[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
  FEDERAL INFORMATION SECURITY: CURRENT CHALLENGES AND FUTURE POLICY 
                             CONSIDERATIONS

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________


                             MARCH 24, 2010

                               __________

                           Serial No. 111-145

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform




[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                              __________


                        U.S. GOVERNMENT PRINTING OFFICE
65-549 PDF                    WASHINGTON : 2011
____________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  











              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts       JOHN J. DUNCAN, Jr., Tennessee
WM. LACY CLAY, Missouri              MICHAEL R. TURNER, Ohio
DIANE E. WATSON, California          LYNN A. WESTMORELAND, Georgia
STEPHEN F. LYNCH, Massachusetts      PATRICK T. McHENRY, North Carolina
JIM COOPER, Tennessee                BRIAN P. BILBRAY, California
GERALD E. CONNOLLY, Virginia         JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois               JEFF FLAKE, Arizona
MARCY KAPTUR, Ohio                   JEFF FORTENBERRY, Nebraska
ELEANOR HOLMES NORTON, District of   JASON CHAFFETZ, Utah
    Columbia                         AARON SCHOCK, Illinois
PATRICK J. KENNEDY, Rhode Island     BLAINE LUETKEMEYER, Missouri
DANNY K. DAVIS, Illinois             ANH ``JOSEPH'' CAO, Louisiana
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
JUDY CHU, California

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                 DIANE E. WATSON, California, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                AARON SCHOCK, Illinois
GERALD E. CONNOLLY, Virginia         JOHN J. DUNCAN, Jr., Tennessee
HENRY CUELLAR, Texas                 JEFF FLAKE, Arizona
JACKIE SPEIER, California            BLAINE LUETKEMEYER, Missouri
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
MIKE QUIGLEY, Illinois
                      Bert Hammond, Staff Director
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 24, 2010...................................     1
Statement of:
    Bond, Philip, president, TechAmerica; John Gilligan, 
      president, the Gilligan Group, Inc.; Alan Paller, director 
      of research, Sans Institute; and Christopher Fountain, 
      president and CEO, Secureinfo Corp.........................    72
        Bond, Philip.............................................    72
        Fountain, Christopher....................................    97
        Gilligan, John...........................................    82
        Paller, Alan.............................................    91
    Kundra, Vivek, Chief Information Officer, Office of 
      Management and Budget; Gary ``Gus'' Guissanie, Acting 
      Deputy Assistant Secretary of Defense for Cyber, Identity, 
      and Information Assurance, U.S. Department of Defense; John 
      Streufert, Deputy Chief Information Officer for Information 
      Security, Bureau of Information Resources Management, U.S. 
      Department of State; and Gregory Wilshusen, Director, 
      Information Security Issues, Government Accountability 
      Office.....................................................     7
        Guissanie, Gary ``Gus''..................................    16
        Kundra, Vivek............................................     7
        Streufert, John..........................................    29
        Wilshusen, Gregory.......................................    40
Letters, statements, etc., submitted for the record by:
    Bond, Philip, president, TechAmerica, prepared statement of..    74
    Connolly, Hon. Gerald E., a Representative in Congress from 
      the State of Virginia, prepared statement of...............     5
    Fountain, Christopher, president and CEO, Secureinfo Corp., 
      prepared statement of......................................   100
    Gilligan, John, president, the Gilligan Group, Inc., prepared 
      statement of...............................................    85
    Guissanie, Gary ``Gus'', Acting Deputy Assistant Secretary of 
      Defense for Cyber, Identity, and Information Assurance, 
      U.S. Department of Defense, prepared statement of..........    18
    Kundra, Vivek, Chief Information Officer, Office of 
      Management and Budget, prepared statement of...............    10
    Paller, Alan, director of research, Sans Institute, prepared 
      statement of...............................................    92
    Streufert, John, Deputy Chief Information Officer for 
      Information Security, Bureau of Information Resources 
      Management, U.S. Department of State, prepared statement of    31
    Wilshusen, Gregory, Director, Information Security Issues, 
      Government Accountability Office, prepared statement of....    42


  FEDERAL INFORMATION SECURITY: CURRENT CHALLENGES AND FUTURE POLICY 
                             CONSIDERATIONS

                              ----------                              


                       WEDNESDAY, MARCH 24, 2010

                  House of Representatives,
            Subcommittee on Government Management, 
                     Organization, and Procurement,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Diane E. Watson 
(chairwoman of the subcommittee) presiding.
    Present: Representatives Watson, Connolly, Bilbray, Duncan, 
and Luetkemeyer.
    Staff present: Bert Hammond, staff director; Valerie Van 
Buren, clerk; Adam Bordes and Deborah Mack, professional staff 
members; Charles Phillips, minority chief counsel for policy; 
and John Ohly, minority professional staff member.
    Ms. Watson. The Committee on Oversight and Government 
Reform will now come to order.
    Today's hearing will review the Federal Information 
Security Act [FISMA] of 2002, and agency efforts to improve the 
security, integrity, and reliability of the Federal 
Government's information systems.
    In addition, today's hearing will address legislation 
introduced by me last week to amend FISMA, H.R. 4900, the 
Federal Information Security Amendments Act of 2010.
    I welcome all of our distinguished panelists and look 
forward to your testimony, and apologize for being late; we 
were in a very important meeting.
    So, without objection, the Chair and ranking minority 
member will have 5 minutes to make opening statements, followed 
by opening statements not to exceed 3 minutes by any other 
Member who seeks recognition.
    Without objection, Members and witnesses may have 5 
legislative days to submit a written statement or extraneous 
materials for the record.
    Now, I would like to wish everyone here a good afternoon 
and welcome to the Government Management Subcommittee's 
oversight hearing on the state of Federal Information Security 
and agency efforts to comply with the Federal Information 
Security Management Act, and we will also discuss proposed 
legislation I recently introduced to amend FISMA, the Federal 
Information Security Amendments Act of 2010. I look to our 
witnesses and your testimony, and we appreciate your presence 
here today.
    Since enactment of FISMA legislation in 2002, this 
subcommittee has held annual oversight hearings on agency 
efforts to meet the standards and policies prescribed under the 
current FISMA framework. While some agencies have shown great 
success in harnessing both technology and human capital to 
reduce their overall cyber risk profiles, many others simply 
comply with the basic annual reviews and periodic assessments 
required under FISMA that reveal only a fraction of the threats 
and the vulnerabilities facing them.
    It is clear that the notion of being in compliance with 
current law does not equal having adequate security across an 
agency's IT infrastructure. Furthermore, the vast majority of 
Federal agencies still have not met the basic cybersecurity 
requirements outlined in the FISMA legislation. According to 
statistics from GAO's testimony and OMB's annual FISMA report 
to Congress, 23 out of 24 agencies have been identified as 
having weaknesses in their agency-wide information security 
programs.
    Although these figures do not speak to the depths of 
problems that agencies have, it tells us that many still view 
security as a measure of efficiency or productivity, and not as 
a pillar of necessity or national security. It also indicates 
that OMB has not used its enforcement authority and budget 
power to force agencies to make effective information security 
a fundamental requirement in their daily operations and 
strategic plans.
    While some may view these problems as insurmountable, I 
believe there are managerial blueprints at some agencies that 
have proved effective in reducing their exposure to cyber 
threats. For example, the State Department has utilized a 
number of mechanisms, including stronger baseline internal 
controls, newly developed performance metrics, and advanced 
system monitoring capabilities for reducing their risk exposure 
by nearly 90 percent.
    These outcomes are by no means perfect. But they underscore 
the ability of agencies to both prioritize the mitigation of 
their largest cyber vulnerabilities while working to meet the 
minimum security standards and policies prescribed for all of 
their IT assets.
    So, as we move forward with policy goals for reforming 
FISMA, we must try not to look for a silver bullet as a 
solution for information security deficiencies, but to develop 
a harmonized policy framework that addresses our current 
managerial, planning, technological, and leadership 
shortcomings across the Government.
    It is in response to these challenges and deficiencies that 
I have introduced H.R. 4900, the Federal Information Security 
Amendments Act of 2010. The bill before us is a combination of 
multiple policy recommendations and legislative proposals, 
including those from President Obama's recent cyberspace policy 
review, the CSI Commission on Cybersecurity for the 44th 
Presidency and the GAO. It includes a combination of visions to 
strengthen our managerial, our technical, and our strategic 
planning objectives while flexible enough for individual 
agencies to address their unique information security profiles.
    The bill establishes a National Office for Cyberspace 
within the Executive Office of the President. The Director of 
the National Office for Cyberspace, appointed by the President 
and subjected to Senate conformation, will be charged with 
overseeing the cybersecurity posture of the Federal Government. 
The Office's mission will be to develop and manage through an 
interagency board consisting of OMB, civilian, military, and 
other agencies that will oversee the crafting of policies and 
guidance that are responsive to combating the changing nature 
of cyber threats Government-wide.
    I firmly believe the establishment of the National Office 
for Cyberspace will provide both the Presidential leadership 
and policy focus capabilities that are needed for addressing 
our cyber deficiencies Government-wide. The legislation also 
moves agencies away from the current paper-intensive process 
used to monitor agencies' compliance with FISMA policies and 
procedures and, instead, will require agencies to utilize 
automated technologies and outcome-based performance measures 
for determining their true cyber risk profile.
    By utilizing new monitoring and measuring capabilities, 
agencies will have much more complete data at their disposal 
for mitigating their most significant vulnerabilities and 
combating future cyber threats.
    Last, the bill requires OMB and agencies to inter-cooperate 
information security into their procurement decisions through 
secure acquisition requirements for commercial products and 
services, and vulnerability assessments for major information 
technology investments. I believe those provisions offer us the 
best way forward to ensure that information security is built 
into our agency systems in a technology-neutral manner from the 
beginning of the procurement life cycle.
    In closing, I believe reducing our exposure to current and 
future cyber threats will require both managerial discipline 
and policy flexibility. While the legislation I offer is not 
perfect, I believe it provides us a way forward to reducing our 
cyber risks across the Government, while instilling policy 
leadership on cybersecurity at the highest levels of our 
Government.
    Once again, I welcome our panelists today and I look 
forward to their testimony and their feedback.
    At this point, I would like now to yield to our 
distinguished ranking minority member, Mr. Bilbray of 
California.
    Mr. Bilbray. Thank you, Madam Chair. Madam Chair, your 
opening statement was so well drafted and so comprehensive and 
so well delivered that I just ask for unanimous consent that my 
written statement be entered into the record.
    Ms. Watson. Without objection.
    Mr. Bilbray. And just quickly pointing out that this is 
quite an appropriate step that we move forward here. We are 
seeing that the cyber world is becoming not only a tool, but an 
essential foundation for the Federal Government's ability to 
perform our constitutional responsibilities. Everything from, 
now, employment verification to we are looking at the taxation 
system, the IRS's ability to use it has just been a huge boom. 
The security at our ports of entry to our military 
applications, to our health care service capability. All of 
these are going to expand extensively, and should, to be able 
to make sure the Federal Government is as effective and 
efficient and as cost-effective as possible.
    Along with that great opportunity comes a huge threat, and 
I think that we will find that what you are doing here today, 
if we do this right and follow through with this appropriately, 
will not only be defending those components that we see today, 
but be actually creating a vehicle that will protect the future 
expansion, which will probably be tenfold of what we see today.
    So, again, I appreciate the introduction of the bill. We 
will work at trying to improve it. Nothing is perfect, but we 
will darn well do our best to make sure that we create this 
defense shield as strong as possible. And I yield back, Madam 
Chair.
    Ms. Watson. Thank you.
    I now yield to Mr. Connolly.
    Mr. Connolly. Thank you, Madam Chairman. I would ask my 
full statement be entered into the record.
    Ms. Watson. Without objection.
    Mr. Connolly. I thank the Chair.
    If I could add one point, one of the concerns I have, among 
many, is that we get the architecture, the managerial 
architecture of cybersecurity and information technology in 
general in the Federal Government right. The President, by 
Executive order, has created a position of Chief Technology 
Office, which I applaud. I believe we have to, however, create 
a statutory framework for that position and the cybersecurity 
position as well. So making sure we understand, moving forward, 
in a statutory framework, beyond just an administrative 
framework, what those pieces are and what those 
responsibilities are, and how the org chart works I think is 
very important, given the resources we are going to be putting 
into these efforts.
    So one of the things I certainly want to do--and I have 
introduced legislation, H.R. 1910--I have yet to hear from the 
administration on that bill, but I want to certainly 
incorporate elements of that into whatever we do by way of 
reauthorization of FISMA, and I intend to do just that.
    Thank you, Madam Chairman.
    [The prepared statement of Hon. Gerald E. Connolly 
follows:]
[GRAPHIC] [TIFF OMITTED] T5549.001

