[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
FEDERAL INFORMATION SECURITY: CURRENT CHALLENGES AND FUTURE POLICY
CONSIDERATIONS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
ORGANIZATION, AND PROCUREMENT
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
MARCH 24, 2010
__________
Serial No. 111-145
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
__________
U.S. GOVERNMENT PRINTING OFFICE
65-549 PDF WASHINGTON : 2011
____________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts JOHN J. DUNCAN, Jr., Tennessee
WM. LACY CLAY, Missouri MICHAEL R. TURNER, Ohio
DIANE E. WATSON, California LYNN A. WESTMORELAND, Georgia
STEPHEN F. LYNCH, Massachusetts PATRICK T. McHENRY, North Carolina
JIM COOPER, Tennessee BRIAN P. BILBRAY, California
GERALD E. CONNOLLY, Virginia JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois JEFF FLAKE, Arizona
MARCY KAPTUR, Ohio JEFF FORTENBERRY, Nebraska
ELEANOR HOLMES NORTON, District of Columbia JASON CHAFFETZ, Utah
AARON SCHOCK, Illinois
PATRICK J. KENNEDY, Rhode Island BLAINE LUETKEMEYER, Missouri
DANNY K. DAVIS, Illinois ANH ``JOSEPH'' CAO, Louisiana
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
JUDY CHU, California
Ron Stroman, Staff Director
Michael McCarthy, Deputy Staff Director
Carla Hultberg, Chief Clerk
Larry Brady, Minority Staff Director
Subcommittee on Government Management, Organization, and Procurement
DIANE E. WATSON, California, Chairman
PAUL E. KANJORSKI, Pennsylvania BRIAN P. BILBRAY, California
JIM COOPER, Tennessee AARON SCHOCK, Illinois
GERALD E. CONNOLLY, Virginia JOHN J. DUNCAN, Jr., Tennessee
HENRY CUELLAR, Texas JEFF FLAKE, Arizona
JACKIE SPEIER, California BLAINE LUETKEMEYER, Missouri
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
MIKE QUIGLEY, Illinois
Bert Hammond, Staff Director
CONTENTS
----------
Hearing held on March 24, 2010
Statement of:
  Bond, Philip, president, TechAmerica; John Gilligan, president, the Gilligan Group, Inc.; Alan Paller, director of research, SANS Institute; and Christopher Fountain, president and CEO, SecureInfo Corp.
    Bond, Philip
    Fountain, Christopher
    Gilligan, John
    Paller, Alan
  Kundra, Vivek, Chief Information Officer, Office of Management and Budget; Gary ``Gus'' Guissanie, Acting Deputy Assistant Secretary of Defense for Cyber, Identity, and Information Assurance, U.S. Department of Defense; John Streufert, Deputy Chief Information Officer for Information Security, Bureau of Information Resources Management, U.S. Department of State; and Gregory Wilshusen, Director, Information Security Issues, Government Accountability Office
    Guissanie, Gary ``Gus''
    Kundra, Vivek
    Streufert, John
    Wilshusen, Gregory
Letters, statements, etc., submitted for the record by:
  Bond, Philip, president, TechAmerica, prepared statement of
  Connolly, Hon. Gerald E., a Representative in Congress from the State of Virginia, prepared statement of
  Fountain, Christopher, president and CEO, SecureInfo Corp., prepared statement of
  Gilligan, John, president, the Gilligan Group, Inc., prepared statement of
  Guissanie, Gary ``Gus'', Acting Deputy Assistant Secretary of Defense for Cyber, Identity, and Information Assurance, U.S. Department of Defense, prepared statement of
  Kundra, Vivek, Chief Information Officer, Office of Management and Budget, prepared statement of
  Paller, Alan, director of research, SANS Institute, prepared statement of
  Streufert, John, Deputy Chief Information Officer for Information Security, Bureau of Information Resources Management, U.S. Department of State, prepared statement of
  Wilshusen, Gregory, Director, Information Security Issues, Government Accountability Office, prepared statement of
FEDERAL INFORMATION SECURITY: CURRENT CHALLENGES AND FUTURE POLICY
CONSIDERATIONS
----------
WEDNESDAY, MARCH 24, 2010
House of Representatives,
Subcommittee on Government Management,
Organization, and Procurement,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2 p.m., in
room 2154, Rayburn House Office Building, Hon. Diane E. Watson
(chairwoman of the subcommittee) presiding.
Present: Representatives Watson, Connolly, Bilbray, Duncan,
and Luetkemeyer.
Staff present: Bert Hammond, staff director; Valerie Van
Buren, clerk; Adam Bordes and Deborah Mack, professional staff
members; Charles Phillips, minority chief counsel for policy;
and John Ohly, minority professional staff member.
Ms. Watson. The Committee on Oversight and Government
Reform will now come to order.
Today's hearing will review the Federal Information
Security Act [FISMA] of 2002, and agency efforts to improve the
security, integrity, and reliability of the Federal
Government's information systems.
In addition, today's hearing will address legislation
introduced by me last week to amend FISMA, H.R. 4900, the
Federal Information Security Amendments Act of 2010.
I welcome all of our distinguished panelists and look
forward to your testimony, and apologize for being late; we
were in a very important meeting.
So, without objection, the Chair and ranking minority
member will have 5 minutes to make opening statements, followed
by opening statements not to exceed 3 minutes by any other
Member who seeks recognition.
Without objection, Members and witnesses may have 5
legislative days to submit a written statement or extraneous
materials for the record.
Now, I would like to wish everyone here a good afternoon
and welcome to the Government Management Subcommittee's
oversight hearing on the state of Federal Information Security
and agency efforts to comply with the Federal Information
Security Management Act, and we will also discuss proposed
legislation I recently introduced to amend FISMA, the Federal
Information Security Amendments Act of 2010. I look to our
witnesses and your testimony, and we appreciate your presence
here today.
Since enactment of FISMA legislation in 2002, this
subcommittee has held annual oversight hearings on agency
efforts to meet the standards and policies prescribed under the
current FISMA framework. While some agencies have shown great
success in harnessing both technology and human capital to
reduce their overall cyber risk profiles, many others simply
comply with the basic annual reviews and periodic assessments
required under FISMA that reveal only a fraction of the threats
and the vulnerabilities facing them.
It is clear that the notion of being in compliance with
current law does not equal having adequate security across an
agency's IT infrastructure. Furthermore, the vast majority of
Federal agencies still have not met the basic cybersecurity
requirements outlined in the FISMA legislation. According to
statistics from GAO's testimony and OMB's annual FISMA report
to Congress, 23 out of 24 agencies have been identified as
having weaknesses in their agency-wide information security
programs.
Although these figures do not speak to the depths of
problems that agencies have, they tell us that many still view
security as a measure of efficiency or productivity, and not as
a pillar of necessity or national security. It also indicates
that OMB has not used its enforcement authority and budget
power to force agencies to make effective information security
a fundamental requirement in their daily operations and
strategic plans.
While some may view these problems as insurmountable, I
believe there are managerial blueprints at some agencies that
have proved effective in reducing their exposure to cyber
threats. For example, the State Department has utilized a
number of mechanisms, including stronger baseline internal
controls, newly developed performance metrics, and advanced
system monitoring capabilities for reducing their risk exposure
by nearly 90 percent.
These outcomes are by no means perfect. But they underscore
the ability of agencies to both prioritize the mitigation of
their largest cyber vulnerabilities while working to meet the
minimum security standards and policies prescribed for all of
their IT assets.
So, as we move forward with policy goals for reforming
FISMA, we must try not to look for a silver bullet as a
solution for information security deficiencies, but to develop
a harmonized policy framework that addresses our current
managerial, planning, technological, and leadership
shortcomings across the Government.
It is in response to these challenges and deficiencies that
I have introduced H.R. 4900, the Federal Information Security
Amendments Act of 2010. The bill before us is a combination of
multiple policy recommendations and legislative proposals,
including those from President Obama's recent cyberspace policy
review, the CSI Commission on Cybersecurity for the 44th
Presidency and the GAO. It includes a combination of visions to
strengthen our managerial, our technical, and our strategic
planning objectives while flexible enough for individual
agencies to address their unique information security profiles.
The bill establishes a National Office for Cyberspace
within the Executive Office of the President. The Director of
the National Office for Cyberspace, appointed by the President
and subject to Senate confirmation, will be charged with
overseeing the cybersecurity posture of the Federal Government.
The Office's mission will be to develop and manage through an
interagency board consisting of OMB, civilian, military, and
other agencies that will oversee the crafting of policies and
guidance that are responsive to combating the changing nature
of cyber threats Government-wide.
I firmly believe the establishment of the National Office
for Cyberspace will provide both the Presidential leadership
and policy focus capabilities that are needed for addressing
our cyber deficiencies Government-wide. The legislation also
moves agencies away from the current paper-intensive process
used to monitor agencies' compliance with FISMA policies and
procedures and, instead, will require agencies to utilize
automated technologies and outcome-based performance measures
for determining their true cyber risk profile.
By utilizing new monitoring and measuring capabilities,
agencies will have much more complete data at their disposal
for mitigating their most significant vulnerabilities and
combating future cyber threats.
