[Senate Hearing 111-662]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 111-662
 
   MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER 
                                DEFENSE

=======================================================================


                                HEARING

                               before the

                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
                   INFORMATION, FEDERAL SERVICES, AND
                  INTERNATIONAL SECURITY SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                                 of the

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 29, 2009

                               __________

       Available via http://www.gpoaccess.gov/congress/index.html

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs




                  U.S. GOVERNMENT PRINTING OFFICE
53-852                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  


        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           JOHN McCAIN, Arizona
MARK PRYOR, Arkansas                 GEORGE V. VOINOVICH, Ohio
MARY L. LANDRIEU, Louisiana          JOHN ENSIGN, Nevada
CLAIRE McCASKILL, Missouri           LINDSEY GRAHAM, South Carolina
JON TESTER, Montana                  ROBERT F. BENNETT, Utah
ROLAND W. BURRIS, Illinois
PAUL G. KIRK, JR., Massachusetts

                  Michael L. Alexander, Staff Director
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
                  Trina Driessnack Tyrer, Chief Clerk
                                 ------                                

 SUBCOMMITTEE ON FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, 
              FEDERAL SERVICES, AND INTERNATIONAL SECURITY

                  THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan                 JOHN McCAIN, Arizona
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              GEORGE V. VOINOVICH, Ohio
CLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada
ROLAND W. BURRIS, Illinois

                    John Kilvington, Staff Director
                Erik Hopkins, Professional Staff Member
    Bryan Parker, Staff Director and General Counsel to the Minority
                   Deirdre G. Armstrong, Chief Clerk


                            C O N T E N T S

                                 ------                                
Opening statement:
                                                                   Page
    Senator Carper...............................................     1
Prepared statements:
    Senator Carper...............................................    31
    Senator McCain...............................................    34

                               WITNESSES
                       Thursday, October 29, 2009

Hon. Tom Davis, former U.S. Representative from the State of 
  Virginia.......................................................     4
Vivek Kundra, Federal Chief Information Officer, Administrator 
  for Electronic Government and Information Technology, U.S. 
  Office of Management and Budget................................    12
Gregory C. Wilshusen, Director, Information Technology Security 
  Issues, U.S. Government Accountability Office..................    14
John Streufert, Chief Information Security Officer, and Deputy 
  Chief Information Officer for Information Security, Bureau of 
  Information Resource Management, U.S. Department of State......    16

                     Alphabetical List of Witnesses

Davis, Hon. Tom:
    Testimony....................................................     4
    Prepared statement...........................................    36
Kundra, Vivek:
    Testimony....................................................    12
    Prepared statement...........................................    39
Streufert, John:
    Testimony....................................................    16
    Prepared statement...........................................    51
Wilshusen, Gregory C.:
    Testimony....................................................    14
    Prepared statement...........................................    45

                                APPENDIX

Questions and responses for the Record from:
    Mr. Kundra with attachments..................................    58
    Mr. Wilshusen................................................    84
    Mr. Streufert................................................    92
Charts (2) provided for the Record...............................    99


   MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER 
                                DEFENSE

                              ----------                              


                       THURSDAY, OCTOBER 29, 2009

                                 U.S. Senate,      
        Subcommittee on Federal Financial Management,      
              Government Information, Federal Services,    
                               and International Security  
                      of the Committee on Homeland Security
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:33 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Thomas R. 
Carper, Chairman of the Subcommittee, presiding.
    Present: Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Good afternoon, everyone, and especially 
good afternoon, Congressman Tom Davis, whose sister, niece, and 
nephews live in the State of Delaware. We are grateful to you 
for coming today and sharing with us your advice and counsel.
    The issue du jour is cyber warfare. It isn't science 
fiction. It is reality. Over the past few years, we have heard 
alarming reports that criminals, hackers, even foreign nations 
have deeply penetrated our government's most sensitive 
networks, including the offices of some of us right here in 
Congress.
    In fact, just last week, the Congressionally-established 
U.S.-China Economic and Security Review Commission reported 
that China is strategically developing offensive capabilities 
that could be used against us in a future military conflict. 
Further, there have been reports that some of the previously 
successful cyber attacks against agency networks may have left 
behind what is commonly known as a back door, essentially a 
technological means for the bad guys to get back into our 
networks without anyone ever knowing about it.
    These vulnerabilities could be used against us by those who 
might want to do us harm by stealing sensitive information 
stored on our military networks or by shutting down critical 
networks just when we need them the most. Imagine the 
terrifying scenario of a hacker creating uncertainty as to the 
validity of the data residing on the Federal Aviation 
Administration's (FAA) air traffic control systems. That is 
exactly the kind of scenario I hope our hearing today prevents.
    But the threat of a cyber attack isn't something new. In 
fact, in 2002, Congress passed what is known as the Federal 
Information Security Management Act (FISMA), to help prevent 
many of the problems that we are going to be discussing today. 
That legislation brought greater attention to the issue of 
cyber security and it helped to establish greater 
accountability within agencies. Overall, I think we would agree 
that it is a step in the right direction.
    However, some 7 years after the passage of FISMA and 
approximately $40 billion later, I am troubled to learn that 
the Office of Management and Budget (OMB) does not track how 
much agencies spend on cyber security, nor does the agency 
measure those expenditures and whether those expenditures 
actually resulted in improved security. Even more troubling, 
agencies may be constrained from implementing the most basic 
cyber security best practice because of inflexible 
requirements.
    Now, allow me to put this into perspective. Federal 
agencies have spent more on cyber security than the entire 
gross domestic product of North Korea, who some have speculated 
is maybe involved with some of those cyber attacks. That is 
unacceptable.
    Some of the problems with FISMA implementation are a direct 
result of OMB's decisions over the years, while others are due 
to agency neglect. Still other problems lay at the feet of 
those of us here on Capitol Hill. In essence, there is blame 
enough to go around for all.
    However, at today's hearing, we have an opportunity to 
discuss some concrete ways to correct some of those wrongs, and 
that is what we are going to do.
    For example, one wasteful and ineffective area that OMB and 
agencies can target is what is known as the ``certification and 
accreditation'' process. The certification and accreditation 
process is essentially a process whereby agencies evaluate 
every 3 years what defense security protections are in place to 
prevent attacks on their systems. The process costs taxpayers 
about $1.3 billion--that is billion with a ``b''--every year, 
and it produces a good deal of paperwork that ends up stored in 
binders in some clutter-filled rooms. In fact, those rooms look 
a lot like this one. In fact, that is one of them. There are, I 
think, others that look like it.
    But we can see 3 years' worth of reports from the 
Department of State, just one department, which cost them a 
total of $38 million. These reports would be worth the price 
tag if the tactics that hackers used were as static as the 
words typed on a piece of paper. But hackers change how they 
attack us daily and their numbers, unfortunately, continue to 
grow.
    And yet it seems like OMB thinks that a snapshot of agency 
preparedness every 3 years will somehow defend our critical 
networks. But instead, billions of dollars are spent every year 
on ineffective and useless reports, similar to the chart 
pictured here.\1\ Meanwhile, we continue to get attacked.
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 99.
---------------------------------------------------------------------------
    However, testifying today will be a representative from the 
Department of State on our second panel who saw an opportunity 
to spend his agency's cyber security budget more wisely. 
Instead of spending money on ineffective paper-based reports, 
the State Department decided to focus on developing a system 
that monitored their global networks on a continuing basis.
    If you take a look at the second chart that has just been 
put up,\1\ we can see the results of the hard work at the 
Department of State. According to that Department, they were 
able to reduce the amount of risk to their agency by 90 percent 
in a single year. I am told that this was achieved by 
developing a system that makes sense, uses effective metrics, 
and holds people accountable. In essence, the Department of 
State can prove that they have better security at a fraction of 
the cost that they were previously paying.
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
    So as we progress through this hearing, I would like our 
witnesses to keep in mind that moving to a model more like the 
one at the Department of State requires no new legislation, 
costs less than or the same as the current paperwork-laden 
method, and will better protect our country. That is the kind 
of cyber security that makes sense to me, and I suspect that is 
the kind of cyber security that would make sense to most people 
in this country.
    In fact, my colleagues and I introduced a bill last 
session, and we have introduced it again this year, which would 
require all agencies to move to a proactive approach like the 
one that the Department of State has taken.
    In addition to requiring continuous monitoring of security 
controls and putting a strengthened Chief Information Security 
Officer in each agency, our bill would enhance the role of the 
Department of Homeland Security in cyber security. The 
Department would share information with agencies on where cyber 
attacks have been successful so that they can better prioritize 
their security enhancements.
    Further, our bill would require agencies to use their 
enormous purchasing power to persuade vendors to develop and 
sell more secure IT products and services in the first place.
    Again, our thanks to each of our witnesses. We certainly 
look forward to what you have to say, share with us, and to 
responding to our questions.
    We will be joined as the afternoon goes on by others on our 
Subcommittee, but rather than sit here waiting for them for 
hours, we are going to dive right in with our first panel. As I 
telegraphed earlier, we will receive our testimony from former 
Congressman Tom Davis, who represented, I think, a 
Congressional district in the Northern part of Virginia, a 
State where I grew up. His service in the U.S. House of 
Representatives--how many terms did you serve there?
    Mr. Davis. Seven.
    Senator Carper. Seven terms. Did it seem like eight?
    Mr. Davis. It seemed like 20 at the end. [Laughter.]
    Senator Carper. Congressman Davis was the principal author 
of a number of pieces of legislation, but he was also the 
principal author of the Federal Information Security Management 
Act of 2002, lovingly called FISMA, which is the subject that 
we are going to be discussing here today.
    He also held numerous oversight hearings on the 
implementation of FISMA and is considered an expert on the 
issue. I would like for the record to show that my name and the 
word ``expert'' have almost never been used in the same 
sentence. [Laughter.]
    We are pleased to have Mr. Davis with us, who is certainly 
an expert on this issue and very knowledgeable about a bunch of 
other things. It is a real pleasure to work with him. We are 
trying to make some progress on, among other issues, figuring 
out a path forward for the U.S. Postal Service.
    But I understand that we will hear where you believe 
improvements can be made with the agency implementation and 
perhaps with the language itself, so we thank you for your 
previous service to our country and for your willingness to be 
of service again here today.
    You are recognized to proceed for the next half hour--no, I 
will ask you to keep it fairly close to 5 minutes, but if you 
run a little over that, it is not going to trouble anybody too 
much. So thanks so much for coming, and your entire statement 
will be made part of the record.