    Ms. Watson. Thank you.
    We now yield to Mr. Duncan for an opening statement.
    Mr. Duncan. Well, thank you very much, Madam Chairwoman. 
Certainly, this is a very important topic. The statistics are 
almost mind-boggling. In spite of all the money that is being 
spent on this and all the efforts that are being made, the 
number of security incidents keeps going up.
    Our committee memorandum tells us that there were roughly 
90,000 breaches in 2008, and that figure went to the figure 
that we have in our folder, 108,710, in 2009. It reminded me 
that several years ago, as I was coming back from lunch in 
Knoxville 1 day, I heard on the CBS radio national news in my 
car that the top secret files at the Pentagon had been broken 
into. It was something approximately 250,000 times that year, 
or 200,000 times. And that figure was matched a few months ago 
in this committee when we had the head of a company that said, 
just to show that they could do it, they downloaded 250,000 
individual tax returns.
    So, because of all these things, I have begun to wonder if 
there really is such a thing as cybersecurity, or is it just 
something for companies to make money off of. I would be very 
interested in the testimony. Unfortunately, because of 
previously scheduled appointments, I was only going to be able 
to be here from 2 until 2:45, and my 2:45 appointment is 
already here. So I apologize to the witnesses.
    But I can assure you that I will read your testimony and 
your responses to what I have just said with great interest, 
because I am becoming more and more skeptical. It seems to me 
that something needs to be done, but are we pouring money down 
a rat hole? You know, it seems to me that we started out 
controlling the computers, and now they control us. And I know 
that all the young people worship their computers, but, this 
security business, I think people need to realize that anything 
that they put into a computer is just not secure at all, at 
least at this point.
    Thank you.
    Ms. Watson. Thank you.
    Now that we have no further opening statements, it is the 
policy of the Committee on Oversight and Government Reform to 
swear in all witnesses before they testify, and I would like to 
ask all of you to stand and raise your right hands.
    [Witnesses sworn.]
    Ms. Watson. Let the record reflect that the witnesses 
answered in the affirmative.
    I will now introduce our panelists.
    Mr. Vivek Kundra is the Chief Information Officer at the 
Office of Management and Budget. Mr. Kundra was appointed as 
the first Federal CIO of the United States by President Obama 
in March 2009. In this capacity, he directs the policy and 
strategic planning of Federal information technology 
investments and is responsible for oversight of Federal 
technology spending. Prior to joining the Obama administration, 
Mr. Kundra served in Mayor Fenty's cabinet as the Chief 
Technological Officer for the District of Columbia and Governor 
Kaine's cabinet as Assistant Secretary of Commerce and 
Technology for the Commonwealth of Virginia.
    Mr. Gary ``Gus'' Guissanie is the Acting Deputy Assistant 
Secretary of Defense for Identity and Information Assurance at 
the Department of Defense. There, he is charged with 
implementing DOD programs that require planning, monitoring, 
coordinating, and integration of information assurance across 
its component agencies.
    Mr. Streufert is the Deputy Chief Information Office for 
Information Security at the Department of State. He is 
responsible for providing oversight and guidance for 
information assurance activities, including security policy 
development, risk management, systems authorization, training 
and awareness, compliance reporting, and performance measures. 
Prior to his tenure at State, he served in various IT 
management roles at USAID, USDA, and the U.S. Navy.
    Mr. Gregory Wilshusen serves as the Director of Information 
Security Issues at GAO. His work involves examining Federal 
information security practices and trends at Federal agencies, 
and he is the GAO's leading expert on FISMA implementation.
    I would like to ask all of you, and I ask that each of the 
witnesses now give a brief summary of their testimony, and we 
would like to have you keep this summary under 5 minutes in 
duration if you can, because your complete written statement 
will be included in the hearing record. And I would like to 
please start with Mr. Kundra.

 STATEMENTS OF VIVEK KUNDRA, CHIEF INFORMATION OFFICER, OFFICE 
OF MANAGEMENT AND BUDGET; GARY ``GUS'' GUISSANIE, ACTING DEPUTY 
    ASSISTANT SECRETARY OF DEFENSE FOR CYBER, IDENTITY, AND 
    INFORMATION ASSURANCE, U.S. DEPARTMENT OF DEFENSE; JOHN 
  STREUFERT, DEPUTY CHIEF INFORMATION OFFICER FOR INFORMATION 
  SECURITY, BUREAU OF INFORMATION RESOURCES MANAGEMENT, U.S. 
     DEPARTMENT OF STATE; AND GREGORY WILSHUSEN, DIRECTOR, 
 INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

