[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]




                               before the

                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES


                             FIRST SESSION


                            NOVEMBER 5, 2009


                           Serial No. 111-63


Printed for the use of the Committee on Oversight and Government Reform

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/

                         U.S. GOVERNMENT PRINTING OFFICE 

57-622 PDF                       WASHINGTON : 2010 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts       JOHN J. DUNCAN, Jr., Tennessee
WM. LACY CLAY, Missouri              MICHAEL R. TURNER, Ohio
DIANE E. WATSON, California          LYNN A. WESTMORELAND, Georgia
STEPHEN F. LYNCH, Massachusetts      PATRICK T. McHENRY, North Carolina
JIM COOPER, Tennessee                BRIAN P. BILBRAY, California
GERALD E. CONNOLLY, Virginia         JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois               JEFF FLAKE, Arizona
MARCY KAPTUR, Ohio                   JEFF FORTENBERRY, Nebraska
    Columbia                         AARON SCHOCK, Illinois
DANNY K. DAVIS, Illinois             ANH ``JOSEPH'' CAO, Louisiana
PAUL W. HODES, New Hampshire
JUDY CHU, California

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
CAROLYN B. MALONEY, New York         PATRICK T. McHENRY, North Carolina
    Columbia                         JOHN L. MICA, Florida
DANNY K. DAVIS, Illinois             JASON CHAFFETZ, Utah
DIANE E. WATSON, California
                     Darryl Piggee, Staff Director

                            C O N T E N T S

Hearing held on November 5, 2009.................................     1
Statement of:
    Thomas, Adrienne, Acting Archivist of the United States, 
      National Archives and Records Administration; Paul 
      Brachfeld, Inspector General, National Archives and Records 
      Administration; David Powner, Director, Government 
      Accountability Office, Information Technology Management 
      Issues; and Alan E. Brill, Kroll Ontrack, senior managing 
      director for technology services...........................    13
        Brachfeld, Paul..........................................    30
        Brill, Alan E............................................    57
        Powner, David............................................    42
        Thomas, Adrienne.........................................    13
Letters, statements, etc., submitted for the record by:
    Brachfeld, Paul, Inspector General, National Archives and 
      Records Administration, prepared statement of..............    34
    Brill, Alan E., Kroll Ontrack, senior managing director for 
      technology services, prepared statement of.................    60
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     3
    McHenry, Hon. Patrick T., a Representative in Congress from 
      the State of North Carolina, prepared statement of.........     8
    Powner, David, Director, Government Accountability Office, 
      Information Technology Management Issues, prepared 
      statement of...............................................    44
    Thomas, Adrienne, Acting Archivist of the United States, 
      National Archives and Records Administration:
        Letter dated November 10, 2009...........................    70
        Prepared statement of....................................    17



                       THURSDAY, NOVEMBER 5, 2009

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:40 p.m., in 
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the subcommittee) presiding.
    Present: Representatives Clay, Driehaus, Watson, Cuellar, 
and McHenry.
    Staff present: Darryl Piggee, staff director/counsel; Jean 
Gosa, clerk; Yvette Cravins, counsel; Frank Davis and Anthony 
Clark, professional staff members; Charisma Williams, staff 
assistant; Leneal Scott, information systems specialist (full 
committee); Adam Fromm, minority chief clerk and Member 
liaison; and Chapin Fay and Jonathan Skladany, minority 
    Mr. Clay. The hearing will come to order. Good afternoon. 
And the Information Policy, Census, and National Archives 
Subcommittee of the Oversight and Government Reform Committee, 
will now come to order.
    Without objection, the Chair and ranking minority member 
will have 5 minutes to make opening statements, followed by 
opening statements not to exceed 3 minutes by any other Member 
who seeks recognition.
    And, without objection, Members and witnesses may have 5 
legislative days to submit a written statement or extraneous 
materials for the record.
    Welcome to today's oversight hearing on the ``National 
Archives' Ability to Safeguard the Nation's Electronic 
Records.'' The purpose of today's hearing is to examine the 
National Archives' policies and procedures to protect the 
Nation's ever-increasing store of electronic records.
    We will consider several important topics, including an 
update on the theft or loss from NARA of a portable hard drive 
containing Clinton administration electronic records; possible 
breaches of electronic records containing personally 
identifiable information from NARA operating systems; and the 
status of the largest IT project in NARA's history, the 
Electronic Records Archives [ERA].
    ERA, fully implemented, would cost well over a half a 
billion dollars. Over the last 10 years or more, NARA has tried 
with varied success not only to develop and test a system but 
even to define its scope.
    This subcommittee is concerned that such a large and 
expensive information system is being developed in an agency 
that is already struggling with managing the security of the 
systems they currently operate. The theft or loss of the 
Clinton hard drive was very disturbing and we look forward to 
hearing the status of the agency's efforts to identify and 
notify any and all individuals whose PII may have been 
    It is more troubling, however, to hear of new instances of 
data breaches, or possible breaches. The circumstances and the 
agency's handling of them casts doubt on the National Archives' 
ability to understand and mitigate existing and emerging risk 
in order to properly safeguard the Nation's electronic records.
    It is this subcommittee's hope that through our hearing 
today, we can gain a better understanding of NARA's information 
technology security, and provide the National Archives with 
some important information and direction they can use in order 
to increase IT security across the agency.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    Mr. Clay. I would like to introduce our panel. Our first 
witness will be Adrienne Thomas, the Acting Archivist of the 
United States. Prior to her appointment as Acting Archivist in 
December 2008, Ms. Thomas served as the Deputy Archivist of the 
United States. Ms. Thomas has been with the National Archives 
for 38 years, beginning as an Archivist trainee in the Office 
of Presidential Libraries, and subsequently holding a number of 
policy and administrative roles. And thank you for being here.
    Our next witness is Paul Brachfeld, the Inspector General 
of the NARA Administration. Mr. Brachfeld previously worked for 
the Federal Communications Commission where he served as 
Assistant Inspector General for Audits. During his 8 years' 
tenure at the FCC, he also served 10 years as Acting Assistant 
Inspector General for Investigations. Mr. Brachfeld also served 
as Director of Audits for the Federal Election Commission 
Office of the Inspector General.
    After Mr. Brachfeld, we will hear from David Powner, the 
Director of IT Management Issues at the GAO. Mr. Powner is 
currently responsible for a large segment of GAO's information 
technology work, including systems development, IT investment, 
management health IT, and Cyber Critical Infrastructure 
Protection Reviews. He has led teams reviewing major IT 
modernization efforts at Cheyenne Mountain Air Force Station, 
the National Weather Service, the FAA and the IRS. Thank you 
for being here, Mr. Powner.
    And our final witness will be Alan Brill, the senior 
managing director for technology services at Kroll Ontrack, an 
industry leader in computer forensics and investigation. Mr. 
Brill is recognized internationally as a leader in his fields 
of security, computer forensics, and incident response. Mr. 
Brill founded Kroll Ontrack global high-technology 
investigation practice. He has an international reputation in 
the areas of computer communications security and technology 
crime investigation.
    I thank all of you for being here today and appearing 
before us for testimony. It is the policy of the subcommittee 
to swear in all witnesses before they testify. Would you all 
please stand and raise your right hands?
    [Witnesses sworn.]
    Mr. Clay. Thank you, you may be seated. And let the record 
reflect that the witnesses answered in the affirmative. I ask 
that each of the witnesses now give a brief summary of their 
testimony. Please limit your summary to 5 minutes and your 
complete written statement will be included in the hearing 
    Before we go to Ms. Thomas, we would like to ask the 
ranking member if he has an opening statement.
    Mr. McHenry. Thank you, Mr. Chairman, I do. Thank you so 
much for continuing to hold good hearings with this 
subcommittee. I appreciate your leadership.
    In May of this year, this subcommittee first met to discuss 
the staggering negligence of National Archives staff in 
handling our Nation's valuable records, an issue that was only 
just coming to light at the time. We're back again. But back 
then we were shocked to hear that a 2 terabyte hard drive had 
disappeared from the Archives' storage room where it was kept 
in an unsecured location, accessible by many employees.
    That device contained the personally identifiable 
information of hundreds of thousands of Clinton administration 
staff, Secret Service operating procedures, and other highly 
sensitive information. Although it was clear that there were 
endemic problems with National Archives' management, it 
appeared that this loss was an isolated incident and an Acting 
Archivist assured this committee that measures were being taken 
to address security concerns and prevent any further breaches.
    That, unfortunately, is not the case. Now, 6 months down 
the road, we're back here again, with more news of lost 
electronic storage devices, one of which contains the 
personally identifiable information of our Nation's military 
veterans on a drive that was sent out to an outside contractor 
for maintenance and repair. What's more is that this breach 
occurred a year ago, in November 2008, and we're only hearing 
about it now. I'm practically speechless.
    It is my sincerest hope that, Ms. Thomas, you will tell us 
today that the Archives is doing everything possible to ensure 
that these veterans do not become victims of identity theft.
    The National Archives staff exposed this drive to loss or 
theft because they believed it was defective and beyond repair. 
Further--they further claim that sending a drive containing 
sensitive information to a third party doesn't constitute a 
breach of sensitive information, because the contractor is 
obligated to keep its contents private.
    As the Inspector General of the National Archives will 
testify today, the data on this drive is actually retrievable, 
using free, publicly available software. In fact, some of my 
staff have performed procedures very similar to that. Exposing 
a drive like that to eyes outside of the National Archives is 
irresponsible, regardless of the technical definition of a 
    The National Archives has further claimed to the 
subcommittee staff that breaches of this nature will not happen 
going forward, because a policy is now in place that prohibits 
drives from being sent out to contractors for repair. However, 
this policy was actually already in place at the time the drive 
with veterans' data was exposed. So that's nothing more than 
cover for the past and not real substantive change to ensure 
this doesn't happen in the future.
    The policy also did not prevent the National Archives from 
sending yet another drive containing sensitive records to a 
contractor under similar circumstances in April 2009. That 
drive contained digitized employee files from the National 
Archives, GSA, and OPM. It is unacceptable that the NARA staff 
handle any storage devices this carelessly, but it is 
particularly disturbing that they are so haphazard with the 
Social Security and military identification numbers of our 
veterans who have sacrificed so much for this country.
    National Archives already uses strict protocols to 
safeguard this information contained in Defense Department 
files in its possession. Had these same protocols been used for 
veterans' data, this incident would have been avoided, in my 
    What is clear is that there is a greater institutional 
problem at the Archives that must be fixed, and that is culture 
of blatant disregard. It's become very clear that the ongoing 
security breaches are not the result of a lack of awareness of 
security procedure by staff, but a failure at the managerial 
level to enforce the procedure.
    Finally, we will also hear from our witnesses about the 
National Archives' Electronic Records Archive. As in the case 
with NARA as a whole, the ERA is plagued with its own problems. 
The ERA, which is the Archives' strategic initiative to 
preserve uniquely valuable electronic records in the U.S. 
Government, is in the midst of a system development that is 
already running far over budget. When fully operational, it 
will cost $500 million more than projected.
    The GAO has already been critical of this system, citing 
methodological weaknesses that could limit NARA's ability to 
accurately report on cost schedules and performances, and 
concluding that NARA lacks a proper contingency plan should the 
electronic record system fail. This really makes me question 
the investment overall.
    I thank our witnesses for appearing today. I certainly 
appreciate and am very interested in Ms. Thomas' testimony 
about this recent security breach and what sort of measures are 
being taken, if any, to say that this will not happen in the 
    Thank you, Mr. Chairman, for your leadership and I yield 
    Mr. Clay. Thank you, Mr. McHenry, for your opening 
    [The prepared statement of Hon. Patrick T. McHenry 


