[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
THE NATIONAL ARCHIVES' ABILITY TO SAFEGUARD THE NATION'S ELECTRONIC
RECORDS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY,
CENSUS, AND NATIONAL ARCHIVES
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 5, 2009
__________
Serial No. 111-63
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.oversight.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
57-622 PDF WASHINGTON : 2010
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania               DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York                  DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland                  JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio                      MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts                JOHN J. DUNCAN, Jr., Tennessee
WM. LACY CLAY, Missouri                       MICHAEL R. TURNER, Ohio
DIANE E. WATSON, California                   LYNN A. WESTMORELAND, Georgia
STEPHEN F. LYNCH, Massachusetts               PATRICK T. McHENRY, North Carolina
JIM COOPER, Tennessee                         BRIAN P. BILBRAY, California
GERALD E. CONNOLLY, Virginia                  JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois                        JEFF FLAKE, Arizona
MARCY KAPTUR, Ohio                            JEFF FORTENBERRY, Nebraska
ELEANOR HOLMES NORTON, District of Columbia   JASON CHAFFETZ, Utah
                                              AARON SCHOCK, Illinois
PATRICK J. KENNEDY, Rhode Island              BLAINE LUETKEMEYER, Missouri
DANNY K. DAVIS, Illinois                      ANH "JOSEPH" CAO, Louisiana
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
JUDY CHU, California
Ron Stroman, Staff Director
Michael McCarthy, Deputy Staff Director
Carla Hultberg, Chief Clerk
Larry Brady, Minority Staff Director
Subcommittee on Information Policy, Census, and National Archives
WM. LACY CLAY, Missouri, Chairman
CAROLYN B. MALONEY, New York                  PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of Columbia   LYNN A. WESTMORELAND, Georgia
                                              JOHN L. MICA, Florida
DANNY K. DAVIS, Illinois                      JASON CHAFFETZ, Utah
STEVE DRIEHAUS, Ohio
DIANE E. WATSON, California
HENRY CUELLAR, Texas
Darryl Piggee, Staff Director
C O N T E N T S
----------
Hearing held on November 5, 2009
Statement of:
    Thomas, Adrienne, Acting Archivist of the United States,
      National Archives and Records Administration; Paul
      Brachfeld, Inspector General, National Archives and Records
      Administration; David Powner, Director, Government
      Accountability Office, Information Technology Management
      Issues; and Alan E. Brill, Kroll Ontrack, senior managing
      director for technology services
        Brachfeld, Paul
        Brill, Alan E.
        Powner, David
        Thomas, Adrienne
Letters, statements, etc., submitted for the record by:
    Brachfeld, Paul, Inspector General, National Archives and
      Records Administration, prepared statement of
    Brill, Alan E., Kroll Ontrack, senior managing director for
      technology services, prepared statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the
      State of Missouri, prepared statement of
    McHenry, Hon. Patrick T., a Representative in Congress from
      the State of North Carolina, prepared statement of
    Powner, David, Director, Government Accountability Office,
      Information Technology Management Issues, prepared
      statement of
    Thomas, Adrienne, Acting Archivist of the United States,
      National Archives and Records Administration:
        Letter dated November 10, 2009
        Prepared statement of
THE NATIONAL ARCHIVES' ABILITY TO SAFEGUARD THE NATION'S ELECTRONIC
RECORDS
----------
THURSDAY, NOVEMBER 5, 2009
House of Representatives,
Subcommittee on Information Policy, Census, and
National Archives,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:40 p.m., in
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay
(chairman of the subcommittee) presiding.
Present: Representatives Clay, Driehaus, Watson, Cuellar,
and McHenry.
Staff present: Darryl Piggee, staff director/counsel; Jean
Gosa, clerk; Yvette Cravins, counsel; Frank Davis and Anthony
Clark, professional staff members; Charisma Williams, staff
assistant; Leneal Scott, information systems specialist (full
committee); Adam Fromm, minority chief clerk and Member
liaison; and Chapin Fay and Jonathan Skladany, minority
counsels.
Mr. Clay. The hearing will come to order. Good afternoon.
And the Information Policy, Census, and National Archives
Subcommittee of the Oversight and Government Reform Committee,
will now come to order.
Without objection, the Chair and ranking minority member
will have 5 minutes to make opening statements, followed by
opening statements not to exceed 3 minutes by any other Member
who seeks recognition.
And, without objection, Members and witnesses may have 5
legislative days to submit a written statement or extraneous
materials for the record.
Welcome to today's oversight hearing on the "National
Archives' Ability to Safeguard the Nation's Electronic
Records." The purpose of today's hearing is to examine the
National Archives' policies and procedures to protect the
Nation's ever-increasing store of electronic records.
We will consider several important topics, including an
update on the theft or loss from NARA of a portable hard drive
containing Clinton administration electronic records; possible
breaches of electronic records containing personally
identifiable information from NARA operating systems; and the
status of the largest IT project in NARA's history, the
Electronic Records Archives [ERA].
ERA, fully implemented, would cost well over a half a
billion dollars. Over the last 10 years or more, NARA has tried
with varied success not only to develop and test a system but
even to define its scope.
This subcommittee is concerned that such a large and
expensive information system is being developed in an agency
that is already struggling with managing the security of the
systems they currently operate. The theft or loss of the
Clinton hard drive was very disturbing and we look forward to
hearing the status of the agency's efforts to identify and
notify any and all individuals whose PII may have been
compromised.
It is more troubling, however, to hear of new instances of
data breaches, or possible breaches. The circumstances and the
agency's handling of them cast doubt on the National Archives'
ability to understand and mitigate existing and emerging risk
in order to properly safeguard the Nation's electronic records.
It is this subcommittee's hope that through our hearing
today, we can gain a better understanding of NARA's information
technology security, and provide the National Archives with
some important information and direction they can use in order
to increase IT security across the agency.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
Mr. Clay. I would like to introduce our panel. Our first
witness will be Adrienne Thomas, the Acting Archivist of the
United States. Prior to her appointment as Acting Archivist in
December 2008, Ms. Thomas served as the Deputy Archivist of the
United States. Ms. Thomas has been with the National Archives
for 38 years, beginning as an Archivist trainee in the Office
of Presidential Libraries, and subsequently holding a number of
policy and administrative roles. And thank you for being here.
Our next witness is Paul Brachfeld, the Inspector General
of the NARA Administration. Mr. Brachfeld previously worked for
the Federal Communications Commission where he served as
Assistant Inspector General for Audits. During his 8 years'
tenure at the FCC, he also served 10 years as Acting Assistant
Inspector General for Investigations. Mr. Brachfeld also served
as Director of Audits for the Federal Election Commission
Office of the Inspector General.
After Mr. Brachfeld, we will hear from David Powner, the
Director of IT Management Issues at the GAO. Mr. Powner is
currently responsible for a large segment of GAO's information
technology work, including systems development, IT investment
management, health IT, and Cyber Critical Infrastructure
Protection Reviews. He has led teams reviewing major IT
modernization efforts at Cheyenne Mountain Air Force Station,
the National Weather Service, the FAA and the IRS. Thank you
for being here, Mr. Powner.
And our final witness will be Alan Brill, the senior
managing director for technology services at Kroll Ontrack, an
industry leader in computer forensics and investigation. Mr.
Brill is recognized internationally as a leader in his fields
of security, computer forensics, and incident response. Mr.
Brill founded Kroll Ontrack's global high-technology
investigation practice. He has an international reputation in
the areas of computer communications security and technology
crime investigation.
I thank all of you for being here today and appearing
before us for testimony. It is the policy of the subcommittee
to swear in all witnesses before they testify. Would you all
please stand and raise your right hands?
[Witnesses sworn.]
Mr. Clay. Thank you, you may be seated. And let the record
reflect that the witnesses answered in the affirmative. I ask
that each of the witnesses now give a brief summary of their
testimony. Please limit your summary to 5 minutes and your
complete written statement will be included in the hearing
record.
Before we go to Ms. Thomas, we would like to ask the
ranking member if he has an opening statement.