Last, the bill requires OMB and agencies to incorporate
information security into their procurement decisions through
secure acquisition requirements for commercial products and
services, and vulnerability assessments for major information
technology investments. I believe those provisions offer us the
best way forward to ensure that information security is built
into our agency systems in a technology-neutral manner from the
beginning of the procurement life cycle.
In closing, I believe reducing our exposure to current and
future cyber threats will require both managerial discipline
and policy flexibility. While the legislation I offer is not
perfect, I believe it provides us a way forward to reducing our
cyber risks across the Government, while instilling policy
leadership on cybersecurity at the highest levels of our
Government.
Once again, I welcome our panelists today and I look
forward to their testimony and their feedback.
At this point, I would like now to yield to our
distinguished ranking minority member, Mr. Bilbray of
California.
Mr. Bilbray. Thank you, Madam Chair. Madam Chair, your
opening statement was so well drafted and so comprehensive and
so well delivered that I just ask for unanimous consent that my
written statement be entered into the record.
Ms. Watson. Without objection.
Mr. Bilbray. And just quickly pointing out that this is
quite an appropriate step that we move forward here. We are
seeing that the cyber world is becoming not only a tool, but an
essential foundation for the Federal Government's ability to
perform our constitutional responsibilities. Everything from,
now, employment verification to we are looking at the taxation
system, the IRS's ability to use it has just been a huge boon.
The security at our ports of entry to our military
applications, to our health care service capability. All of
these are going to expand extensively, and should, to be able
to make sure the Federal Government is as effective and
efficient and as cost-effective as possible.
Along with that great opportunity comes a huge threat, and
I think that we will find that what you are doing here today,
if we do this right and follow through with this appropriately,
will not only be defending those components that we see today,
but be actually creating a vehicle that will protect the future
expansion, which will probably be tenfold of what we see today.
So, again, I appreciate the introduction of the bill. We
will work at trying to improve it. Nothing is perfect, but we
will darn well do our best to make sure that we create this
defense shield as strong as possible. And I yield back, Madam
Chair.
Ms. Watson. Thank you.
I now yield to Mr. Connolly.
Mr. Connolly. Thank you, Madam Chairman. I would ask my
full statement be entered into the record.
Ms. Watson. Without objection.
Mr. Connolly. I thank the Chair.
If I could add one point, one of the concerns I have, among
many, is that we get the architecture, the managerial
architecture of cybersecurity and information technology in
general in the Federal Government right. The President, by
Executive order, has created a position of Chief Technology
Officer, which I applaud. I believe we have to, however, create
a statutory framework for that position and the cybersecurity
position as well. So making sure we understand, moving forward,
in a statutory framework, beyond just an administrative
framework, what those pieces are and what those
responsibilities are, and how the org chart works I think is
very important, given the resources we are going to be putting
into these efforts.
So one of the things I certainly want to do--and I have
introduced legislation, H.R. 1910--I have yet to hear from the
administration on that bill, but I want to certainly
incorporate elements of that into whatever we do by way of
reauthorization of FISMA, and I intend to do just that.
Thank you, Madam Chairman.
[The prepared statement of Hon. Gerald E. Connolly
follows:]
Ms. Watson. Thank you.
We now yield to Mr. Duncan for an opening statement.
Mr. Duncan. Well, thank you very much, Madam Chairwoman.
Certainly, this is a very important topic. The statistics are
almost mind-boggling. In spite of all the money that is being
spent on this and all the efforts that are being made, the
number of security incidents keeps going up.
Our committee memorandum tells us that there were roughly
90,000 breaches in 2008, and that figure went to the figure
that we have in our folder, 108,710, in 2009. It reminded me
that several years ago, as I was coming back from lunch in
Knoxville one day, I heard on the CBS radio national news in my
car that the top secret files at the Pentagon had been broken
into. It was something approximately 250,000 times that year,
or 200,000 times. And that figure was matched a few months ago
in this committee when we had the head of a company that said,
just to show that they could do it, they downloaded 250,000
individual tax returns.
So, because of all these things, I have begun to wonder if
there really is such a thing as cybersecurity, or is it just
something for companies to make money off of. I would be very
interested in the testimony. Unfortunately, because of
previously scheduled appointments, I was only going to be able
to be here from 2 until 2:45, and my 2:45 appointment is
already here. So I apologize to the witnesses.
But I can assure you that I will read your testimony and
your responses to what I have just said with great interest,
because I am becoming more and more skeptical. It seems to me
that something needs to be done, but are we pouring money down
a rat hole? You know, it seems to me that we started out
controlling the computers, and now they control us. And I know
that all the young people worship their computers, but, this
security business, I think people need to realize that anything
that they put into a computer is just not secure at all, at
least at this point.
Thank you.
Ms. Watson. Thank you.
Now that we have no further opening statements, it is the
policy of the Committee on Oversight and Government Reform to
swear in all witnesses before they testify, and I would like to
ask all of you to stand and raise your right hands.
[Witnesses sworn.]
Ms. Watson. Let the record reflect that the witnesses
answered in the affirmative.
I will now introduce our panelists.
Mr. Vivek Kundra is the Chief Information Officer at the
Office of Management and Budget. Mr. Kundra was appointed as
the first Federal CIO of the United States by President Obama
in March 2009. In this capacity, he directs the policy and
strategic planning of Federal information technology
investments and is responsible for oversight of Federal
technology spending. Prior to joining the Obama administration,
Mr. Kundra served in Mayor Fenty's cabinet as the Chief
Technological Officer for the District of Columbia and Governor
Kaine's cabinet as Assistant Secretary of Commerce and
Technology for the Commonwealth of Virginia.
Mr. Gary ``Gus'' Guissanie is the Acting Deputy Assistant
Secretary of Defense for Identity and Information Assurance at
the Department of Defense. There, he is charged with
implementing DOD programs that require planning, monitoring,
coordinating, and integration of information assurance across
its component agencies.
Mr. Streufert is the Deputy Chief Information Office for
Information Security at the Department of State. He is
responsible for providing oversight and guidance for
information assurance activities, including security policy
development, risk management, systems authorization, training
and awareness, compliance reporting, and performance measures.
Prior to his tenure at State, he served in various IT
management roles at USAID, USDA, and the U.S. Navy.
Mr. Gregory Wilshusen serves as the Director of Information
Security Issues at GAO. His work involves examining Federal
information security practices and trends at Federal agencies,
and he is the GAO's leading expert on FISMA implementation.
I would like to ask all of you, and I ask that each of the
witnesses now give a brief summary of their testimony, and we
would like to have you keep this summary under 5 minutes in
duration if you can, because your complete written statement
will be included in the hearing record. And I would like to
please start with Mr. Kundra.
STATEMENTS OF VIVEK KUNDRA, CHIEF INFORMATION OFFICER, OFFICE
OF MANAGEMENT AND BUDGET; GARY ``GUS'' GUISSANIE, ACTING DEPUTY
ASSISTANT SECRETARY OF DEFENSE FOR CYBER, IDENTITY, AND
INFORMATION ASSURANCE, U.S. DEPARTMENT OF DEFENSE; JOHN
STREUFERT, DEPUTY CHIEF INFORMATION OFFICER FOR INFORMATION
SECURITY, BUREAU OF INFORMATION RESOURCES MANAGEMENT, U.S.
DEPARTMENT OF STATE; AND GREGORY WILSHUSEN, DIRECTOR,
INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
STATEMENT OF VIVEK KUNDRA
Mr. Kundra. Great. Good afternoon, Madam Chairwoman and
members of the subcommittee. Thank you for the opportunity to
testify on the state of Federal information security and the
current challenges we face.
Cybersecurity is a Presidential priority and across the
administration we are working on this issue. I work closely
with the President's Cybersecurity Coordinator, Howard Schmidt,
and the Federal Chief Technology Officer, Aneesh Chopra.
Eight years ago, when FISMA was enacted, the mobile
computing revolution and the Internet were not as pervasive as
they are today. Agencies are leveraging technologies and
business models today that were not present at the time, from
cloud computing to mobile platforms. These new models increase
efficiency, but also leave agencies struggling with questions
on how they apply FISMA's requirements in an environment where
boundaries no longer determine security points. Agencies have
made significant progress in complying with FISMA requirements;
yet, the Federal Government is still far from secure.
The annual FISMA measures have led agencies to focus on a
culture of compliance. However, we cannot get to security
through compliance alone. Significant issues have hindered the
Federal Government's effectiveness in cybersecurity, including
a lack of coordination, a culture focused on compliance, a
failure to take an enterprise approach, and a fragmented
research and development agenda.
To coordinate the many cybersecurity activities across the
Government, the President appointed Howard Schmidt. Mr. Schmidt
serves as a key member of the President's national security
staff while working in tandem with the private sector on
cybersecurity. Additionally, the Department of Homeland
Security, in coordination with the White House and various
stakeholders from Government and industry, is developing a
National Cyber Incident Response Plan. This plan will focus on
outlining key roles and responsibilities across the Nation,
linking all levels of Government and the private sector.
In 2009, we began shifting agencies to a culture that would
focus more on performance and less on compliance. Last October,
OMB launched CyberScope, a platform which collects performance
metrics enabling meaningful analysis of the agency's security
posture. Since metrics are policy statements that influence how
agencies deploy resources, OMB established a task force to
develop performance-based security metrics.
