under that contract.
    Ms. Watson. The GAO said 23 of the 24 major agencies did 
not identify.
    Mr. Chun. There are agencies, I was alluding to, trying to 
relate a success story, for bringing the Marine Corps into that 
contract. We were one of the first to implement a cryptographic 
log-on mandate, which basically says you need to use multi-
factor authentication. You use what you are, what you have, 
instead of just typing a user and password in. The technology 
does exist. It has been implemented and has been successful in 
other places. I can't speak for the specific reason why an 
agency would choose or hasn't gotten to that.
    But it is relatively mature. Matter of fact, it doesn't 
necessarily need to be two, there could be many multi-
authentication factors to gain access to a system. But you do 
have to balance, and it is always kind of a sensitive thing, 
what security is. The safest computer in the world is one that 
is not connected to the Internet, in a steel bunker with no 
windows and no doors. [Laughter.]
    You can put so many controls into a system that it is 
actually not providing any value to the mission of the agency. 
So it is one of those things that we try to be particular 
about. That is one that the technology exists, it is mature, we 
believe, and has been used in the past. So we encourage all the 
agencies to look at that.
    Mr. Bilbray. Madam Chairman, would you yield, please?
    Ms. Watson. Yes, Mr. Bilbray.
    Mr. Bilbray. Does the DOD now use any biometrics to 
confirm? Or is it all strictly just on data information?
    Mr. Chun. I can get you the specific technical details in 
written form. But the common access cards they use, it is 
capable of storing biometric information. Whether that is used 
specifically, I will get back to you on the cost to DOD. And 
maybe you can ask a better question of the Defense Department. 
Matter of fact, I believe they do use biometrics on their 
cards.
    Mr. Bilbray. I always bring that up, Madam Chair, I don't 
know if you use the CLEAR system when you fly back and forth to 
Los Angeles, but there is a system that has multiple checks, so 
it rotates stuff around. It is probably going to, in a lot of 
ways, be this sort of flagship of indication of what is 
possible with a whole lot of these issues.
    I yield back, Madam Chair.
    Mr. Wilshusen. Madam Chairwoman, if I might just clarify 
one point.
    Ms. Watson. Yes.
    Mr. Wilshusen. What we have found is that 23 out of 24 
agencies did not sufficiently implement controls to effectively 
prevent, limit or detect unauthorized access to systems. So it 
is a little bit broader than just identification and 
authentication controls. But it also includes weaknesses 
related to boundary protection, making sure that firewalls and 
routers are adequately configured, as well as the authorization 
controls, which assure that agencies only grant the level of 
access to an individual necessary to perform that individual's 
job and no more.
    It also includes their procedures for auditing and 
monitoring access to that work, looking for intrusions and the 
audit and logging capabilities, as well as physical security to 
computing resources. So it is a little bit broader than just 
those controls used to identify and authenticate the identity 
of users.
    Ms. Watson. We hear from these agencies that it is under 
review. Is it that we are short-staffed, or the expertise needs 
to be increased? Or do we lack the resources, financial 
resources, to speed it up?
    Mr. Wilshusen. I think it is probably----
    Ms. Watson. All the above?
    Mr. Wilshusen. Probably so. One of the things that is 
important to understand is that many of these capabilities 
already reside in the systems at hand, that are in use. So it 
is important upon agencies to actually implement and configure 
the systems accordingly to provide the level of security that 
is required to protect their information systems.
    Ms. Watson. Do you feel it is the lack of oversight from 
the policymakers or, there is new technology being developed 
every single day, and getting the handle on how we secure it to 
reduce the risks and the vulnerabilities of that system, it is 
mind-boggling. Anyone who wants to comment, please do.
    What we are going to do, as a subcommittee, is provide 
information from the testimony that we have up to the full 
committee for policy. So just break in at any time, because we 
want to get this right from the beginning, if that is possible. 
Ms. Patillo.
    Ms. Patillo. Yes, Madam Chairwoman, I would like to comment 
on that. At the Department of Transportation, we look at the 
amount of events that are captured through our cybersecurity 
management center. When we look at those, it is mind-boggling, 
if you would realize that there are 3 million events that come 
in on a given day.
    Of those 3 million events, we have to analyze those into 
actionable events. What we typically come up with at the end of 
the day out of those 3 million is 10 actionable events. So 
there is human intervention among analyzing that. So if one 
could just try to visualize individuals that are having to 
correlate this data to figure out which are really actionable 
events, we find that, what I believe, as Mr. Kundra has said, 
we have to look more to automation and the technology. Because 
if you are looking solely to human intervention to analyze what 
this means that comes into our networks on a given day, 
wouldn't it be simpler if we had an automated way of 
determining which events are actual incidents?
    Mr. Kundra. If I could add to that, it is also looking at 
the default setting of products and services that the Federal 
Government procures. From a commercial perspective, what a lot 
of the providers want to do is they want to have maximum 
functionality and they want to make available as many options 
as possible. Unfortunately, a lot of those options end up 
causing vulnerabilities in the systems themselves.