    Mr. Clay. I also want to recognize four special guests that 
we have here today in the front row, who are here to see their 
government in action. One is Dr. Kelly Woestman of Pittsburgh 
State University, as well as Jerry Handfield, the State 
Archivist for the State of Washington, Andy Maltz, who is the 
director of Science and Technology Council for the Pickford 
Center for Motion Picture Study, and David McMillen, NARA 
external affairs liaison.
    Welcome to all of you and all the other ladies and 
gentlemen in the audience today.
    Ms. Thomas we will begin it with your testimony.



    Ms. Thomas. Chairman Clay, Ranking Member McHenry, and 
members of subcommittee, thank you for this opportunity to 
discuss the National Archives and Records Administration's 
safeguarding of electronic records.
    At NARA we recognize that the challenge of securing IT 
systems and devices, particularly in regard to protecting 
personally identifiable information, is never-ending and always 
changing. We know that no agency will ever be perfect, but 
we're committed to doing the best job that we can, learning 
from our own mistakes and the mistakes of others.
    I appreciate Paul Brachfeld, NARA's Inspector General, and 
David Powner of the Government Accountability Office are 
appearing alongside me today. NARA's Office of the Inspector 
General has reported a number of vulnerabilities and made 
important recommendations on how we can improve our security. 
In response to their work we've declared a material weakness 
with respect to IT security, and we are taking corrective 
    Later in my testimony, I will update you on the Electronic 
Records Archives which regularly receives useful guidance from 
the GAO and has from the very start of the ERA development.
    In late September, I was briefed by the Inspector General 
on an allegation that NARA may have improperly disclosed 
sensitive personally identifiable information when a defective 
disk drive from a veterans' information data base was sent to 
an authorized contractor for repair in the fall of 2008, rather 
than being destroyed and disposed of at a NARA facility, 
according to a new policy that had been issued by the CAO in 
August 2008.
    The defective disk drive supports the case management 
reporting system [CMRS]. CMRS is used by NARA's Military 
Personnel Record Center to track over a million requests 
annually for the personnel records of veterans, but the system 
hardware resides in College Park, MD.
    On October 9th we learned that an additional hard drive at 
our National Personnel Record Center in St. Louis was returned 
to a vendor in April 2009. The drive is from a system that is 
used to digitize official personnel files of current government 
employees, and we believe it contained digitized files and an 
associated index of current employees' records from NARA, the 
General Services Administration and the Office of Personnel 
    NARA and the Inspector General continue to review these 
incidents. However, at this time, there is no evidence that the 
defective disk drives were ever in unauthorized hands or that 
any PII was accessed from these disks. And my staff and I have 
concluded that there was no PII breach.
    We have implemented many recommendations made by the 
Inspector General to improve PII security at the NPRC, 
including removing older data from the CMRS system, performing 
annual reviews of CMRS user accounts, compiling updated key 
inventories to better protect PII stored on paper, and issuing 
policy changes to require verification of data before providing 
military records to next of kin.
    In light of these two hard drive maintenance incidents, we 
are taking a comprehensive look at the internal security 
controls related to the protection of PII within IT systems 
across NARA. We have undertaken an agency-wide systematic 
review of the storage and protection of PII that includes a 
review of data base encryption within the system, a review of 
our tape backup procedures, a review of all of our computer 
acquisition and maintenance contracts to ensure that sensitive 
data protection is properly addressed, and a review of our 
internal PII awareness and training processes and procedures.
    We are also ensuring that we use National Security Agency-
approved media, sanitation, and destruction procedures, and 
have engaged expert consultants to review our IT security 
incident response procedures.
    In order to identify ways to improve security and internal 
controls with regards to electronic records, NARA has conducted 
an internal audit to identify how well our ITT security program 
is functioning. This audit identified 29 recommendations for 
improvement in NARA's IT security program. Since then, we have 
doubled our IT security staff and much progress has been made 
in the area of strengthening our IT security controls.
    My written testimony describes many additional corrective 
actions that NARA is undertaking to improve IT security. Most 
of the original 25--29 recommendations have been completed, and 
we continue to work on the remaining actions.
    You also asked that I provide an update on our response to 
the external hard drive containing copies of Clinton 
administration Executive Office of the President data that we 
discovered missing in March 2009 from NARA's College Park 
facility. The drive is still missing. It contains names, dates 
of birth, and Social Security numbers of people who worked in 
the Clinton Executive Office of the President, visited the 
White House complex, or submitted personal information to the 
White House in pursuit of a job or a political appointment.
    To date, NARA has mailed approximately 26,000 breach 
notification letters to individuals whose names and Social 
Security numbers are on the hard drive. We have offered these 
individuals 1 year of free credit monitoring. So far, 1,685 
persons have taken advantage of the offer. Our contractors are 
continuing to search the hard drive for additional names of 
individuals whose identity might have been compromised. We 
anticipate mailing an additional 120,000 letters in the coming 
    Finally, you asked that I report on the status of the 
Electronic Records Archives [ERA]. ERA is a comprehensive 
systematic and dynamic means for providing electronic records 
that would be free from independent--from dependence on any 
specific hardware or software. The primary purpose of this 
first-of-a-kind system is to take in, store, and provide access 
to records that are born digital, by which we mean the 
permanent archival electronic records created by executive 
branch agencies, the Congress, Federal courts, and the Office 
of the President.
    We are currently beginning year 5 and increment 3 of this 
7-year, 5-increment system development project. NARA staff is 
now using increment 1 to ingest electronic records from legacy 
NARA systems and to schedule transfer records from four 
agencies serving a pilot capacity for ERA.
    Increment 2 of ERA provided support for the transfer of the 
electronic Presidential records from the Executive Office of 
the Bush administration so that we could preserve and make 
these records accessible for archival processing. Increment 2 
was delivered in December 2008 to enable NARA to begin the 
ingest of 72.32 terabytes of data that legally transferred to 
NARA as of January 20, 2009. Ingest of these unclassified 
electronic records was completed in October 2009.
    Funding in NARA's 2010 budget is dedicated to increment 3 
of NARA, which includes a congressional records instance to 
provide simplified storage and access capabilities for the 
electronic records of Congress. This part of increment 3 is on 
schedule and will be delivered to NARA in February 2010.
    Increment 3 also provides the capability for the public to 
accept access records in ERA. The subcommittee should know, 
however, that the start of increment 3 development has not been 
as smooth as desired. NARA has raised several concerns with the 
contractor related to analysis, design, and architectural 
foundation issues. The contractor was receptive to NARA's input 
and has taken concrete steps to make improvements in process, 
deliverables and staff. At present, the contractor believes it 
can deliver increment 3 as scheduled. But you can rest assured 
that NARA will continue to monitor progress to ensure that 
increment 3 will be delivered within cost and schedule.
    In summary, ERA is operating in the way that we now expect 
it to at this point in the project. Federal and Presidential 
records are stored in the ERA, which operates securely at a 
facility on the grounds of U.S. Navy's Allegheny Ballistic Lab 
in Rocket Center, WV. Hardware and software failures have been 
minimum. We have a staged plan to open the system up to Federal 
agencies. The problems we encounter are common to major IT 
systems development, but I am confident in the ability of the 
ERA program office to manage the development of ERA to a 
successful conclusion and to plan for the ongoing operational 
phase of ERA after 2012.
    Mr. Chairman--that concludes my testimony. I would like to 
thank you for inviting me here today and for the helpful 
oversight and guidance you and the members of this subcommittee 
provide to NARA.
    Mr. Clay. Thank you so much.
    [The prepared statement of Ms. Thomas follows:]