Mr. McHenry. Thank you, Mr. Chairman, I do. Thank you so
much for continuing to hold good hearings with this
subcommittee. I appreciate your leadership.
In May of this year, this subcommittee first met to discuss
the staggering negligence of National Archives staff in
handling our Nation's valuable records, an issue that was only
just coming to light at the time. We're back again. But back
then we were shocked to hear that a 2 terabyte hard drive had
disappeared from the Archives' storage room where it was kept
in an unsecured location, accessible by many employees.
That device contained the personally identifiable
information of hundreds of thousands of Clinton administration
staff, Secret Service operating procedures, and other highly
sensitive information. Although it was clear that there were
endemic problems with National Archives' management, it
appeared that this loss was an isolated incident and an Acting
Archivist assured this committee that measures were being taken
to address security concerns and prevent any further breaches.
That, unfortunately, is not the case. Now, 6 months down
the road, we're back here again, with more news of lost
electronic storage devices, one of which contains the
personally identifiable information of our Nation's military
veterans on a drive that was sent out to an outside contractor
for maintenance and repair. What's more is that this breach
occurred a year ago, in November 2008, and we're only hearing
about it now. I'm practically speechless.
It is my sincerest hope that, Ms. Thomas, you will tell us
today that the Archives is doing everything possible to ensure
that these veterans do not become victims of identity theft.
The National Archives staff exposed this drive to loss or
theft because they believed it was defective and beyond repair.
Further--they further claim that sending a drive containing
sensitive information to a third party doesn't constitute a
breach of sensitive information, because the contractor is
obligated to keep its contents private.
As the Inspector General of the National Archives will
testify today, the data on this drive is actually retrievable,
using free, publicly available software. In fact, some of my
staff have performed procedures very similar to that. Exposing
a drive like that to eyes outside of the National Archives is
irresponsible, regardless of the technical definition of a
breach.
The National Archives has further claimed to the
subcommittee staff that breaches of this nature will not happen
going forward, because a policy is now in place that prohibits
drives from being sent out to contractors for repair. However,
this policy was actually already in place at the time the drive
with veterans' data was exposed. So that's nothing more than
cover for the past and not real substantive change to ensure
this doesn't happen in the future.
The policy also did not prevent the National Archives from
sending yet another drive containing sensitive records to a
contractor under similar circumstances in April 2009. That
drive contained digitized employee files from the National
Archives, GSA, and OPM. It is unacceptable that the NARA staff
handle any storage devices this carelessly, but it is
particularly disturbing that they are so haphazard with the
Social Security and military identification numbers of our
veterans who have sacrificed so much for this country.
National Archives already uses strict protocols to
safeguard this information contained in Defense Department
files in its possession. Had these same protocols been used for
veterans' data, this incident would have been avoided, in my
opinion.
What is clear is that there is a greater institutional
problem at the Archives that must be fixed, and that is a culture
of blatant disregard. It's become very clear that the ongoing
security breaches are not the result of a lack of awareness of
security procedure by staff, but a failure at the managerial
level to enforce the procedure.
Finally, we will also hear from our witnesses about the
National Archives' Electronic Records Archive. As in the case
with NARA as a whole, the ERA is plagued with its own problems.
The ERA, which is the Archives' strategic initiative to
preserve uniquely valuable electronic records in the U.S.
Government, is in the midst of a system development that is
already running far over budget. When fully operational, it
will cost $500 million more than projected.
The GAO has already been critical of this system, citing
methodological weaknesses that could limit NARA's ability to
accurately report on cost schedules and performances, and
concluding that NARA lacks a proper contingency plan should the
electronic record system fail. This really makes me question
the investment overall.
I thank our witnesses for appearing today. I certainly
appreciate and am very interested in Ms. Thomas' testimony
about this recent security breach and what sort of measures are
being taken, if any, to say that this will not happen in the
future.
Thank you, Mr. Chairman, for your leadership and I yield
back.
Mr. Clay. Thank you, Mr. McHenry, for your opening
statement.
[The prepared statement of Hon. Patrick T. McHenry
follows:]
Mr. Clay. I also want to recognize four special guests that
we have here today in the front row, who are here to see their
government in action. One is Dr. Kelly Woestman of Pittsburgh
State University, as well as Jerry Handfield, the State
Archivist for the State of Washington, Andy Maltz, who is the
director of Science and Technology Council for the Pickford
Center for Motion Picture Study, and David McMillen, NARA
external affairs liaison.
Welcome to all of you and all the other ladies and
gentlemen in the audience today.
Ms. Thomas, we will begin it with your testimony.
STATEMENTS OF ADRIENNE THOMAS, ACTING ARCHIVIST OF THE UNITED
STATES, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION; PAUL
BRACHFELD, INSPECTOR GENERAL, NATIONAL ARCHIVES AND RECORDS
ADMINISTRATION; DAVID POWNER, DIRECTOR, GOVERNMENT
ACCOUNTABILITY OFFICE, INFORMATION TECHNOLOGY MANAGEMENT
ISSUES; AND ALAN E. BRILL, KROLL ONTRACK, SENIOR MANAGING
DIRECTOR FOR TECHNOLOGY SERVICES
STATEMENT OF ADRIENNE THOMAS
Ms. Thomas. Chairman Clay, Ranking Member McHenry, and
members of the subcommittee, thank you for this opportunity to
discuss the National Archives and Records Administration's
safeguarding of electronic records.
At NARA we recognize that the challenge of securing IT
systems and devices, particularly in regard to protecting
personally identifiable information, is never-ending and always
changing. We know that no agency will ever be perfect, but
we're committed to doing the best job that we can, learning
from our own mistakes and the mistakes of others.
I appreciate Paul Brachfeld, NARA's Inspector General, and
David Powner of the Government Accountability Office are
appearing alongside me today. NARA's Office of the Inspector
General has reported a number of vulnerabilities and made
important recommendations on how we can improve our security.
In response to their work we've declared a material weakness
with respect to IT security, and we are taking corrective
actions.
Later in my testimony, I will update you on the Electronic
Records Archives which regularly receives useful guidance from
the GAO and has from the very start of the ERA development.
In late September, I was briefed by the Inspector General
on an allegation that NARA may have improperly disclosed
sensitive personally identifiable information when a defective
disk drive from a veterans' information data base was sent to
an authorized contractor for repair in the fall of 2008, rather
than being destroyed and disposed of at a NARA facility,
according to a new policy that had been issued by the CAO in
August 2008.
The defective disk drive supports the case management
reporting system [CMRS]. CMRS is used by NARA's Military
Personnel Record Center to track over a million requests
annually for the personnel records of veterans, but the system
hardware resides in College Park, MD.
On October 9th we learned that an additional hard drive at
our National Personnel Record Center in St. Louis was returned
to a vendor in April 2009. The drive is from a system that is
used to digitize official personnel files of current government
employees, and we believe it contained digitized files and an
associated index of current employees' records from NARA, the
General Services Administration and the Office of Personnel
Management.
NARA and the Inspector General continue to review these
incidents. However, at this time, there is no evidence that the
defective disk drives were ever in unauthorized hands or that
any PII was accessed from these disks. And my staff and I have
concluded that there was no PII breach.
We have implemented many recommendations made by the
Inspector General to improve PII security at the NPRC,
including removing older data from the CMRS system, performing
annual reviews of CMRS user accounts, compiling updated key
inventories to better protect PII stored on paper, and issuing
policy changes to require verification of data before providing
military records to next of kin.
In light of these two hard drive maintenance incidents, we
are taking a comprehensive look at the internal security
controls related to the protection of PII within IT systems
across NARA. We have undertaken an agency-wide systematic
review of the storage and protection of PII that includes a
review of data base encryption within the system, a review of
our tape backup procedures, a review of all of our computer
acquisition and maintenance contracts to ensure that sensitive
data protection is properly addressed, and a review of our
internal PII awareness and training processes and procedures.
We are also ensuring that we use National Security
Agency-approved media, sanitation, and destruction procedures, and
have engaged expert consultants to review our IT security
incident response procedures.