TESTIMONY OF HON. TOM DAVIS,\1\ FORMER U.S. REPRESENTATIVE FROM 
                     THE STATE OF VIRGINIA

    Mr. Davis. Thank you, Chairman Carper. I really appreciate 
your efforts to improve information security and I am grateful 
for the opportunity to testify here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Davis appears in the Appendix on 
page 36.
---------------------------------------------------------------------------
    For 14 years, I represented the 11th District of Virginia, 
the home of the Internet. I would note for the record that I 
retired undefeated and unindicted.
    Senator Carper. That is quite an accomplishment. 
[Laughter.]
    Mr. Davis. I was also honored to serve as a member of the 
House Committee on Oversight and Government Reform, first as 
the chairman of the District of Columbia Subcommittee, the 
least sought after Subcommittee chairmanship in the House, then 
as chairman of the Technology and Procurement Policy 
Subcommittee, then 4 years as chairman and my last 2 years as 
the ranking member. My Congressional service coincided with the 
proliferation of the Internet and the explosion of new 
capabilities that came along for both the public and the 
private sector.
    It was clear the revolution in interconnectivity had the 
potential to fundamentally change governmental operations and 
service delivery. However, it also created a new form of 
vulnerability, one in which traditional protections of 
geographic distance and physical strength were irrelevant.
    For these reasons, I made information technology management 
and security a focus of my work in Congress. Federal agencies 
needed to take this threat seriously and ensure proper 
procedures and tools were in place to protect information 
systems. Similarly, Congress needed a clear picture of the 
information security posture of the Federal Government in order 
to conduct effective oversight.
    FISMA, which I championed in 2000 and 2002 and which had 
the concurrence from this Committee, was intended to help 
provide such a framework. FISMA required Federal agencies under 
the direction of the Office of Management and Budget to create 
a comprehensive risk-based approach to information security 
management. It further requires annual IT security reviews, 
reporting, and remediation planning at Federal agencies. These 
requirements were based on best practices, and in addition to 
safeguarding information were intended to make security 
management an integral part of an agency's operation.
    At the time FISMA was enacted, no coordinated priority 
existed to address the threat of cyber attacks. Technology was 
evolving rapidly. Rather than taking a prescriptive approach, 
we believed agencies needed to walk before they could run, and 
putting procedures and protocols in place was an important 
first step in protecting government's critical infrastructure.
    Since its enactment, FISMA has undoubtedly served to 
elevate the importance of information management and 
information security in government, and I am proud of the 
progress we have made. That said, there is room for updates and 
improvement, and your legislation, I think, is a very positive 
step in that direction. It is time to really take FISMA to the 
next level.
    While I believe the requirements listed in FISMA would be 
components of any sound information security plan, the need at 
present is to operationalize its implementation. This would 
involve tools such as Red Team penetration tests. It would also 
require appropriate performance measures, such as the time 
between a penetration and detection, the time to deploy a 
security patch once it has been released, and the time to 
complete a root cause analysis when a security breach does 
occur. I am pleased your language references both penetration 
tests and performance measures.
    Three other key ingredients: Responsibility, Authority, and 
Accountability.
    Chief Information Security Officers (CISOs) may be 
responsible for overall information security planning, but they 
can't be just the bad men when things go wrong. Responsibility 
for an information security program permeates an organization, 
from the head of the agency to every employee. Most of the 
security breaches that have grabbed headlines in recent years 
aren't the result of some evil cyber genius but Federal 
employees failing to adhere to basic security protocols--a lost 
laptop, a stolen Blackberry, computers never returned when an 
employee leaves an agency. These can result in the personal 
information of untold thousands being put at risk.
    CISOs might have to come up with the protocols, but the 
rank and file have to adhere to them. As Congress looks at 
information security issues, it might be wise to consider 
uniform procedures, training, and penalties to reduce theft, 
loss, or other adverse events. I might add, in the private 
sector, training is very critical in these areas and it is 
drummed into employees at every level.
    Your language gives CISOs authority to develop, 
implement, and enforce security measures. That is important. 
There also have to be consequences, good and bad, for failures 
and successes. That is one aspect of the accountability 
component. The private sector provides some models. For 
example, the payment card industry mandates compliance with 
standards set by the PCI Security Standards Council. Failure to 
adhere to these standards results in a business losing the 
ability to conduct transactions with payment cards. Now, that 
exact example isn't going to fit the Federal system, but we 
need carrots and we need sticks that promote compliance and 
punish negligence.
    Another aspect of accountability deals with funding. 
Federal Government spending has risen sharply in recent years, 
but to what end? We have to link performance in this specific 
instance, performance of information security products and 
services, with spending decisions. Simply asking for more or 
providing more isn't going to fix the problem, nor is it going 
to serve the interest of the American people.
    In closing, I would like to reiterate my appreciation for 
the work you are doing on information security. The information 
age is indeed a strange new world in which a mischievous 
teenager could be just as dangerous as a terrorist organization 
or malevolent government. I am committed to helping however I 
can to make sure our Federal systems are up to the task and 
that our oversight mechanisms are commensurate to the need, and 
I think your legislation is a good step forward. Thank you.
    Senator Carper. Thank you very much, Congressman.
    I don't know if you have ever done this, but one of the 
things I have done for a number of years as a new Senator here, 
whenever it is one of my colleagues' birthdays, I actually call 
them on the phone if we are not in session and just wish them a 
happy birthday, track them down wherever they are, around the 
country or really around the world. Those are calls that I 
enjoy, and I think my colleagues do. I do the same thing with 
members of my staff, former members of my staff and just family 
and friends.
    I don't know if this is true, but it is in my briefing 
notes so it must be true--but I am told that today happens to 
be the birthday of the Internet, and I was thinking about maybe 
just sending an e-mail out and seeing how well it can get 
around and cover as much of the Internet as we could---- 
[Laughter.]
    But I understand that 40 years ago, I'm told, in 1969, the 
first message was sent out on the Internet, and I understand 
that the message also ended up crashing the Internet. 
[Laughter.]
    So today's hearing is timely.
    I would just ask, Congressman Davis, as one of the 
principal authors and Congressional overseers of the FISMA 
legislation, you know all too well that there have been some 
successes and some challenges since its adoption. For example, 
it seems that OMB has historically focused on agency compliance 
rather than on agency outcomes. And I must say, we are real 
good at focusing on process and compliance rather than 
outcomes.
    Arne Duncan was just in Delaware, the Secretary of 
Education, and he spent a fair amount of time at the University 
of Delaware 2 days ago talking about the need for us in 
education to focus not on process, but on outcomes. It turns 
out that is not just in education, but it is in this regard, as 
well.
    Could you take a few minutes maybe and explain to us where 
you think there are opportunities to improve agency cyber 
security? It seems like the sophistication of the attacks 
dramatically evolves every year. We just met with an agency 
head in the current Administration who shared with us just how 
many cyber attacks are occurring every day on his agency, on 
the agency that he leads. It is alarming. But this training has 
led to a huge increase in the number of reported breaches by 
agencies.
    As you know, I have been trying to lead the effort to 
reform FISMA and really strengthen it to make it the 
legislation that I think you, as its principal author, hoped it 
would be so that agencies focus their limited resources on 
improving security rather than just producing the kind of 
paperwork that we see over here to my right.
    Some of the improvements that we have been suggesting, such 
as continuous monitoring, seem like they make a lot of sense, 
and the best part of this idea is that it doesn't require a 
bill to be passed by Congress. However, the previous 
Administration didn't seem all that interested in making any 
changes to the current reporting structure, at least not during 
their final year. I think they just said, we will let the new 
folks take care of that.
    So that is a big way of leading me to this question, and I 
would just ask, Congressman Davis, what are your thoughts on 
this idea, and are there other opportunities that either us on 
this Committee, Subcommittee, or the Administration should be 
looking into?
    Mr. Davis. Well, thank you. That is a pretty broad range, 
but let me take a stab. Let me note first that in your second 
panel, you look at the State Department and what they have 
done. This is an agency that has paid careful attention to not 
just compliance, but also operationally what to do, and I think 
you are going to get some glimpse of some of the things that 
can be done across other agencies when they give it the 
appropriate attention.
    You know, it is hard to legislate priorities. It has really 
got to come from the Executive Branch, because our managers 
have so many different things to do, so many boxes to check, 
that at the end of the day, they make everything a priority and 
nothing becomes a priority. And that is one of the 
difficulties. This legislation will help, but if an 
administration or an agency head doesn't buy into this, it is 
difficult to make it really as operational as we would like it. 
Anybody can check a box. That is not hard to do. But making 
this a priority--and you will hear in the next panel, I think, 
some good ideas on this.
    You can't just involve the heads of the agencies or the 
CISOs, as I have noted before. You need to get a buy-in at all 
levels. This has to be part of what every employee does. It has 
to be drilled into them through training. They have to 
understand, anybody that deals with any entry point, any secure 
network, that they have to really be on top of that 24 hours a 
day.
    A lot of our problems result from just plain negligence, 
people that didn't take this seriously. It wasn't drilled into 
them as part of their jobs. It means everybody has to be 
trained, that really, our whole systems are vulnerable at our 
weakest point, and our weakest point is any entry point, and 
frankly, any employee.
    I like the certification process you talk about in this 
bill. I like the idea that using the purchasing power of the 
government to not just drive down costs, but you can get a 
congruity of products that way. One of the difficulties in 
government is we are so stovepiped. We have agencies even 
within agencies that aren't talking with each other. I think 
using that purchasing power, maybe allowing the Group 70 
Schedule in GSA to be utilized by States and locals--well, not 
just Group 70, the schedules for any cyber products to be 
included in that could be helpful in getting the same kind of 
products that everybody is using appropriately certified. There 
is just a lot of room here if we will make it a priority, and I 
think you have included some of those in the bill.
    Finally, the carrots and sticks are tough in government. 
How do you reward? How do you punish the people that aren't 
doing this? You can always do it through bonuses and you can do 
it through promotions and those kind of things, but that has to 
come from management. It has to come from a buy-in from the 
top.
    And you are right. We banged our head in the previous 
Administration trying to take this to a different level and get 
their interest in it. But what so often happens with 
administrations, they have so many different things to do and 
different agency heads, that without a lot of additional money, 
this doesn't become the priority. They want to make sure that 
they are advancing their mission and they will take a chance of 
a cyber attack hoping it doesn't occur on their watch and spend 
the money in other areas.
    Senator Carper. I appreciate the kind words you have had to 
say about the legislation we have reintroduced this year. If 
you were on this side of the dais, where you sat for many 
years, and had an opportunity to contribute to the legislation, 
to amend it, to make better what we have introduced, any 