                   STATEMENT OF VIVEK KUNDRA

    Mr. Kundra. Great. Good afternoon, Madam Chairwoman and 
members of the subcommittee. Thank you for the opportunity to 
testify on the state of Federal information security and the 
current challenges we face.
    Cybersecurity is a Presidential priority and across the 
administration we are working on this issue. I work closely 
with the President's Cybersecurity Coordinator, Howard Schmidt, 
and the Federal Chief Technology Officer, Aneesh Chopra.
    Eight years ago, when FISMA was enacted, the mobile 
computing revolution and the Internet were not as pervasive as 
they are today. Agencies are leveraging technologies and 
business models today that were not present at the time, from 
cloud computing to mobile platforms. These new models increase 
efficiency, but also leave agencies struggling with questions 
on how they apply FISMA's requirements in an environment where 
boundaries no longer determine security points. Agencies have 
made significant progress in complying with FISMA requirements; 
yet, the Federal Government is still far from secure.
    The annual FISMA measures have led agencies to focus on a 
culture of compliance. However, we cannot get to security 
through compliance alone. Significant issues have hindered the 
Federal Government's effectiveness in cybersecurity, including 
a lack of coordination, a culture focused on compliance, a 
failure to take an enterprise approach, and a fragmented 
research and development agenda.
    To coordinate the many cybersecurity activities across the 
Government, the President appointed Howard Schmidt. Mr. Schmidt 
serves as a key member of the President's national security 
staff while working in tandem with the private sector on 
cybersecurity. Additionally, the Department of Homeland 
Security, in coordination with the White House and various 
stakeholders from Government and industry, is developing a 
National Cyber Incident Response Plan. This plan will focus on 
outlining key roles and responsibilities across the Nation, 
linking all levels of Government and the private sector.
    In 2009, we began shifting agencies to a culture that would 
focus more on performance and less on compliance. Last October, 
OMB launched CyberScope, a platform which collects performance 
metrics enabling meaningful analysis of the agency's security 
posture. Since metrics are policy statements that influence how 
agencies deploy resources, OMB established a task force to 
develop performance-based security metrics.
    This work resulted in a three-tiered approach that will be 
implemented through CyberScope. Data feeds, security posture 
questions, and making sure that we are specifically focusing on 
the risks at specific agencies, from Health and Human Services 
to the Department of Defense to the State Department, which 
have very different missions and risk profiles. This approach 
will provide essential information about agency security 
postures, activities, and threats.
    We should also drive agencies toward continuous monitoring 
of security-related information across their organizations. It 
is necessary to take an enterprise approach to cybersecurity. 
That is why we are leveraging governmentwide vehicles to enable 
agencies to purchase security tools efficiently. To energize 
the Nation's research and development efforts, the 
administration is encouraging innovation in game-changing 
technologies to shift the advantage from the attacker to the 
defender. These activities include efforts such as National 
Cyber Leap Year and the National Research and Development 
Summit we just did, the creation of a group designed to look at 
the financial services sector and create a test bed where we 
could model scenarios that we need to defend against and also 
the establishment of an industry, academia, and government 
working group to explore cybersecurity insurance as a market 
force to improve security across the board.
    Security is a journey, not a destination. We are moving 
forward. For example, the Government has won praise for their 
work done to contained Conficker. A representative of the 
Conficker Working Group, an independent group of private sector 
companies focused on defeating the Conficker worm said, ``For 
the first time the government is taking the lead in a technical 
security issue, rather than lagging.''
    This is where we want to be. Unfortunately, the State 
Department spent $133 million over the last 6 years on 
paperwork compliance. But under the leadership of John they 
have made significant changes to how they approach this 
problem. But what we really need to do is not file paperwork in 
metal cabinets. Instead, we should shift to constantly testing 
for weaknesses. That is why the President's 2011 budget 
provides funding for red teams and blue teams to conduct 
penetration testing on Federal systems.
    A secure trusted computing environment in the Federal 
Government is the responsibility of everyone involved; agency 
heads, the Federal work force, and contractors who support us. 
This will not be easy, nor will it take place overnight. 
Together with the Cybersecurity Coordinator, Howard Schmidt, 
and the Chief Technology Officer, Aneesh Chopra, we will 
continue to address challenges that face our Nation in 
cyberspace.
    Thank you for the opportunity to testify. I look forward to 
your questions.
    [The prepared statement of Mr. Kundra follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you, Mr. Kundra.
    Now, Mr. Guissanie, you may proceed.

              STATEMENT OF GARY ``GUS'' GUISSANIE

    Mr. Guissanie. Good afternoon, Chairwoman Watson, 
Congressman Bilbray, and members of the Government Management, 
Organization, and Procurement Subcommittee. My name is Gus 
Guissanie, and I represent the Office of the Assistant 
Secretary of Defense for Networks and Information Integration 
and the Department of Defense Chief Information Officer. I want 
to thank you for the opportunity to appear before the 
subcommittee to discuss issues related to governmentwide 
information security, the Department's efforts to comply with 
FISMA mandates, and initiatives to enhance the Nation's 
cybersecurity.
    Cybersecurity is and has been a critical priority for the 
Department of Defense. Our information systems, which are 
globally distributed and connected to coalition and interagency 
partners, are essential to our DOD missions; therefore, we must 
have a robust, assured enterprise network.
    In concert with the administration's Government-wide 
information security objectives, we support a focus on 
continuous monitoring and the use of real-world penetration 
testing to ensure a robust security posture. However, the DOD 
policy of conducting stringent security testing prior to an 
authorization to operate remains a critical element of 
information assurance.
    The Department has found FISMA in its current form to have 
significant strengths in improving cybersecurity, and would 
point out that any deficiencies in implementations are not, in 
and of themselves, sufficient justification for major change or 
reform.
    One construct that the Department believes is valuable in 
the current statute and should be retained is the 
organizational relationship between the Agency Chief 
Information Officer [CISO], and the Agency CIO. A CISO cannot 
effective function if separated organizationally from the CIO 
and the operational activity being protected.
    I would now like to highlight some DOD initiatives taken to 
secure our systems within the framework of current FISMA 
legislation.
    The Department has been working to develop information 
assurance metrics at the strategic and operational levels both 
within the Department and the broader Federal community. As we 
seek metrics which provide our leadership decisionmaking 
insight, we are working toward the capability to accomplish 
risk scoring in prioritized vulnerability remediation based on 
actual threat activity to enable a more active and flexible 
defense.
    The Department is also implement a series of initiatives 
aligned to our DOD information assurance strategy with several 
accelerated in fiscal year 2009 by the Comprehensive National 
Cybersecurity Initiative. For example, we are deploying a host-
based security solution for continuous monitoring and 
protection against threats. We are hardening our unclassified 
network by improving censoring, filtering, and access control 
at our Internet access points or gateways, thus limiting 
exposure of critical information. By changing our access 
control technologies and methodologies to ensure that only our 
public-facing servers are accessible from the Internet, we have 
reduced this attack surface by 96 percent.
    We have expanded cooperation with hour defense industrial 
base to protect unclassified defense-related research, 
development, and procurement information, and we are also 
working with the Department of Homeland Security to develop a 
multi-pronged approach for managing supply chain risks arising 
from the globalization of the information and communications 
technology marketplace.
    A skilled cyber work force is the most critical component 
of our defense against cyber adversaries. Therefore, the 
Department is continuing to raise the bar through our Workforce 
Improvement Program, extend our IA range capability, and ensure 
quality training is available to our work force. Additionally, 
the 106 National Centers of Academic Excellence in IA Education 
are producing graduates with the right skills to become a 
world-class cyber work force.
    I would like to conclude by emphasizing that we continue to 
work toward a resilient and dependable enterprise network for 
the Department and the Nation. We are accomplishing this 
through collaboration with other Federal agencies to resolve 
security issues impacting Government-wide shared services and 
infrastructure. The DOD CIO is managing a diverse portfolio to 
enable worldwide operations supporting over 2\1/2\ million 
users that is aggressively working to get ahead of the daunting 
global security challenge.
    I am happy to take your questions.
    [The prepared statement of Mr. Guissanie follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you.
    Now, Mr. Streufert, you may proceed.

                  STATEMENT OF JOHN STREUFERT

    Mr. Streufert. Good afternoon, Chairwoman Watson, Ranking 
Member Bilbray, and distinguished members of the subcommittee. 
I am pleased to have this opportunity to testify before the 
subcommittee regarding the Department of State's capabilities 
for securing its global information and technology 
infrastructure. The Department serves as the diplomatic front 
line in over 270 overseas posts by serving its 70,000 users 
with the worldwide network and mission-essential software 
applications.
    The foreign policy mission makes an inviting target for 
attack by highly skilled cyber adversaries. However, the 
Department's layered approach to risk management allows 
multiple levels of protection. This protection is accomplished 
by implementing a matrix of technical, operational, and 
management security controls designed to thwart network 
threats, detect, and mitigate vulnerabilities, and strengthen 
business operations.
    In my role as the Chief Information Security Officer, I 
have become familiar with the benefits, shortcomings, and 
promising opportunities to buildupon the current Federal 
Information Security Management Act of 2002. Our goal is to 
ensure system security for diplomacy while continuously 
improving the return on investment for each dollar spent on 
cybersecurity.
    The passage of the FISMA Act in 2002 served as a game-
changing event for the Federal agency community. FISMA applies 
to all information used by or on behalf of the Federal 
department or agency. In this respect, the establishment of a 
holistic information security program and the responsibility of 
accounting to oversight entities, including Congress, served as 
a valuable check in determining the health of an agency's 
information security program.
    The Federal cybersecurity landscape has changed over the 
past 5 years. The implementation of a Federal cybersecurity 
program has typically been implemented in past years through 
manual processes and compliance checks which have competed with 
the need to implement Web 2.0 technologies in a secure manner, 
just to name one among many. Meanwhile, our cyber problems have 
dramatically escalated in severity and frequency. Since 2008, 
the number of security-related trouble tickets opened in our 
organization has more than doubled, while malicious code 
attacks has increased by 47 percent.
    In October 2009, OMB launched CyberScope, a secure data 
collection platform for reporting and formed an interagency 
task force charged with developing metrics for information 
security. Important to our efforts, the National Institute of 
Standards introduced Special Publication 800-37 and an update 
to increase the emphasis on continuous monitoring. Of special 
note, the Department of State began supplementing FISMA 
compliance reports and studies with a risk scoring program 
scanning every computer and server connected to its network not 
less than every 36 hours on eight factors and twice a month for 
safe configurations of software.
    The Risk Scoring Program utilizes best practices such as 
the Consensus Audit Guidelines, which we have mapped against 
the way the Department is being attacked. The Department 
utilizes the Common Vulnerability Scoring System from NIST 
where scanning tools tag specific risks with point values 
between 0 and 10, with 10 being the highest vulnerability. When 
the problem is resolved, risk points are deducted. To this 
point, the State Department Risk Scoring Program has 
implemented a subset of the Consensus Audit Guideline controls 
that are adaptable to automated verification.
    In the first year of site scoring ending July 2009, overall 
risk on the Department's key unclassified network measured by 
the Risk Scoring Program was reduced by nearly 90 percent in 
overseas sites and 89 percent in domestic sites. Scores have 
been relatively stable since then. Notwithstanding this 
reduction to date, the Department has decided to make it three 
times more difficult to achieve the same letter grades as part 
of an ongoing commitment to continuous improvement of this kind 
in the future.
    These methods, however limited, have allowed one critical 
piece of the Department's information security program to move 
from snapshot in time previously available under FISMA to a 
program that scans for weaknesses on servers and personal 
computers continuously, identifies weak configurations each 15 
days, issues letter grades monthly to senior managers tracking 
the progress for their organization in closing against known 
vulnerabilities the last 30 days. It is the Department's 
objective to expand automated verification to as many Consensus 
Audit Guideline control categories as possible, to all 
infrastructure and applications as soon as possible, limited 
only by available resources.
    In short, the details of this program empower 
administrators of our systems with targeted daily attention to 
conduct remediation and the summaries empower executives to 
oversee the most serious problems.
    The balance of my statement references additional layers of 
control, including a 24/7 network watch program, close 
coordination with incident management at US-CERT; 
implementation of EINSTEIN 2 for situational awareness; 
important emphasis on Cyber Threat Analysis which we share with 
other members of the foreign affairs community; a Global 
Security Scanning program, a Cybersecurity Incident Program to 
assure that our employees do not commit acts of cyber misuse or 
abuse; an awareness training program that we conduct not only 
for ourselves, but for other members of the Federal Government 
under the information security line of business.
    I want to conclude by emphasizing the Department's policy, 
technology, business processes, and partnerships in place 
continue to evolve and meet the ongoing challenges of security 
threats in the cyber environment.
    I would like to thank the subcommittee members for this 
opportunity to speak before you today, and I would be pleased 
to respond to any of your questions.
    [The prepared statement of Mr. Streufert follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. One of the things I wanted to followup with you 
before we got to questions, I understand that you are 
considering a kind of Ambassador post within the Department to 
oversee this. You might want to just speak on it for half a 
minute before we go on.
    Mr. Streufert. Yes, ma'am. My immediate responsibilities 
have to do with the internal networks of the Department of 
State, but I would be happy to forward any questions that you 
would have about that legislation to those in our organization 
that deal with foreign policy aspects of the cybersecurity.
    Ms. Watson. Why don't you just give us a summary of what 
you have already been considering? That would be information 
for us.
    Mr. Streufert. I am sorry, I don't have that information 
available.
    Ms. Watson. No, you can send it to us.
    Mr. Streufert. Just send it to you?
    Ms. Watson. Yes.
    Mr. Streufert. OK, very good. I would be happy to, ma'am.
    Ms. Watson. Thank you so much.
    Mr. Wilshusen, we are going to take your testimony and then 
we are going to recess for about 25 minutes to a half hour. We 
have four to five votes on the floor. Thank you.