In order to identify ways to improve security and internal
controls with regards to electronic records, NARA has conducted
an internal audit to identify how well our IT security program
is functioning. This audit identified 29 recommendations for
improvement in NARA's IT security program. Since then, we have
doubled our IT security staff and much progress has been made
in the area of strengthening our IT security controls.
My written testimony describes many additional corrective
actions that NARA is undertaking to improve IT security. Most
of the original 25--29 recommendations have been completed, and
we continue to work on the remaining actions.
You also asked that I provide an update on our response to
the external hard drive containing copies of Clinton
administration Executive Office of the President data that we
discovered missing in March 2009 from NARA's College Park
facility. The drive is still missing. It contains names, dates
of birth, and Social Security numbers of people who worked in
the Clinton Executive Office of the President, visited the
White House complex, or submitted personal information to the
White House in pursuit of a job or a political appointment.
To date, NARA has mailed approximately 26,000 breach
notification letters to individuals whose names and Social
Security numbers are on the hard drive. We have offered these
individuals 1 year of free credit monitoring. So far, 1,685
persons have taken advantage of the offer. Our contractors are
continuing to search the hard drive for additional names of
individuals whose identity might have been compromised. We
anticipate mailing an additional 120,000 letters in the coming
weeks.
Finally, you asked that I report on the status of the
Electronic Records Archives [ERA]. ERA is a comprehensive
systematic and dynamic means for providing electronic records
that would be free from independent--from dependence on any
specific hardware or software. The primary purpose of this
first-of-a-kind system is to take in, store, and provide access
to records that are born digital, by which we mean the
permanent archival electronic records created by executive
branch agencies, the Congress, Federal courts, and the Office
of the President.
We are currently beginning year 5 and increment 3 of this
7-year, 5-increment system development project. NARA staff is
now using increment 1 to ingest electronic records from legacy
NARA systems and to schedule transfer records from four
agencies serving a pilot capacity for ERA.
Increment 2 of ERA provided support for the transfer of the
electronic Presidential records from the Executive Office of
the Bush administration so that we could preserve and make
these records accessible for archival processing. Increment 2
was delivered in December 2008 to enable NARA to begin the
ingest of 72.32 terabytes of data that legally transferred to
NARA as of January 20, 2009. Ingest of these unclassified
electronic records was completed in October 2009.
Funding in NARA's 2010 budget is dedicated to increment 3
of NARA, which includes a congressional records instance to
provide simplified storage and access capabilities for the
electronic records of Congress. This part of increment 3 is on
schedule and will be delivered to NARA in February 2010.
Increment 3 also provides the capability for the public to
accept access records in ERA. The subcommittee should know,
however, that the start of increment 3 development has not been
as smooth as desired. NARA has raised several concerns with the
contractor related to analysis, design, and architectural
foundation issues. The contractor was receptive to NARA's input
and has taken concrete steps to make improvements in process,
deliverables and staff. At present, the contractor believes it
can deliver increment 3 as scheduled. But you can rest assured
that NARA will continue to monitor progress to ensure that
increment 3 will be delivered within cost and schedule.
In summary, ERA is operating in the way that we now expect
it to at this point in the project. Federal and Presidential
records are stored in the ERA, which operates securely at a
facility on the grounds of U.S. Navy's Allegheny Ballistic Lab
in Rocket Center, WV. Hardware and software failures have been
minimum. We have a staged plan to open the system up to Federal
agencies. The problems we encounter are common to major IT
systems development, but I am confident in the ability of the
ERA program office to manage the development of ERA to a
successful conclusion and to plan for the ongoing operational
phase of ERA after 2012.
Mr. Chairman--that concludes my testimony. I would like to
thank you for inviting me here today and for the helpful
oversight and guidance you and the members of this subcommittee
provide to NARA.
Mr. Clay. Thank you so much.
[The prepared statement of Ms. Thomas follows:]
Mr. Clay. Mr. Brachfeld, you may proceed.
STATEMENT OF PAUL BRACHFELD
Mr. Brachfeld. Mr. Chairman and members of the
subcommittee, I thank you for the opportunity to testify today.
NARA's core mission is to safeguard and preserve the
records of our democracy to make them available for this and
future generations of Americans. The challenge is daunting and
becoming more complex each day in this, the Digital Age. Yet
fundamental truisms still exist in many areas. One fundamental
truism, as solid as granite, is that sound internal controls
should be the foundation upon which all systems and operations
are based.
For a decade as a NARA Inspector General, I have had a
front-row seat observing internal control weaknesses and
internal control deficiencies that have resulted in the loss of
Federal funds and property, compromised the successful delivery
of contractual services and deliverables, impaired operations,
and subjected information to include electronic records
maintained in NARA's systems and facilities to compromise.
However, I am hopeful. I believe that under the leadership
of a new Archivist, NARA has the opportunity to elevate
security to the upper tier of our organizational mission.
The staff in my office is committed to assisting management
in this effort. We also look forward to working with the new
Archivist with an eye toward strengthening a role NARA plays in
ensuring Federal records created by all three branches of
government are properly identified, scheduled, accessioned, and
ultimately injected into a functional electronic records
archive.
Today, at the request of the committee Chair, I will focus
upon the exposure resulting from the compromise of records that
placed personally identifiable information [PII], of our
Nation's veterans, Federal employees, and millions of our
Americans at risk. In the past year alone, OIG investigators
and auditors have performed work specific to the following: the
loss of a computer hard drive from Archives to College Park,
populated with millions of records from the Clinton White
House. Within this population are tens of thousands of records
containing PII as well as other potentially sensitive
information.
The loss of government control over a hard drive we suspect
contained millions of PII records of our Nation's veterans.
Inappropriate controls over information stored in the
automated case management system used in St. Louis to track and
process electronic mail-based requests for official military
personnel files. System vulnerabilities leave veterans' PII
susceptible to unauthorized disclosure.
The improper transmission of veterans' records over an
extended period of time by personnel at the National Personnel
Records Center which exposed veterans' PII to potential
compromise.
The donation and surplus of laptops that were not degaussed
or scrubbed which, at least in one case, contained files of the
former Director of the Information Security and Oversight
Office. Among these files was PII-specific and national
security officials from the Clinton administration.
The loss or theft of hundreds of pieces of IT equipment,
written off for the period of fiscal year 2002 to 2006, had had
capacity to store information.
Inappropriate packaging of two backup hard drives
containing limited PII at the FDR Presidential Library,
resulting in their loss during shipping. OIG investigators
subsequently recovered one of the two.
Additionally, this committee was recently notified of
another incident in St. Louis, MO in which failed hard drives
from a drive array used to store PII information for thousands
of Federal employees inappropriately left NARA's physical
control. The array contained mirror images of official
personnel files and related information of employees from three
agencies.
These cases worked by OIG staff within the past year are
individually egregious, and collectively represent an agency
that is not meeting a core tenet of its mission to safeguard
the records of our democracy. While each case of data breach,
loss, or under risk of loss, represents a unique stanza, the
chorus of the song remains the same.
As an agency, NARA lacks a viable, robust risk
identification and mitigation strategy, and we all paid for
this shortcoming.
In testimony before this committee on July 30th, I provided
details to the internal control weaknesses which result in the
loss of a hard drive containing two terabytes of Clinton
Presidential records. Internal control weaknesses, lapses, and
exercise of questionable judgment tied to other incidents I
have spoken of today, regularly leave me and my staff
frustrated and bewildered.
Allow me to elaborate. Specifics of the case involving the
hard drive potentially holding millions of our Nation's
veterans' PII, NARA officials contracting for what to do with
these type of hard drives initially had two choices. It needs
to be clear that often there is nothing substantially wrong
with failed drives and they are perfectly useful for many
applications.
Accordingly, one contract choice, the secured data option,
would let NARA physically keep all drives identified as failing
or failed.
The second choice of the vendor providing a new drive, but
then the vendor would take back that drive with the information
on it. The vendor would then test the drive to see if anything
was wrong with it, and if there was, it could be economically
repaired and reused. However, if it cost more to fix than the
drive was worth, the drive could be recycled for metals.