    Mr. Clay. Mr. Brachfeld, you may proceed.


    Mr. Brachfeld. Mr. Chairman and members of the 
subcommittee, I thank you for the opportunity to testify today.
    NARA's core mission is to safeguard and preserve the 
records of our democracy to make them available for this and 
future generation of Americans. The challenge is daunting and 
becoming more complex each day in this, the Digital Age. Yet 
fundamental truisms still exist in many areas. One fundamental 
truism, as solid as granite, is that sound internal controls 
should be the foundation upon which all systems and operations 
are based.
    For a decade as a NARA Inspector General, I have had a 
front-row seat observing internal control weaknesses and 
internal control deficiencies that have resulted in the loss of 
Federal funds and property, compromised the successful delivery 
of contractual services and deliverables, impaired operations, 
and subjected information to include electronic records 
maintained in NARA's systems and facilities to compromise.
    However, I am hopeful. I believe that under the leadership 
of a new Archivist, NARA has the opportunity to elevate 
security to the upper tier of our organizational mission.
    The staff in my office is committed to assisting management 
in this effort. We also look forward to working with the new 
Archivist with an eye toward strengthening a role NARA plays in 
ensuring Federal records created by all three branches of 
government are properly identified, scheduled, accessioned, and 
ultimately injected into a functional electronic records 
    Today, at the request of the committee Chair, I will focus 
upon the exposure resulting from the compromise of records that 
placed personally identifiable information [PII], of our 
Nation's veterans, Federal employees, and millions of our 
Americans at risk. In the past year alone, OIG investigators 
and auditors have performed work specific to the following: the 
loss of a computer hard drive from Archives to College Park, 
populated with millions of records from the Clinton White 
House. Within this population are tens of thousands of records 
containing PII as well as other potentially sensitive 
    The loss of government control over a hard drive we suspect 
contained millions of PII records of our Nation's veterans.
    Inappropriate controls over information stored in the 
automated case management system used in St. Louis to track and 
process electronic mail-based requests for official military 
personnel files. System vulnerabilities leave veterans' PII 
susceptible to unauthorized disclosure.
    The improper transmission of veterans' records over an 
extended period of time by personnel at the National Personnel 
Records Center which exposed veterans' PII to potential 
    The donation and surplus of laptops that were not degaussed 
or scrubbed which, at least in one case contained files of the 
former Director of the Information Security and Oversight 
Office. Among these files was PII-specific and national 
security officials from the Clinton administration.
    The loss or theft of hundreds of pieces of IT equipment, 
written off for the period of fiscal year 2002 to 2006, had had 
capacity to store information.
    Inappropriate packaging of two backup hard drives 
containing limited PII at the FDR Presidential Library, 
resulting in their loss during shipping. OIG investigators 
subsequently recovered one of the two.
    Additionally, this committee was recently notified of 
another incident in St. Louis, MO in which failed hard drives 
from a drive array used to store PII information for thousands 
of Federal employees inappropriately left NARA's physical 
control. The array contained mirror images of official 
personnel files and related information of employees from three 
    These cases worked by OIG staff within the past year are 
individually egregious, and collectively represent an agency 
that is not meeting a core tenet of its mission to safeguard 
the records of our democracy. While each case of data breach, 
loss, or under risk of loss, represents a unique stanza; the 
chorus of the song remains the same.
    As an agency, NARA lacks a viable, robust risk 
identification and mitigation strategy, and we all paid for 
this shortcoming.
    In testimony before this committee on July 30th, I provided 
details to the internal control weaknesses which result in the 
loss of a hard drive containing two terabytes of Clinton 
Presidential records. Internal control weaknesses, lapses, and 
exercise of questionable judgment tied to other incidents I 
have spoken of today, regularly leave me and my staff 
frustrated and bewildered.
    Allow me to elaborate. Specifics of the case involving the 
hard drive potentially holding millions of our Nation's 
veterans' PII, NARA officials contracting for what to do with 
these type of hard drives initially had two choices. It needs 
to be clear that often there is nothing substantially wrong 
with failed drives and they are perfectly useful for many 
    Accordingly, one contract choice, the secured data option, 
would let NARA physically keep all drives identified as failing 
or failed.
    The second choice of the vendor providing a new drive, but 
then the vendor would take back that drive with the information 
on it. The vendor would then test the drive to see if anything 
was wrong with it, and if there was, it could be economically 
repaired and reused. However, if it cost more to fix than the 
drive was worth, the drive could be recycled for metals.
    NARA opted for choice two. Thus NARA decided to allow the 
populated and potentially readable drive to leave NARA control. 
However, as drives actually started to fail, NARA was given a 
second chance to correct this decision and was presented with a 
third choice. NARA could keep the failed drive and pay 
approximately $2,000 for each new drive on a one-by-one basis. 
Unfortunately, NARA once again chose to let these populated 
drives leave their control.
    The trail specifically described was subsequently found to 
be untraceable and we cannot get possession back. Accordingly, 
I cannot tell the committee today whether a breach, as defined 
by data being accessed by unauthorized parties, occurred. But I 
can state emphatically that NARA's actions to create the risk 
of such a breach and a lack of due diligence to protect this 
information cannot be ignored and should not be marginalized.
    While I have been informed that this situation I just 
described has now been fixed contractually, I believe select 
narrow managers, from the top down, do not recognize the risk 
factors existing in today's environment. Failing to define the 
risk, would you not deploy and make the security first 
decisions necessary to adjust to real and potential risk before 
unfortunate and irreversible events transpire?
    In the brief time allotted to me, I would also note--
specifically; it relates to the ERA program--that I have had 
professional skepticism about ERA since the first meeting I 
attended in 2002. Fearing a worst-case scenario, I went to 
then-Archivist Carlin on April 30, 2002, seeking audit staff 
resources to provide independent, objective, and skilled 
oversight over ERA. Per my notes he responded, ``I could give 
you 50 people and you still couldn't cover it. So you think you 
can do it with two?''
    In December 2003, failing to obtain any ERA dedicated audit 
resources, I made a formal request, to the OMB Director stating 
ERA is a challenge we are not equipped to address within our 
existing fiscal constraints. We are simply unable to provide 
the necessary coverage to this mission-critical program. 
Failure to fund this initiative will not allow me to obtain 
persons with the skills necessary to independently evaluate and 
report upon the progress of ERA. Likewise we'll not be able to 
support this program of real time, potentially resulting in 
less than optimal results. This is a risk that this Nation 
should not face.
    As I testify today, I continue to have profound concerns 
over the status of the ERA program. My concerns are rarely 
reflected by management, who throughout program life have 
expressed abundant optimism. For example, in April 2007, ACERA 
meeting minutes, the ERA director stated--technical director 
stated--that the program is succeeding. Yet OIG auditors were 
finding this rosy scenario to be anything but the truth.
    In a management letter to the Archivist on January 13, 
2007, we accurately defined the ERA programs as one ``beset by 
delivery delays, cost overruns and staffing shake-ups.'' 
History shows we were correct.
    At the very next ACERA meeting in November 2007, the 
minutes report that same ERA technical director made a 100-
degree course correction by defining that sound engineering 
methods were not followed in many areas. Lockheed allowed the 
schedule to become the priority, rather than ensuring that 
requirements were being met in a satisfactory manner ultimately 
has failed. NARA issued a curing notice to lock in 2007.
    Shortly thereafter, in testimony before a subcommittee of 
the Senate Committee on Homeland Security and Government 
Affairs, on May 14, 2008, Archivist Weinstein stated We 
discovered belatedly that we may not have the A team from 
Lockheed Martin, and Lockheed Martin acknowledged this fact. 
And so we got the A team, and the A team has been performing 
    I am not sure as to the basis for this testimony, which was 
perhaps designed to allay the concerns espoused by Senators at 
this hearing. Seventeen months have passed, we are now in 
fiscal year 2010, and key staff in NARA and LMC have come and 
gone. New voices replace old voices and optimism ebbs and 
    At a time when NARA officials publicly voice confidence 
that full operating capability will be met by March 2012, a 
senior working within the ERA program office spoke to me just 
last week of ongoing contract performance and deliverable 
deficiencies. Perhaps the A team is sliding down the alphabetic 
    The Acting Archivist told me last week the Chief 
Information Officer has been made aware of ongoing 
deficiencies. However senior NARA management never brought such 
information to my attention nor disclosed it to the auditors 
assigned to this program area.
    As engaged as I have been, I do not know what capabilities 
and capacities will reside in ERA when the contractors throw 
another party, turn in their badges, shake hands and exit the 
    Such a statement should be viewed as troubling to all NARA 
stakeholders, and particularly this committee. It is my hope 
that through this testimony and the support of a new Archivist, 
we will begin to see improvements in our system of internal 
controls, and that those who fail to discharge their duties 
will face appropriate sanctions.
    I thank you for this opportunity and I look forward to 
responding to your questions, thank you.
    Mr. Clay. Thank you so much, Mr. Brachfeld.
    [The prepared statement of Mr. Brachfeld follows:]