This work resulted in a three-tiered approach that will be
implemented through CyberScope. Data feeds, security posture
questions, and making sure that we are specifically focusing on
the risks at specific agencies, from Health and Human Services
to the Department of Defense to the State Department, which
have very different missions and risk profiles. This approach
will provide essential information about agency security
postures, activities, and threats.
We should also drive agencies toward continuous monitoring
of security-related information across their organizations. It
is necessary to take an enterprise approach to cybersecurity.
That is why we are leveraging governmentwide vehicles to enable
agencies to purchase security tools efficiently. To energize
the Nation's research and development efforts, the
administration is encouraging innovation in game-changing
technologies to shift the advantage from the attacker to the
defender. These activities include efforts such as National
Cyber Leap Year and the National Research and Development
Summit we just did, the creation of a group designed to look at
the financial services sector and create a test bed where we
could model scenarios that we need to defend against and also
the establishment of an industry, academia, and government
working group to explore cybersecurity insurance as a market
force to improve security across the board.
Security is a journey, not a destination. We are moving
forward. For example, the Government has won praise for its
work done to contain Conficker. A representative of the
Conficker Working Group, an independent group of private sector
companies focused on defeating the Conficker worm said, ``For
the first time the government is taking the lead in a technical
security issue, rather than lagging.''
This is where we want to be. Unfortunately, the State
Department spent $133 million over the last 6 years on
paperwork compliance. But under the leadership of John they
have made significant changes to how they approach this
problem. But what we really need to do is not file paperwork in
metal cabinets. Instead, we should shift to constantly testing
for weaknesses. That is why the President's 2011 budget
provides funding for red teams and blue teams to conduct
penetration testing on Federal systems.
A secure trusted computing environment in the Federal
Government is the responsibility of everyone involved; agency
heads, the Federal work force, and contractors who support us.
This will not be easy, nor will it take place overnight.
Together with the Cybersecurity Coordinator, Howard Schmidt,
and the Chief Technology Officer, Aneesh Chopra, we will
continue to address challenges that face our Nation in
cyberspace.
Thank you for the opportunity to testify. I look forward to
your questions.
[The prepared statement of Mr. Kundra follows:]
Ms. Watson. Thank you, Mr. Kundra.
Now, Mr. Guissanie, you may proceed.
STATEMENT OF GARY ``GUS'' GUISSANIE
Mr. Guissanie. Good afternoon, Chairwoman Watson,
Congressman Bilbray, and members of the Government Management,
Organization, and Procurement Subcommittee. My name is Gus
Guissanie, and I represent the Office of the Assistant
Secretary of Defense for Networks and Information Integration
and the Department of Defense Chief Information Officer. I want
to thank you for the opportunity to appear before the
subcommittee to discuss issues related to governmentwide
information security, the Department's efforts to comply with
FISMA mandates, and initiatives to enhance the Nation's
cybersecurity.
Cybersecurity is and has been a critical priority for the
Department of Defense. Our information systems, which are
globally distributed and connected to coalition and interagency
partners, are essential to our DOD missions; therefore, we must
have a robust, assured enterprise network.
In concert with the administration's Government-wide
information security objectives, we support a focus on
continuous monitoring and the use of real-world penetration
testing to ensure a robust security posture. However, the DOD
policy of conducting stringent security testing prior to an
authorization to operate remains a critical element of
information assurance.
The Department has found FISMA in its current form to have
significant strengths in improving cybersecurity, and would
point out that any deficiencies in implementations are not, in
and of themselves, sufficient justification for major change or
reform.
One construct that the Department believes is valuable in
the current statute and should be retained is the
organizational relationship between the Agency Chief
Information Security Officer [CISO] and the Agency CIO. A CISO cannot
effectively function if separated organizationally from the CIO
and the operational activity being protected.
I would now like to highlight some DOD initiatives taken to
secure our systems within the framework of current FISMA
legislation.
The Department has been working to develop information
assurance metrics at the strategic and operational levels both
within the Department and the broader Federal community. As we
seek metrics which provide our leadership decisionmaking
insight, we are working toward the capability to accomplish
risk scoring in prioritized vulnerability remediation based on
actual threat activity to enable a more active and flexible
defense.
The Department is also implementing a series of initiatives
aligned to our DOD information assurance strategy with several
accelerated in fiscal year 2009 by the Comprehensive National
Cybersecurity Initiative. For example, we are deploying a host-
based security solution for continuous monitoring and
protection against threats. We are hardening our unclassified
network by improving sensoring, filtering, and access control
at our Internet access points or gateways, thus limiting
exposure of critical information. By changing our access
control technologies and methodologies to ensure that only our
public-facing servers are accessible from the Internet, we have
reduced this attack surface by 96 percent.
We have expanded cooperation with our defense industrial
base to protect unclassified defense-related research,
development, and procurement information, and we are also
working with the Department of Homeland Security to develop a
multi-pronged approach for managing supply chain risks arising
from the globalization of the information and communications
technology marketplace.
A skilled cyber work force is the most critical component
of our defense against cyber adversaries. Therefore, the
Department is continuing to raise the bar through our Workforce
Improvement Program, extend our IA range capability, and ensure
quality training is available to our work force. Additionally,
the 106 National Centers of Academic Excellence in IA Education
are producing graduates with the right skills to become a
world-class cyber work force.
I would like to conclude by emphasizing that we continue to
work toward a resilient and dependable enterprise network for
the Department and the Nation. We are accomplishing this
through collaboration with other Federal agencies to resolve
security issues impacting Government-wide shared services and
infrastructure. The DOD CIO is managing a diverse portfolio to
enable worldwide operations supporting over 2.5 million
users that is aggressively working to get ahead of the daunting
global security challenge.
I am happy to take your questions.
[The prepared statement of Mr. Guissanie follows:]
Ms. Watson. Thank you.
Now, Mr. Streufert, you may proceed.
STATEMENT OF JOHN STREUFERT
Mr. Streufert. Good afternoon, Chairwoman Watson, Ranking
Member Bilbray, and distinguished members of the subcommittee.
I am pleased to have this opportunity to testify before the
subcommittee regarding the Department of State's capabilities
for securing its global information and technology
infrastructure. The Department serves as the diplomatic front
line in over 270 overseas posts by serving its 70,000 users
with the worldwide network and mission-essential software
applications.
The foreign policy mission makes an inviting target for
attack by highly skilled cyber adversaries. However, the
Department's layered approach to risk management allows
multiple levels of protection. This protection is accomplished
by implementing a matrix of technical, operational, and
management security controls designed to thwart network
threats, detect, and mitigate vulnerabilities, and strengthen
business operations.
In my role as the Chief Information Security Officer, I
have become familiar with the benefits, shortcomings, and
promising opportunities to build upon the current Federal
Information Security Management Act of 2002. Our goal is to
ensure system security for diplomacy while continuously
improving the return on investment for each dollar spent on
cybersecurity.
The passage of the FISMA Act in 2002 served as a game-
changing event for the Federal agency community. FISMA applies
to all information used by or on behalf of the Federal
department or agency. In this respect, the establishment of a
holistic information security program and the responsibility of
accounting to oversight entities, including Congress, served as
a valuable check in determining the health of an agency's
information security program.
The Federal cybersecurity landscape has changed over the
past 5 years. The implementation of a Federal cybersecurity
program has typically been implemented in past years through
manual processes and compliance checks which have competed with
the need to implement Web 2.0 technologies in a secure manner,
just to name one among many. Meanwhile, our cyber problems have
dramatically escalated in severity and frequency. Since 2008,
the number of security-related trouble tickets opened in our
organization has more than doubled, while malicious code
attacks have increased by 47 percent.
In October 2009, OMB launched CyberScope, a secure data
collection platform for reporting and formed an interagency
task force charged with developing metrics for information
security. Important to our efforts, the National Institute of
Standards introduced Special Publication 800-37 and an update
to increase the emphasis on continuous monitoring. Of special
note, the Department of State began supplementing FISMA
compliance reports and studies with a risk scoring program
scanning every computer and server connected to its network not
less than every 36 hours on eight factors and twice a month for
safe configurations of software.
The Risk Scoring Program utilizes best practices such as
the Consensus Audit Guidelines, which we have mapped against
the way the Department is being attacked. The Department
utilizes the Common Vulnerability Scoring System from NIST
where scanning tools tag specific risks with point values
between 0 and 10, with 10 being the highest vulnerability. When
the problem is resolved, risk points are deducted. To this
point, the State Department Risk Scoring Program has
implemented a subset of the Consensus Audit Guideline controls
that are adaptable to automated verification.
In the first year of site scoring ending July 2009, overall
risk on the Department's key unclassified network measured by
the Risk Scoring Program was reduced by nearly 90 percent in
overseas sites and 89 percent in domestic sites. Scores have
been relatively stable since then. Notwithstanding this
reduction to date, the Department has decided to make it three
times more difficult to achieve the same letter grades as part
of an ongoing commitment to continuous improvement of this kind
in the future.
These methods, however limited, have allowed one critical
piece of the Department's information security program to move
from snapshot in time previously available under FISMA to a
program that scans for weaknesses on servers and personal
computers continuously, identifies weak configurations each 15
days, issues letter grades monthly to senior managers tracking
the progress for their organization in closing against known
vulnerabilities the last 30 days. It is the Department's
objective to expand automated verification to as many Consensus
Audit Guideline control categories as possible, to all
infrastructure and applications as soon as possible, limited
only by available resources.