NARA opted for choice two. Thus NARA decided to allow the
populated and potentially readable drive to leave NARA control.
However, as drives actually started to fail, NARA was given a
second chance to correct this decision and was presented with a
third choice. NARA could keep the failed drive and pay
approximately $2,000 for each new drive on a one-by-one basis.
Unfortunately, NARA once again chose to let these populated
drives leave their control.
The trail specifically described was subsequently found to
be untraceable and we cannot get possession back. Accordingly,
I cannot tell the committee today whether a breach, as defined
by data being accessed by unauthorized parties, occurred. But I
can state emphatically that NARA's actions to create the risk
of such a breach and a lack of due diligence to protect this
information cannot be ignored and should not be marginalized.
While I have been informed that this situation I just
described has now been fixed contractually, I believe select
narrow managers, from the top down, do not recognize the risk
factors existing in today's environment. Failing to define the
risk, would you not deploy and make the security first
decisions necessary to adjust to real and potential risk before
unfortunate and irreversible events transpire?
In the brief time allotted to me, I would also note--
specifically; it relates to the ERA program--that I have had
professional skepticism about ERA since the first meeting I
attended in 2002. Fearing a worst-case scenario, I went to
then-Archivist Carlin on April 30, 2002, seeking audit staff
resources to provide independent, objective, and skilled
oversight over ERA. Per my notes he responded, ``I could give
you 50 people and you still couldn't cover it. So you think you
can do it with two?''
In December 2003, failing to obtain any ERA dedicated audit
resources, I made a formal request to the OMB Director, stating
ERA is a challenge we are not equipped to address within our
existing fiscal constraints. We are simply unable to provide
the necessary coverage to this mission-critical program.
Failure to fund this initiative will not allow me to obtain
persons with the skills necessary to independently evaluate and
report upon the progress of ERA. Likewise we'll not be able to
support this program of real time, potentially resulting in
less than optimal results. This is a risk that this Nation
should not face.
As I testify today, I continue to have profound concerns
over the status of the ERA program. My concerns are rarely
reflected by management, who throughout program life have
expressed abundant optimism. For example, in April 2007, ACERA
meeting minutes, the ERA director stated--technical director
stated--that the program is succeeding. Yet OIG auditors were
finding this rosy scenario to be anything but the truth.
In a management letter to the Archivist on January 13,
2007, we accurately defined the ERA programs as one ``beset by
delivery delays, cost overruns and staffing shake-ups.''
History shows we were correct.
At the very next ACERA meeting in November 2007, the
minutes report that same ERA technical director made a 100-
degree course correction by defining that sound engineering
methods were not followed in many areas. Lockheed allowed the
schedule to become the priority, rather than ensuring that
requirements were being met in a satisfactory manner ultimately
has failed. NARA issued a curing notice to lock in 2007.
Shortly thereafter, in testimony before a subcommittee of
the Senate Committee on Homeland Security and Government
Affairs, on May 14, 2008, Archivist Weinstein stated: We
discovered belatedly that we may not have the A team from
Lockheed Martin, and Lockheed Martin acknowledged this fact.
And so we got the A team, and the A team has been performing
effectively.
I am not sure as to the basis for this testimony, which was
perhaps designed to allay the concerns espoused by Senators at
this hearing. Seventeen months have passed, we are now in
fiscal year 2010, and key staff in NARA and LMC have come and
gone. New voices replace old voices and optimism ebbs and
flows.
At a time when NARA officials publicly voice confidence
that full operating capability will be met by March 2012, a
senior working within the ERA program office spoke to me just
last week of ongoing contract performance and deliverable
deficiencies. Perhaps the A team is sliding down the alphabetic
scale.
The Acting Archivist told me last week the Chief
Information Officer has been made aware of ongoing
deficiencies. However, senior NARA management never brought such
information to my attention nor disclosed it to the auditors
assigned to this program area.
As engaged as I have been, I do not know what capabilities
and capacities will reside in ERA when the contractors throw
another party, turn in their badges, shake hands and exit the
door.
Such a statement should be viewed as troubling to all NARA
stakeholders, and particularly this committee. It is my hope
that through this testimony and the support of a new Archivist,
we will begin to see improvements in our system of internal
controls, and that those who fail to discharge their duties
will face appropriate sanctions.
I thank you for this opportunity and I look forward to
responding to your questions, thank you.
Mr. Clay. Thank you so much, Mr. Brachfeld.
[The prepared statement of Mr. Brachfeld follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Clay. Mr. Powner, you're up.
STATEMENT OF DAVID POWNER
Mr. Powner. Chairman Clay, Ranking Member McHenry, and
members of the subcommittee, we appreciate the opportunity to
testify this afternoon on NARA's electronic records archive
system. This $550 million system is intended to preserve and
provide access to massive amounts of electronic records and is
an investment critical to NARA's mission.
To date, NARA has spent more than half of the $550 million
and has deployed two of the five planned increments. This
afternoon, Chairman Clay, I will comment on NARA's performance
with the first two increments, existing project management
concerns, plans for increments 3 through 5 and recommendations
for improvement.
Starting with performance of the first two increments,
increment 1 was late, over budget, and did not provide the
functionality promised. Specifically, initial operating
capability with four pilot agencies was scheduled for September
2007, but was delayed 9 months to June 2008. This delay
resulted in the cost overrun of $20 million. But even more
troubling is the fact that planned functionality was not
delivered and deferred to later increments.
These delays also squashed NARA's plans to use ERA to
receive the electronic Presidential records of the outgoing
Bush administration in January 2009. Instead, a separate
commercial system with a different architecture from ERA was
used to archive the Bush records. And although NARA certified
the second increment in December 2008, the 73 terabytes of
Presidential records were not ingested into the system until
September 2009. The first two increments are basically
different systems, and integrating these systems in later
increments will need to be addressed.
Managing a project this large requires sound project
management discipline that includes overseeing contractor
performance to ensure that what the government is paying for is
delivered at the agreed-to cost and on time. To date, the ERA
program does not have a good track record here. When we looked
into this last year, we found several weaknesses in NARA's
practice. For example, we found contractor reports on program
funds spent without work completed, and work completed and
funds spent on work that was not in the work plans. NARA is
working to improve the management processes so that the cost
schedule and technical performance can be closely monitored in
the remaining three increments over the next 3 years.
Regarding the remaining three increments, we have reported
and made recommendations to NARA that their outyear increments
need to be clearly defined as to what specific functions will
be delivered when and at what cost. For example, NARA has
significant work ahead in the outyear increments that include
expanding beyond the four pilot agencies, handling classified
information, providing public access capability, and expanding
functionality like access and preservation capabilities. Such
detailed plans are essential if this project is to achieve full
operating capability by 2012 at the $550 million price tag.
Moving forward, NARA needs to closely monitor not only the
cost of each increment, but also needs to monitor the
functionality delivered. Our recommendation to bolster the
program's use of earned value management should help, if
effectively implemented.
The program also needs to ensure integration plans are in
place to merge the differing architectures used in the ERA base
system and the Presidential record system. And also NARA needs
to define in great detail the functions to be delivered in
increments 3 through 5. This includes aligning detailed
requirements and the cost with each increment. Failing to
address these recommendations will clearly jeopardize the
chances of achieving full operating capability by 2012.
Mr. Chairman, this concludes my statement. Thank you for
your oversight of this project, and I look forward to your
questions.
Mr. Clay. Thank you so much Mr. Powner.
[The prepared statement of Mr. Powner follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Clay. Mr. Brill you have 5 minutes.
STATEMENT OF ALAN E. BRILL
Mr. Brill. Thank you, sir. Chairman Clay, Ranking Member
McHenry, members of the committee and members of the staff,
good afternoon. My name is Alan Brill. I'm currently senior
managing director for secure information services at Kroll
Ontrack. I am not here today as a representative of Kroll
Ontrack, but as an individual to share whatever knowledge and
experience I have in the fields of information security, data
protection and data recovery, to assist the subcommittee with
the vital work it performs. And I'm grateful to you for the
opportunity to speak today.