    Mr. Clay. Mr. Powner, you're up.

                   STATEMENT OF DAVID POWNER

    Mr. Powner. Chairman Clay, Ranking Member McHenry, and 
members of the subcommittee, we appreciate the opportunity to 
testify this afternoon on NARA's electronic records archive 
system. This $550 million system is intended to preserve and 
provide access to massive amounts of electronic records and is 
an investment critical to NARA's mission.
    To date, NARA has spent more than half of the $550 million 
and has deployed two of the five planned increments. This 
afternoon, Chairman Clay, I will comment on NARA's performance 
with the first two increments, existing project management 
concerns, plans for increments 3 through 5 and recommendations 
for improvement.
    Starting with performance of the first two increments, 
increment 1 was late, over budget, and did not provide the 
functionality promised. Specifically, initial operating 
capability with four pilot agencies was scheduled for September 
2007, but was delayed 9 months to June 2008. This delay 
resulted in the cost overrun of $20 million. But even more 
troubling is the fact that planned functionality was not 
delivered and deferred to later increments.
    These delays also squashed NARA's plans to use ERA to 
receive the electronic Presidential records of the outgoing 
Bush administration in January 2009. Instead, a separate 
commercial system with a different architecture from ERA was 
used to archive the Bush records. And although NARA certified 
the second increment in December 2008, the 73 terabytes of 
Presidential records were not ingested into the system until 
September 2009. The first two increments are basically 
different systems, and integrating these systems in later 
increments will need to be addressed.
    Managing a project this large requires sound project 
management discipline that includes overseeing contractor 
performance to ensure that what the government is paying for is 
delivered at the agreed-to cost and on time. To date, the ERA 
program does not have a good track record here. When we looked 
into this last year, we found several weaknesses in NARA's 
practice. For example, we found contractor reports on program 
funds spent without work completed, and work completed and 
funds spent on work that was not in the work plans. NARA is 
working to improve the management processes so that the cost 
schedule and technical performance can be closely monitored in 
the remaining three increments over the next 3 years.
    Regarding the remaining three increments, we have reported 
and made recommendations to NARA that their outyear increments 
need to be clearly defined as to what specific functions will 
be delivered when and at what cost. For example, NARA has 
significant work ahead in the outyear increments that include 
expanding beyond the four pilot agencies, handling classified 
information, providing public access capability, and expanding 
functionality like access and preservation capabilities. Such 
detailed plans are essential if this project is to achieve full 
operating capability by 2012 at the $550 million price tag.
    Moving forward, NARA needs to closely monitor not only the 
cost of each increment, but also needs to monitor the 
functionality delivered. Our recommendation to bolster the 
program's use of earned value management should help, if 
effectively implemented.
    The program also needs to ensure integration plans are in 
place to merge the differing architectures used in the ERA base 
system and the Presidential record system. And also NARA needs 
to define in great detail the functions to be delivered in 
increments 3 through 5. This includes aligning detailed 
requirements and the cost with each increment. Failing to 
address these recommendations will clearly jeopardize the 
chances of achieving full operating capability by 2012.
    Mr. Chairman, this concludes my statement. Thank you for 
your oversight of this project, and I look forward to your 
    Mr. Clay. Thank you so much Mr. Powner.
    [The prepared statement of Mr. Powner follows:]

    Mr. Clay. Mr. Brill you have 5 minutes.