thoughts of what you would do, or what you would have us do, to 
strengthen it further?
    Mr. Davis. I alluded to one part in my testimony and that 
is the fact that we are losing a lot of information and a lot 
of secure information just by employees and contractors 
mishandling this information, taking computers home. In the 
case of the Veterans Administration, the employee that took 
this home that had his computer stolen, it wasn't even 
encrypted. We have now changed that through protocols.
    But we are still--we have lost Census information, we have 
lost hand-helds. We have people leaving with their computers 
from government and sensitive information and nobody has 
bothered to get it back. I think writing that into law would be 
very helpful in terms of those kind of protections and making 
sure that at least we are not being careless about this. If we 
are going to get penetrated and hit, make them earn it. Don't 
make it easy. And I think sometimes, as I said, any careless 
employee can lose confidential information if it is not handled 
right. I think that ought to be written into this.
    Senator Carper. Alright. Thank you.
    I suspect you have been following the current debate about 
whether there ought to be a cyber coordinator, which is 
supposed to help prioritizing and align agency efforts. As you 
know, FISMA clearly gives the responsibility for coordinating 
the Federal Government's cyber security to OMB's Administrator 
for E-Government. However, I am concerned that the people who 
work in that office may not have the cyber security 
qualifications that are needed or necessary to make sure that 
agencies are cost-effectively securing their networks. In fact, 
I am even more troubled that OMB has never asked, apparently, 
how much money they spend on cyber security.
    What are your thoughts on the role of the E-Government 
office in the larger cyber security discussion, and what do you 
believe should be the role of that office in overseeing agency 
cyber security?
    Mr. Davis. Well, you are going to hear from Vivek Kundra, 
who is very able. He will have a perspective on that now, 
having come to the Federal Government. He used to be with the 
Commonwealth of Virginia, where he did an outstanding job. I am 
glad the Administration has recognized his capability. So he 
may have a little bit different perspective.
    But coming from the legislative perspective on this, I 
think you are spot on. The E-Government is the head of that 
area. It may not have expertise in this particular area. Even 
more important, I think, is navigating the land mines of 
getting a consistency across government in terms of how this is 
going to be implemented.
    OMB, Homeland Security, I don't know how you want to pick 
this. A Cyber Czar, though, or someone who has that particular 
expertise and can navigate this so the Administration can get 
everybody kind of marching to the same protocols, using the 
same systems, instead of having it so stovepiped and 
factionalized as it is now, is just a very important part of 
solving this problem.
    Senator Carper. Alright. Thanks.
    Let me just follow up on that with another question that 
relates to this. I understand that you have been briefed on 
some of the benefits that the State Department has been able to 
achieve with their new system. I was just wondering if there 
were any risks associated with following that model. Sometimes, 
as a recovering governor, we used to say that what would work 
in Delaware may not work in Virginia. It may not work in 
Missouri. It may work in Texas, but it works in Delaware. But 
in some cases, there is one model that will serve in a variety 
of different States, and in this case, agencies. But I wonder 
if there are any risks with following the model that they have 
pursued at the State Department? What do you see are some----
    Mr. Davis. Well, I am not sure--first, I think State has 
done just an outstanding job, and what they have done is they 
have paid attention. They have taken the legislation seriously 
and you have a dedicated cadre up there at the top that have 
driven this.
    What works at State may not work at Commerce. It may not 
work in intelligence. I am not probably smart enough to know 
that. But the one thing State has shown us is that when you get 
agency officials that take this seriously, they can make a huge 
difference. And, of course, State has been vulnerable to a 
number of attacks, which I think has heightened their awareness 
of this. I hope it doesn't take cyber attacks in some of these 
other agencies to get them to up their awareness--but it is 
just a good model of how you have people sitting around a room 
thinking about what are their possible vulnerabilities and 
coming up with a program to combat that.
    Again, I don't know if I am qualified to talk about what 
would work at different agencies and what the vulnerabilities 
are, but that is just a good example. Their FISMA grade has 
been excellent, not just because they checked the right boxes, 
but because they have been operational in what they have done, 
as well.
    Senator Carper. OK. One of the things we are trying to 
encourage agencies to do more of is this notion of continuous 
monitoring, rather than just taking a snapshot every 3 years, 
but to focus on this and monitor every day. Are there any 
pitfalls with that that come to mind?
    Mr. Davis. Well, the one pitfall when you are not just 
monitoring it but when you are testing these is you run into 
the Freedom of Information Act (FOIA) situation. You don't want 
everybody to know what your vulnerabilities are. I think you 
need to keep a cap on that so that you can make the appropriate 
corrections.
    The other thing I would add is there is a lot we can learn 
from the private sector. The private sector has had to deal 
with these issues even more than government, the banking 
system, in particular, with the kind of penetrations that they 
are getting, the hits they are getting. Opening up that 
dialogue with the private sector is important to understand 
what they have gone through and some of the innovations that 
they have made. The difficulty comes in the FOIA laws. It comes 
with antitrust. It comes from tort law and their ability to 
share that information with us, and that is a dialogue, I 
think, that needs to continue. But they can be a part. There is 
a lot of expertise out there in the private sector we want to 
harness and bring into government.
    Senator Carper. Two more questions and I am all done. In 
the Federal Information Security Management Act (FISMA) bill 
that you helped to create, the Inspectors General are required, 
I believe it is annually, to evaluate whether agencies are 
doing the kind of security that they say they are doing in this 
regard. For example, the Inspectors General use paperwork from 
the certification and accreditation process to evaluate whether 
agency security is really effective.
    I understand that if all the agencies moved to an approach 
like the one they have over at State, not much paperwork is 
going to be produced. In fact, it seems to me that an Inspector 
General could come at any time during the year, see whether the 
agency's security is actually effective. I don't know if this 
is a question you would be prepared to answer, but do you think 
that is true, and what should be the role of the IGs in this?
    Mr. Davis. Well, the IGs are independent. I mean, that is 
the one reason that I think they are equipped to do this as 
opposed to someone else who could be under the thumb of the 
agency. You really want an independent to look at that. Now, 
the IGs operate differently in different departments. They have 
different burdens that they have to meet. But they bring an 
independence to this which I think is critically important.
    Senator Carper. And finally, you served on the House 
Committee on Oversight and Government Reform for, I think you 
said, maybe 14 years, as Chairman for 6 years, as Ranking 
Member for another 2 years, and during that time, you and I 
were able to work together to identify a couple of potentially 
wasteful practices in the Federal Government, and I think in 
one or two cases, we actually made some positive changes.
    What do you see as the greatest opportunity for improving 
the efficiency of cyber security spending in the Federal 
Government?
    Mr. Davis. Well, I think contracting. All this really comes 
down to contracting, and when it is done ad hoc in stovepipes 
by different agencies, not sharing information, not building it 
together, you get a lot of systems that, at the end of the day, 
some are better than others. They don't talk to each other. It 
has to get coordinated.
    One of the things I like about this bill is you use our 
purchasing power together to drive those products and I think 
that will bring it together much better than we have today. We 
spend a lot of money. We don't always get what we want in 
government contracting across the board. But in this particular 
case, I think--I like your concepts that you have in this bill, 
government using its power. I think that will drive a congruity 
of products that is absolutely necessary in this case to get 
this solved.
    Senator Carper. Alright. Well, those are my questions. Some 
of my colleagues who are waiting back in the anteroom until you 
leave--no, they are not, but when some of my colleagues show 
up, whether they show up or not, some of them are going to have 
some questions that they would like to send along----
    Mr. Davis. You can always get them to me. We are happy to 
respond. You have a great second panel, as well, and thanks for 
allowing me to share my views.
    Senator Carper. It is great to see you. Thanks so much for 
your previous service to our country, and not just for the 
folks in Virginia, but also in Delaware and the other 48 
States.
    Mr. Davis. Thank you.
    Senator Carper. Good luck. Take care.
    The second panel is welcome to approach the table and take 
your seats. Gentlemen, welcome. It is good to see you all, and 
thank you for taking the time to be with us today.
    I understand from Erik Hopkins, who has worked on this 
legislation for a couple of years now, that we have on a dolly 
up here some of the paperwork that kind of flows from--is it 
just one agency? Not just from one agency, but from one system, 
is that right, one system within one agency, their paperwork 
from their certification and accreditations. If that is just 
one system and one agency, I hate to think what would be the 
case for the whole government.
    Be careful, Mr. Streufert. You are not going to have a 
place to sit here very soon. Well, that gives us some idea. 
That is a fair amount of paperwork. And again, that is one 
system and one agency. We wouldn't be able to see you guys--you 
probably wouldn't be able to get in the room--if we had all of 
them gathered here today.
    Let me make some introductions to kick off our second 
panel. We are going to hear from Vivek Kundra, who was 
appointed Federal Chief Information Officer of the United 
States by President Obama in March of this year. We are glad to 
see you are still able to sit up and take nourishment and to be 
here with us today. You look none the worse for wear.
    As Congressman Davis mentioned earlier, prior to his taking 
his current position, Mr. Kundra served in Mayor Fenty's 
cabinet as the Chief Technology Officer for the District of 
Columbia and in Governor Kaine's cabinet as Assistant Secretary 
of Commerce and Technology for the Commonwealth of Virginia. 
You are great to be here and we appreciate your service and 
thank you for your presence.
    Our next witness is no stranger before our Subcommittee. 
Mr. Wilshusen. He is the Director of Information Security 
Issues at the Government Accountability Office. We are told 
today by our chaplain, Chaplain Barry Black, Chaplain for the 
U.S. Senate, he said the words that people most enjoy hearing 
in their lives is the sound of their own name. Among the words 
that they least like to hear are their own name mispronounced, 
so we will try to get your names right. But I will say, none of 
your parents made this easy for a guy like me. [Laughter.]
    So please bear with me. But I am told you have over 28 
years of auditing, financial management, information systems 
experience starting at the age of 12, and you have been at it 
for quite a while. Before joining GAO in 1997, Mr. Wilshusen 
held a variety of public and private sector positions, so we 
thank you for coming back today.
    Our last witness is John Streufert. Your name doesn't look 
like ``Stroy-fert,'' but it is, isn't it? I bet it has been 
mispronounced once or twice, hasn't it?
    Mr. Streufert. Yes. Every day.
    Senator Carper. You are the Chief Information Security 
Officer at the Department of State. You are like our hero here 
today, and we are here to celebrate what you have done and to 
try to find out if it is something we can replicate in other 
agencies.
    I am told that since starting your current job, you have 
been recognized for outstanding leadership and improving cyber 
security at both the Department of State and the U.S. Agency 
for International Development (USAID). In fact, Mr. Streufert 
was a recipient of the Distinguished Presidential Rank Award in 
2004 for his work at USAID, and I understand that you will show 
us once again how we can improve cyber security, so good for 
you.
    With that having been said, we will turn to Mr. Kundra as 
our first witness and ask you to proceed. Your statements will 
be made part of the record, so feel free to summarize as you 
wish. But you are recognized. Thank you.