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Chairwoman Watson, Ranking Member Bilbray, 
and members of the subcommittee, thank you for the opportunity 
today to participate in today's hearing on Federal information 
security.
    As we have previously testified, cyber-based threats to 
Federal systems and critical infrastructure are evolving and 
growing. Pervasive and sustained cyber attacks continue to pose 
a potentially devastating threat to the systems and operations 
of the Federal Government.
    Over the past few years, agencies have experienced an 
increasing number and a wide range of incidents involving data 
loss or theft, computer intrusions, and privacy breaches, 
underscoring the need for improved security practices and 
controls. While much progress has been made in identifying and 
implementing these controls, much work remains.
    Madam Chair, today I will discuss Federal agencies' efforts 
to secure their information systems and opportunities to 
enhance Federal cybersecurity.
    For fiscal year 2009, agencies have reported mixed progress 
in securing their systems and implementing key security 
activities. For example, although agencies collectively 
reported providing security awareness training and specialized 
security training to an increasing percentage of their 
personnel, they also reported testing the security controls and 
contingency plans for a decreasing percentage of their systems.
    In addition, Federal systems continue to be afflicted by 
persistent control weaknesses. Most of the 24 major agencies in 
our review had weaknesses in security safeguards that are 
intended to control logical and physical access to IT 
resources, manage the secure configurations of those resources, 
and ensure the prompt recovery of service and the continuity of 
operations should unexpected incidents occur. To illustrate, 21 
of 24 major agencies noted inadequate controls over their 
financial systems were either of significant deficiency or 
material weakness.
    An underlying cause for these weaknesses is that agencies 
have not yet fully or effectively implemented key elements of 
their information security programs as required by FISMA. As a 
result, they remain vulnerable to the unauthorized disclosure 
and modification of sensitive information and the disruption of 
mission-critical operations.
    Fortunately, opportunities exist to enhance Federal 
cybersecurity. Agencies can implement the hundreds of 
recommendations that GAO and agency IGs have made to resolve 
specific control deficiencies and program shortfalls. Agencies 
can also expand use of automated tools to perform security 
functions and increase their efficiency in securing and 
monitoring networks. These actions will help agencies to better 
manage the configuration of security features and to prevent, 
limit, and detect unauthorized access to networks and systems.
    In addition, as we have previously recommended, OMB and the 
workgroup it has convened should develop a balanced set of 
performance measures that focus on risk and produce better 
information to gage the status and effectiveness of security 
efforts. The effective implementation of several Government-
wide initiatives can also lead to improved cybersecurity. For 
example, addressing several challenges we have identified 
associated with implementing the Comprehensive National 
Cybersecurity Initiative, which is a collection of 12 projects 
intended to bolster security on Federal networks, will enhance 
its chances of success.
    Another opportunity is implementing the trusted internet 
connections EINSTEIN and Federal Desktop Core Configuration 
Initiatives. These initiatives are intended to consolidate and 
secure external access points, including those to the Internet; 
provide network intrusion detection capability; and establish 
secure configurations for Windows-based workstations. We have 
ongoing work that addresses the status and implementation of 
these initiatives.
    Finally, opportunities exist to strengthen Federal guidance 
and the national strategy for cybersecurity. In panel 
discussions that we hosted, cybersecurity experts identified 12 
key improvements that are essential in their view to improving 
the strategy in our national cybersecurity posture. Consistent 
with our prior work, implementing these improvements can 
bolster security of our Nation's most critical Federal and 
private sector cyber infrastructure.
    In summary, Federal agencies continue to tread water in 
securing their systems and countering the growing and evolving 
cyber threat. Nevertheless, opportunities exist to improve 
cybersecurity, but they required a concerted response to ensure 
that Federal systems are sufficiently safeguarded.
    Madam Chair, this concludes my statement. I would be happy 
to answer any questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you so very much, panel. We will recess 
now until about 3:45, and we will see you back here for 
questions and then panel two. Thank you so very much.
    [Recess.]
    Ms. Watson. We shall resume the committee.
    I was listening very intently to Mr. Kundra's report, and 
you mentioned Mr. Howard Schmidt, the new White House Cyber 
Coordinator, while you were testifying. Could you describe for 
us what his role and responsibilities are in securing our 
Federal information infrastructure? As you know, my legislation 
calls for the codification of a National Office of Cyberspace 
and Grants, and its extensive authority for implementing and 
enforcing information and security responsibilities. So we 
would like to know more about Mr. Schmidt's role. Thank you.
    Mr. Kundra. Sure. Howard Schmidt, as the coordinator of 
cybersecurity within the White House, works both at the 
National Security Council and the National Economic Council, 
recognizing that their vital interests in terms of being able 
to protect the Nation, at the same time making sure we are 
balancing that with economic decisions across the board.
    Also, when you think about from a national security 
perspective, the Comprehensive National Cyber Initiative, both 
of us work very, very closely together to make sure that, as we 
look at equities, whether it is the Department of Defense, 
Homeland Security, the private sector, that we are coordinating 
our efforts and are moving forward in a direction that makes us 
more secure, rather than spending a tremendous amount of energy 
on the friction that results historically from a lack of 
coordination and who owns cybersecurity in one area versus the 
other.
    Ms. Watson. One proposal in my bill requires OMB to 
incorporate secure product and service acquisition requirements 
into agency contracting practices, as well as to require IT 
investments to have vulnerability assessments completed before 
programs can move forward. So can you tell us how these 
proposals are complementary to some programs already in place 
at GSA and what you might consider to be technical barriers 
that we might be able to remove?
    Mr. Kundra. Part of what we need to be able to do across 
the Federal Government is not bolt on security afterwards. A 
lot of times what ends up happening is systems end up going 
live or they evolve. Some of the systems may be 30 years old 
and everybody is trying to bolt on security, and the challenges 
as addressed by the panel, with a huge focus on generating a 
lot of reporting.
    And if we looked at the FISMA report, one of the key 
findings here is investments we are making when it comes to the 
human capital side, making sure that employees who are focused 
on cybersecurity across the public sector are not necessarily 
experts in writing reports, but are actually people who are 
trained and understand how to not just configure and manage 
routers and switches and servers and desktops and firewalls, 
but can make sure that as we deploy these systems we build an 
architecture that doesn't say, you know what, we are going to 
move forward and certify this system, and come back 3 years 
from today and hope that it is as secure, test it. What we are 
trying to shift everyone to is this notion of a continuous 
monitoring.
    But what we are also doing is we are making sure that 
across the board, in terms of procurements, that we are 
creating schedules where you have enterprise procurements, 
whether it is moving toward a networks contract or whether it 
is blanket purchase agreements for software, whether it is any 
virus or firewalls or data loss prevention technologies, so 
that it is easier to procure these technologies and, from an 
OMB perspective, for us to be able to look at where we are 
actually spending money. And, frankly, security investments are 
best when they are actually baked into the systems that we are 
looking at and not where they are treated at discreet 
investments cross the board.
    Ms. Watson. Can you describe what actually is working? I 
think we know that there are firewalls in some agencies that 
are lax, but what is actually working today?
    Mr. Kundra. What is working right now is--let's look at 
Homeland Security Presidential Directive around HSPD-12, which 
is smart cards, the issuance of these smart cards across the 
board. What we have been able to do in this year alone, we have 
seen a 60-plus percent rise in the issuance of these smart 
cards because we focused on it. We have had these 
accountability sessions that we call text ed sessions----
    Ms. Watson. Now, the smart card you are talking about, who 
has that card? How is it distributed? Where is it and where is 
it given?
    Mr. Kundra. The way these smart cards work, they are 
actually designed to be able to be given to Federal employees 
and contractors who work on Government systems. And part of 
what we are trying to do now is that the issuance of these 
cards has moved forward. In the Department of Defense, for 
example, these cards are used to actually log into some of the 
systems. And what we are trying to do is make sure that across 
the Federal Government--here is one of these smart cards----
    Ms. Watson. Wait a minute. Do you have a fingerprint on 
that and a mug shot?
    Mr. Kundra. As well as a photograph, there is a chip, there 
are a couple of bar codes and there is some imagery.
    Ms. Watson. I mean, can someone really hack in and change 
that and steal your identify through those?
    Mr. Kundra. And that is why these smart cards are very, 
very important, because one of the challenges we also face is 
making sure that the very people who are accessing our systems, 
we know who they are, we know when they are logging into the 
systems, we know what information they are getting access to. 
So this initiative is successful. Now what we need to do is 
sort of the second part of this, which is hard work on making 
sure that every single agency across the Federal Government is 
not just issuing these cards, but actually making sure that the 
systems are configured to be able to use these cards.
    DOD has done a good job in this area. A number of other 
agencies have moved forward in making sure they are integrating 
them. But the vision here is to also make sure that we are 
using these smart cards for physical access, which is getting 
in and out of buildings, and logical access, which is getting 
in and out of systems across the Federal Government.
    Ms. Watson. And using these cards and the information that 
we have, what bothers me is that we still have a barrier in 
communicating. You know, I am still wrapped up in what happened 