A substantial proportion of the information that is being
created within our government is generated, exchanged, and
stored digitally. It is produced and stored on computers
ranging from the desktop or laptop computers of individuals, to
the massive processing arrays in networks of large agencies. It
is also a simple fact that most of the data that is created,
and which may have historical import for extended periods of
time, will never in the course of normal use be printed.
How do we safely and efficiently preserve electronic
records when the technologies involved in producing and storing
those records is clearly evolving at a breakneck speed?
I've been involved in the security and recovery of data
from computers for more than 40 years. My recent experience has
involved working with private-sector organizations to safeguard
sensitive data and help those organizations respond to data
security incidents. I've learned a few lessons that I hope will
be helpful to the subcommittee when it considers how best to
carry out its oversight role in assuring the preservation of
electronic records which are a vital part of our national
heritage.
First, don't assume that the devices currently used to
store data will be commonly used, or even reasonably available
in the future. Above all else, we must ensure not only that we
can store the data but that we can completely and accurately
access it on the physical media that we preserve. This means
that we either have to also preserve workable reading
mechanisms or periodically transfer the data to contemporary
storage media, as new storage technology obsoletes the old.
Don't assume data can't be restored, even if the storage
medium appears to be damaged. Consider a quick example.
Following the tragic loss of the Space Shuttle Columbia in
2003, NASA located a hard drive in the debris field. The Glenn
Research Center sent it to my organization for examination.
Although the electronics on that drive had been literally
fried, the case burned and plastic from the innards of the
device had melted onto the surface of the drives, we were able
to rebuild the mechanical components, clean the disk and
recover over 99 percent of the data, which turned out to be
vital for completing a long-term experiment in basic physics.
With today's technology, unless the media containing the
data is utterly destroyed, the data is at least potentially
recoverable. I believe that the best practice is that when a
device contains sensitive data, assume it might be potentially
recoverable, unless you have taken proper systems steps to
render that data permanently unreadable.
Third, what you see is very often not all that you can get.
There are a number of data fields that are automatically
created and maintained by the program that all of us use. Some
are obvious. The date and time that a file was originally
written, how many times it was edited, when it was last opened,
but it can contain more. It may contain a record of changes
made in the course of revision and review. This information is
called metadata. It is important to the understanding of the
file with which it is associated.
People think that things like this are a brand-new issue,
Mr. Chairman, but they are not. If you look at Abraham
Lincoln's handwritten manuscript of the Gettysburg Address, you
can see how he edited it, what it looked like before he made
the changes, what he crossed out and what he added. The same
can often be done with digital records through examination of
the metadata, but only if that metadata is preserved.
Unfortunately, unless care is taken in regard to the
preservation process, metadata can inadvertently be changed or
lost. To ignore metadata is to constrain future understanding
of the file.
Next, ensuring data security must be more than an
afterthought. There is a cost to data protection, but, planned
effectively, those costs can be controlled. There will always
be a tradeoff between cost and protection.
While I'm not an expert in the various security standards
that are used by Federal agencies, I found there are a number
of centers of knowledge that can be of immense value in
understanding the risks and alternatives. The work of
professionals at NIST comes to mind. I have no doubt that this
subcommittee is aware of the ongoing work there to identify
risks, protective measures, and to provide publications that
help professionals and managers in both the public and private
sector to do a better job of securing sensitive data.
Sir, the cost of not protecting data appropriately can be
very, very high. What is the cost to future knowledge if
electronic records of today's decisions and activities are lost
through security failures?
I believe that the expertise exists to assist and advise
our government on this complete and continually changing issue.
There are many specialists like myself who recognize that
service on advisory councils and other appropriate mechanisms
is really part of our civic and professional personal duty. Why
not call on this pool of knowledge?
If we don't collect data and collect it properly, if we
don't maintain it in a usable and complete form, and if we
don't safeguard it appropriately, it won't be there for the
benefit of future generations.
Finally, we must assure that both public and private sector
organizations have a plan for exactly what they will do if
there is a data protection incident. Trying to develop a crisis
management plan in the middle of a crisis is difficult at best.
Recognizing that incidents can occur, and if they do occur, is
far more effective in terms of responding to the incident.
I want to thank the subcommittee for inviting me here
today. Sir, over the years I've had the opportunity to work
with information security professionals in government, at the
FBI, the Defense Department, the Secret Service. I am very
proud of the work that they do. Their public service at a time
when they could earn far more in the private sector is a
measure of devotion. Anything that we in the private sector can
do to add to the knowledge, to make sure that we keep up with
the changes, is more than just something that could be done;
it's something that ought to be done.
Thank you very much for inviting me here today, sir.
Mr. Clay. Thank you, too, Mr. Brill, especially for your
passion in regard to this subject. And we appreciate your
service.
[The prepared statement of Mr. Brill follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Clay. I thank the entire panel for their testimony.
I also want to welcome our newest member to the
subcommittee, the gentleman from Texas, Mr. Henry Cuellar.
Welcome aboard and we look forward to your involvement in the
subcommittee. We will go into the question-and-answer period,
and we will recognize the gentleman from Ohio for 5 minutes to
begin the questioning.
Mr. Driehaus. Thank you very much, Mr. Chairman, and I
thank you for calling this hearing and I appreciate very much
the testimony.
This certainly hits home to me. I remember when I was a
State Representative, and one of my colleagues called me and
recited my Social Security number to me after looking at a
county--I believe it was the county auditor or the county
recorder or something like that, the Clerk of Courts, whose son
had developed a new Web site. They decided it would be great if
we scanned every document in the county that came through the
Clerk of Courts and they scanned it onto the Web site, not
thinking that, you know, perhaps some of these parking tickets
out there--and mine was a traffic violation--contained some
sensitive information.
But what it brought to mind was that there was no standard
operating procedure at all in the county, in the State,
anywhere, when it came to not just archiving the data but
dealing with the data at all. And so, Mr. Brachfeld, when I
hear your testimony, it strikes me as very concerning.
Earlier this year I introduced legislation dealing with
classification of documents, because there is no standard
operating procedure in the Federal Government when it comes to
standard classifications. We find that, you know, the Federal
Government exists in silos, and there are different standard
operating procedures when it deals to just classifying
documents and classifying certain information.
So if you could help me, Mr. Brachfeld, I am very
interested--any of you--as to our status as a Federal
Government. In terms of coming up with standard procedures for
dealing with sensitive documentation and sensitive information,
not only how do we collect it but how was it dealt with, and
certainly when it was archived, how do we then deal with this
archive? Give us a score as to how we are in standardizing this
as a process.
Mr. Brachfeld. Actually the focus of my work is doing
investigations and audits. In terms of policy and procedures
and classification of documents, that's not my bailiwick.
Mr. Driehaus. Not just classification. I'm talking about
the sensitive information that you were talking about and how
vulnerable we are to losing that information. It strikes me
that within departments we don't have standard operating
procedures to deal with this appropriately. I'm wondering if
you have any observations as to how far we've come or how far
we still have to go in terms of the various departments in
collecting and classifying and archiving that data?
Mr. Brachfeld. I think there are standards available. For
example, in the cases I was talking about specific to the loss
of data and the breach of data, there is, as Mr. Brill noted as
well, there's NIST standards; OMB puts out regulations
requirements; agencies establish and define their own internal
requirements. The problem is, it shouldn't just be a paper
exercise where you can hold up to the world that we have
policies and we have procedures, and then you can put your head
on your pillow and think that you can rest assured.
No, you have to actually train people and you have to
actually hold people to those standards, and you have to test
and you have to drill down, you have to ensure they are
enforced and protected at all times.
I think that's what happened many times in Federal
agencies, at least through my 30 years now of experience, which
is that it is easy to write policy, especially in this day and
age, to get contractors and pay them to write policy for you.
But to actually instill that work ethic, to actually instill
those morals, to actually enforce the proper treatment of
records and protection of records, that's the problem.