    TESTIMONY OF VIVEK KUNDRA,\1\ FEDERAL CHIEF INFORMATION 
     OFFICER, ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND 
  INFORMATION TECHNOLOGY, U.S. OFFICE OF MANAGEMENT AND BUDGET

    Mr. Kundra. Good afternoon, Chairman Carper. Thank you for 
the opportunity to testify on the Federal Information Security 
Management Act and information security posture of the U.S. 
Government.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Kundra appears in the Appendix on 
page 39.
---------------------------------------------------------------------------
    Our Nation's security and economic prosperity depend on our 
digital infrastructure. The President's Cyberspace Policy 
Review stated that cyber security threats are some of the most 
significant economic and national security challenges of the 
21st Century.
    The groups of State and non-State actors that target U.S. 
citizens, businesses, and Federal agencies are growing 
exponentially. Daily, there are millions of attempts to attack 
open ports and vulnerable applications across our government.
    The Federal Government's current security posture does not 
adequately confront the real-time threat factors that we face 
on a daily basis. Hiring challenges, a focus on compliance, and 
cumbersome reporting have inhibited effective cyber security 
management. The Federal Information Security Management Act of 
2002 raised awareness across the Federal Government regarding 
information security, yet significant progress is essential 
when it comes to execution.
    To advance the Federal Government's security posture, the 
Administration is taking steps in key areas, such as human 
capital management, performance management, cost analysis, and 
risk management. For example, in the area of human capital 
management, we expedited the hiring authority for up to 1,000 
cyber security professionals across the Department of Homeland 
Security. This will enable DHS to recruit skilled cyber 
analysts, developers, and engineers to secure our country by 
securing our Nation against cyber attacks.
    To enhance the performance monitoring, last week, we 
actually launched CyberScope, an online platform for agencies 
to submit security information that will allow us to analyze 
and monitor the Federal Government's security posture in a 
comprehensive manner. Prior to 2009, it took three full-time 
employees to compile hundreds of spreadsheets that were e-
mailed to OMB by agencies in response to FISMA reporting 
requirements. This laborious, unsecure process inhibited 
insight into the security posture of the government. The 
threats we face change daily, yet our legacy reporting 
processes have been tied to manual, annual, and quarterly 
processes to evaluate how secure we are.
    The CyberScope platform will be leveraged to develop a 
cyber security dashboard that will unlock the value of 
agencies' submissions when it comes to FISMA reporting and also 
the real-time posture across the Federal Government. Just as 
the IT dashboard took us from a static, paper-based environment 
to a dynamic, digital environment, the new cyber security 
dashboard will provide the government with a real-time view of 
threats facing us and our vulnerabilities.
    For example, the State Department is supplementing its 
FISMA reporting with a risk-scoring program that you alluded to 
that scans every computer and server connected to its network 
at least every 36 hours on multiple security factors. Rather than 
just conducting certifications and accreditations every 3 
years, continued monitoring must be the norm across the 
government.
    To enable effective security cost analysis, we are asking 
agencies for detailed security cost information for the first 
time. We recognize that the best security is baked into the 
systems and the architecture and investments that agencies are 
making. Therefore, we see this as the beginning of the process 
of obtaining relevant data. In the coming years, detailed cost 
data combined with performance-based metrics will allow OMB and 
agencies to effectively manage and make informed decisions when 
it comes to risk.
    To better manage risk, OMB has established a task force 
that was launched last month to develop forward-leaning metrics 
and to make sure that those metrics are actually focused on 
outcomes rather than process. To solicit the best ideas, we 
have reached out across the Federal community as well as the 
private sector. OMB plans to release the metrics for fiscal 
year 2010 along with a road map of how we are going to move 
from a culture of compliance to a culture of outcomes in the 
first quarter of 2010. What gets measured gets done.
    The threats we face are numerous, evolving faster than our 
cyber defenses, and they have the potential to do great harm to 
our cyber infrastructure. From the launch of CyberScope to the 
hiring of up to 1,000 new DHS cyber security experts, the 
Administration is committed to strengthening our cyber defense. 
A secure, trusted computing environment in the Federal 
Government is the responsibility of everyone involved, from 
agency heads to those charged with oversight. It entails 
employees, contractors, and the American people all working 
together.
    This will not be easy, nor will it occur overnight. Our 
current actions represent important steps toward a strong cyber 
defense and begin the shift from a culture of compliance to one 
focused on real security to protect the digital infrastructure 
that is so vital to our economic prosperity and national 
security.
    Thank you for the opportunity to testify. I look forward to 
your questions.
    Senator Carper. You bet. It is I who thank you.
    Mr. Wilshusen, please proceed. Thank you, and welcome back.

  TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION 
  TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Wilshusen. Mr. Chairman, thank you for the opportunity 
to participate in today's hearing on how agencies can establish 
cost effective cyber defense.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wilshusen appears in the Appendix 
on page 45.
---------------------------------------------------------------------------
    FISMA, which was enacted in 2002, was intended to provide a 
comprehensive framework for ensuring the effectiveness of 
security controls over information resources that support 
Federal operations and assets. It also requires agencies and 
OMB to annually report on the adequacy and effectiveness of 
agency information security programs and compliance with the 
provisions of the Act. To help meet these requirements, OMB 
established a uniform set of information security measures that 
all Federal agencies report on annually.
    Mr. Chairman, in light of questions about whether agencies 
are measuring the right things in securing their systems, you 
requested that GAO examine how organizations develop and use 
metrics to assess the performance and effectiveness of their 
information security activities. In a report being released 
today, we describe the key types and attributes of information 
security performance measures and the practices of leading 
organizations in developing and using them, and compare those 
measures and practices with those used by 24 major Federal 
agencies and OMB.
    Leading organizations and experts identified measures that 
generally fell into three major types: Compliance, control 
effectiveness, and program impact. They stressed the importance 
of developing and using different types of measures to ensure 
the measurement process is comprehensive and useful in 
achieving their information security goals. They also reported 
that all such measures generally have certain characteristics 
or attributes. These attributes include being measurable, 
meaningful, repeatable, and actionable.
    Further, these organizations and experts indicated that the 
successful development of measures depends on adherence to a 
number of key practices, including focusing on risks, involving 
stakeholders, assigning accountability for measures, and 
linking them to business goals.
    Mr. Chairman, we have determined that Federal agencies have 
not always followed these key practices. While agencies have 
developed measures that generally fall into each of the three 
major types, on balance, they rely primarily on compliance 
measures, which have a limited ability to gauge program 
effectiveness. Agencies stated that, for the most part, they 
predominately collected measures on compliance because they 
were focused on measures associated with OMB's FISMA reporting 
requirements.
    In addition, while most agencies have developed some 
measures that include the four key attributes identified by 
leading organizations, these attributes were not always present 
in all agency measures. Further, agencies have not consistently 
followed key practices in developing measures, such as focusing 
on risks.
    Last, the measures established by OMB for FISMA reporting 
purposes are primarily compliance-based. They focus on whether 
control activity was implemented, not how well or how 
effectively that control was implemented. Consequently, OMB's 
report to Congress provides limited information about the 
effectiveness of agencies' information security programs and 
the security posture of the Federal Government.
    In our report, we recommended that OMB provide direction 
and guidance to agencies in developing and using measures that 
better address the effectiveness of their information security 
programs. We also recommended that OMB revise its annual FISMA 
reporting guidance to require reporting on a balanced set of 
performance measures, including measures that focus on 
effectiveness of control activities and program impact, and to 
revise its annual report to Congress to better provide 
information on the effectiveness of agency security programs, 
the extent to which major risks are being addressed, and 
progress that has been made in improving the security posture 
of the Federal Government.
    OMB has generally agreed with our recommendations. 
Implementing these recommendations will help to focus attention 
on activities that will enhance the effectiveness of security 
controls and improve the cyber defense of Federal computer 
systems and information.
    Mr. Chairman, this concludes my statement. I would be happy 
to respond to any questions that you may have.
    Senator Carper. Good. Thank you so much. Mr. Streufert, you 
are number four.

  TESTIMONY OF JOHN STREUFERT,\1\ CHIEF INFORMATION SECURITY 
 OFFICER AND DEPUTY CHIEF INFORMATION OFFICER FOR INFORMATION 
   SECURITY, BUREAU OF INFORMATION RESOURCE MANAGEMENT, U.S. 
                      DEPARTMENT OF STATE