on Christmas Day and why our Secretary did not know that there 
was someone getting on a plane in another country, entering our 
airspace and being a tremendous threat. Thank God they caught 
him, but what happens there? Why isn't that information 
communicated?
    Mr. Kundra. Part of what is also happening within 
information sharing environment is making sure that across the 
board, across Federal systems that they are configured not just 
to share information from a technical perspective, but also 
from a management perspective, recognizing that this is not 
necessarily a technical problem; recognizing what are the 
important things that we need to focus on, what is the 
information that is vital, and how do we simply so we recognize 
as we see these threats.
    What is really interesting from a security perspective, as 
John testified, from the State Department's perspective, how 
they are able to look at certain--create certain grades across 
the different embassies and figure out where are they secure 
versus where are they not secure so they can focus their 
attention, their energy, and finite resources on the highest 
priority problems. The only way we are going to be able to 
attack cybersecurity is by focusing--sort of the 80/20 rule, 
focusing on 80 percent of the problems that we recognize are 
confronting us today as we think long-term about how do we get 
to 100 percent.
    The challenge we have is that our adversaries are 
constantly evolving. The threat is a real-time threat and we 
are constantly seeing the threat vectors change over time. That 
is why, when we think about our research and development 
agenda, it is vital, as we look at our R&D agenda, to make sure 
that we are making investments that are going to yield 
dividends down the line to shift the advantage so that the 
defender has a greater opportunity rather than the attacker, 
because the attacker has to get it right once.
    Ms. Watson. I am going to yield now to the ranking member, 
Mr. Bilbray.
    Mr. Bilbray. Thank you, Madam Chair.
    Mr. Kundra, while I have you before us, there is something 
that just sort of came up, and that is this issue of 
information sharing, whatever. I am sure you read the 9/11 
Commission report about the firewalls that created the 
opportunity for people to actually move within the United 
States, and though information was available with one 
department, the other department didn't have any access in it; 
and that was actually probably more statutory than it was a 
problem of the incapability of systems.
    You are aware of the 9/11?
    Mr. Kundra. Yes, sir.
    Mr. Bilbray. OK. Because one of the things that really 
ought to be a lesson for us on this, as we bring this up, Madam 
Chair, is a member of the 9/11 terrorists--not the 9/11 
terrorists, but the D.C. sniper, where you had a fingerprint 
that was detected at a murder site in Alabama. Except for one 
little incident we never would have been able to catch this 
individual because even though we had all of his fingerprints, 
but the fact that one department was not allowed to have access 
into another department, we had those firewalls, and it is 
something the 9/11 really said we needed to point to. And I 
just tell you that. Luckily, the 9/11 terrorists had committed 
a misdemeanor which allowed his immigration fingerprints and 
biometrics to be brought over to the FBI, so then when the 
Alabama officer asked to check the fingerprints, we were able 
to have access.
    The question is this: How many crimes and stuff are going 
on right now because not just Homeland Security isn't sharing 
it, but a lot of other agencies may have information and data 
that can't be shared now? I just ask you to take a look at 
that. 9/11 has said it. We haven't done enough about that. But 
information sharing and tearing down those firewalls are 
something we haven't done enough of, and I ask you to look at 
that.
    The other question is again--and we brought it up, and 
maybe it is overplayed and whatever, and that is the securing 
of not only through different systems, but the biometrics are 
one thing we can talk about.
    One of the things that we had a hearing today about is 
legislation about telecommuting and this issue of computers 
being able to be accessed through the internet. Can you talk to 
me about the challenges you see there, like what happened to 
Snowmageddon here, when we started having people working at 
home during that period but using the Internet to access? We 
basically have to say there are certain people that just cannot 
be allowed to work over the Internet in this issue. Comments? 
Let me just open it up.
    Mr. Kundra. Sure. A part of what we want to be able to do 
in the broader context of deploying technology is make sure 
that, on the one hand, we are leveraging innovation; whether 
that is mobile technology in terms of cell phones and PDAs that 
allow you to have access to real-time information or 
telecommuting, for that matter. And as we think about the 
Federal Government and where we are headed, whether the 
investments we are making in cloud computing or the shift 
toward where we want to be able to attract the best and 
brightest people across the country, is recognizing that there 
are inherent risks, but at the same time addressing and 
confronting those risks.
    So if we look at telecommuting, for example, GSA had 
significant number of employees who were telecommuting. The 
Patent and Trademark Office, on a regular basis, has a 
significant number of employees telecommuting. So does the GAO, 
which is one of the leaders of the Government in terms of 
telecommuting.
    But what we need to be able to do is make sure, like with 
the smart card, being able to authenticate people across those 
systems; and these artificial boundaries that we had before in 
the Federal Government, where we believed you could build a 
citadel and walls around a system, in the new computing 
paradigm, unfortunately, security is going to have to be baked 
in at the data element layer, protecting every piece of data. 
And part of what CIOS and Chief Information Security Officers 
across the Federal Government are dealing with is figuring out 
how do we, on the one hand, leverage these technologies and, on 
the other hand, make sure that we are providing the appropriate 
security controls.
    And I am sure Gus and John can comment on this too, given 
that they have missions that are not necessarily just within 
the United States, but all over the world, and addressing 
security in the global context.
    Mr. Bilbray. Comments, gentlemen?
    Mr. Guissanie. Yes, sir. That is a very interesting 
example. The issue with telecommuting back into an 
organization's information system is if you are using, for 
instance, a DOD laptop and you take that home and you use your 
broadband connection to come back into DOD, we can do that 
securely; we can establish a secure link using your broadband 
connection. We trust the computer you have because we gave it 
to you, and that makes to fairly safe for you to essentially 
work from home. The trouble we have is people don't always have 
the resources to provide the laptop. In many places in DOD the 
laptop has become the desktop, so it is pretty easy to use; 
other places they haven't.
    The problem with using the home computer, which lots of 
folks advocate--why can't they just telecommute from their home 
computer--is the home computer probably isn't very secure. 
Somebody has been out on the internet doing things and visiting 
various sites and they have picked up viruses and malware, and 
now they turn around and try to get into the Department's 
information system and I have a problem.
    So we have been looking at virtualization technology in the 
Department for a way to kind of get around that problem, and 
that essentially means establishing a little virtual 
environment that is safe and secure on a platform like your 
home computer that is isolated from the bad kind of malware 
that might be on that computer.
    So in preparation for the pandemic that we all anticipated 
we might encounter this year, the Department looked at how to 
do that on a widespread basis. So we came up with a CD-ROM that 
we called a boot disc, and it contained a mini operating system 
and it would work on both an Apple computer and a Microsoft-
based computer, and you could take it home and it would load up 
onto the RAM and create its own little virtual environment, and 
it could only go to one place. It would understand what network 
it was supposed to connect to. It would allow me to securely 
authenticate with my smart card into the network and then you 
could essentially run it just off remote desktop, just like it 
was on your office computer. When you were finished, nothing 
was left, no residue was left on the home computer, so there is 
nothing sensitive there for anybody to find, and because you 
created that virtual environment, there wasn't any way that 
somebody who was sitting on that computer that shouldn't be 
could get into the Department.
    So we didn't have a pandemic, but those discs were used, I 
understand, quite extensively during Snowmageddon, and we had 
quite a success in people being able to telecommute because 
they had the disc sitting there.
    Mr. Bilbray. I am glad to hear that. What I worry about 
when we talk about the smart card, I look at the Pentagon and 
worry that we are using the same pass card, access card that we 
did in 9/11, with no biometric confirmation. Are we looking at 
the smart card utilizing biometric confirmation so not just 
somebody with the card, but somebody with the right biometrics? 
In other words, when you steal the card, you better steal the 
index finger too, right?
    Mr. Guissanie. Yes, sir. Currently, the smart cards we have 
are two-factor authentication: the smart card itself, which has 
some things in it, and then there is a PIN that you have to 
know to make that work. The three-factor authentication would 
be something you are, for instance, a thumb print. So we have 
been looking at that. Currently, the cost and the technology is 
a little bit prohibitive to make that work when I have to issue 
4 million cards out, but we are approaching that. So that way 
it is the PIN, your thumb print makes it active, they know it 
is you, and then the technology, the cryptography on the card 
allows that to establish a secure connection.
    Mr. Bilbray. Do you realize since 1978 the California 
driver's license has had the ability to use biometric 
confirmation?
    Mr. Guissanie. No, sir, I was not aware of that.
    Mr. Bilbray. That is why every time we go in to get our 
license renewed, they get one more fingerprint on us.
    Thank you very much, Madam Chair.
    Ms. Watson. Yes. I would like to go to Mr. Streufert now 
and ask about your risk scoring program. Can you summarize for 
us the key technical administrative and physical controls or 
elements of this program that have enabled State to have such a 
significant reduction in its cyber risk profile? I am very 
concerned about the decentralization nature of our embassies, 
our bureaus, and our consulates. How is State able to manage 
the implementation of the FISMA security requirements? So if 
you could kind of expand on that.
    Mr. Streufert. Yes, Madam Chairwoman. We use the scanners 
that we have had available for a number of years to turn out 
the three-ring binder reports for the Federal Information 
Security Management Act and we decided that the frequency of 