In short, the details of this program empower
administrators of our systems with targeted daily attention to
conduct remediation and the summaries empower executives to
oversee the most serious problems.
The balance of my statement references additional layers of
control, including a 24/7 network watch program, close
coordination with incident management at US-CERT;
implementation of EINSTEIN 2 for situational awareness;
important emphasis on Cyber Threat Analysis which we share with
other members of the foreign affairs community; a Global
Security Scanning program, a Cybersecurity Incident Program to
assure that our employees do not commit acts of cyber misuse or
abuse; an awareness training program that we conduct not only
for ourselves, but for other members of the Federal Government
under the information security line of business.
I want to conclude by emphasizing the Department's policy,
technology, business processes, and partnerships in place
continue to evolve and meet the ongoing challenges of security
threats in the cyber environment.
I would like to thank the subcommittee members for this
opportunity to speak before you today, and I would be pleased
to respond to any of your questions.
[The prepared statement of Mr. Streufert follows:]
Ms. Watson. One of the things I wanted to follow up with you
before we got to questions, I understand that you are
considering a kind of Ambassador post within the Department to
oversee this. You might want to just speak on it for half a
minute before we go on.
Mr. Streufert. Yes, ma'am. My immediate responsibilities
have to do with the internal networks of the Department of
State, but I would be happy to forward any questions that you
would have about that legislation to those in our organization
that deal with foreign policy aspects of the cybersecurity.
Ms. Watson. Why don't you just give us a summary of what
you have already been considering? That would be information
for us.
Mr. Streufert. I am sorry, I don't have that information
available.
Ms. Watson. No, you can send it to us.
Mr. Streufert. Just send it to you?
Ms. Watson. Yes.
Mr. Streufert. OK, very good. I would be happy to, ma'am.
Ms. Watson. Thank you so much.
Mr. Wilshusen, we are going to take your testimony and then
we are going to recess for about 25 minutes to a half hour. We
have four to five votes on the floor. Thank you.
STATEMENT OF GREGORY WILSHUSEN
Mr. Wilshusen. Chairwoman Watson, Ranking Member Bilbray,
and members of the subcommittee, thank you for the opportunity
today to participate in today's hearing on Federal information
security.
As we have previously testified, cyber-based threats to
Federal systems and critical infrastructure are evolving and
growing. Pervasive and sustained cyber attacks continue to pose
a potentially devastating threat to the systems and operations
of the Federal Government.
Over the past few years, agencies have experienced an
increasing number and a wide range of incidents involving data
loss or theft, computer intrusions, and privacy breaches,
underscoring the need for improved security practices and
controls. While much progress has been made in identifying and
implementing these controls, much work remains.
Madam Chair, today I will discuss Federal agencies' efforts
to secure their information systems and opportunities to
enhance Federal cybersecurity.
For fiscal year 2009, agencies have reported mixed progress
in securing their systems and implementing key security
activities. For example, although agencies collectively
reported providing security awareness training and specialized
security training to an increasing percentage of their
personnel, they also reported testing the security controls and
contingency plans for a decreasing percentage of their systems.
In addition, Federal systems continue to be afflicted by
persistent control weaknesses. Most of the 24 major agencies in
our review had weaknesses in security safeguards that are
intended to control logical and physical access to IT
resources, manage the secure configurations of those resources,
and ensure the prompt recovery of service and the continuity of
operations should unexpected incidents occur. To illustrate, 21
of 24 major agencies noted inadequate controls over their
financial systems were either of significant deficiency or
material weakness.
An underlying cause for these weaknesses is that agencies
have not yet fully or effectively implemented key elements of
their information security programs as required by FISMA. As a
result, they remain vulnerable to the unauthorized disclosure
and modification of sensitive information and the disruption of
mission-critical operations.
Fortunately, opportunities exist to enhance Federal
cybersecurity. Agencies can implement the hundreds of
recommendations that GAO and agency IGs have made to resolve
specific control deficiencies and program shortfalls. Agencies
can also expand use of automated tools to perform security
functions and increase their efficiency in securing and
monitoring networks. These actions will help agencies to better
manage the configuration of security features and to prevent,
limit, and detect unauthorized access to networks and systems.
In addition, as we have previously recommended, OMB and the
workgroup it has convened should develop a balanced set of
performance measures that focus on risk and produce better
information to gauge the status and effectiveness of security
efforts. The effective implementation of several Government-
wide initiatives can also lead to improved cybersecurity. For
example, addressing several challenges we have identified
associated with implementing the Comprehensive National
Cybersecurity Initiative, which is a collection of 12 projects
intended to bolster security on Federal networks, will enhance
its chances of success.
Another opportunity is implementing the trusted internet
connections EINSTEIN and Federal Desktop Core Configuration
Initiatives. These initiatives are intended to consolidate and
secure external access points, including those to the Internet;
provide network intrusion detection capability; and establish
secure configurations for Windows-based workstations. We have
ongoing work that addresses the status and implementation of
these initiatives.
Finally, opportunities exist to strengthen Federal guidance
and the national strategy for cybersecurity. In panel
discussions that we hosted, cybersecurity experts identified 12
key improvements that are essential in their view to improving
the strategy in our national cybersecurity posture. Consistent
with our prior work, implementing these improvements can
bolster security of our Nation's most critical Federal and
private sector cyber infrastructure.
In summary, Federal agencies continue to tread water in
securing their systems and countering the growing and evolving
cyber threat. Nevertheless, opportunities exist to improve
cybersecurity, but they require a concerted response to ensure
that Federal systems are sufficiently safeguarded.
Madam Chair, this concludes my statement. I would be happy
to answer any questions.
[The prepared statement of Mr. Wilshusen follows:]
Ms. Watson. Thank you so very much, panel. We will recess
now until about 3:45, and we will see you back here for
questions and then panel two. Thank you so very much.
[Recess.]
Ms. Watson. We shall resume the committee.
I was listening very intently to Mr. Kundra's report, and
you mentioned Mr. Howard Schmidt, the new White House Cyber
Coordinator, while you were testifying. Could you describe for
us what his role and responsibilities are in securing our
Federal information infrastructure? As you know, my legislation
calls for the codification of a National Office of Cyberspace
and Grants, and its extensive authority for implementing and
enforcing information and security responsibilities. So we
would like to know more about Mr. Schmidt's role. Thank you.
Mr. Kundra. Sure. Howard Schmidt, as the coordinator of
cybersecurity within the White House, works both at the
National Security Council and the National Economic Council,
recognizing that their vital interests in terms of being able
to protect the Nation, at the same time making sure we are
balancing that with economic decisions across the board.
Also, when you think about from a national security
perspective, the Comprehensive National Cyber Initiative, both
of us work very, very closely together to make sure that, as we
look at equities, whether it is the Department of Defense,
Homeland Security, the private sector, that we are coordinating
our efforts and are moving forward in a direction that makes us
more secure, rather than spending a tremendous amount of energy
on the friction that results historically from a lack of
coordination and who owns cybersecurity in one area versus the
other.
Ms. Watson. One proposal in my bill requires OMB to
incorporate secure product and service acquisition requirements
into agency contracting practices, as well as to require IT
investments to have vulnerability assessments completed before
programs can move forward. So can you tell us how these
proposals are complementary to some programs already in place
at GSA and what you might consider to be technical barriers
that we might be able to remove?
Mr. Kundra. Part of what we need to be able to do across
the Federal Government is not bolt on security afterwards. A
lot of times what ends up happening is systems end up going
live or they evolve. Some of the systems may be 30 years old
and everybody is trying to bolt on security, and the challenges
as addressed by the panel, with a huge focus on generating a
lot of reporting.
And if we looked at the FISMA report, one of the key
findings here is investments we are making when it comes to the
human capital side, making sure that employees who are focused
on cybersecurity across the public sector are not necessarily
experts in writing reports, but are actually people who are
trained and understand how to not just configure and manage
routers and switches and servers and desktops and firewalls,
but can make sure that as we deploy these systems we build an
architecture that doesn't say, you know what, we are going to
move forward and certify this system, and come back 3 years
from today and hope that it is as secure, test it. What we are
trying to shift everyone to is this notion of a continuous
monitoring.
But what we are also doing is we are making sure that
across the board, in terms of procurements, that we are
creating schedules where you have enterprise procurements,
whether it is moving toward a networks contract or whether it
is blanket purchase agreements for software, whether it is any
virus or firewalls or data loss prevention technologies, so
that it is easier to procure these technologies and, from an
OMB perspective, for us to be able to look at where we are
actually spending money. And, frankly, security investments are
best when they are actually baked into the systems that we are
looking at and not where they are treated as discrete
investments across the board.
Ms. Watson. Can you describe what actually is working? I
think we know that there are firewalls in some agencies that
are lax, but what is actually working today?
Mr. Kundra. What is working right now is--let's look at
Homeland Security Presidential Directive around HSPD-12, which
is smart cards, the issuance of these smart cards across the
board. What we have been able to do in this year alone, we have
seen a 60-plus percent rise in the issuance of these smart
cards because we focused on it. We have had these
accountability sessions that we call text ed sessions----
Ms. Watson. Now, the smart card you are talking about, who
has that card? How is it distributed? Where is it and where is
it given?