                   STATEMENT OF ALAN E. BRILL

    Mr. Brill. Thank you, sir. Chairman Clay, Ranking Member 
McHenry, members of the committee and members of the staff, 
good afternoon. My name is Alan Brill. I'm currently senior 
managing director for secure information services at Kroll 
Ontrack. I am not here today as a representative of Kroll 
Ontrack, but as an individual to share whatever knowledge and 
experience I have in the fields of information security, data 
protection and data recovery, to assist the subcommittee with 
the vital work it performs. And I'm grateful to you for the 
opportunity to speak today.
    A substantial proportion of the information that is being 
created within our government is generated, exchanged, and 
stored digitally. It is produced and stored on computers 
ranking from the desktop or laptop computers of individuals, to 
the massive processing arrays in networks of large agencies. It 
is also a simple fact that most of the data that is created, 
and which may have historical import for extended periods of 
time, will never in the course of normal use be printed.
    How do we safely and efficiently preserve electronic 
records when the technologies involved in producing and storing 
those records is clearly evolving at a breakneck speed?
    I've been involved in the security and recovery of data 
from computers for more than 40 years. My recent experience has 
involved working with private-sector organizations to safeguard 
sensitive data and help those organizations respond to data 
security incidents. I've learned a few lessons that I hope will 
be helpful to the subcommittee when it considers how best to 
carry out its oversight role in assuring the preservation of 
electronic records which are a vital part of our national 
    First, don't assume that the devices currently used to 
store data will be commonly used, or even reasonably available 
in the future. Above all else, we must ensure not only that we 
can store the data but that we can completely and accurately 
access it on the physical media that we preserve. This means 
that we either have to also preserve workable reading 
mechanisms or periodically transfer the data to contemporary 
storage media, as new storage technology obsoletes the old.
    Don't assume data can't be restored, even if the storage 
medium appears to be damaged. Consider a quick example. 
Following the tragic loss of the Space Shuttle Columbia in 
2003, NASA located a hard drive in the debris field. The Glenn 
Research Center sent it to my organization for examination. 
Although the electronics on that drive had been literally 
fried, the case burned and plastic from the innards of the 
device had melted onto the surface of the drives, we were able 
to rebuild the mechanical components, clean the disk and 
recover over 99 percent of the data, which turned out to be 
vital for completing a long-term experiment in basic physics.
    With today's technology, unless the media containing the 
data is utterly destroyed, the data is at least potentially 
recoverable. I believe that the best practice is that when a 
device contains sensitive data, assume it might be potentially 
recoverable, unless you have taken proper systems steps to 
render that data permanently unreadable.
    Third, what you see is very often not all that you can get. 
There are a number of data fields that are automatically 
created and maintained by the program that all of us use. Some 
are obvious. The date and time that a file was originally 
written, how many times it was edited, when it was last opened, 
but it can contain more. It may contain a record of changes 
made in the course of revision and review. This information is 
called metadata. It is important to the understanding of the 
file with which it is associated.
    People think that things like this are a brand-new issue, 
Mr. Chairman, but they are not. If you look at Abraham 
Lincoln's handwritten manuscript of the Gettysburg Address, you 
can see how he edited it, what it looked like before he made 
the changes, what he crossed out and what he added. The same 
can often be done with digital records through examination of 
the metadata, but only if that metadata is preserved. 
Unfortunately, unless care is taken in regard to the 
preservation process, metadata can inadvertently be changed or 
lost. To ignore metadata is to constrain future understanding 
of the file.
    Next, ensuring data security must be more than an 
afterthought. There is a cost to data protection, but, planned 
effectively, those costs can be controlled. There will always 
be a tradeoff between cost and protection.
    While I'm not an expert in the various security standards 
that are used by Federal agencies, I found there are a number 
of centers of knowledge that can be an immense value in 
understanding the risks and alternatives. The work of 
professionals at NIST comes to mind. I have no doubt that this 
subcommittee is aware of the ongoing work there to identify 
risks, protective measures, and to provide publications that 
help professionals and managers in both the public and private 
sector to do a better job of security sensitive data.
    Sir, the cost of not protecting data appropriately can be 
very, very high. What is the cost to future knowledge if 
electronic records of today's decisions and activities are lost 
through security failures?
    I believe that the expertise exists to assist and advise 
our government on this complete and continually changing issue. 
There are many specialists like myself who recognize that 
service on advisory councils and other appropriate mechanisms 
is really part of our civic and professional personal duty. Why 
not call on this pool of knowledge?
    If we don't collect data and collect it properly, if we 
don't maintain it in a usable and complete form, and if we 
don't safeguard it appropriately, it won't be there for the 
benefit of future generations.
    Finally, we must assure that both public and private sector 
organizations have a plan for exactly what they will do if 
there is a data protection incident. Trying to develop a crisis 
management plan in the middle of a crisis is difficult at best. 
Recognizing that incidents can occur, and if they do occur, is 
far more effective in terms of responding to the incident.
    I want to thank the subcommittee for inviting me here 
today. Sir, over the years I've had the opportunity to work 
with information security professionals in government, at the 
FBI, the Defense Department, the Secret Service, I am very 
proud of the work that they do. Their public service at a time 
when they could earn far more in the private sector is a 
measure of devotion. Anything that we in the private sector can 
do to add to the knowledge, to make sure that we keep up with 
the changes, is more than just something that could be done; 
it's something that ought to be done.
    Thank you very much for inviting me here today, sir.
    Mr. Clay. Thank you, too, Mr. Brill, especially for your 
passion in regard to this subject. And we appreciate your 
    [The prepared statement of Mr. Brill follows:]