doing those reports every 3 years was just not enough for us, 
along the lines of my testimony that our number of malicious 
code attacks has increased by 47 percent. So we set about a 
task of trying to increase that frequency and we found that we 
could physically go in and collect the things instead of once 
every 3 years, we could collect it every 15 days.
    And on another set of factors, eight of them, we could 
actually do not less than every 36 hours to the far reaches of 
the planet, let's say to Colonia, the capital of Micronesia, 
where you were the Ambassador. So by collecting that 
information--and I checked again this morning--we can find any 
particular problem on any of the workstations in the embassy 
that you used to watch and total up what is the average risk 
for each of those personal computer devices and the server 
which helps the operations of the embassy. And we can duplicate 
that across all 260 embassies and our some 100 locations in the 
domestic United States.
    So that information comes back to a central point and we 
are able to not only assess the risk for each location and how 
they stack up against their counterparts, but also look at 
trends. So when the recent attack that occurred, the so-called 
Google virus, we knew where that was in our organization and we 
charged 40 points the first week when that wasn't taken care 
of, and the second week we charged 80 points for it, the third 
week we did 120, the following week we did 160. You can see the 
trend.
    We are now up to 320 negative points for not getting on top 
and fixing that virus as fast as we should. And we can tell you 
across our entire organization where it has been done and not 
done, and after a point, if they don't take care of business, 
it turns like elementary school into a C, D, or F, and that 
report goes to the Ambassador, the assistant secretary, and 
that calls for a little closer inspection on the part of the 
people that do security in our Department.
    Ms. Watson. Well, are we training our consular officers up 
on all of this? Because my concern, when we put Homeland 
Security together, you know, 750,000 employees under this 
umbrella, and I felt that the consular corp should not go 
underneath it; it should stand alone in the State Department, 
because they have a very specialized set of skills. So I am 
wondering how is it working out under Homeland Security and 
that particular set of skills. I mean, are you training up your 
consular officers out in the embassies?
    Mr. Streufert. Well, we try. The functions that I am most 
familiar with are the information systems support for software 
applications that might help in the managing of passports and 
visas. Everyone in the organization, no matter what embassy 
they are, have access to these reports and what their progress 
is, and we ran statistical reports on whether it was a large 
embassy or a small one like Colonia, and we found that really 
the most important factor was to get the critical security 
information in the hands of the people that could make a 
difference.
    So for those that work directly for the Department of 
State, we are able to find out what the situation is, and we 
have not in fact had serious training problems. In fact, what 
we found is that this system uses the time more efficiently of 
our security professionals. So whereas we used to have about 60 
people who wrote certification and accreditation reports, by 
the time we implemented this system, we estimate that there are 
4,135 people with significant security responsibilities that 
are protecting our infrastructure.
    Now, I have to say that at the moment we are concentrating 
on servers and personal computers. There are many aspects of 
the Consensus Audit Guidelines that we have not yet reached, 
like our routers and firewalls and some of those other items. 
So the State Department has a beginning on this, but I won't 
say that there aren't quite a few things that we yet need to 
work on.
    Ms. Watson. I am really pleased that we are having this 
hearing today, and I want Mr. Bilbray to really know that we 
are trying to improve on our cyber management, and I am pleased 
to hear what the State Department is doing, because I do know 
that out there in these remote embassies you don't necessarily 
get updated on what is available to you, and the training is 
not always available to these people. And I thought, oh, my 
goodness, putting them under Homeland Security will just 
complicate. So I am glad you are aware and that you are 
actually doing something about it.
    Let me go very quickly to Mr. Greg Wilshusen. Your 
testimony states that for fiscal year 2009, 36 percent of all 
cyber incidents reported to US-CERT at DHS are still under 
investigation. Can you summarize what the largest categories of 
incidents reported were and what the statistics tell us about 
future or emerging threats?
    Mr. Wilshusen. Yes, I would be glad to. Based upon our 
analysis of the information that agencies are required to 
report to the US-CERT, this year, for fiscal year 2009, the 
number of incidents increased tremendously, from about 16,800 
in fiscal year 2008 to just about 30,000 for fiscal year 2009. 
Of those, four key categories of these incidents include 
unauthorized access in which an individual was able to gain 
unauthorized access to an information or to a system; improper 
usage, that is when the acceptable use policies of that system 
or network was inappropriately used; and malicious code, and 
that is a key one, too.
    That was comprised of about 23 percent of all of the 
incidents and events reported to US-CERT, and that is when a 
Trojan or malicious software was actually installed on a 
computer. And then the biggest area had to do with those 
incidents that are still under investigation, and those are 
ones in which it is suspected that an incident or an event has 
occurred, but the extent of it or the character of that 
incident had not yet been fully determined. So agencies were 
required to go ahead and report that and they are still under 
investigation by those agencies.
    Ms. Watson. OK, I would like now to ask our ranking member 
if he has a question.
    Mr. Bilbray. Yes. I just want to make sure that I don't 
pass the representative from the State Department. You know, we 
talk about a lot of things, but I think one of the great 
successes is the VISIT system. Huge data acquired. I mean, it 
is astonishing how much data has gone through there. If 
publicly you can talk about it, have we had any problems with 
unauthorized access into that system as being a major problem, 
or have we had a major problem with people being able to access 
that information when you needed it?
    Mr. Streufert. Well, of course, the information that we 
draw upon to protect the borders comes from a combination of 
systems, including those that originate from the consular 
officers and our embassies and consulates and domestic 
locations, and that information is----
    Mr. Bilbray. Let me interrupt you and just tell you, as 
somebody who crosses the border probably more than most would 
prefer and coming in port of entries, the system from the 
immigrant's point of view is absolutely fantastic.
    In fact, I really think, Madam Chair, we ought to be 
talking about allowing Americans to voluntarily go into that 
system of using the biometrics, whatever, because you have 
American citizens lining up, waiting to be interviewed, but you 
have a great system where foreign nationals, because they are 
pre-cleared, the biometrics are there, they whip right through.
    So I just have to tell you, from observation, it really 
seems to be very much appreciated by the foreign nationals.
    Mr. Streufert. Thank you, sir. Of course, we endeavor to 
make it as customer-friendly as we possibly can balanced 
against the security needs of protecting the border. The US-
VISIT system is one that is actually hosted and managed by one 
of the elements of the Department of Homeland Security. But to 
your specific point, there are data exchanges between the 
Department of Homeland Security and the State Department, and 
one of the things that we try to do is to make sure that all of 
the systems that maintain our part of that potential handoff to 
Homeland Security are as well protected as possible.
    Mr. Bilbray. Because if you don't do it right, when they 
fly into the airport, that system is going to have a problem.
    Mr. Streufert. Exactly.
    Mr. Bilbray. Thank you very much.
    I yield back, Madam Chair.
    Ms. Watson. Thank you.
    I will yield to Mr. Luetkemeyer, if he might have 
questions.
    Mr. Luetkemeyer. Thank you, Madam Chair. I don't have any 
questions at this time.
    Ms. Watson. This is still our first panel.
    Mr. Luetkemeyer. That is very good. Thank you.
    Ms. Watson. Thank you.
    All right, I want to thank all of the panelists. Thank you 
for indulging us and waiting around and your patience. We 
appreciate it. So we will not dismiss this panel and we will 
call up panel No. 2. Thank you so very much for your testimony.
    Panel No. 2. If you will stand, please. It is the policy of 
the Committee on Oversight and Government Reform to swear in 
all witnesses before they testify, and I would like to ask all 
of you to stand and raise your right hands.
    [Witnesses sworn.]
    Ms. Watson. Let the record reflect that the witnesses 
answered in the affirmative.
    Now I will take a moment to introduce our distinguished 
panelists. I would first like to start with Mr. Philip Bond, 
who is the president of TechAmerica. Mr. Bond is also president 
of the World Information Technology Services Alliance [WITSA], 
a network of industry associations representing 70 high-tech 
trade groups around the world. Previously, Mr. Bond served as 
Under Secretary of the U.S. Department of Commerce for 
Technology, and from 2002 to 2003 served concurrently as Chief 
of Staff to the Commerce Secretary, Donald Evans.
    Mr. Gilligan is the president of the Gilligan Group and 
has, for over 25 years, been in managerial services in leading 
large information technological organizations. Prior to joining 
the private sector, Mr. Gilligan served as the Chief 
Information Officer of both the U.S. Air Force and the 
Department of Energy. He also serves as a member of several 
boards and advisory groups, including Software Engineering 
Institute and the Commission on Cybersecurity for the 44th 
Presidency.
    Mr. Alan Paller is the director of research at the SANS 
Institute, where he is responsible for overseeing all research 
programs. His work at SANS includes overseeing the Internet 
Storm Center and an industry-early warning system, the 
publication NewsBites, and participation in other collaborative 
efforts to identify and mitigate new and emerging cyber 
threats.
    Mr. Christopher Fountain is the president and CEO of 
SecureInfo Corp., which provides information assurance 
solutions to both civilian and military customers across the 
Government. He has a successful track record of leading and 
growing companies, with over 22 years of experience in the 
information technology industry field.
    I welcome all of you and I ask that each one of our 
witnesses now give a brief summary of their testimony and 
please try and keep your summary under 5 minutes in duration, 
if you can, because your complete written statement will be 
included in the hearing record. So, Mr. Bond, would you please 
proceed? And thank you for being here.