Mr. Kundra. The way these smart cards work, they are
actually designed to be able to be given to Federal employees
and contractors who work on Government systems. And part of
what we are trying to do now is that the issuance of these
cards has moved forward. In the Department of Defense, for
example, these cards are used to actually log into some of the
systems. And what we are trying to do is make sure that across
the Federal Government--here is one of these smart cards----
Ms. Watson. Wait a minute. Do you have a fingerprint on
that and a mug shot?
Mr. Kundra. As well as a photograph, there is a chip, there
are a couple of bar codes and there is some imagery.
Ms. Watson. I mean, can someone really hack in and change
that and steal your identity through those?
Mr. Kundra. And that is why these smart cards are very,
very important, because one of the challenges we also face is
making sure that the very people who are accessing our systems,
we know who they are, we know when they are logging into the
systems, we know what information they are getting access to.
So this initiative is successful. Now what we need to do is
sort of the second part of this, which is hard work on making
sure that every single agency across the Federal Government is
not just issuing these cards, but actually making sure that the
systems are configured to be able to use these cards.
DOD has done a good job in this area. A number of other
agencies have moved forward in making sure they are integrating
them. But the vision here is to also make sure that we are
using these smart cards for physical access, which is getting
in and out of buildings, and logical access, which is getting
in and out of systems across the Federal Government.
Ms. Watson. And using these cards and the information that
we have, what bothers me is that we still have a barrier in
communicating. You know, I am still wrapped up in what happened
on Christmas Day and why our Secretary did not know that there
was someone getting on a plane in another country, entering our
airspace and being a tremendous threat. Thank God they caught
him, but what happens there? Why isn't that information
communicated?
Mr. Kundra. Part of what is also happening within
information sharing environment is making sure that across the
board, across Federal systems that they are configured not just
to share information from a technical perspective, but also
from a management perspective, recognizing that this is not
necessarily a technical problem; recognizing what are the
important things that we need to focus on, what is the
information that is vital, and how do we simply so we recognize
as we see these threats.
What is really interesting from a security perspective, as
John testified, from the State Department's perspective, how
they are able to look at certain--create certain grades across
the different embassies and figure out where are they secure
versus where are they not secure so they can focus their
attention, their energy, and finite resources on the highest
priority problems. The only way we are going to be able to
attack cybersecurity is by focusing--sort of the 80/20 rule,
focusing on 80 percent of the problems that we recognize are
confronting us today as we think long-term about how do we get
to 100 percent.
The challenge we have is that our adversaries are
constantly evolving. The threat is a real-time threat and we
are constantly seeing the threat vectors change over time. That
is why, when we think about our research and development
agenda, it is vital, as we look at our R&D agenda, to make sure
that we are making investments that are going to yield
dividends down the line to shift the advantage so that the
defender has a greater opportunity rather than the attacker,
because the attacker has to get it right once.
Ms. Watson. I am going to yield now to the ranking member,
Mr. Bilbray.
Mr. Bilbray. Thank you, Madam Chair.
Mr. Kundra, while I have you before us, there is something
that just sort of came up, and that is this issue of
information sharing, whatever. I am sure you read the 9/11
Commission report about the firewalls that created the
opportunity for people to actually move within the United
States, and though information was available with one
department, the other department didn't have any access in it;
and that was actually probably more statutory than it was a
problem of the incapability of systems.
You are aware of the 9/11?
Mr. Kundra. Yes, sir.
Mr. Bilbray. OK. Because one of the things that really
ought to be a lesson for us on this, as we bring this up, Madam
Chair, is a member of the 9/11 terrorists--not the 9/11
terrorists, but the D.C. sniper, where you had a fingerprint
that was detected at a murder site in Alabama. Except for one
little incident we never would have been able to catch this
individual because even though we had all of his fingerprints,
but the fact that one department was not allowed to have access
into another department, we had those firewalls, and it is
something the 9/11 really said we needed to point to. And I
just tell you that. Luckily, the 9/11 terrorists had committed
a misdemeanor which allowed his immigration fingerprints and
biometrics to be brought over to the FBI, so then when the
Alabama officer asked to check the fingerprints, we were able
to have access.
The question is this: How many crimes and stuff are going
on right now because not just Homeland Security isn't sharing
it, but a lot of other agencies may have information and data
that can't be shared now? I just ask you to take a look at
that. 9/11 has said it. We haven't done enough about that. But
information sharing and tearing down those firewalls are
something we haven't done enough of, and I ask you to look at
that.
The other question is again--and we brought it up, and
maybe it is overplayed and whatever, and that is the securing
of not only through different systems, but the biometrics are
one thing we can talk about.
One of the things that we had a hearing today about is
legislation about telecommuting and this issue of computers
being able to be accessed through the internet. Can you talk to
me about the challenges you see there, like what happened to
Snowmageddon here, when we started having people working at
home during that period but using the Internet to access? We
basically have to say there are certain people that just cannot
be allowed to work over the Internet in this issue. Comments?
Let me just open it up.
Mr. Kundra. Sure. A part of what we want to be able to do
in the broader context of deploying technology is make sure
that, on the one hand, we are leveraging innovation; whether
that is mobile technology in terms of cell phones and PDAs that
allow you to have access to real-time information or
telecommuting, for that matter. And as we think about the
Federal Government and where we are headed, whether the
investments we are making in cloud computing or the shift
toward where we want to be able to attract the best and
brightest people across the country, is recognizing that there
are inherent risks, but at the same time addressing and
confronting those risks.
So if we look at telecommuting, for example, GSA had
significant number of employees who were telecommuting. The
Patent and Trademark Office, on a regular basis, has a
significant number of employees telecommuting. So does the GAO,
which is one of the leaders of the Government in terms of
telecommuting.
But what we need to be able to do is make sure, like with
the smart card, being able to authenticate people across those
systems; and these artificial boundaries that we had before in
the Federal Government, where we believed you could build a
citadel and walls around a system, in the new computing
paradigm, unfortunately, security is going to have to be baked
in at the data element layer, protecting every piece of data.
And part of what CIOs and Chief Information Security Officers
across the Federal Government are dealing with is figuring out
how do we, on the one hand, leverage these technologies and, on
the other hand, make sure that we are providing the appropriate
security controls.
And I am sure Gus and John can comment on this too, given
that they have missions that are not necessarily just within
the United States, but all over the world, and addressing
security in the global context.
Mr. Bilbray. Comments, gentlemen?
Mr. Guissanie. Yes, sir. That is a very interesting
example. The issue with telecommuting back into an
organization's information system is if you are using, for
instance, a DOD laptop and you take that home and you use your
broadband connection to come back into DOD, we can do that
securely; we can establish a secure link using your broadband
connection. We trust the computer you have because we gave it
to you, and that makes it fairly safe for you to essentially
work from home. The trouble we have is people don't always have
the resources to provide the laptop. In many places in DOD the
laptop has become the desktop, so it is pretty easy to use;
other places they haven't.
The problem with using the home computer, which lots of
folks advocate--why can't they just telecommute from their home
computer--is the home computer probably isn't very secure.
Somebody has been out on the internet doing things and visiting
various sites and they have picked up viruses and malware, and
now they turn around and try to get into the Department's
information system and I have a problem.
So we have been looking at virtualization technology in the
Department for a way to kind of get around that problem, and
that essentially means establishing a little virtual
environment that is safe and secure on a platform like your
home computer that is isolated from the bad kind of malware
that might be on that computer.
So in preparation for the pandemic that we all anticipated
we might encounter this year, the Department looked at how to
do that on a widespread basis. So we came up with a CD-ROM that
we called a boot disc, and it contained a mini operating system
and it would work on both an Apple computer and a Microsoft-
based computer, and you could take it home and it would load up
onto the RAM and create its own little virtual environment, and
it could only go to one place. It would understand what network
it was supposed to connect to. It would allow me to securely
authenticate with my smart card into the network and then you
could essentially run it just off remote desktop, just like it
was on your office computer. When you were finished, nothing
was left, no residue was left on the home computer, so there is
nothing sensitive there for anybody to find, and because you
created that virtual environment, there wasn't any way that
somebody who was sitting on that computer that shouldn't be
could get into the Department.
So we didn't have a pandemic, but those discs were used, I
understand, quite extensively during Snowmageddon, and we had
quite a success in people being able to telecommute because
they had the disc sitting there.
Mr. Bilbray. I am glad to hear that. What I worry about
when we talk about the smart card, I look at the Pentagon and
worry that we are using the same pass card, access card that we
did in 9/11, with no biometric confirmation. Are we looking at
the smart card utilizing biometric confirmation so not just
somebody with the card, but somebody with the right biometrics?
In other words, when you steal the card, you better steal the
index finger too, right?
Mr. Guissanie. Yes, sir. Currently, the smart cards we have
are two-factor authentication: the smart card itself, which has
some things in it, and then there is a PIN that you have to
know to make that work. The three-factor authentication would
be something you are, for instance, a thumb print. So we have
been looking at that. Currently, the cost and the technology is
a little bit prohibitive to make that work when I have to issue
4 million cards out, but we are approaching that. So that way
it is the PIN, your thumb print makes it active, they know it
is you, and then the technology, the cryptography on the card
allows that to establish a secure connection.
Mr. Bilbray. Do you realize since 1978 the California
driver's license has had the ability to use biometric
confirmation?
Mr. Guissanie. No, sir, I was not aware of that.