    Mr. Clay. I thank the entire panel for their testimony.
    I also want to welcome our newest member to the 
subcommittee, the gentleman from Texas, Mr. Henry Cuellar. 
Welcome aboard and we look forward to your involvement in the 
subcommittee. We will go into the question-and-answer period, 
and we will recognize the gentleman from Ohio for 5 minutes to 
begin the questioning.
    Mr. Driehaus. Thank you very much, Mr. Chairman, and I 
thank you for calling this hearing and I appreciate very much 
the testimony.
    This certainly hits home to me. I remember when I was a 
State Representative, and one of my colleagues called me and 
recited my Social Security number to me after looking at a 
county--I believe it was the county auditor or the county 
recorder or something like that, the Clerk of Courts, whose son 
had developed a new Web site. They decided it would be great if 
we scanned every document in the county that came through the 
Clerk of Courts and they scanned it onto the Web site, not 
thinking that, you know, perhaps some of these parking tickets 
out there--and mine was a traffic violation--contained some 
sensitive information.
    But what it brought to mind was that there was no standard 
operating procedure at all in the county, in the State, 
anywhere, when it came to not just archiving the data but 
dealing with the data at all. And so, Mr. Brachfeld, when I 
hear your testimony, it strikes me as very concerning.
    Earlier this year I introduced legislation dealing with 
classification of documents, because there is no standard 
operating procedure in the Federal Government when it comes to 
standard classifications. We find that, you know, the Federal 
Government exists in silos, and there are different standard 
operating procedures when it deals to just classifying 
documents and classifying certain information.
    So if you could help me, Mr. Brachfeld, I am very 
interested--any of you--as to our status as a Federal 
Government. In terms of coming up with standard procedures for 
dealing with sensitive documentation and sensitive information, 
not only how do we collect it but how was it dealt with, and 
certainly when it was archived, how do we then deal with this 
archive? Give us a score as to how we are in standardizing this 
as a process.
    Mr. Brachfeld. Actually the focus of my work is doing 
investigations and audits. In terms of policy and procedures 
and classification of documents, that's not my bailiwick.
    Mr. Driehaus. Not just classification. I'm talking about 
the sensitive information that you were talking about and how 
vulnerable we are to losing that information. It strikes me 
that within departments we don't have standard operating 
procedures to deal with this appropriately. I'm wondering if 
you have any observations as to how far we've come or how far 
we still have to go in terms of the various departments in 
collecting and classifying and archiving that data?
    Mr. Brachfeld. I think there are standards available. For 
example, in the cases I was talking about specific to the loss 
of data and the breach of data, there is, as Mr. Brill noted as 
well, there's NIST standards; OMB puts out regulations 
requirements; agencies establish and define their own internal 
requirements. The problem is, it shouldn't just be a paper 
exercise where you can hold up to the world that we have 
policies and we have procedures, and then you can put your head 
on your pillow and think that you can rest assured.
    No, you have to actually train people and you have to 
actually hold people to those standards, and you have to test 
and you have to drill down, you have to ensure they are 
enforced and protected at all times.
    I think that's what happened many times in Federal 
agencies, at least through my 30 years now of experience, which 
is that it is easy to write policy, especially in this day and 
age, to get contractors and pay them to write policy for you. 
But to actually instill that work ethic, to actually instill 
those morals, to actually enforce the proper treatment of 
records and protection of records, that's the problem.
    And that's where in my testimony I talk about where I 
believe that NARA has fallen short in terms of lack of 
training, lack of oversight, and then lack of appropriate 
action when people violate NARA policy and procedures which 
were drafted in response to OMB requirements. So we don't have 
a pass and we don't have a buy. These are things we should be 
doing, and these are things that we fail to do at the National 
    Mr. Driehaus. So it is not just a matter of 
standardization. It is a matter of following through and making 
sure that the processes are being followed and enforced if they 
are not followed.
    Mr. Brachfeld. That's correct. And that's why as an 
Inspector General, I'm first of all very happy to be testifying 
today and get the attention to this subject. I am also proud of 
my staff, that we're putting forward very sound recommendations 
that, should management opt to accept them and adopt them, I 
think will bring far increased levels of internal control 
security, and maybe we won't be here next year talking about 
further breaches. Maybe we'll actually have a pretty tight shop 
if we do some of the stuff we're recommending.
    Mr. Driehaus. Well, I guess following up on the issue of 
holding people accountable, Ms. Thomas, when you were here in 
July with regard to the theft of the Clinton administration 
hard drive, you at the time stated that you would act with 
swift and appropriate disciplinary action if we found out that 
there were people to be held accountable. Have you followed up 
on that, and what steps have been taken?
    Ms. Thomas. Well, at this point in time, we have held off 
on taking disciplinary actions, although we are ready to do so 
basically at the request of the Inspector General, so that they 
can finish their investigation. But once that is finished and 
they give us the go-ahead, then disciplinary actions will be 
    Mr. Driehaus. So the disciplinary action is pending?
    Ms. Thomas. Pending.
    Mr. Driehaus. That's all, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Driehaus. Mr. McHenry, you may 
proceed for 5 minutes.
    Mr. McHenry. Thank you, Mr. Chairman.
    Ms. Thomas, how long have you been in your current 
    Ms. Thomas. As Acting Archivist? Since mid-December of last 
    Mr. McHenry. OK. And I ask that just for context, so that 
is on the record. You know, this committee--I don't think 
Congress looks at you as the culprit here, but we're asking for 
your assistance in--well, in light of the fact the Senate has 
not acted upon the President's nomination of the next Archivist 
of the United States. But having said that, what policies have 
changed in light of this additional security breach with the 
loss of these Veterans' records?
    Ms. Thomas. Mr. Congressman, I think I have to say that our 
own determination is that we used a governmentwide contract, 
that other agencies used, that have the appropriate privacy 
protections written into the contract. And so that our use of 
that contract was a valid way of sending back a disk.
    Now, we've cited that we need to be beyond what's 
acceptable. And we've adopted a policy; the CIO has, of not 
sending disks back to the vendor. But we do not believe that 
any breach has actually occurred, because the material was in 
the hands of authorized people all along the process.
    Mr. McHenry. So you have changed policy in that you don't 
send out----
    Ms. Thomas. We----
    Mr. McHenry. If I may finish.
    Ms. Thomas. I'm sorry.
    Mr. McHenry. The two choices, Mr. Brachfeld, you testified 
the two choices were to secure the data and keep even a failed 
disk on hand, or send it back and replace it. Those were the 
two choices. Now you've switched; is that correct?
    Ms. Thomas. The new policy that's been adopted or in place 
by the CIO is that we will not send any disks back to the 
    Mr. McHenry. Mr. Brachfeld, thank you for your testimony. 
You've always been very direct, as all Inspectors General are 
supposed to be, and we certainly appreciate your work.
    Has your office commented previously about this policy of 
sending these drives out to contractors and getting them back?
    Mr. Brachfeld. It simply never should have happened. Let me 
read you a sentence, sir, or two. This is when one of the 
contractors'--the most recent case is Dell. This is what Dell 
said. ``Dell assumes no responsibility for the destruction of 
data returned on such drives. Dell strongly encourages you to 
remove all confidential, proprietary, or personal information 
from any storage device before it is returned to Dell.'' We 
didn't do that.
    I brought with me a properly scrubbed, sanitized--this is a 
drive right here. This drive for the purpose of this hearing, 
this drive has veterans' information for millions of veterans. 
It's mobile. I'm carrying it. It is a mobile device. It's game, 
set, match.
    If you go to NIST standards or if your go to OMB 
requirements or if you go to NARA's own internal policy and 
procedures, once you have PII data stored on a mobile device, 
it must be encrypted. It must be encrypted, simple fact.
    Furthermore, should you ship that or lose custody or give 
up custody and control, it must be scrubbed, wiped, degaussed. 
In neither case that we're talking about today was that done. 
This data went out.
    Now it's true. There is a language, boilerplate language, 
that NARA found about 3 or 4 weeks ago in a contract, and 
that's what they feel comfortable in telling you; that the 
vendor, once they received this drive, was supposed to maintain 
the confidentiality of the data.
    But let's go with the first case, the CMRS drive. It didn't 
just go to one vendor; it went to two, then three, then four. 
It followed a food chain. First it went back to the company we 
had a contract with. They sent it to another company to analyze 
the data on the drive and see if the drive sectors failed. Then 
it went to another company. And, finally, the fourth stop was a 
scrap company for the metal scrap.
    Now, that's pretty far down the food chain to lose control. 
We don't know who had access to that within that company. We 
don't know if it was stored physically in a safe location. We 
don't know if somebody was embedded in one of these companies 
who might see this as an opportunity to find Social Security 
numbers or mine whatever data came their way for profit, 
national security, etc. We don't know.
    So what the National Archives did was violated their own 
policy, which is derived from NIST standards and OMB 
regulations, and lost control of millions of veterans' files 
and records, and now, in the most recent case, thousands of 
Federal employees. Those are the simple facts.
    Mr. McHenry. Thank you, Mr. Brachfeld. Now, there was 
originally veterans' data on that. What process did you go 
through--is that currently encrypted or did you delete 
information from that file?
    Mr. Brachfeld. This--this drive did not--I'm very careful, 
I am careful about what I do. This drive, I have the proper 
certifications, before I would leave the building with this, 
that it was wiped. And I have the technology that was used to 
wipe the drive. I have it certified that it has no information 
on it at this point. It is clear and again----
    Mr. McHenry. Mr. Brill, could your company retrieve data 
off of that ``wiped'' hard drive?
    Mr. Brill. Sir, if the drive is wiped properly and 
completely, the answer is generally you cannot. Here is the 
problem. Either there's a big difference between ``I believe I 
wiped the drive'' and ``I wiped the drive.'' We find, for 
example, that organizations sometimes discover that a 
disgruntled employee may have run a wiping program to get rid 
of data that would incriminate them. But not all wiping 
programs are created equally effectively. And some of them work 
very, very well and some of them work not well at all. That's 
why it's important not just to say ``wipe the drive'' but as I 
think the Inspector General has suggested, that it be wiped in 
a forensically acceptable way and possibly tested afterwards to 
make sure that when we say there's no data that, in fact, there 
is no data.
    Mr. McHenry. Thank you for your testimony. I certainly 
appreciate it. And I don't think this is necessarily about 
contractors is Mr. Brachfeld's point; it is about secure chain 
of possession of sensitive information.
    And, Mr. Chairman, I think this is a larger cultural issue 
with archives in terms of employee satisfaction and following 
basic procedures. And I certainly appreciate your leadership in 
making sure that we have good oversight of this to make sure we 
correct this.
    Mr. Clay. Thank you, Mr. McHenry, for your line of 
questioning. Mr. Cuellar is recognized for 5 minutes.
    Mr. Cuellar. Thank you very much, Mr. Chairman.
    Ms. Thomas, let me ask you, looking at the big picture, 
looking at this in hindsight, what do you think the weaknesses 
are in this IT security? And also as the colleague just 
mentioned, when you look at not only in your area, but in the 
food chain or the custody down the line.
    Just tell me overall, what do you think the weaknesses are?
    Ms. Thomas. I think one of the things that is happening is 
that, as Mr. Brill has sort of alluded to, technology is moving 
at such a fast pace that things--processes and procedures that 
were acceptable 6 months ago may not be acceptable today.
    I know that when I moved to Virginia 30 years ago, my 
driver's license number was my Social Security number. I think 
our Social Security numbers were used on a lot of 
documentation. You were asked to, when you wrote a check; write 
your driver's license on it. That was your Social Security 
    When all of the information--not all the information but a 
good deal of the information became electronic and much easier 
to manipulate and use in nefarious ways and all the data was in 
a more concentrated small device, like Paul has mentioned, it's 
becoming more and more of a challenge to deal with that and to 
protect that information.
    So our procedures, our policies, have to catch up to the 
reality of today and continuously change as technology changes.
    Mr. Cuellar. You said that we got to get our policies to 
try--looking at the word ``try''--to catch up, are you caught 
    Ms. Thomas. I think we are at the moment, but as Mr. Brill 
has said, technology tomorrow, I don't know.
    Mr. Cuellar. But you should have something in place that 
lets you keep up----
    Ms. Thomas. And that is certainly what the administration 
is doing, that's what OMB is doing, NIST is doing, and we are 
following those procedures.
    Mr. Cuellar. Let's talk about the internal audit that you 
conducted on your IT security. When was that performed and by 
    Ms. Thomas. We had a contractor, SAIC, come in and review 
all of our IT security.
    Mr. Cuellar. When was that?
    Ms. Thomas. It was this past year.
    Mr. Cuellar. What was the conclusion?
    Ms. Thomas. Well, they came up with a series of 
recommendations, I think I said 29 recommendations--at least 
29--all of which we are working to implement. Most of them have 
been by now, and we're working on all of them.
    Mr. Cuellar. Out of 29, how many have been implemented?
    Ms. Thomas. I would have to provide that for the record. I 
don't know how many.
    [The information referred to follows:]