    STATEMENTS OF PHILIP BOND, PRESIDENT, TECHAMERICA; JOHN 
  GILLIGAN, PRESIDENT, THE GILLIGAN GROUP, INC.; ALAN PALLER, 
DIRECTOR OF RESEARCH, SANS INSTITUTE; AND CHRISTOPHER FOUNTAIN, 
              PRESIDENT AND CEO, SECUREINFO CORP.

                    STATEMENT OF PHILIP BOND

    Mr. Bond. Thank you, Chairwoman Watson and Ranking Member 
Bilbray. Thank you very much. I was privileged to testify 
before you in 2007 on this subject, to say that it was time to 
focus on results rather than compliance, and thrilled to hear 
that is exactly the focus of your draft legislation. Two and a 
half years after that, with some more consultation in the 
meantime, we are very much looking forward to FISMA 2.0.
    Today, I want to offer an updated version of the 
recommendations I made 2\1/2\ years ago, because we think they 
are still pertinent. But first I want to acknowledge the new 
era that we are in, unprecedented attention at the White House, 
from Federal CIOS, and here on Capitol Hill; the White House, 
of course, with the new Cybersecurity Coordinator. TechAmerica, 
yesterday, released its 20th survey of Federal CIOS. Their No. 
1 strategic issue: cybersecurity. And here on Capitol Hill, 
more than 12 active cybersecurity bills under consideration 
right now.
    I am proud to say, on behalf of our members, the industry 
has responded with companies coming forward with new solutions, 
new technologies faster than ever before, and with their 
clients addressing the needs to manage risk and enhance 
collaboration with industry partners. Examples would be 
Lockheed Martin's new Cyber Security Technology Alliance, 
Microsoft's leadership in taking down the Waledac Botnet, and 
the private sector's quick response on the Conficker worm, 
exhibiting exactly the kind of nimbleness that they offer to 
their partners in the Federal Government.
    So we commend the Chair in taking this important step and 
focusing again on actual security, not just compliance.
    Let me mention the six reforms that we have updated and 
think are still relevant.
    One is to reform the agency information security approval 
process, that is, the way they work with private sector 
partners to make sure that it is as uniform as it can be.
    Second, to remove barriers to innovation. This is what 
Vivek Kundra referred to as the culture of compliance, which 
makes a culture which is not welcoming to new approaches, 
because if they can use a time-tested one and check the box, 
that complies, but it doesn't necessarily embrace the new 
innovative solutions.
    Third, we would say increase accountability and authority 
for the CIOS and Chief Information Security Officers, CISOs, 
and to provide a forum where they can collaborate regularly.
    Fourth, we agree with the need to enhance Federal cyber 
risk management. You heard a great example from the State 
Department. This would mean, by the way, more security 
clearances for information security professionals, more 
agencies with real-time access to some of the classified 
information, because you don't know what you don't know.
    Fifth, we need to harmonize and enhance the audit and 
oversight methods used, thinking primarily of IGs here. You 
need to make those processes as uniform as you can so that it 
is not terribly different; and then, of course, that they are 
informed on what is a very technical subject, as they are doing 
their reviews.
    Sixth, we would urge expanding Federal cyber response 
capabilities, and that would mean codifying and improving the 
standing of US-CERT and helping to pave the way for what we 
think, from the industry side, is very important: co-located, 
meaning working side-by-side, the best of the private sector 
and the best in the public sector, to address this national 
challenge.
    In closing, I would just note that FISMA is now almost 8 
years old. The reform has been in discussion for a number of 
years. And while the ideal is always a comprehensive bill 
addressing all aspects of cybersecurity, that can be a great 
legislative challenge. So we would just observe and acknowledge 
that we don't want the perfect to be the enemy of the good, and 
if we get late in the session, we would urge that FISMA reform 
not wait. And we believe, to use Mr. Bilbray's terminology, 
with a little more perfection, the tiers bill would be great 
progress. Thank you.
    [The prepared statement of Mr. Bond follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you so much, Mr. Bond.
    We will proceed to Mr. Gilligan.

                   STATEMENT OF JOHN GILLIGAN

    Mr. Gilligan. Good afternoon, Chairwoman Watson and 
Congressman Bilbray and members of the subcommittee. I would 
like to thank you for this opportunity to address the committee 
and congratulate you, Chairwoman Watson, for the Federal 
Information Security Amendments Act of 2010. I believe it is an 
important step in the Nation's efforts to provide the secure 
and reliable information technology enterprise that we need.
    Like many of you, I have a personal sense of urgency for 
making dramatic improvements in cybersecurity in the Federal 
Government. This sense of urgency is informed by the growing 
threat to our way of life, resulting from fundamental 
weaknesses in the computers and networks that have become the 
foundation of our Nation's prosperity. I have watched over the 
past decades as our cyber threat has grown steadily and the 
pace of our ability to protect against these threats has 
continued to be slowed by a lack of attention and, in many 
cases, poorly focused efforts. I believe the subcommittee's 
proposed legislation contains the key focus areas needed to 
make rapid progress against the growing threat. Before I 
describe these elements, I would like to characterize some of 
the aspects of the current cybersecurity problem as background.
    First, I would acknowledge that the Federal Information 
Security Management Act of 2002 was a positive step in 
improving Government security. The law established the 
imperative for Federal managers to put strong emphasis on 
cybersecurity and highlighted the need to use a risk-based 
approach to identify and implement minimum security controls.
    While the FISMA had many positive elements, the 
implementation of FISMA has been less than fully effective. For 
example, rather than focusing on minimum controls as required 
by the law, OMB policy guidance to Federal agencies has been to 
implement the entire catalog of controls, over 300 separate 
controls, published by the National Institutes of Standards and 
Technology. This is not possible for any Government agency of 
any size, and has resulted in a scattershot approach to 
improving security.
    Moreover, the strong desire to measure and to assign grades 
to Federal agencies has resulted in placing emphasis on 
characteristics that can be easily measured, rather than on 
controls and activities that best reflect effective security. 
As a result, in general, the required FISMA metrics were 
manually generated, had little correlation to actual security, 
and were costly to produce. In addition, the areas emphasized 
in the metrics did not encourage investments or improvements 
that would have long-lasting improvement and security, such as 
improved used of automated controls.
    Unfortunately, the implementation of FISMA has been like 
getting on a treadmill as a means to get to a destination. A 
treadmill is great if all you want is exercise, but it is not a 
good way to reach a destination. To continue the metaphor, in 
the implementation of FISMA, the Federal Government has 
certainly burned a lot of calories, but we are a long way to go 
from reaching our destination of dramatically improving 
security of our Federal systems.
    While total security is beyond our current reach for the 
foreseeable future, there are many things that we can and 
should do to dramatically reduce our vulnerability to attacks, 
especially from those attackers who are relatively 
unsophisticated. Studies have shown that the relatively 
unsophisticated attacker group constitutes the majority of 
current attacks, roughly 80 percent as assessed by the National 
Security Agency. Unfortunately, our current cybersecurity 
defense mechanisms in the Government today are configured so 
fragmented and weak that a malicious individual with virtually 
no computer skill can download a canned attack from the World 
Wide Web and can cause significant harm to cyber systems. 
Recent collaborative efforts among the Government and the 
private sector have resulted in guidance for organizations to 
help focus on the top security control areas and to make 
effective use of automation. In essence, this effort is focused 
on addressing the 80 percent problem of the cyber threat.
    Specifically, a little over a year ago, a group of security 
experts from the National Security Agency and other defense 
organizations, the Department of Homeland Security, Department 
of Justice, and the National Laboratories, along with 
colleagues in the private sector, collaborated on the 
identification of the most common attack patterns against cyber 
systems. They subsequently identified corresponding security 
controls along with automated means to implement these 
controls. Automation is the only practical way to deal with 
this complex problem.
    The consensus effort among these security experts produced 
a guideline entitled 20 Critical Controls for Effective Cyber 
Defense: Consensus Audit Guidelines, and John Streufert 
referred to them as Consensus Audit Guidelines. This document 
describes the 20 most critical cyber attacks and the controls 
that are needed to protect against these attacks. In effect, 
these so-called 20 critical controls reflect the highest 
priority security necessary to ensure a core foundation of 
security for information technology infrastructure. During the 
past 18 months, the U.S. Department of State has implemented 
the 20 Critical Controls guideline and has achieved significant 
progress in improving effectiveness of cybersecurity.
    While the 20 Critical Controls are not intended to provide 
absolute security, implementation of them has proven to 
dramatically improve the ability of complex systems to 
withstand the majority of attacks. Implementing good hygiene 
security controls such as those identified in the 20 Critical 
Controls or CAG has additional benefits beyond security. 
Specifically, these benefits include reduced help desk calls, 
improved operational availability and reduced----
    Ms. Watson. Mr. Gilligan, can you conclude and we will hear 
the other two witnesses? Because we do have your statement.
    Mr. Gilligan. OK.
    Ms. Watson. Thank you.
    Mr. Gilligan. The key point here is that through this 
focused approach you can actually improve security at reduced 
cost, reduce operational cost, which is what, in my former CIO 
parlance I call sort of a no-brainer for CIOS. The key 
impediments to achieving that no-brainer implementation are 
two: one is the need for clear policy guidance that actually 
focuses on the right areas and, second, to address the cultural 
resistance that must be overcome in order to be able to 
implement effective controls at an enterprise level.
    In closing, I would say, as I look at the proposed 
legislation, I view it addresses the right areas and will be an 
effective means of helping us improve cybersecurity. Thank you.
    [The prepared statement of Mr. Gilligan follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you so much.
    Mr. Paller.