And that's where in my testimony I talk about where I
believe that NARA has fallen short in terms of lack of
training, lack of oversight, and then lack of appropriate
action when people violate NARA policy and procedures which
were drafted in response to OMB requirements. So we don't have
a pass and we don't have a buy. These are things we should be
doing, and these are things that we fail to do at the National
Archives.
Mr. Driehaus. So it is not just a matter of
standardization. It is a matter of following through and making
sure that the processes are being followed and enforced if they
are not followed.
Mr. Brachfeld. That's correct. And that's why as an
Inspector General, I'm first of all very happy to be testifying
today and get the attention to this subject. I am also proud of
my staff, that we're putting forward very sound recommendations
that, should management opt to accept them and adopt them, I
think will bring far increased levels of internal control
security, and maybe we won't be here next year talking about
further breaches. Maybe we'll actually have a pretty tight shop
if we do some of the stuff we're recommending.
Mr. Driehaus. Well, I guess following up on the issue of
holding people accountable, Ms. Thomas, when you were here in
July with regard to the theft of the Clinton administration
hard drive, you at the time stated that you would act with
swift and appropriate disciplinary action if we found out that
there were people to be held accountable. Have you followed up
on that, and what steps have been taken?
Ms. Thomas. Well, at this point in time, we have held off
on taking disciplinary actions, although we are ready to do so
basically at the request of the Inspector General, so that they
can finish their investigation. But once that is finished and
they give us the go-ahead, then disciplinary actions will be
taken.
Mr. Driehaus. So the disciplinary action is pending?
Ms. Thomas. Pending.
Mr. Driehaus. That's all, Mr. Chairman.
Mr. Clay. Thank you, Mr. Driehaus. Mr. McHenry, you may
proceed for 5 minutes.
Mr. McHenry. Thank you, Mr. Chairman.
Ms. Thomas, how long have you been in your current
position?
Ms. Thomas. As Acting Archivist? Since mid-December of last
year.
Mr. McHenry. OK. And I ask that just for context, so that
is on the record. You know, this committee--I don't think
Congress looks at you as the culprit here, but we're asking for
your assistance in--well, in light of the fact the Senate has
not acted upon the President's nomination of the next Archivist
of the United States. But having said that, what policies have
changed in light of this additional security breach with the
loss of these Veterans' records?
Ms. Thomas. Mr. Congressman, I think I have to say that our
own determination is that we used a governmentwide contract,
that other agencies used, that have the appropriate privacy
protections written into the contract. And so that our use of
that contract was a valid way of sending back a disk.
Now, we've cited that we need to be beyond what's
acceptable. And we've adopted a policy, the CIO has, of not
sending disks back to the vendor. But we do not believe that
any breach has actually occurred, because the material was in
the hands of authorized people all along the process.
Mr. McHenry. So you have changed policy in that you don't
send out----
Ms. Thomas. We----
Mr. McHenry. If I may finish.
Ms. Thomas. I'm sorry.
Mr. McHenry. The two choices, Mr. Brachfeld, you testified
the two choices were to secure the data and keep even a failed
disk on hand, or send it back and replace it. Those were the
two choices. Now you've switched; is that correct?
Ms. Thomas. The new policy that's been adopted or in place
by the CIO is that we will not send any disks back to the
contractor.
Mr. McHenry. Mr. Brachfeld, thank you for your testimony.
You've always been very direct, as all Inspectors General are
supposed to be, and we certainly appreciate your work.
Has your office commented previously about this policy of
sending these drives out to contractors and getting them back?
Mr. Brachfeld. It simply never should have happened. Let me
read you a sentence, sir, or two. This is when one of the
contractors'--the most recent case is Dell. This is what Dell
said. ``Dell assumes no responsibility for the destruction of
data returned on such drives. Dell strongly encourages you to
remove all confidential, proprietary, or personal information
from any storage device before it is returned to Dell.'' We
didn't do that.
I brought with me a properly scrubbed, sanitized--this is a
drive right here. This drive for the purpose of this hearing,
this drive has veterans' information for millions of veterans.
It's mobile. I'm carrying it. It is a mobile device. It's game,
set, match.
If you go to NIST standards or if you go to OMB
requirements or if you go to NARA's own internal policy and
procedures, once you have PII data stored on a mobile device,
it must be encrypted. It must be encrypted, simple fact.
Furthermore, should you ship that or lose custody or give
up custody and control, it must be scrubbed, wiped, degaussed.
In neither case that we're talking about today was that done.
This data went out.
Now it's true. There is a language, boilerplate language,
that NARA found about 3 or 4 weeks ago in a contract, and
that's what they feel comfortable in telling you; that the
vendor, once they received this drive, was supposed to maintain
the confidentiality of the data.
But let's go with the first case, the CMRS drive. It didn't
just go to one vendor; it went to two, then three, then four.
It followed a food chain. First it went back to the company we
had a contract with. They sent it to another company to analyze
the data on the drive and see if the drive sectors failed. Then
it went to another company. And, finally, the fourth stop was a
scrap company for the metal scrap.
Now, that's pretty far down the food chain to lose control.
We don't know who had access to that within that company. We
don't know if it was stored physically in a safe location. We
don't know if somebody was embedded in one of these companies
who might see this as an opportunity to find Social Security
numbers or mine whatever data came their way for profit,
national security, etc. We don't know.
So what the National Archives did was violated their own
policy, which is derived from NIST standards and OMB
regulations, and lost control of millions of veterans' files
and records, and now, in the most recent case, thousands of
Federal employees. Those are the simple facts.
Mr. McHenry. Thank you, Mr. Brachfeld. Now, there was
originally veterans' data on that. What process did you go
through--is that currently encrypted or did you delete
information from that file?
Mr. Brachfeld. This--this drive did not--I'm very careful,
I am careful about what I do. This drive, I have the proper
certifications, before I would leave the building with this,
that it was wiped. And I have the technology that was used to
wipe the drive. I have it certified that it has no information
on it at this point. It is clear and again----
Mr. McHenry. Mr. Brill, could your company retrieve data
off of that ``wiped'' hard drive?
Mr. Brill. Sir, if the drive is wiped properly and
completely, the answer is generally you cannot. Here is the
problem. Either there's a big difference between ``I believe I
wiped the drive'' and ``I wiped the drive.'' We find, for
example, that organizations sometimes discover that a
disgruntled employee may have run a wiping program to get rid
of data that would incriminate them. But not all wiping
programs are created equally effectively. And some of them work
very, very well and some of them work not well at all. That's
why it's important not just to say ``wipe the drive'' but as I
think the Inspector General has suggested, that it be wiped in
a forensically acceptable way and possibly tested afterwards to
make sure that when we say there's no data that, in fact, there
is no data.
Mr. McHenry. Thank you for your testimony. I certainly
appreciate it. And I don't think this is necessarily about
contractors is Mr. Brachfeld's point; it is about secure chain
of possession of sensitive information.
And, Mr. Chairman, I think this is a larger cultural issue
with archives in terms of employee satisfaction and following
basic procedures. And I certainly appreciate your leadership in
making sure that we have good oversight of this to make sure we
correct this.
Mr. Clay. Thank you, Mr. McHenry, for your line of
questioning. Mr. Cuellar is recognized for 5 minutes.
Mr. Cuellar. Thank you very much, Mr. Chairman.
Ms. Thomas, let me ask you, looking at the big picture,
looking at this in hindsight, what do you think the weaknesses
are in this IT security? And also as the colleague just
mentioned, when you look at not only in your area, but in the
food chain or the custody down the line.
Just tell me overall, what do you think the weaknesses are?
Ms. Thomas. I think one of the things that is happening is
that, as Mr. Brill has sort of alluded to, technology is moving
at such a fast pace that things--processes and procedures that
were acceptable 6 months ago may not be acceptable today.
I know that when I moved to Virginia 30 years ago, my
driver's license number was my Social Security number. I think
our Social Security numbers were used on a lot of
documentation. You were asked to, when you wrote a check, write
your driver's license on it. That was your Social Security
number.