    Mr. Cuellar. You don't know right now how many have been 
    Ms. Thomas. I do not know. I know it's more than 50 
percent, probably more like three-quarters.
    Mr. Cuellar. You can see how that can be a problem. If you 
do an internal audit to see what your weaknesses are and we 
haven't implemented, how long would it take you to implement 
100 percent of the recommendations, of 29 recommendations?
    Ms. Thomas. I know that the CIO is working on implementing 
all of the recommendations, and I am going to say that within 
the next 6 months. And I may have to correct that after I talk 
to the CIO. I'm sorry.
    Mr. Cuellar. So if we are going to try to keep up with the 
changes that you mentioned, have your policy keep up, we have 
to wait another 6 months to implement those?
    Ms. Thomas. These are identified weaknesses which we are 
trying to correct in all instances. Some are more serious than 
others. Those are the ones that we have tackled first.
    Mr. Cuellar. Well, let me ask you, Mr. Brachfeld, was this 
in fact an audit, and who performed it?
    Mr. Brachfeld. It technically cannot be considered an 
audit. It was performed by SAIC under what is called a Program 
Review for Information Service Management Assistance. It's 
called PRISMA. So it's not technically allowed to be called an 
audit. It was not an audit. It does not--in fact; SAIC in their 
PRISMA report, specifically states that it's not an audit.
    Mr. Cuellar. What would you classify that?
    Mr. Brachfeld. It's a review that was done for management, 
in addition to the audit work that we do. Where we have 
determined that IT Security is a material weakness, management 
opted to get a second opinion, so to speak, and contracted for 
SAIC to do that work. They came out with a finding of 29; I 
believe it was, weaknesses that they identified.
    Mr. Cuellar. Now you have reviewed those, that matter. Do 
you know how many of the 29 recommendations NARA has 
    Mr. Brachfeld. My IT auditors, whom I have a tremendous 
amount of faith in and who have been right throughout in terms 
of their analysis, determined that 27 of the 29 have not been 
adopted to date. We believe that only two have been closed out 
and completed to our satisfaction.
    Mr. Cuellar. Mr. Chairman, can I just follow on up on that? 
Twenty-seven out of the 29 have not been implemented?
    Mr. Brachfeld. That was reported on September, I believe, 
9th or 20th. It was reported just this past month to 
management. We put together a matrix defining why we believe 27 
to 29 had not been corrected. We requested a meeting in 
September to discuss this. And it is now November 5th, and our 
request for a meeting has not been addressed.
    Mr. Cuellar. And the question, Mr. Chairman, was--I believe 
Ms. Thomas' testimony was that more than half or three-quarters 
of it had been implemented, and Mr. Brachfeld is saying that, 
according to his folks, that only two have been implemented and 
the meeting has not been set up, and I find that a little 
    Mr. Clay. Sounds like there is some discrepancy. Thank you.
    Now, Ms. Thomas, you assured the subcommittee in July that 
in regard to the theft or loss of the Clinton administration 
hard drive, you would act with swift and appropriate 
disciplinary action. Have you made your determinations as to 
the causes of the theft or loss, and what specific actions have 
you taken?
    Ms. Thomas. The determination of what, how the hard drive 
went missing, was stolen, is an investigatory responsibility of 
the Inspector General. So we are waiting for the investigation 
to be complete. We have, however, determined that there were 
certainly internal control weaknesses that allowed whatever 
happened to happen, and we have made substantial changes in the 
way the controls of the equipment--who can have access to it--
and we are ready to take disciplinary action against those 
people who were not following existing policy. But we are 
waiting for the end of the investigation.
    Mr. Clay. You could take action now in your agency?
    Ms. Thomas. We have been requested not to by the Inspector 
General. Yes, but we could take action now, were it not for 
that standing request.
    Mr. Clay. Mr. Brachfeld, is it complete?
    Mr. Brachfeld. The investigation--your question is, is your 
investigation complete? No. We are actively investigating it. 
We have new information which I cannot discuss publicly at this 
open hearing, but we do have progress in our investigation. And 
as the nature of the investigation is extremely sensitive, the 
acting Archivist is correct. We respectfully requested that 
they hold off, because we don't want to do anything at this 
point that could damage our investigation.
    So in that case, that is correct. We have respectfully 
requested that disciplinary action be held back pending the 
furtherance of our investigation or in support of our 
    Mr. Clay. Thank you for that response.
    Mr. Powner, can you estimate the cost of integrating 
increments one and two down the line? I mean, you stated that 
it was a project at $550 million?
    Mr. Powner. Right, $550 million life cycle cost. We have 
spent about half of that to date. We do not have clear 
integration costs going forward.
    Here is the problem, not only with the integration costs 
going forward, but when you look at the outyear increments, 3, 
4 and 5, how are we going to allocate the remaining money? 
There is a serious question with the remaining money to be 
spent, including those integration costs, whether we are going 
to get a full operational capability by 2012.
    If you look at the track record to date, I think the answer 
is likely no. And so what we want to see is real clear plans 
for the next three increments and exactly what's going to be 
delivered so we can measure to that.
    This is similar in cost, Mr. Chairman--we were here a year 
ago talking about FTCA. That was a $500 million contract at one 
time, a system at one time that doubled quickly. We want to 
avoid a situation like that.
    Mr. Clay. Has there been a--I guess we will call it a 
cavalier attitude with taxpayers' money in this instance?
    Mr. Powner. I wouldn't say that. But I would say that the 
management discipline that we would like to see from the 
government is clearly not where we want it to be. And I will 
give you an example where we look at these contractor reports 
and we see contractor reports where they're spending money, 
receiving funds, but not getting the work done. There's a 
program management technique that is OMB-endorsed, called 
earned value management. We look at those reports and scrub 
    And what we need here is we need the program office to pay 
close attention to those reports so that we are overseeing the 
contractor and the government is in charge, not the contractor.
    Mr. Clay. Would you supply this committee with a summary 
report of the spending to this date and what problems you see 
are on the horizon as far as the spending is concerned with 
this program?
    Mr. Powner. Yes, we can do that, Mr. Chairman.
    Mr. Clay. Thank you so much. And I notice that you may have 
wanted to get in on the discussion earlier on whether there are 
industry standards that NARA could use that would have helped 
this situation. Did you have a comment?
    Mr. Powner. Well, the one comment on the multiple 
classifications, GAO has done a lot of work on sensitive but 
unclassified data. This is dated; but 2 to 3 years ago, there 
were over 70 classifications of sensitive but unclassified 
data. And I think the quick answer to the Congressman's 
question is consolidating those many classifications is a clear 
work in progress and it's incomplete.
    Mr. Clay. Thank you for that response.
    Mr. Brill, any comment on industry standards?
    Mr. Brill. I think if there is anything to be said about 
industry standards, there's recognition that the more complex 
you make any program, the more likely you are to have problems. 
If you can keep things simple, if you can classify things in a 
limited number of buckets, and you have some clear rules about 
what to do in each case, then it is much more likely that 
you're going to have a very high degree of success in that 
    We see all the time--you know, my work is kind of divided 
in two, sir. In some cases, we are brought in, in advance, to 
try and avoid problems. But in a lot of cases, we're the 
firemen. We're the guys who get the call when something 
terrible happens, and I think it would be fair to tell you that 
when that happens, we can end up, in most cases, classifying 
the incident into one of two major buckets. One is ``It 
happened.'' The other is, ``It happened, but it shouldn't have 
happened.'' It was an avoidable problem that, if rules had been 
followed--if, for example, something as simple as a patch from 
a vendor had been applied to a computer, wouldn't have 
happened. If a firewall was properly configured, wouldn't have 
    If we can manage those, if we can avoid the avoidable 
incidents by simplification, by good management, by good 
followup, by good audits, that is key.