Mr. Bilbray. That is why every time we go in to get our
license renewed, they get one more fingerprint on us.
Thank you very much, Madam Chair.
Ms. Watson. Yes. I would like to go to Mr. Streufert now
and ask about your risk scoring program. Can you summarize for
us the key technical administrative and physical controls or
elements of this program that have enabled State to have such a
significant reduction in its cyber risk profile? I am very
concerned about the decentralized nature of our embassies,
our bureaus, and our consulates. How is State able to manage
the implementation of the FISMA security requirements? So if
you could kind of expand on that.
Mr. Streufert. Yes, Madam Chairwoman. We use the scanners
that we have had available for a number of years to turn out
the three-ring binder reports for the Federal Information
Security Management Act and we decided that the frequency of
doing those reports every 3 years was just not enough for us,
along the lines of my testimony that our number of malicious
code attacks has increased by 47 percent. So we set about a
task of trying to increase that frequency and we found that we
could physically go in and collect the things instead of once
every 3 years, we could collect it every 15 days.
And on another set of factors, eight of them, we could
actually do not less than every 36 hours to the far reaches of
the planet, let's say to Colonia, the capital of Micronesia,
where you were the Ambassador. So by collecting that
information--and I checked again this morning--we can find any
particular problem on any of the workstations in the embassy
that you used to watch and total up what is the average risk
for each of those personal computer devices and the server
which helps the operations of the embassy. And we can duplicate
that across all 260 embassies and our some 100 locations in the
domestic United States.
So that information comes back to a central point and we
are able to not only assess the risk for each location and how
they stack up against their counterparts, but also look at
trends. So when the recent attack that occurred, the so-called
Google virus, we knew where that was in our organization and we
charged 40 points the first week when that wasn't taken care
of, and the second week we charged 80 points for it, the third
week we did 120, the following week we did 160. You can see the
trend.
We are now up to 320 negative points for not getting on top
and fixing that virus as fast as we should. And we can tell you
across our entire organization where it has been done and not
done, and after a point, if they don't take care of business,
it turns like elementary school into a C, D, or F, and that
report goes to the Ambassador, the assistant secretary, and
that calls for a little closer inspection on the part of the
people that do security in our Department.
Ms. Watson. Well, are we training our consular officers up
on all of this? Because my concern, when we put Homeland
Security together, you know, 750,000 employees under this
umbrella, and I felt that the consular corps should not go
underneath it; it should stand alone in the State Department,
because they have a very specialized set of skills. So I am
wondering how is it working out under Homeland Security and
that particular set of skills. I mean, are you training up your
consular officers out in the embassies?
Mr. Streufert. Well, we try. The functions that I am most
familiar with are the information systems support for software
applications that might help in the managing of passports and
visas. Everyone in the organization, no matter what embassy
they are, have access to these reports and what their progress
is, and we ran statistical reports on whether it was a large
embassy or a small one like Colonia, and we found that really
the most important factor was to get the critical security
information in the hands of the people that could make a
difference.
So for those that work directly for the Department of
State, we are able to find out what the situation is, and we
have not in fact had serious training problems. In fact, what
we found is that this system uses the time more efficiently of
our security professionals. So whereas we used to have about 60
people who wrote certification and accreditation reports, by
the time we implemented this system, we estimate that there are
4,135 people with significant security responsibilities that
are protecting our infrastructure.
Now, I have to say that at the moment we are concentrating
on servers and personal computers. There are many aspects of
the Consensus Audit Guidelines that we have not yet reached,
like our routers and firewalls and some of those other items.
So the State Department has a beginning on this, but I won't
say that there aren't quite a few things that we yet need to
work on.
Ms. Watson. I am really pleased that we are having this
hearing today, and I want Mr. Bilbray to really know that we
are trying to improve on our cyber management, and I am pleased
to hear what the State Department is doing, because I do know
that out there in these remote embassies you don't necessarily
get updated on what is available to you, and the training is
not always available to these people. And I thought, oh, my
goodness, putting them under Homeland Security will just
complicate. So I am glad you are aware and that you are
actually doing something about it.
Let me go very quickly to Mr. Greg Wilshusen. Your
testimony states that for fiscal year 2009, 36 percent of all
cyber incidents reported to US-CERT at DHS are still under
investigation. Can you summarize what the largest categories of
incidents reported were and what the statistics tell us about
future or emerging threats?
Mr. Wilshusen. Yes, I would be glad to. Based upon our
analysis of the information that agencies are required to
report to the US-CERT, this year, for fiscal year 2009, the
number of incidents increased tremendously, from about 16,800
in fiscal year 2008 to just about 30,000 for fiscal year 2009.
Of those, four key categories of these incidents include
unauthorized access in which an individual was able to gain
unauthorized access to information or to a system; improper
usage, that is when the acceptable use policies of that system
or network were inappropriately used; and malicious code, and
that is a key one, too.
That comprised about 23 percent of all of the
incidents and events reported to US-CERT, and that is when a
Trojan or malicious software was actually installed on a
computer. And then the biggest area had to do with those
incidents that are still under investigation, and those are
ones in which it is suspected that an incident or an event has
occurred, but the extent of it or the character of that
incident had not yet been fully determined. So agencies were
required to go ahead and report that and they are still under
investigation by those agencies.
Ms. Watson. OK, I would like now to ask our ranking member
if he has a question.
Mr. Bilbray. Yes. I just want to make sure that I don't
pass the representative from the State Department. You know, we
talk about a lot of things, but I think one of the great
successes is the VISIT system. Huge data acquired. I mean, it
is astonishing how much data has gone through there. If
publicly you can talk about it, have we had any problems with
unauthorized access into that system as being a major problem,
or have we had a major problem with people being able to access
that information when you needed it?
Mr. Streufert. Well, of course, the information that we
draw upon to protect the borders comes from a combination of
systems, including those that originate from the consular
officers and our embassies and consulates and domestic
locations, and that information is----
Mr. Bilbray. Let me interrupt you and just tell you, as
somebody who crosses the border probably more than most would
prefer and coming in port of entries, the system from the
immigrant's point of view is absolutely fantastic.
In fact, I really think, Madam Chair, we ought to be
talking about allowing Americans to voluntarily go into that
system of using the biometrics, whatever, because you have
American citizens lining up, waiting to be interviewed, but you
have a great system where foreign nationals, because they are
pre-cleared, the biometrics are there, they whip right through.
So I just have to tell you, from observation, it really
seems to be very much appreciated by the foreign nationals.
Mr. Streufert. Thank you, sir. Of course, we endeavor to
make it as customer-friendly as we possibly can balanced
against the security needs of protecting the border. The US-
VISIT system is one that is actually hosted and managed by one
of the elements of the Department of Homeland Security. But to
your specific point, there are data exchanges between the
Department of Homeland Security and the State Department, and
one of the things that we try to do is to make sure that all of
the systems that maintain our part of that potential handoff to
Homeland Security are as well protected as possible.
Mr. Bilbray. Because if you don't do it right, when they
fly into the airport, that system is going to have a problem.
Mr. Streufert. Exactly.
Mr. Bilbray. Thank you very much.
I yield back, Madam Chair.
Ms. Watson. Thank you.
I will yield to Mr. Luetkemeyer, if he might have
questions.
Mr. Luetkemeyer. Thank you, Madam Chair. I don't have any
questions at this time.
Ms. Watson. This is still our first panel.
Mr. Luetkemeyer. That is very good. Thank you.
Ms. Watson. Thank you.
All right, I want to thank all of the panelists. Thank you
for indulging us and waiting around and your patience. We
appreciate it. So we will not dismiss this panel and we will
call up panel No. 2. Thank you so very much for your testimony.
Panel No. 2. If you will stand, please. It is the policy of
the Committee on Oversight and Government Reform to swear in
all witnesses before they testify, and I would like to ask all
of you to stand and raise your right hands.
[Witnesses sworn.]
Ms. Watson. Let the record reflect that the witnesses
answered in the affirmative.
Now I will take a moment to introduce our distinguished
panelists. I would first like to start with Mr. Philip Bond,
who is the president of TechAmerica. Mr. Bond is also president
of the World Information Technology Services Alliance [WITSA],
a network of industry associations representing 70 high-tech
trade groups around the world. Previously, Mr. Bond served as
Under Secretary of the U.S. Department of Commerce for
Technology, and from 2002 to 2003 served concurrently as Chief
of Staff to the Commerce Secretary, Donald Evans.
Mr. Gilligan is the president of the Gilligan Group and
has, for over 25 years, been in managerial services in leading
large information technological organizations. Prior to joining
the private sector, Mr. Gilligan served as the Chief
Information Officer of both the U.S. Air Force and the
Department of Energy. He also serves as a member of several
boards and advisory groups, including Software Engineering
Institute and the Commission on Cybersecurity for the 44th
Presidency.
Mr. Alan Paller is the director of research at the SANS
Institute, where he is responsible for overseeing all research
programs. His work at SANS includes overseeing the Internet
Storm Center and an industry early-warning system, the
publication NewsBites, and participation in other collaborative
efforts to identify and mitigate new and emerging cyber
threats.
Mr. Christopher Fountain is the president and CEO of
SecureInfo Corp., which provides information assurance
solutions to both civilian and military customers across the
Government. He has a successful track record of leading and
growing companies, with over 22 years of experience in the
information technology industry field.