When all of the information--not all the information but a
good deal of the information became electronic and much easier
to manipulate and use in nefarious ways and all the data was in
a more concentrated small device, like Paul has mentioned, it's
becoming more and more of a challenge to deal with that and to
protect that information.
So our procedures, our policies, have to catch up to the
reality of today and continuously change as technology changes.
Mr. Cuellar. You said that we got to get our policies to
try--looking at the word ``try''--to catch up, are you caught
up?
Ms. Thomas. I think we are at the moment, but as Mr. Brill
has said, technology tomorrow, I don't know.
Mr. Cuellar. But you should have something in place that
lets you keep up----
Ms. Thomas. And that is certainly what the administration
is doing, that's what OMB is doing, NIST is doing, and we are
following those procedures.
Mr. Cuellar. Let's talk about the internal audit that you
conducted on your IT security. When was that performed and by
whom?
Ms. Thomas. We had a contractor, SAIC, come in and review
all of our IT security.
Mr. Cuellar. When was that?
Ms. Thomas. It was this past year.
Mr. Cuellar. What was the conclusion?
Ms. Thomas. Well, they came up with a series of
recommendations, I think I said 29 recommendations--at least
29--all of which we are working to implement. Most of them have
been by now, and we're working on all of them.
Mr. Cuellar. Out of 29, how many have been implemented?
Ms. Thomas. I would have to provide that for the record. I
don't know how many.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Cuellar. You don't know right now how many have been
implemented?
Ms. Thomas. I do not know. I know it's more than 50
percent, probably more like three-quarters.
Mr. Cuellar. You can see how that can be a problem. If you
do an internal audit to see what your weaknesses are and we
haven't implemented, how long would it take you to implement
100 percent of the recommendations, of 29 recommendations?
Ms. Thomas. I know that the CIO is working on implementing
all of the recommendations, and I am going to say that within
the next 6 months. And I may have to correct that after I talk
to the CIO. I'm sorry.
Mr. Cuellar. So if we are going to try to keep up with the
changes that you mentioned, have your policy keep up, we have
to wait another 6 months to implement those?
Ms. Thomas. These are identified weaknesses which we are
trying to correct in all instances. Some are more serious than
others. Those are the ones that we have tackled first.
Mr. Cuellar. Well, let me ask you, Mr. Brachfeld, was this
in fact an audit, and who performed it?
Mr. Brachfeld. It technically cannot be considered an
audit. It was performed by SAIC under what is called a Program
Review for Information Service Management Assistance. It's
called PRISMA. So it's not technically allowed to be called an
audit. It was not an audit. It does not--in fact, SAIC in their
PRISMA report, specifically states that it's not an audit.
Mr. Cuellar. What would you classify that?
Mr. Brachfeld. It's a review that was done for management,
in addition to the audit work that we do. Where we have
determined that IT Security is a material weakness, management
opted to get a second opinion, so to speak, and contracted for
SAIC to do that work. They came out with a finding of 29, I
believe it was, weaknesses that they identified.
Mr. Cuellar. Now you have reviewed those, that matter. Do
you know how many of the 29 recommendations NARA has
implemented?
Mr. Brachfeld. My IT auditors, whom I have a tremendous
amount of faith in and who have been right throughout in terms
of their analysis, determined that 27 of the 29 have not been
adopted to date. We believe that only two have been closed out
and completed to our satisfaction.
Mr. Cuellar. Mr. Chairman, can I just follow on up on that?
Twenty-seven out of the 29 have not been implemented?
Mr. Brachfeld. That was reported on September, I believe,
9th or 20th. It was reported just this past month to
management. We put together a matrix defining why we believe 27
to 29 had not been corrected. We requested a meeting in
September to discuss this. And it is now November 5th, and our
request for a meeting has not been addressed.
Mr. Cuellar. And the question, Mr. Chairman, was--I believe
Ms. Thomas' testimony was that more than half or three-quarters
of it had been implemented, and Mr. Brachfeld is saying that,
according to his folks, that only two have been implemented and
the meeting has not been set up, and I find that a little
disturbing.
Mr. Clay. Sounds like there is some discrepancy. Thank you.
Now, Ms. Thomas, you assured the subcommittee in July that
in regard to the theft or loss of the Clinton administration
hard drive, you would act with swift and appropriate
disciplinary action. Have you made your determinations as to
the causes of the theft or loss, and what specific actions have
you taken?
Ms. Thomas. The determination of what, how the hard drive
went missing, was stolen, is an investigatory responsibility of
the Inspector General. So we are waiting for the investigation
to be complete. We have, however, determined that there were
certainly internal control weaknesses that allowed whatever
happened to happen, and we have made substantial changes in the
way the controls of the equipment--who can have access to it--
and we are ready to take disciplinary action against those
people who were not following existing policy. But we are
waiting for the end of the investigation.
Mr. Clay. You could take action now in your agency?
Ms. Thomas. We have been requested not to by the Inspector
General. Yes, but we could take action now, were it not for
that standing request.
Mr. Clay. Mr. Brachfeld, is it complete?
Mr. Brachfeld. The investigation--your question is, is your
investigation complete? No. We are actively investigating it.
We have new information which I cannot discuss publicly at this
open hearing, but we do have progress in our investigation. And
as the nature of the investigation is extremely sensitive, the
acting Archivist is correct. We respectfully requested that
they hold off, because we don't want to do anything at this
point that could damage our investigation.
So in that case, that is correct. We have respectfully
requested that disciplinary action be held back pending the
furtherance of our investigation or in support of our
investigation.
Mr. Clay. Thank you for that response.
Mr. Powner, can you estimate the cost of integrating
increments one and two down the line? I mean, you stated that
it was a project at $550 million?
Mr. Powner. Right, $550 million life cycle cost. We have
spent about half of that to date. We do not have clear
integration costs going forward.
Here is the problem, not only with the integration costs
going forward, but when you look at the outyear increments, 3,
4 and 5, how are we going to allocate the remaining money?
There is a serious question with the remaining money to be
spent, including those integration costs, whether we are going
to get a full operational capability by 2012.
If you look at the track record to date, I think the answer
is likely no. And so what we want to see is real clear plans
for the next three increments and exactly what's going to be
delivered so we can measure to that.
This is similar in cost, Mr. Chairman--we were here a year
ago talking about FTCA. That was a $500 million contract at one
time, a system at one time that doubled quickly. We want to
avoid a situation like that.
Mr. Clay. Has there been a--I guess we will call it a
cavalier attitude with taxpayers' money in this instance?
Mr. Powner. I wouldn't say that. But I would say that the
management discipline that we would like to see from the
government is clearly not where we want it to be. And I will
give you an example where we look at these contractor reports
and we see contractor reports where they're spending money,
receiving funds, but not getting the work done. There's a
program management technique that is OMB-endorsed, called
earned value management. We look at those reports and scrub
them.
And what we need here is we need the program office to pay
close attention to those reports so that we are overseeing the
contractor and the government is in charge, not the contractor.
Mr. Clay. Would you supply this committee with a summary
report of the spending to this date and what problems you see
are on the horizon as far as the spending is concerned with
this program?
Mr. Powner. Yes, we can do that, Mr. Chairman.
Mr. Clay. Thank you so much. And I notice that you may have
wanted to get in on the discussion earlier on whether there are
industry standards that NARA could use that would have helped
this situation. Did you have a comment?
Mr. Powner. Well, the one comment on the multiple
classifications, GAO has done a lot of work on sensitive but
unclassified data. This is dated; but 2 to 3 years ago, there
were over 70 classifications of sensitive but unclassified
data. And I think the quick answer to the Congressman's
question is consolidating those many classifications is a clear
work in progress and it's incomplete.
Mr. Clay. Thank you for that response.
Mr. Brill, any comment on industry standards?
Mr. Brill. I think if there is anything to be said about
industry standards, there's recognition that the more complex
you make any program, the more likely you are to have problems.
If you can keep things simple, if you can classify things in a
limited number of buckets, and you have some clear rules about
what to do in each case, then it is much more likely that
you're going to have a very high degree of success in that
program.