                    STATEMENT OF ALAN PALLER

    Mr. Paller. Well, this is a good day in cybersecurity, so 
thank you for inviting us. I wanted to tell you about something 
separate from this that is going on in California this weekend 
related to cybersecurity, and then we will do the other. The 
Governator and Senator Feinstein announced in October something 
called the California Cyber Challenge, which was an attempt to 
find the very talented hackers who can be part of the defense.
    Just last week the CNO, the Chief of Naval Operations, 
announced that he was going to have five scholarships for the 
kids, full scholarships, full ride for the kids who did best in 
these competitions; and there is going to be an announcement 
this weekend that there will also be, in honor of you, the 
Watson Prize, which is for the kid who comes from Los Angeles 
County who does best on the whole statewide competition; and 
they said they would continue it as long as you were able to 
give it. So I hope you will.
    You heard a lot of testimony about what is wrong and where 
we are going. I want to be very specific because you can't fix 
this in the general case; you have to fix it in the specific 
case. The law that was written probably wasn't a bad law, but 
it had enough bad elements in it that it enabled four terrible 
institutions to be created in its name. And what I mean by 
terrible is that whatever you do in legislation, you want to 
enable the defenders to be able to act at least as quickly as 
the offense, because if you hobble them, then we just don't 
have a chance. And the old law actually created four processes 
that hobbled them, and we actually now have proof.
    You heard Mr. Gilligan talk about these 20 Critical 
Controls at NSA and DHS, who really know the attacks, said 
those are the ones you have to have. We mapped them against 
each of the four processes that were instituted in the 
aftermath of FISMA and none of them look for it. Including the 
FISCAM, which is the thing that the GAO and the IGs use. They 
all look for things that were important 10 or 12 years ago and 
miss the current attacks. So I don't need to take a lot of time 
to say your bill really makes a difference.
    I would be happy to answer your questions.
    [The prepared statement of Mr. Paller follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you so much.
    Mr. Fountain.

               STATEMENT OF CHRISTOPHER FOUNTAIN

    Mr. Fountain. Thank you, Chair Watson, Ranking Member 
Bilbray, and members of the committee. First, I appreciate the 
opportunity to address the committee and look forward to 
answering questions at the conclusion.
    I guess by way of background everybody has said repeatedly 
that the threat landscape has changed, there are more threats 
to our infrastructure than ever before, and that is occurring 
at the same time that we are more interconnected than ever 
before. So that is a given. So I would like to move quickly to 
what is strong about the current FISMA legislation.
    While I agree it needs to be improved--and I will talk 
about the legislation under consideration specifically after my 
comments about the current FISMA law--I think it is important 
to recognize the strengths of FISMA and any effort to amend 
FISMA not do away with things that have been quite effective. 
First, the level of awareness has been dramatically increased 
as a result of this legislation, and the 107th Congress is to 
be commended for taking these steps well before the general 
public had any awareness of what cyber even meant or what 
cybersecurity was all about.
    It also established a framework for accountability that is 
a critical component today and established more strength behind 
a security officer inside agencies. The most important point is 
that it established a framework for developing and maintaining 
guidance to be used by agencies in their effort to defend IT 
assets, and that guidance was really handed for the civilian 
government to the National Institute of Standards and 
Technology. And I have to commend NIST for the great work that 
they have done. The key point is NIST established a very 
comprehensive framework and at the same time they have allowed 
that framework to live. So the Consensus Audit Guidelines that 
have been commented upon, those are mapped now to the latest 
version of controls that are advocated or outlined in NIST 
guidance under 853.
    There is one quote that I would like to attribute to Ron 
Ross, who is the doctor or the computer scientist at NIST who 
oversees this effort. He says, ``There continues to be a notion 
that FISMA is all about paperwork and compliance. Rather, FISMA 
is about trying to improve the quality of information 
security.'' And I think the important point here is that FISMA 
is not about paperwork, it is about taking very deliberate, 
well thought-out measures to provide for better defense.
    Now, with those things said, there certainly are areas for 
improvement, and I think the legislation under consideration 
provides some very good foundations for that. And I don't 
interpret the current legislation that is under consideration 
as a wholesale rewrite of FISMA; I see that as an enhancement 
to FISMA in its current form, which I again think is a good 
thing.
    First, the one thing about current FISMA is it does not 
have real teeth. So the law today provides for reporting to 
Congress and to GAO, but there are no real consequences for 
failure to comply with FISMA. The legislation under 
consideration provides for enhanced management and oversight 
and provides for a statutory means of achieving that, which I 
applaud in this legislation.
    I do believe that the FISMA report card did lead to a 
paperwork train, but that was the reporting element, not the 
aspect of guidelines and standards that are robust and 
comprehensive.
    Also in the proposed legislation, the creation of a 
National Office for Cyberspace is a very, very sound idea and a 
very logical step forward, and I congratulate you on that move 
and wish you luck in trying to move that through the 
legislative process. As outlined in the draft, the legislation 
does require or should require statutory authority in that 
office and, in my view, I would suggest that the committee 
consider placing that office within the Department of Homeland 
Security. And I will comment more about why that is.
    In the Department of Homeland Security, that office should 
report to the President, to the Secretary of Homeland Security, 
and to the Congress directly, because this should be a function 
that cuts across all of Government and certainly is a 
Presidential issue.
    In my written testimony, there is a lot of detail about how 
I would enhance the FISMA reporting to move it to a more 
metrics-based environment, as Mr. Kundra had suggested earlier 
this afternoon. I won't focus on that today. I would rather 
focus on the statutory office of cybersecurity.
    Why DHS? I know in the current draft it is advocated to put 
that inside the White House. I would suggest at least 
consideration for Department of Homeland Security because, in 
my view, defending cyberspace is critical to defending the 
homeland. They are so tightly intertwined. Every mission across 
government requires reliable computers and networks to perform 
their mission. And even beyond the boundaries of government, 
the critical infrastructure that is managed by private sector 
companies, they rely very heavily on information assets.
    Currently within DHS there is established today an office 
for Cyber Security and Communications, CS&C, and within CS&C is 
the National Cyber Security Division. There is a high degree of 
synergy between the mission sets in those organizations and the 
mission for the proposed office of the National Office for 
Cybersecurity.
    I will read, just for reference, the NCSD mission, which is 
the National Cyber Security Division mission. ``The National 
Cyber Security Division works collaboratively with public, 
private, and international entities to secure cyberspace and 
America's cyber assets.'' By definition, they are working 
across government or across, really, the private sector and the 
government to some extent, although with the government it is 
not their core focus today.
    In my view, a National Office for Cyberspace working in 
concert with CS&C would provide for a very robust mechanism and 
set of processes to look across the entire technology landscape 
in America, the Government as well as the private sector, and 
all other elements of our infrastructure, academic and so on.
    In summary, I think it is critical that there be 
recognition that core elements of FISMA as it exists today are 
very sound and it needs to be improved. I believe that the 
legislation under consideration is timely and necessary. I 
believe that the key to the new legislation is the statutory 
authority being placed in this office that is being proposed 
and that along with statutory authority there needs to be a 
budget to allow that office to work effectively. And, again, in 
terms of Department of Homeland Security, in my view, 
protecting the homeland requires protection of our cyber 
infrastructure, and that is why I, again, would ask you to 
consider placing this function inside the Department of 
Homeland Security.
    I thank you for the opportunity to present my views.
    [The prepared statement of Mr. Fountain follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Ms. Watson. Thank you so much.
    I am now going to defer to our ranking member for a final 
question or comment.
    Mr. Bilbray. Yes, a question for Mr. Fountain. What should 
the role be from here forward of NIST?
    Mr. Fountain. I think if you look at what NIST has done--
there are a couple of things about NIST that make it a real 
special entity, in my view. And we don't do business with NIST. 
I know what Ron Ross does because obviously what he does has a 
big effect on the things we do for Government. They need to 
play a very prominent role, in my view. They work very 
collaboratively across not only Government, but I know there is 
legislation under consideration in another committee in the 
House to have NIST work with international partners on 
establishing an international framework for cybersecurity, 
because, again, cyber is not a U.S. issue; it is a global 
issue, because everything is interconnected, it is not just 
inside the United States.
    And NIST has a track record of being collaborative. I know 
they have worked and they are highly complimentary of the 
Consensus Audit Guidelines. They do believe that more needs to 
be done beyond that because addressing the top 20 
vulnerabilities won't necessarily address every vulnerability, 
and you want to have a framework that addresses the entire 
landscape. But using the CAG, or the Consensus Audit Guideline 
as a good first step is critical.
    So, in my view, they should be prominent across this issue, 
whether it is in the Office of National Cybersecurity or the 
National Office for Cybersecurity or the current CS&C, and then 
with international partners.
    Mr. Bilbray. Thank you, Madam Chair.
    Ms. Watson. I want to just end with this thought and then 
ask you to followup. What we are trying to do is to promote the 
notion of harmonizing security frameworks across civilian and 
national security systems, and lessons that you have learned in 
business in and outside of Government we would like to know 
about.
    So if you could give us your further suggestions, and we 
hope that they relate to the bill that I have out there. We 
will welcome anything that you see will help us improve, and 
remember we are looking globally, we are looking across all 
agencies, and we want to improve our communication. As we 
improve our cyberspace technology, we want to be able to have a 
profile how we can make it safe. So I invite all of you to 
contribute. And remember this is an ongoing process; every day 
there is a new development, a new technology. So whatever ideas 
we need them so we can put them into our base. And remember we 
make policy, but that policy has to change to keep up with the 
changing times.
    So I want to thank all the witnesses and Members who 
attended this hearing. Without objection, the committee will be 
adjourned.
    [Whereupon, at 4:56 p.m., the subcommittee was adjourned.]

                                 