    There will always be incidents. Human beings will always 
make mistakes. Machines are not infallible. So, rather than 
sometimes throwing up our hands and saying things happen, let's 
classify it simply. Let's stop the things that we can 
reasonably prevent through what I consider a commercially 
reasonable set of controls, have plans in place for what we are 
going to do if something happens in spite of our best efforts, 
and recognize, as everybody has said here, that the environment 
    The first computer that I used at the Pentagon back in 1968 
had 2,000 positions of memory, 2K. The systems in my office now 
are measured not in kilobytes but in petabytes. And one 
petabyte is 1 million gigabytes. The vast amounts of data mean 
that we have to treat it in a systematic fashion. Those who 
figure out how to do that, how to build the security into the 
network, build it into the systems, tend to have fewer 
mistakes. And the mistakes that occur don't fall into that 
tragic category of ``We could have prevented this.''
    Mr. Clay. Thank you so much. The gentlewoman from 
California is recognized for 5 minutes, Ms. Watson.
    Ms. Watson. Thank you so much, Mr. Chairman. And I came in 
late and probably a lot of this has been already discussed.
    But what would each one of you recommend after the 
investigation into the breaches, into the delays and so on, 
what would you recommend as we move forward? Because this 
valuable information that is stored in the Archives, if there 
are breaches or if the machinery in some way collapses, what 
kind of backup systems do we need to have? What do we need to 
build into our base equipment so, as you said, Mr. Brill, these 
things should not have happened? Can any of you look forward 
and tell us what you would like to see?
    Mr. Brachfeld. I guess I'll tackle it. It's my nature; what 
can I do.
    There are two different issues here in terms of the 
breaches and the events that transpired. I think that if you 
look at NARA today, we have policies and procedures that are 
defined because they have been derived from NIST and OMB. So we 
have that piece of the equation.
    The question, as we move forward now, is ensuring through 
training and oversight that there's compliance with those 
requirements and, as appropriate, punishment. Because those 
regulations which are on our books, which are in our 
requirements, say that if people violate the security 
provisions, appropriate administrative and potentially criminal 
action and criminal charges----
    Ms. Watson. Who should do the oversight?
    Mr. Brachfeld. I'm not a program official. I do audits 
investigations. The agency is in charge with oversight of 
programs, ensuring that their programs are implemented and 
successful. So the agency needs to do that piece of the puzzle. 
I'm there to provide whatever guidance and support I can in 
that regard. And should somebody or an entity fail to live up 
to their requirements, I'm there to do investigations. And if 
it turns criminal, I'm there to do the criminal 
investigations--and my staff.
    Ms. Watson. Who determines there should be an 
investigation? Whose responsibility would that be?
    Mr. Brachfeld. That's my decision. If I'm alerted to--it 
happens all the time. We get hotline calls. We get people 
coming to us. We get formal referrals. Once my office becomes 
aware of an event or events, we make a decision. My Assistant 
Inspector General for audits and Assistant Inspector General 
for investigations, we work the issue. We make determinations.
    If we believe it's a potential for criminal, we work 
through the Department of Justice, as we are required by law to 
do. If we believe it's administrative, we take a different 
track. Or if we believe that nothing inappropriate happened and 
it's not my responsibility in that regard, we may just do a 
referral. But it weighs on my shoulders and we address that.
    Ms. Watson. Mr. Brill, you were mentioning that we should 
have standards. What should we do in order to avoid these kinds 
of, well, breaches? I don't know what you would do. But what 
would you suggest?
    Mr. Brill. It's as good a word as any, I suspect. You know, 
it's an interesting thing. I have been sitting here thinking 
about something and it's this. Back in about 1975, I was an 
Army Reserve officer. I served Active and Reserve for 38 years. 
And I was assigned to the Office of the Secretary of Defense as 
a mobilization designee. And we started looking, even back 
then, at information security.
    And I remember a meeting that I had with the then-Deputy 
Assistant Secretary of Defense for Audits, and I had just 
successfully compromised a data center that I had been 
requested to test out.
    And what I said to him was this. How can you, how can you 
go before Congress and have to say that the standards that 
you're using maybe would not be acceptable in a major 
corporation? I work with corporations primarily, not 
governments. But what I found is there is an evolution. The 
standards that have come out, the internal controls, as the 
Inspector General has said, following things like Sarbanes-
Oxley, following the changes in governance, in the corporate 
world, have changed things.
    The changes that occurred in 2006 when the Federal Rules of 
Civil Procedure were modified as a result of the work of the 
Sedona Conference to recognize the importance of digital 
records in the civil litigation process--there's been a sea 
change. People are realizing that the key to this is good 
management. It's no different than it was 100 years ago.
    When we had paper records, we could preserve them, but that 
didn't mean they were going to be readable unless we preserved 
them properly and we protected them properly.
    Digital records are no different. The techniques vary, but 
the principles are the same. And isn't it always the same, 
ma'am, that responsibility has to be taken, somebody has to be 
the person that you can to talk to about it, and that there are 
standards, whether we use the ISO standards, whether we use the 
good work that's been done at NIST, whether we use the 
standards of other organizations?
    I don't really care what standards there are, but if we 
have a standard and we all agree to it, then an agency knows 
what to do. You know what you can ask them. The auditors know 
that it's a fair game, that you're testing on the basis of 
    So I think what I'm seeing is that, just as corporations 
have recognized that the way that they handled automated 
records in the past is no longer acceptable, if you did what 
you did a few years ago you're likely to find a judge holding 
that you've committed spoliation, and that there could be 
penalties for that.
    Just as I said to the guy at the Defense Department years 
ago, I think that if we are lucky as citizens, there's a two-
way street between the private sector and the public sector in 
terms of exchanging knowledge, research that's done, best 
practices. And to the extent that can be done, I think there's 
great value to be had.
    Let's see what some of the best-run companies are doing. 
Let's see why the standards are changing. Let's see what's 
being done. I think the real key in getting that information is 
perhaps the simplest thing that anyone can do. And I can 
express it in one word: Ask.
    Ms. Watson. Thank you, Mr. Chairman. I yield back.
    Mr. Clay. Thank you, Ms. Watson.
    Just as a final question, Ms. Thomas, at a hearing last 
month, we heard about your advisory committee on the electronic 
records archives. NARA believes that the advisory committee has 
been valuable in providing outside expert advice in the 
development of ERA. Its members represent expertise in an 
extremely wide range of areas. However, as far as we can tell, 
the committee does not include one expert or even anyone with 
direct experience in the area of information technology 
    Why isn't this important field represented on your advisory 
    Ms. Thomas. I don't know whether there is any specific 
person whose profession is information security. I think all of 
the members who have responsibility for systems certainly have 
responsibility for information security, security over those 
systems and therefore come to the committee with a wealth of 
experience in how they deal with their own systems.
    Mr. Clay. Well, do they bring a knowledge of information 
security like, for instance, your fellow panelist, Mr. Brill?
    Ms. Thomas. I think Mr. Brill is unique.
    Mr. Clay. I do too. But there has to be, just to have 
    Mr. McHenry. I think that is a compliment, Mr. Brill.
    Ms. Thomas. It is. It is.
    Mr. Clay. To have someone else represent that aspect of 
information technology would be probably helpful to the 
advisory committee.
    Ms. Thomas. I think you're probably right, Mr. Chairman, 
and we can certainly look at the membership and if we are 
deficient in that, having that kind of person--maybe Mr. Brill 
would even like to join ECERA.
    Mr. Clay. We will let you and Mr. Brill discuss that. If 
there are no other questions, the hearing is adjourned. Thank 
    [Whereupon, at 4 p.m., the subcommittee was adjourned.]