    Mr. Streufert. Good afternoon, Chairman Carper. I am 
pleased to have this opportunity to testify before the 
Subcommittee regarding the Department of State's capabilities 
for securing its global information and technology 
infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Streufert appears in the Appendix 
on page 51.
---------------------------------------------------------------------------
    The Department serves as the diplomatic front line in over 
270 overseas posts by serving its 70,000 users with the 
Worldwide Network and mission essential software applications. 
The foreign policy mission makes an inviting target for attack 
by highly-skilled cyber adversaries. However, the Department's 
layered approach to risk management allows multiple levels of 
protection.
    In my role as the Chief Information Security Officer, I 
have become intimately familiar with the benefits, 
shortcomings, and promising opportunities to build upon the 
current Federal Information Security Management Act of 2002. 
Our goal is to ensure system security for diplomacy while 
continuously improving the return on investment for each dollar 
spent.
    The passage of FISMA served as a game-changing event for 
the Federal agency community. FISMA applies to all information 
used on behalf of Federal departments and agencies on behalf of 
American citizens. It established a holistic information 
security program and also the responsibility of accounting to 
oversight entities, including Congress. Together, these served 
as valuable checks in determining the health of an agency's 
information security program.
    However, the Federal cyber landscape has changed in the 
past 5 years. The implementation of Federal cyber security has 
been typically undertaken through manual processes and 
compliance checks, like in conducting an annual inventory of 
systems, testing security not less than annually, reporting 
quarterly on weaknesses to OMB and performing certification and 
accreditation studies every 3 years.
    Our cyber problems, though, have dramatically escalated in 
severity and frequency. In a typical week, the Department of 
State blocks 3.5 million spam e-mails and intercepts 4,500 
viruses and detects over a million external probes to our 
network. Of that number, in the past 2 years, the percentage of 
malicious code attacks recorded at the Department of State on 
trouble tickets has jumped from 38 percent in the year ending 
August 2008 to 79 percent just 12 months later for that same 
period. The volatility of changes to security-sensitive changes 
has been equally problematic.
    Ongoing demands for certification and accreditation studies 
similar to this single system that I have shown the 
documentation for here, amounted over 6 years to the 
expenditure of $133 million, amassing a total of 50 shelf feet, 
or 95,000 pages for just the 150 major information systems that 
we were monitoring to this degree. This does not include the 
databases for tracking system inventory or tracking the plans 
of action and milestones to resolve the pending weaknesses. 
This equates to the cost of the CSA report, not including the 
related products, like the security plans, of roughly $1,400 
per page.
    And indeed, if there is any particular problem with this, 
it is not the content of the report, it is the fact that you 
could get a false sense of security that these snapshots 
produce results on paper that are extraordinarily accurate but 
out of date within days of being published, in fact, perhaps 
out of date even in the time that it took to print these 2,000 
pages.
    In contrast, this month, the Office of Management and 
Budget launched CyberScope, a secure streamlined interactive 
data collection platform far more efficient in allowing and 
also allowing research and analysis across Federal agencies. 
The U.S. Chief Information Officer has similarly and in support 
of this formed an interagency task force charged with 
developing outcome-focused metrics for information security 
performance by all Federal agencies and departments, including 
the Department of State. Final metrics based on this work are 
expected to be released later this fiscal year.
    For its part, the Department began supplementing its FISMA 
compliance reports and studies with a risk scoring program that 
scanned every computer and server connected to its network not 
less than every 36 hours on eight factors and twice a month for 
safe configurations with software. This risk scoring program 
utilizes best practices, such as the Consensus Audit 
Guidelines, which was a collaborative effort between government 
and industry.
    To assess the vulnerabilities, we use the Common 
Vulnerability Scoring System of the National Institute of 
Standards and Technology and the Department of Homeland 
Security, where scanning tools tag specific risks with point 
values between zero and 10, with 10 being the highest 
vulnerability. When the problem is resolved in this method, 
risk points are deducted and a better score comes to the 
technical team and organizations. This computation occurs no 
matter where they are located across the world.
    Since mid-July, overall risk on the Department's key 
unclassified network, measured by the Risk Scoring Program, has 
been reduced by 90 percent in overseas sites and 89 percent at 
domestic sites, as the chart indicates.\1\ These methods have 
allowed one critical piece of the Department's information 
security program to move from snapshots in time to a program 
that scans for weaknesses continually, identifies weak 
configurations each 15 days, recalculates the most important 
problems to fix in priority order on a daily basis, and issues 
letter grades of A-plus through F monthly to managers so that 
accountability for progress can be taken for every organization 
as experience has indicated for them over the past 30 days. The 
various score reports tabulate risk scores by region, compare 
progress overseas to our domestic sites, and create 
enterprise-wide summaries for senior management.
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
    In short, these details empower administrators with 
targeted daily attention to conduct remediation and offer 
summaries to empower experts to our executives to oversee the 
most serious problems.
    Mr. Chairman, I want to conclude by emphasizing that the 
Department's policies, technologies, business processes, and 
partnerships in place continue to evolve and continue to meet 
the challenges as the threats change in the cyberspace 
environment. I thank you and the Subcommittee for this 
opportunity to speak before you today and would be pleased to 
respond to any of your questions.
    Senator Carper. Thanks, Mr. Streufert, for that testimony. 
Thanks for being a good role model over at the State Department 
and USAID for the rest of us.
    I just want to start with this chart,\1\ and it looks like 
a reduced risk of cyber vulnerabilities, about 89 percent at 
the State Department headquarters from July 2008 to July 2009, 
and 90 percent abroad. Did you anticipate this kind of progress 
in a year when you were getting into this? Did you anticipate 
this kind of a record of achievement?
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
    Mr. Streufert. At the Agency for International Development 
(AID), we had similar progress, a two-thirds reduction in a 
6-month period, so we had a feeling that it was possible but 
had not yet tested this on the scale of an organization the 
size of the State Department. We were certainly very pleased, 
and at that point, we began discussing what had been found with 
our colleagues.
    Senator Carper. You mentioned this in your testimony. I 
want you to go back. Kind of walk us through again why were you 
so successful at the State Department and at AID before that? 
What were the key elements again, please?
    Mr. Streufert. This is an instance where support 
beneficially comes from many parts of the organization. It 
begins, as Congressman Davis indicated, with strong support at 
the top, and I am pleased to say that the senior leadership of 
the State Department has been very supportive at each step on 
the way.
    Senator Carper. When you say senior, how senior? What are 
we talking about?
    Mr. Streufert. Under Secretary for Management Patrick 
Kennedy, and he has assembled an E-Government Oversight Board 
for the Department of State. I have been able to speak on 
progress before this group twice in the last year. So there has 
been strong involvement from the top of the organization.
    The next beneficial thing that one needs is the 
coordination and----
    Senator Carper. Why do you suppose the folks at the top 
were so supportive?
    Mr. Streufert. Well, we understand that strong information 
security is essential for our mission. We are spread in 24 time 
zones. The ability to send and receive information in support 
of American citizens services, and in support of the passport 
and visa process are vital to our mission. We understand that 
we depend on the information systems, and therefore the 
security related to them.
    Senator Carper. OK. Other than support at the top, what 
were the other key elements in your success?
    Mr. Streufert. We brought together a coalition of 11 
different organizations inside the State Department that worked 
on technology matters, and that set the template where we could 
begin our regular scanning. And after that point, when we 
deployed the system, the fact that the individuals at each of 
the embassies and consulates and headquarters organizations 
could understand exactly what they needed to fix, it was of 
substantial benefit to them to get some of the positive 
reductions in risk points that the chart and our experience 
indicate.
    Senator Carper. Now, talk to us about other agencies being 
able to replicate the success that you enjoyed at the State 
Department. Other than cloning you, moving the agency heads 
from State over to--cloning them and moving them into the other 
agencies, how transferable is this to other agencies? What do 
you think might transfer and what might not?
    Mr. Streufert. One item that we always mention in 
discussion with other cabinet departments is that we used 
information that was already being collected in our 
organization for other purposes, including producing the 
certification and accreditation reports. Eighty percent of the 
information, as an example, was an outgrowth of what we needed 
to manage our servers and personal computers already. So it was 
simply a question of lifting that data up and out of where it 
was at the local level and then putting it in the security 
warehouse. Once there, our dashboard calculates grades and 
shows the most serious problems that need to be worked on.
    Since many of the other parts of the Federal Government 
have this software, the primary things to work on are assuring 
that all of the networks are connected and that they have the 
support structures in place in order to put the security 
information out to the managers who want to make the changes. 
And I should hasten to add, the progress at the State 
Department came from thousands of individuals that were working 
every day on their most serious problems, and that is where the 
progress indeed came from.
    Senator Carper. Let me ask, first, Mr. Kundra, and then Mr. 
Wilshusen about replicating this kind of success. How do we go 
about doing that? In fact, it may be something you have already 
begun. I don't know.
    Mr. Kundra. Yes. We started talking about this back in 
April, and within the Federal CIO Council, Susan Swart, who is 
the CIO at the State Department, has been sharing this approach 
with our colleagues. But if you look at what we are doing 
across the Federal Government, CyberScope is the first step in 
that direction in terms of if you looked at the previous 
approach, it was manual, it was based on a lot of paperwork and 
didn't really produce meaningful insight where we could slice 
and dice information across the Federal Government so we could 
compare what was happening at Health and Human Services versus 
State versus DOD versus Department of Energy. The first step is 
to make sure that we are getting data and information so we 
could get meaningful insight.
    The second part of that, which is the task force that we 
are spending a lot of energy on, and we would love to share the 
metrics with you and get feedback from the Congress at the end 
of November, and these metrics are essentially going to be 
focused on game changing ways where we can address real 
security. So not necessarily asking the question, do you have a 
patch management program, but getting to the point which is how 
long does it take you to actually patch those systems.
    And thinking about the Red Teams, it is not enough to just 