    So if we think of it on the front end, in terms of making 
sure that the default position, when it comes to whether it is 
systems the way they are configured or it is services that we 
are acquiring, are as secure as possible, and then one by one, 
based on the options we need, we would turn them on, I think it 
moves the security agenda much further forward.
    Ms. Watson. I want to go back to you, Ms. Patillo. You have 
all these actionable items. What would you suggest that we put 
into policy that will help, since you have these incidents 100 
times a day, what would you suggest that we do policy-wise that 
will assist you?
    Ms. Patillo. From a policy perspective, what could assist 
us, I believe, as Mr. Kundra has already articulated, we need 
to look at the very beginning of the process which begins with 
procurement. At the onset, all contracts should be required to 
have security baked in at the very beginning.
    Ms. Watson. Should we do that through policy, or can you do 
that within your own department, for that requirement?
    Ms. Patillo. We could do that within our own department, 
but I believe that it gives it an extra sense of authority if 
perhaps we could have it written in the FAR.
    Ms. Watson. OK.
    Mr. Kundra, did you want to address that?
    Mr. Kundra. No.
    Ms. Watson. Mr. Shoer.
    Mr. Shoer. I think we have seen some advances in the 
acquisition process. I believe, I can double check, I think 
this is actually written into the Federal Acquisition 
Regulations, a specific section about security that wasn't 
there before. We are also seeing a lot more security as a 
requirement, a clear, articulated requirement in acquisitions 
that we respond to. So I think those are some very positive 
steps forward.
    I am not entirely convinced or sure, whether at a policy 
level, how that interacts with actual tactical acquisitions 
that go out. But certainly it is something that has been done, 
we support it, especially if it is very clearly articulated, so 
we can meet it. But at a policy standpoint, I just don't see 
how that would be connected from a policy level other than 
being to make this not quite this way. Does that make sense?
    Ms. Watson. Somewhat. [Laughter.]
    We ourselves are trying to reach for solutions to mitigate 
some of these issues. So we expect you as the experts to 
suggest to us. So really what I would like you to do, we are 
going to be addressing these areas that we have been focusing 
on today. Put in writing your recommendations, and we will see 
what we really need to add to what is already in the law. And 
if we can improve it, we will. So just feel free to recommend to 
us.
    Mr. Wilshusen.
    Mr. Wilshusen. One thing I might add, and it is expanding 
what Mr. Kundra said, is one of the areas that we should 
probably look at is instead of looking at acquisitions on a 
department by department level, is looking at it on a 
Government-wide basis. Because the Federal Government spends 
billions of dollars, I think it is like $70 billion in IT 
products and services for its fiscal year, is to leverage the 
procurement power of the Federal Government collectively to 
achieve both cost savings and to help incentivize the vendors 
and the producers of this offer to provide or secure products. 
There are a couple of initiatives already underway through 
SmartBuy that GSA has which helps to allow agencies to buy 
encrypted products at reduced rates and at cost savings, as 
well as the Federal desktop configuration, which Mr. Kundra 
alluded to, in terms of having the vendors products with 
security already built into it.
    Ms. Watson. Thank you.
    We are going to conclude this, but I would like Mr. Bilbray 
to follow up.
    Mr. Bilbray. Yes, let me follow up on that. Madam Chair, the 
conversation just really went to the road map of where we need 
to go down the line. Those of us in California, in the 6 years 
I served on the Air Resources Board there, there was a thing 
called technology-forcing regulation that traded the cleanest 
fuel, cleanest cars and really pushed it.
    But one of the things I am really upset about, what I am 
seeing come out of Energy and Commerce right now, or what was 
announced today of a standard that the Federal Government was 
going to set for everybody else, but not using our procurement 
resources as a way of leading through example, I think that a 
lot of us on both sides of the aisle feel that if the Federal 
Government had led through example of buying clean energy for 
this facility, going out and buying high efficiency vehicles or 
ordering massive amounts over a period of years, that would 
create the incentive and the market for the research, 
development for the kind of product we want to see.
    We have been able to do that in California by setting goals 
that were over the horizon but within the realm of reality. And 
the private sector, because of the profit incentive, has been 
able to develop technologies that we desire to possess 
somewhere in the near future.
    So I guess the issue here is, the Federal Government can 
lead through example by using those huge resources to be able 
to develop that. Then the spinoff goes over to the private 
sector where they then can benefit from that technological 
breakthrough.
    Ms. Watson. With that, we are going to have to conclude 
this hearing, we do have a vote out.
    I want to thank the witnesses for your testimony today. We 
consider you the experts, so as I suggested before, we would 
appreciate your writing your recommendations. We will continue 
down this road, because we have the responsibility of looking 
at procurement policies. So this is a work in process. And we 
are going to try to refine it, each time we have a hearing.
    We don't know it all and we haven't heard it all. But I 
think this hearing was very valuable. I hope the recorder was 
able to get everything down, because there has been a lot of 
good information offered. We will see next time we hold a 
hearing that our systems work. [Laughter.]
    But with that, I want to thank you for attending, your 
testimony, the audience for being good listeners, and the 
ranking member, Mr. Bilbray, for your insights.
    With that, this hearing is adjourned.
    [Whereupon, at 11:10 a.m., the subcommittee was adjourned.]