I welcome all of you and I ask that each one of our
witnesses now give a brief summary of their testimony and
please try and keep your summary under 5 minutes in duration,
if you can, because your complete written statement will be
included in the hearing record. So, Mr. Bond, would you please
proceed? And thank you for being here.
STATEMENTS OF PHILIP BOND, PRESIDENT, TECHAMERICA; JOHN
GILLIGAN, PRESIDENT, THE GILLIGAN GROUP, INC.; ALAN PALLER,
DIRECTOR OF RESEARCH, SANS INSTITUTE; AND CHRISTOPHER FOUNTAIN,
PRESIDENT AND CEO, SECUREINFO CORP.
STATEMENT OF PHILIP BOND
Mr. Bond. Thank you, Chairwoman Watson and Ranking Member
Bilbray. Thank you very much. I was privileged to testify
before you in 2007 on this subject, to say that it was time to
focus on results rather than compliance, and thrilled to hear
that is exactly the focus of your draft legislation. Two and a
half years after that, with some more consultation in the
meantime, we are very much looking forward to FISMA 2.0.
Today, I want to offer an updated version of the
recommendations I made 2-1/2 years ago, because we think they
are still pertinent. But first I want to acknowledge the new
era that we are in, unprecedented attention at the White House,
from Federal CIOs, and here on Capitol Hill; the White House,
of course, with the new Cybersecurity Coordinator. TechAmerica,
yesterday, released its 20th survey of Federal CIOs. Their No.
1 strategic issue: cybersecurity. And here on Capitol Hill,
more than 12 active cybersecurity bills under consideration
right now.
I am proud to say, on behalf of our members, the industry
has responded with companies coming forward with new solutions,
new technologies faster than ever before, and with their
clients addressing the needs to manage risk and enhance
collaboration with industry partners. Examples would be
Lockheed Martin's new Cyber Security Technology Alliance,
Microsoft's leadership in taking down the Waledac Botnet, and
the private sector's quick response on the Conficker worm,
exhibiting exactly the kind of nimbleness that they offer to
their partners in the Federal Government.
So we commend the Chair in taking this important step and
focusing again on actual security, not just compliance.
Let me mention the six reforms that we have updated and
think are still relevant.
One is to reform the agency information security approval
process, that is, the way they work with private sector
partners to make sure that it is as uniform as it can be.
Second, to remove barriers to innovation. This is what
Vivek Kundra referred to as the culture of compliance, which
makes a culture which is not welcoming to new approaches,
because if they can use a time-tested one and check the box,
that complies, but it doesn't necessarily embrace the new
innovative solutions.
Third, we would say increase accountability and authority
for the CIOs and Chief Information Security Officers, CISOs,
and to provide a forum where they can collaborate regularly.
Fourth, we agree with the need to enhance Federal cyber
risk management. You heard a great example from the State
Department. This would mean, by the way, more security
clearances for information security professionals, more
agencies with real-time access to some of the classified
information, because you don't know what you don't know.
Fifth, we need to harmonize and enhance the audit and
oversight methods used, thinking primarily of IGs here. You
need to make those processes as uniform as you can so that it
is not terribly different; and then, of course, that they are
informed on what is a very technical subject, as they are doing
their reviews.
Sixth, we would urge expanding Federal cyber response
capabilities, and that would mean codifying and improving the
standing of US-CERT and helping to pave the way for what we
think, from the industry side, is very important: co-located,
meaning working side-by-side, the best of the private sector
and the best in the public sector, to address this national
challenge.
In closing, I would just note that FISMA is now almost 8
years old. The reform has been in discussion for a number of
years. And while the ideal is always a comprehensive bill
addressing all aspects of cybersecurity, that can be a great
legislative challenge. So we would just observe and acknowledge
that we don't want the perfect to be the enemy of the good, and
if we get late in the session, we would urge that FISMA reform
not wait. And we believe, to use Mr. Bilbray's terminology,
with a little more perfection, the tiers bill would be great
progress. Thank you.
[The prepared statement of Mr. Bond follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you so much, Mr. Bond.
We will proceed to Mr. Gilligan.
STATEMENT OF JOHN GILLIGAN
Mr. Gilligan. Good afternoon, Chairwoman Watson and
Congressman Bilbray and members of the subcommittee. I would
like to thank you for this opportunity to address the committee
and congratulate you, Chairwoman Watson, for the Federal
Information Security Amendments Act of 2010. I believe it is an
important step in the Nation's efforts to provide the secure
and reliable information technology enterprise that we need.
Like many of you, I have a personal sense of urgency for
making dramatic improvements in cybersecurity in the Federal
Government. This sense of urgency is informed by the growing
threat to our way of life, resulting from fundamental
weaknesses in the computers and networks that have become the
foundation of our Nation's prosperity. I have watched over the
past decades as our cyber threat has grown steadily and the
pace of our ability to protect against these threats has
continued to be slowed by a lack of attention and, in many
cases, poorly focused efforts. I believe the subcommittee's
proposed legislation contains the key focus areas needed to
make rapid progress against the growing threat. Before I
describe these elements, I would like to characterize some of
the aspects of the current cybersecurity problem as background.
First, I would acknowledge that the Federal Information
Security Management Act of 2002 was a positive step in
improving Government security. The law established the
imperative for Federal managers to put strong emphasis on
cybersecurity and highlighted the need to use a risk-based
approach to identify and implement minimum security controls.
While the FISMA had many positive elements, the
implementation of FISMA has been less than fully effective. For
example, rather than focusing on minimum controls as required
by the law, OMB policy guidance to Federal agencies has been to
implement the entire catalog of controls, over 300 separate
controls, published by the National Institute of Standards and
Technology. This is not possible for any Government agency of
any size, and has resulted in a scattershot approach to
improving security.
Moreover, the strong desire to measure and to assign grades
to Federal agencies has resulted in placing emphasis on
characteristics that can be easily measured, rather than on
controls and activities that best reflect effective security.
As a result, in general, the required FISMA metrics were
manually generated, had little correlation to actual security,
and were costly to produce. In addition, the areas emphasized
in the metrics did not encourage investments or improvements
that would have long-lasting improvement and security, such as
improved use of automated controls.
Unfortunately, the implementation of FISMA has been like
getting on a treadmill as a means to get to a destination. A
treadmill is great if all you want is exercise, but it is not a
good way to reach a destination. To continue the metaphor, in
the implementation of FISMA, the Federal Government has
certainly burned a lot of calories, but we have a long way to go
before reaching our destination of dramatically improving
security of our Federal systems.
While total security is beyond our current reach for the
foreseeable future, there are many things that we can and
should do to dramatically reduce our vulnerability to attacks,
especially from those attackers who are relatively
unsophisticated. Studies have shown that the relatively
unsophisticated attacker group constitutes the majority of
current attacks, roughly 80 percent as assessed by the National
Security Agency. Unfortunately, our current cybersecurity
defense mechanisms in the Government today are so
fragmented and weak that a malicious individual with virtually
no computer skill can download a canned attack from the World
Wide Web and can cause significant harm to cyber systems.
Recent collaborative efforts among the Government and the
private sector have resulted in guidance for organizations to
help focus on the top security control areas and to make
effective use of automation. In essence, this effort is focused
on addressing the 80 percent problem of the cyber threat.
Specifically, a little over a year ago, a group of security
experts from the National Security Agency and other defense
organizations, the Department of Homeland Security, Department
of Justice, and the National Laboratories, along with
colleagues in the private sector, collaborated on the
identification of the most common attack patterns against cyber
systems. They subsequently identified corresponding security
controls along with automated means to implement these
controls. Automation is the only practical way to deal with
this complex problem.
The consensus effort among these security experts produced
a guideline entitled 20 Critical Controls for Effective Cyber
Defense: Consensus Audit Guidelines, and John Streufert
referred to them as Consensus Audit Guidelines. This document
describes the 20 most critical cyber attacks and the controls
that are needed to protect against these attacks. In effect,
these so-called 20 critical controls reflect the highest
priority security necessary to ensure a core foundation of
security for information technology infrastructure. During the
past 18 months, the U.S. Department of State has implemented
the 20 Critical Controls guideline and has achieved significant
progress in improving effectiveness of cybersecurity.
While the 20 Critical Controls are not intended to provide
absolute security, implementation of them has proven to
dramatically improve the ability of complex systems to
withstand the majority of attacks. Implementing good hygiene
security controls such as those identified in the 20 Critical
Controls or CAG has additional benefits beyond security.
Specifically, these benefits include reduced help desk calls,
improved operational availability and reduced----
Ms. Watson. Mr. Gilligan, can you conclude and we will hear
the other two witnesses? Because we do have your statement.
Mr. Gilligan. OK.
Ms. Watson. Thank you.
Mr. Gilligan. The key point here is that through this
focused approach you can actually improve security at reduced
cost, reduce operational cost, which is what, in my former CIO
parlance I call sort of a no-brainer for CIOs. The key
impediments to achieving that no-brainer implementation are
two: one is the need for clear policy guidance that actually
focuses on the right areas and, second, to address the cultural
resistance that must be overcome in order to be able to
implement effective controls at an enterprise level.
In closing, I would say, as I look at the proposed
legislation, I view it as addressing the right areas, and it will be an
effective means of helping us improve cybersecurity. Thank you.