say we have this file room that you pointed to. I talk about 
how the files you see in that room are actually far more secure 
than the very systems they are supposed to protect. So how do 
we get Red Teams to validate that the information that is out 
there, we are testing it against what we know in terms of 
agencies and it makes it really difficult right now across the 
Federal Government to spot patterns. So if we see a threat 
vector that may start at the State Department, how do we know 
we don't have the same threat vector at Health and Human 
Services?
    So we are in the early phases in terms of deploying a 
Federal Government-wide approach. But the key here, as 
Congressman Davis said, is to move away from this culture of 
compliance and really move towards execution. How do we get 
these things done and how do we apply some of these 
methodologies? And I know that DHS and the National Institute 
of Standards and Technology (NIST) are actually working with 
the State Department to think through how this can be scaled 
across other Federal agencies.
    Senator Carper. Mr. Wilshusen, same question in terms of 
replicability. What do you think we ought to be able to 
replicate and why not?
    Mr. Wilshusen. Well, I had the privilege of Mr. Streufert 
giving me a presentation of his system last week, and so I 
can't really attest to the accuracy of the data that he 
presents, but a couple of things----
    Senator Carper. Would you say that the accuracy is probably 
pretty skeptical?
    Mr. Wilshusen. Well, I just don't have data or evidence to 
show that it is accurate. I can't say one way or the other. We 
just haven't done the tests on that.
    But what his system shows is a lot of promise. With regard 
to replicability, one of the key aspects that it relies upon is 
the ability to have automated tools in place that have the 
capability to reach, touch, and then scan each of the devices 
that are covered under this particular system. Now, the 
Department of State has, according to their system, about 
30,000 devices that are covered by this particular system.
    It does at the present, as I understand it, cover Windows 
workstations and servers. And so presumably, it might be able 
to be replicated at other agencies to address those particular 
servers if those other agencies allow a central point to be 
able to go out and reach all those devices throughout the 
entire organization, and that may or may not be the case. I 
just don't know.
    Senator Carper. Erik Hopkins, sitting right behind me, just 
handed me a note that says, ``Agencies are making the decision 
right now to spend another $1.3 billion to produce the 
paperwork we see here. Is there anything we can do about 
that?'' It is a pretty good question.
    Mr. Wilshusen. It is, indeed. Certainly, as you know, FISMA 
requires that agencies implement cost-effective solutions to 
mitigate their risks, and one has to make the assessment, is 
spending this amount of money on preparing presumably the 
certification and accreditation documents appropriate?
    If it is just to prepare paperwork, that is not really 
cost-effective--the agency would not be receiving the true 
value of the execution of the underlying processes that are 
represented by that paperwork. Primarily, are they assessing 
the risks? Are they developing and documenting controls that 
mitigate those risks? And then are they providing the training 
to staff, to implement those controls, testing and evaluating 
those controls to make sure that they are operating as intended 
and are effective? And then remediating deficiencies as those 
become known?
    Those are all activities that are required under FISMA with 
regard to agencies' information security programs and some of 
the activities that are required in order to go through the 
certification and accreditation process. So if the process is 
just to check off boxes on paperwork, then that is not very 
useful. The important part is that the agencies are effectively 
performing these processes in order to implement controls that 
effectively protect their systems.
    Senator Carper. Mr. Kundra.
    Mr. Kundra. If I can add to that, I want to make sure as we 
look at the paperwork that we are seeing here in systems that 
the State Department is talking about and other agencies, I 
agree in terms of the fact that the pendulum has definitely 
swung too much towards a paperwork exercise. But I also want to 
caution that some of these systems have very sensitive 
information regarding the personal information of the American 
people, Social Security numbers, and the processes conducted on 
these systems are also very sensitive.
    So although I recognize that there is a lot of paperwork 
here, it is very important to make sure that this is also a 
process that ensures accountability for the business owners in 
terms of making sure that before a system goes online, have 
they done a risk assessment? Have they thought about all the 
risks? Do they have the right controls in place in terms of 
running the system? Have they made sure that they have back-ups 
and thought through the processes required to connect this to 
other systems?
    But what has happened, unfortunately, is a lot of agencies 
are also treating this as a paperwork exercise rather than 
saying, look, just like if an airplane were to take off, the 
first flight, you would go through a number of checks, but 
after it takes off, you need to make sure that you are 
monitoring all the dials and the gauges to understand where you 
are in the air. What has happened is, unfortunately, a lot of 
agencies are substituting and are looking at these processes as 
a 3-year exercise rather than saying, what do we do on an 
ongoing basis after the system goes live? What do we do to make 
sure that we are monitoring risk on a real-time basis?
    Senator Carper. Alright. Mr. Wilshusen, did you want to add 
anything else?
    Mr. Wilshusen. Yes, I did. I would just echo what Mr. 
Kundra mentioned is the fact that it is critical that agencies 
provide a monitoring capability and test and evaluate the 
effectiveness of their controls on a regular, current basis, 
because the threats change, the vulnerabilities change daily. 
Waiting every 3 years at specific points in time is not 
adequately addressing those risks and threats. That is one of 
the benefits of what Mr. Streufert has done at the Department 
of State. As he mentioned, he is scanning his systems every 2 
weeks to look for certain weaknesses and configuration changes 
and that is an important control.
    Senator Carper. When there is a penetration, sometimes 
whoever the penetrator is leaves a back door to allow somebody 
to come back in later on and create mischief. In a case where 
that has happened, they have left a back door open. How would 
your continuous monitoring and updating at the State Department 
solve that problem, Mr. Streufert?
    Mr. Streufert. This is a very critical question in 
Congressman Davis's testimony as well as your own. The problem 
is that there are back doors and then the action step of 
deploying the Red Teams that do penetration tests trying to 
break into the systems. We believe this concern and the 
practice of penetration tests is so good and worth continuing 
all across the government and expanding it, as your bill 
indicates, is that when we did this at the State Department, we 
found that 80 percent of the successful attacks which were 
modeled in the penetration test were ethical hacking, as it is 
called. We invite people to break in, though a surprise to us, 
but with our understanding that it would be done. Eighty 
percent of the successful attacks were based on known 
vulnerabilities.
    Senator Carper. Known to whom?
    Mr. Streufert. Known to the National Institute of Standards 
in this National Vulnerability Database that we use for 
scoring. And so we know those problems are there. I would liken 
it unto a burglar that can kick through a screen door to get 
into a system and cause mischief, and once inside, what the 
penetration tests show is that known vulnerabilities and weak 
configurations, both referenced by Mr. Wilshusen in his 
remarks, can allow lateral movement inside the networks.
    So it is not that we will be able to prevent every attack. 
It is that the higher that the risk score is by these methods 
the National Institute of Standards and DHS have provided to 
us, the more likely that we will be exposed to a very easy 
attack. If it is within our control to change, and, in fact, we 
prove that it is possible at the Department of State over a 
period of just 12 months to have a significant effect, we 
should do it as part of our responsibilities of protecting the 
systems of the government.
    Senator Carper. Alright. Thank you.
    Mr. Wilshusen. This is consistent with the results of our 
audits that we conduct at various different Federal agencies in 
that we often find deficiencies that are related to unpatched 
systems and other known vulnerabilities that have not been 
corrected by the agencies. There have been a number of other 
reports by private organizations that have consistently 
reported that many successful attacks are based upon known 
vulnerabilities for which patches have been available, some for 
6 months or more. And so it is imperative that agencies take 
appropriate steps to immediately address those vulnerabilities 
and mitigate them before they can be exploited.
    Senator Carper. Alright. Thank you.
    I should have asked this question sooner, but I didn't. I 
will go back to it now. Something that you said, Mr. Streufert, 
kind of triggered this for me. When you look back to 
Congressman Davis's presentation, some of the comments that he 
made, is there anything there that you would want to go back 
and kind of underline as especially important and noteworthy, 
or something maybe you disagreed with?
    Mr. Kundra. I think the approach of Red Teams, essentially 
making sure that the government is focused on constantly trying 
to find and penetrate our national infrastructure so that we 
can get ahead of some of these threats, recognizing that if we 
take an offense when it comes to our defense, we will be in a 
much better situation than just having a strategy that focuses 
on defense.
    Senator Carper. OK. Mr. Wilshusen.
    Mr. Wilshusen. I would agree with Mr. Kundra's remarks. I 
would also agree with Mr. Davis's remarks related to having an 
independent evaluation of agencies' information security 
programs and that it is essential to have IGs be able to 
examine and review the controls in the programs at their 
particular agency. Having an independent evaluation is 
critical, and in my mind, there are opportunities to improve 
the effectiveness of those evaluations by assuring that they 
are being performed in accordance with Generally Accepted 
Government Auditing Standards and that they do, in fact, 
include testing of the systems on a regular, frequent basis.
    Senator Carper. OK. In other discussions we have had on the 
issue of cyber security attacks and being ready for them and 
being able to deter them or turn them back, some of the experts 
we talk with have suggested that we simply need to do a better 
job in contracting to make sure that the systems that we are 
buying as a government, whether it is by agency or Federal 
Government-wide, that they are better technology, just better 
able by virtue of the way they are made and provided to the 
agency to turn back attacks. I wonder to what extent did that 
play a role in the State Department in terms of replicating, if 
there are any lessons that we can take from that for the rest 
of our government.
    Mr. Streufert. I think that there are many ways that the 
acquisition process could support this effort, and as we are 
just in the beginning of the continuous monitoring phase of our 
security programs in the government, we would want to take note 
and try to get it right the first time.
    One thing that the Department of State has already begun 
implementing is the idea of associate contractor agreements 
when we go out and compete our technical services work. This 
idea was first employed in the Department of Defense with the 
B-1B bomber, and the idea was that it was functionally 
necessary for that airplane to hire many different contractors 
that did the different parts of the airplane. But the question 
was, would they be invited to work together, and so a clause 
with associate contractor agreements was placed in the overall 
contract and all of the subcontractors that they would work 
together. We believe that this is one of the factors at the 
State Department that, over time, we will be able to improve by 
making awards and asking the contractors to work together.
    The second element under acquisition, the 20 most important 
controls or consensus audit guidelines, is a view that many key 