We see all the time--you know, my work is kind of divided
in two, sir. In some cases, we are brought in, in advance, to
try and avoid problems. But in a lot of cases, we're the
firemen. We're the guys who get the call when something
terrible happens, and I think it would be fair to tell you that
when that happens, we can end up, in most cases, classifying
the incident into one of two major buckets. One is ``It
happened.'' The other is, ``It happened, but it shouldn't have
happened.'' It was an avoidable problem that, if rules had been
followed--if, for example, something as simple as a patch from
a vendor had been applied to a computer, wouldn't have
happened. If a firewall was properly configured, wouldn't have
happened.
If we can manage those, if we can avoid the avoidable
incidents by simplification, by good management, by good
followup, by good audits, that is key.
There will always be incidents. Human beings will always
make mistakes. Machines are not infallible. So, rather than
sometimes throwing up our hands and saying things happen, let's
classify it simply. Let's stop the things that we can
reasonably prevent through what I consider a commercially
reasonable set of controls, have plans in place for what we are
going to do if something happens in spite of our best efforts,
and recognize, as everybody has said here, that the environment
changes.
The first computer that I used at the Pentagon back in 1968
had 2,000 positions of memory, 2K. The systems in my office now
are measured not in kilobytes but in petabytes. And one
petabyte is 1 million gigabytes. The vast amounts of data mean
that we have to treat it in a systematic fashion. Those who
figure out how to do that, how to build the security into the
network, build it into the systems, tend to have fewer
mistakes. And the mistakes that occur don't fall into that
tragic category of ``We could have prevented this.''
Mr. Clay. Thank you so much. The gentlewoman from
California is recognized for 5 minutes, Ms. Watson.
Ms. Watson. Thank you so much, Mr. Chairman. And I came in
late and probably a lot of this has been already discussed.
But what would each one of you recommend after the
investigation into the breaches, into the delays and so on,
what would you recommend as we move forward? Because this
valuable information that is stored in the Archives, if there
are breaches or if the machinery in some way collapses, what
kind of backup systems do we need to have? What do we need to
build into our base equipment so, as you said, Mr. Brill, these
things should not have happened? Can any of you look forward
and tell us what you would like to see?
Mr. Brachfeld. I guess I'll tackle it. It's my nature; what
can I do.
There are two different issues here in terms of the
breaches and the events that transpired. I think that if you
look at NARA today, we have policies and procedures that are
defined because they have been derived from NIST and OMB. So we
have that piece of the equation.
The question, as we move forward now, is ensuring through
training and oversight that there's compliance with those
requirements and, as appropriate, punishment. Because those
regulations which are on our books, which are in our
requirements, say that if people violate the security
provisions, appropriate administrative and potentially criminal
action and criminal charges----
Ms. Watson. Who should do the oversight?
Mr. Brachfeld. I'm not a program official. I do audits and
investigations. The agency is charged with oversight of
programs, ensuring that their programs are implemented and
successful. So the agency needs to do that piece of the puzzle.
I'm there to provide whatever guidance and support I can in
that regard. And should somebody or an entity fail to live up
to their requirements, I'm there to do investigations. And if
it turns criminal, I'm there to do the criminal
investigations--and my staff.
Ms. Watson. Who determines there should be an
investigation? Whose responsibility would that be?
Mr. Brachfeld. That's my decision. If I'm alerted to--it
happens all the time. We get hotline calls. We get people
coming to us. We get formal referrals. Once my office becomes
aware of an event or events, we make a decision. My Assistant
Inspector General for audits and Assistant Inspector General
for investigations, we work the issue. We make determinations.
If we believe it's a potential for criminal, we work
through the Department of Justice, as we are required by law to
do. If we believe it's administrative, we take a different
track. Or if we believe that nothing inappropriate happened and
it's not my responsibility in that regard, we may just do a
referral. But it weighs on my shoulders and we address that.
Ms. Watson. Mr. Brill, you were mentioning that we should
have standards. What should we do in order to avoid these kinds
of, well, breaches? I don't know what you would do. But what
would you suggest?
Mr. Brill. It's as good a word as any, I suspect. You know,
it's an interesting thing. I have been sitting here thinking
about something and it's this. Back in about 1975, I was an
Army Reserve officer. I served Active and Reserve for 38 years.
And I was assigned to the Office of the Secretary of Defense as
a mobilization designee. And we started looking, even back
then, at information security.
And I remember a meeting that I had with the then-Deputy
Assistant Secretary of Defense for Audits, and I had just
successfully compromised a data center that I had been
requested to test out.
And what I said to him was this. How can you, how can you
go before Congress and have to say that the standards that
you're using maybe would not be acceptable in a major
corporation? I work with corporations primarily, not
governments. But what I found is there is an evolution. The
standards that have come out, the internal controls, as the
Inspector General has said, following things like
Sarbanes-Oxley, following the changes in governance, in the corporate
world, have changed things.
The changes that occurred in 2006 when the Federal Rules of
Civil Procedure were modified as a result of the work of the
Sedona Conference to recognize the importance of digital
records in the civil litigation process--there's been a sea
change. People are realizing that the key to this is good
management. It's no different than it was 100 years ago.
When we had paper records, we could preserve them, but that
didn't mean they were going to be readable unless we preserved
them properly and we protected them properly.
Digital records are no different. The techniques vary, but
the principles are the same. And isn't it always the same,
ma'am, that responsibility has to be taken, somebody has to be
the person that you can talk to about it, and that there are
standards, whether we use the ISO standards, whether we use the
good work that's been done at NIST, whether we use the
standards of other organizations?
I don't really care what standards there are, but if we
have a standard and we all agree to it, then an agency knows
what to do. You know what you can ask them. The auditors know
that it's a fair game, that you're testing on the basis of
rules.
So I think what I'm seeing is that, just as corporations
have recognized that the way that they handled automated
records in the past is no longer acceptable, if you did what
you did a few years ago you're likely to find a judge holding
that you've committed spoliation, and that there could be
penalties for that.
Just as I said to the guy at the Defense Department years
ago, I think that if we are lucky as citizens, there's a
two-way street between the private sector and the public sector in
terms of exchanging knowledge, research that's done, best
practices. And to the extent that can be done, I think there's
great value to be had.
Let's see what some of the best-run companies are doing.
Let's see why the standards are changing. Let's see what's
being done. I think the real key in getting that information is
perhaps the simplest thing that anyone can do. And I can
express it in one word: Ask.
Ms. Watson. Thank you, Mr. Chairman. I yield back.
Mr. Clay. Thank you, Ms. Watson.
Just as a final question, Ms. Thomas, at a hearing last
month, we heard about your advisory committee on the electronic
records archives. NARA believes that the advisory committee has
been valuable in providing outside expert advice in the
development of ERA. Its members represent expertise in an
extremely wide range of areas. However, as far as we can tell,
the committee does not include one expert or even anyone with
direct experience in the area of information technology
security.
Why isn't this important field represented on your advisory
committee?
Ms. Thomas. I don't know whether there is any specific
person whose profession is information security. I think all of
the members who have responsibility for systems certainly have
responsibility for information security, security over those
systems and therefore come to the committee with a wealth of
experience in how they deal with their own systems.
Mr. Clay. Well, do they bring a knowledge of information
security like, for instance, your fellow panelist, Mr. Brill?
Ms. Thomas. I think Mr. Brill is unique.
Mr. Clay. I do too. But there has to be, just to have
someone----
Mr. McHenry. I think that is a compliment, Mr. Brill.
Ms. Thomas. It is. It is.
Mr. Clay. To have someone else represent that aspect of
information technology would be probably helpful to the
advisory committee.
Ms. Thomas. I think you're probably right, Mr. Chairman,
and we can certainly look at the membership and if we are
deficient in that, having that kind of person--maybe Mr. Brill
would even like to join ECERA.
Mr. Clay. We will let you and Mr. Brill discuss that. If
there are no other questions, the hearing is adjourned. Thank
you.
[Whereupon, at 4 p.m., the subcommittee was adjourned.]