[The prepared statement of Mr. Gilligan follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you so much.
Mr. Paller.
STATEMENT OF ALAN PALLER
Mr. Paller. Well, this is a good day in cybersecurity, so
thank you for inviting us. I wanted to tell you about something
separate from this that is going on in California this weekend
related to cybersecurity, and then we will do the other. The
Governator and Senator Feinstein announced in October something
called the California Cyber Challenge, which was an attempt to
find the very talented hackers who can be part of the defense.
Just last week the CNO, the Chief of Naval Operations,
announced that he was going to have five scholarships for the
kids, full scholarships, full ride for the kids who did best in
these competitions; and there is going to be an announcement
this weekend that there will also be, in honor of you, the
Watson Prize, which is for the kid who comes from Los Angeles
County who does best on the whole statewide competition; and
they said they would continue it as long as you were able to
give it. So I hope you will.
You heard a lot of testimony about what is wrong and where
we are going. I want to be very specific because you can't fix
this in the general case; you have to fix it in the specific
case. The law that was written probably wasn't a bad law, but
it had enough bad elements in it that it enabled four terrible
institutions to be created in its name. And what I mean by
terrible is that whatever you do in legislation, you want to
enable the defenders to be able to act at least as quickly as
the offense, because if you hobble them, then we just don't
have a chance. And the old law actually created four processes
that hobbled them, and we actually now have proof.
You heard Mr. Gilligan talk about these 20 Critical
Controls at NSA and DHS, who really know the attacks, said
those are the ones you have to have. We mapped them against
each of the four processes that were instituted in the
aftermath of FISMA and none of them look for it. Including the
FISCAM, which is the thing that the GAO and the IGs use. They
all look for things that were important 10 or 12 years ago and
miss the current attacks. So I don't need to take a lot of time
to say your bill really makes a difference.
I would be happy to answer your questions.
[The prepared statement of Mr. Paller follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you so much.
Mr. Fountain.
STATEMENT OF CHRISTOPHER FOUNTAIN
Mr. Fountain. Thank you, Chair Watson, Ranking Member
Bilbray, and members of the committee. First, I appreciate the
opportunity to address the committee and look forward to
answering questions at the conclusion.
I guess by way of background everybody has said repeatedly
that the threat landscape has changed, there are more threats
to our infrastructure than ever before, and that is occurring
at the same time that we are more interconnected than ever
before. So that is a given. So I would like to move quickly to
what is strong about the current FISMA legislation.
While I agree it needs to be improved--and I will talk
about the legislation under consideration specifically after my
comments about the current FISMA law--I think it is important
to recognize the strengths of FISMA and any effort to amend
FISMA not do away with things that have been quite effective.
First, the level of awareness has been dramatically increased
as a result of this legislation, and the 107th Congress is to
be commended for taking these steps well before the general
public had any awareness of what cyber even meant or what
cybersecurity was all about.
It also established a framework for accountability that is
a critical component today and established more strength behind
a security officer inside agencies. The most important point is
that it established a framework for developing and maintaining
guidance to be used by agencies in their effort to defend IT
assets, and that guidance was really handed for the civilian
government to the National Institute of Standards and
Technology. And I have to commend NIST for the great work that
they have done. The key point is NIST established a very
comprehensive framework and at the same time they have allowed
that framework to live. So the Consensus Audit Guidelines that
have been commented upon, those are mapped now to the latest
version of controls that are advocated or outlined in NIST
guidance under 853.
There is one quote that I would like to attribute to Ron
Ross, who is the doctor or the computer scientist at NIST who
oversees this effort. He says, ``There continues to be a notion
that FISMA is all about paperwork and compliance. Rather, FISMA
is about trying to improve the quality of information
security.'' And I think the important point here is that FISMA
is not about paperwork, it is about taking very deliberate,
well thought-out measures to provide for better defense.
Now, with those things said, there certainly are areas for
improvement, and I think the legislation under consideration
provides some very good foundations for that. And I don't
interpret the current legislation that is under consideration
as a wholesale rewrite of FISMA; I see that as an enhancement
to FISMA in its current form, which I again think is a good
thing.
First, the one thing about current FISMA is it does not
have real teeth. So the law today provides for reporting to
Congress and to GAO, but there are no real consequences for
failure to comply with FISMA. The legislation under
consideration provides for enhanced management and oversight
and provides for a statutory means of achieving that, which I
applaud in this legislation.
I do believe that the FISMA report card did lead to a
paperwork train, but that was the reporting element, not the
aspect of guidelines and standards that are robust and
comprehensive.
Also in the proposed legislation, the creation of a
National Office for Cyberspace is a very, very sound idea and a
very logical step forward, and I congratulate you on that move
and wish you luck in trying to move that through the
legislative process. As outlined in the draft, the legislation
does require or should require statutory authority in that
office and, in my view, I would suggest that the committee
consider placing that office within the Department of Homeland
Security. And I will comment more about why that is.
In the Department of Homeland Security, that office should
report to the President, to the Secretary of Homeland Security,
and to the Congress directly, because this should be a function
that cuts across all of Government and certainly is a
Presidential issue.
In my written testimony, there is a lot of detail about how
I would enhance the FISMA reporting to move it to a more
metrics-based environment, as Mr. Kundra had suggested earlier
this afternoon. I won't focus on that today. I would rather
focus on the statutory office of cybersecurity.
Why DHS? I know in the current draft it is advocated to put
that inside the White House. I would suggest at least
consideration for Department of Homeland Security because, in
my view, defending cyberspace is critical to defending the
homeland. They are so tightly intertwined. Every mission across
government requires reliable computers and networks to perform
their mission. And even beyond the boundaries of government,
the critical infrastructure that is managed by private sector
companies, they rely very heavily on information assets.
Currently within DHS there is established today an office
for Cyber Security and Communications, CS&C, and within CS&C is
the National Cyber Security Division. There is a high degree of
synergy between the mission sets in those organizations and the
mission for the proposed office of the National Office for
Cybersecurity.
I will read, just for reference, the NCSD mission, which is
the National Cyber Security Division mission. ``The National
Cyber Security Division works collaboratively with public,
private, and international entities to secure cyberspace and
America's cyber assets.'' By definition, they are working
across government or across, really, the private sector and the
government to some extent, although with the government it is
not their core focus today.
In my view, a National Office for Cyberspace working in
concert with CS&C would provide for a very robust mechanism and
set of processes to look across the entire technology landscape
in America, the Government as well as the private sector, and
all other elements of our infrastructure, academic and so on.
In summary, I think it is critical that there be
recognition that core elements of FISMA as it exists today are
very sound and it needs to be improved. I believe that the
legislation under consideration is timely and necessary. I
believe that the key to the new legislation is the statutory
authority being placed in this office that is being proposed
and that along with statutory authority there needs to be a
budget to allow that office to work effectively. And, again, in
terms of Department of Homeland Security, in my view,
protecting the homeland requires protection of our cyber
infrastructure, and that is why I, again, would ask you to
consider placing this function inside the Department of
Homeland Security.
I thank you for the opportunity to present my views.
[The prepared statement of Mr. Fountain follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you so much.
I am now going to defer to our ranking member for a final
question or comment.
Mr. Bilbray. Yes, a question for Mr. Fountain. What should
the role be from here forward of NIST?
Mr. Fountain. I think if you look at what NIST has done--
there are a couple of things about NIST that make it a real
special entity, in my view. And we don't do business with NIST.
I know what Ron Ross does because obviously what he does has a
big effect on the things we do for Government. They need to
play a very prominent role, in my view. They work very
collaboratively across not only Government, but I know there is
legislation under consideration in another committee in the
House to have NIST work with international partners on
establishing an international framework for cybersecurity,
because, again, cyber is not a U.S. issue; it is a global
issue, because everything is interconnected, it is not just
inside the United States.
And NIST has a track record of being collaborative. I know
they have worked and they are highly complimentary of the
Consensus Audit Guidelines. They do believe that more needs to
be done beyond that because addressing the top 20
vulnerabilities won't necessarily address every vulnerability,
and you want to have a framework that addresses the entire
landscape. But using the CAG, or the Consensus Audit Guideline
as a good first step is critical.
So, in my view, they should be prominent across this issue,
whether it is in the Office of National Cybersecurity or the
National Office for Cybersecurity or the current CS&C, and then
with international partners.
Mr. Bilbray. Thank you, Madam Chair.
Ms. Watson. I want to just end with this thought and then
ask you to follow up. What we are trying to do is to promote the
notion of harmonizing security frameworks across civilian and
national security systems, and lessons that you have learned in
business in and outside of Government we would like to know
about.
So if you could give us your further suggestions, and we
hope that they relate to the bill that I have out there. We
will welcome anything that you see will help us improve, and
remember we are looking globally, we are looking across all
agencies, and we want to improve our communication. As we
improve our cyberspace technology, we want to be able to have a
profile of how we can make it safe. So I invite all of you to
contribute. And remember this is an ongoing process; every day
there is a new development, a new technology. So whatever ideas
you have, we need them so we can put them into our base. And remember we
make policy, but that policy has to change to keep up with the
changing times.
So I want to thank all the witnesses and Members who
attended this hearing. Without objection, the committee will be
adjourned.
[Whereupon, at 4:56 p.m., the subcommittee was adjourned.]