government and industry professionals in the security field 
believe that we need tools around each of the 15 of the 20 
categories that are susceptible to automated verification at 
the State Department. Our programs currently only implement 
about four or five of the 15 areas that are under the 
continuous evaluation and grading program. So if we awarded a 
contract that had multiple providers for those 15 tools, then 
the most compelling and innovative ways that industry would 
give to the government would be regularly refreshed. So I think 
a multiple-award contract would be very helpful.
    Senator Carper. Mr. Kundra.
    Mr. Kundra. The other area I would like to add is as we 
think about the public-private partnership, it is very 
important to recognize that we need to approach cyber security 
from an ecosystem perspective, thinking about what technologies 
are we buying, how are we buying them, and what are the default 
settings in a lot of the software and hardware that we procure.
    An example would be what we are doing with Microsoft in 
terms of an operating system strategy, which is that if you 
look at a Federal desktop core configuration, by fundamentally 
changing the default settings, because most software companies 
are going to design software and operating systems and have the 
default settings so they are extremely easy to use, yet from a 
public sector perspective, there are a lot of things that we 
need to change to make sure that we are leaning towards greater 
security to protect the privacy and security of the American 
people.
    So through this strategy, we have partnered with Microsoft 
and we actually create a model configuration that prevents a 
majority of the attack vectors that are out there. And 
especially as we move towards a new platform with Windows 7, we 
are working closely with Microsoft through NIST and DOD to make 
sure that their core configuration is a secure one before we 
even deploy it across the Federal Government.
    Senator Carper. Alright. Thank you. Mr. Wilshusen.
    Mr. Wilshusen. I would just like to add that the U.S. 
Government spends about $70 billion a year on IT products and 
services. I think that is the correct number. So there is a 
certain leverage that the Federal Government has when it 
procures these products and services to require certain minimum 
security requirements. Certainly that will help potentially 
enhance the security features on products that it buys and that 
could also apply to other marketplaces, as well.
    Having standard settings and standard requirements can also 
potentially lead to cost savings, as well. One of the benefits 
that we looked at when we had our review on Federal encryption 
efforts was the Smart Buy program over at GSA in which agencies 
were able to buy cost-effective encryption technologies at 
almost pennies on the dollar, not quite, but at a huge cost 
savings because they were able to take advantage of volume 
discounts. So there are advantages to leveraging the Federal 
procurement dollar and its acquisition policies.
    Senator Carper. In a day and age when we have seen in the 
first 8 years of this decade, we literally doubled our Nation's 
debt, we ran it up by another $1.4 trillion last year, and 
likely even more this year, every time we can save some pennies 
on the dollar, that is good. It sounds like in this case it is 
quarters on the dollar, which is even better.
    A couple more questions and then we will wrap it up. This 
would be a question really for the entire panel. In the current 
FISMA legislation that we have drafted, Inspectors General must 
evaluate whether agencies are securing their systems like they 
say that they are securing them. That means that agencies are 
spending $1.3 billion to produce the paperwork that the IGs use 
to evaluate agency effectiveness. IGs then must spend even more 
time and more money, perhaps another $1 billion or so, to see 
whether the paperwork was accurate. So the government ends up 
spending maybe over $2 billion, maybe it is $2.3 billion or so, 
on a process that is basically flawed. It doesn't make a lot of 
sense to me, and I don't think to others, as well.
    Could each of you just take a couple of moments and tell us 
what you think the role of the IG should be in cyber security? 
And maybe better yet, how do we make the partnership between an 
agency and that agency's IG more proactive, more collaborative, 
so that we aren't wasting or they aren't wasting so much money? 
Do you want to go first, Mr. Streufert?
    Mr. Streufert. Yes, Senator Carper. This is a key question. 
The first thing we might say is that these products in the 
three-ring binders here, a systems security plan, a contingency 
plan, testing plans, test results, these are all important 
things to do. What the finding of the State Department is, that 
with the modern tools that are increasingly available since 
FISMA was put into law, we can do that 72 times more frequently 
than the 3-year standard of producing these binders.
    So the first thing to say is that as we look at the 
possibility for continuous monitoring, the discussions between 
the departments and the OIGs could be on data that was as fresh 
as 15 days old, as opposed to what I will have to do unless 
there is an adjustment. It will take me a full 8 months to 
produce these 2,000 pages for the third time when I know that 
many elements of that data I am already collecting every 2 to 
15 days.
    I would say that our conversations with the OIG would be 
stronger if we had common measuring sticks for security, not 
just in the vulnerability area, which we have already done very 
well, but many other parts of our security program. And if we 
had an agreement between the parties that managed the security 
program of what were the criteria for evaluation in advance, 
not just within an individual cabinet department but across the 
entire government, we would be able to compare the relative 
security between one cabinet department or agency and another.
    I think the worst mistake of all we could make, even though 
the dramatic nature of some of our expenditures of C&As, is to 
make the mistake of doing less than we are currently doing. So 
notwithstanding, I would be the first person to say that we 
should try to use automated means rather than paper. We want to 
make sure before we set aside the paper methods that we would 
do our very best to make sure we have a stronger system than 
the one that we just left behind.
    Senator Carper. Mr. Wilshusen.
    Mr. Wilshusen. And I would also agree to a large extent 
with what Mr. Streufert said, in that many of these documents 
that are being prepared are not being prepared just for the 
benefit of the auditor, but, in fact, are being prepared in 
order to adequately protect the systems that are being covered 
by those documents.
    Now, having said that, certainly auditors have a 
responsibility to review the effectiveness of security 
controls, and that includes testing a subset of systems. In our 
examinations, while we do look at certain documents that are 
the products or byproducts and artifacts of agency processes, 
we are also looking at how systems are actually configured and 
testing the effectiveness of those controls. So it is more than 
just reviewing documents. It is actually doing a more in-depth 
review, and that is what IGs are doing and should be doing, as 
well, in addition to reviewing some of the artifacts that are 
generated from agency security processes.
    Senator Carper. Alright. Mr. Kundra, you get the last word 
on this question, and then I have one more separate question 
for you and we will call it a day.
    Mr. Kundra. I think it is impossible to confront a real-
time threat, such as cyber warfare or adversaries and State 
actors and organized crime that are actively trying to hack 
into our systems, with a process that is built around annual 
reporting, quarterly reporting, or whether you do it on a 
monthly basis. What needs to happen in terms of the 
relationship between the IGs and the CIOs is that they need to 
have greater transparency into the same data and moving toward 
a real-time platform so they could both see what is happening 
on a real-time basis and constructively move the security 
posture of the U.S. Government rather than relying on reports 
that are created.
    By the time that report is printed and handed over to the 
IG, there is already a new threat factor that is created on a 
real-time basis. The velocity at which these threats come and 
the frequency cannot be addressed with a filing cabinet like 
this.
    Senator Carper. Good point. Thank you.
    And the last question, I think I will direct it just to Mr. 
Kundra unless other panelists think he mis-answers the 
question, then you can correct him. In your current position, 
how do you like what you are doing? Are you enjoying it? Is it 
challenging? Do you ever get to go home at night?
    Mr. Kundra. It is great. Very little sleep, but it is an 
enormous opportunity to serve the country and to advance the 
President's technology agenda.
    Senator Carper. Alright. Good. In your current position, I 
think you are maybe the person responsible for overseeing the 
effectiveness of our Federal Government's cyber defense, and 
that is a government, as we know, that is composed of hundreds, 
maybe thousands of different systems. I am told that you have 
relatively few, if any, cyber security experts that work for 
you and I find that of concern, maybe even troubling.
    But I find it even more troubling that OMB, which is known 
for their budget prowess, has never asked for a detailed 
accounting of what an agency spends on cyber security. I don't 
know if that is true, but if it is true, why do you think it 
has been the case? Why hasn't OMB, as far as I know, ever said, 
well, what are you all spending for cyber security? And to 
follow up, if that is true, are you going to do anything to 
correct that situation?
    Mr. Kundra. Sure. So that was actually one of the most 
shocking things when we tried to do analysis as far as cyber 
security was concerned. One was that the information that was 
being submitted to OMB was being submitted in these 
spreadsheets, hundreds of spreadsheets that were being mailed 
in.
    Two was, from a cost perspective, what was being collected 
was aggregate security information. So what we did immediately 
is for the 2009 report, we are getting to the detailed cost 
allocation when it comes to information security, so we know 
where is the government spending when it comes to products, 
human capital, and specifically computer network attacks 
(CNAs). And unfortunately, with a lack of that information, 
what we aren't able to do is effective comparative analysis 
between one agency and another, and more importantly, a deeper 
understanding of how do our investments line up with our 
vulnerabilities and where do we need to make those appropriate 
investments.
    But we are working very closely with DHS and the U.S. 
Computer Emergency Readiness Team (US-CERT) specifically, and 
as part of the FISMA reporting requirements in CyberScope, we 
are going to be collecting all that data.
    Senator Carper. If you will all just bear with me for one 
moment, please.
    [Pause.]
    Senator Carper. I know I said the last question was the 
last question. I am going to try to squeeze one more in here 
before we let you go. Again, this is for Mr. Kundra, and if 
others want to chime in, go ahead.
    I think OMB has the ability to ask agencies if they would 
follow a model similar to that of the Department of State. Do 
you think that conducting a pilot, or maybe having a number of 
agencies basically say, we want you to follow something 
similar, do you think that is a good idea? Maybe it is 
something you have given some thought to, or maybe you are 
planning on doing it, or maybe you don't think it is a good 
idea, but would you just think out loud for us on that?
    Mr. Kundra. Sure. I actually think it is a great idea. That 
is one of the reasons the State Department is actually talking 
to the Veterans Administration. It is making the tool, the 
software actually available to NIST and DHS, also, to figure 
out how can that be scaled, recognizing that across Federal 
agencies, HHS is going to have a very different environment. 
But what is going to be common is they all have desktops, 
certain network infrastructure, from routers to switches, and 
figuring out how can we make sure that we are not duplicatively 
spending money and creating new tools if we can leverage best 
practices across a Federal Government.
    From an OMB perspective, it is very important for us to get 
the threat matrix across the entire Federal Government. So how 
do we roll up this information at a DHS level so we get a real-
time posture from a security perspective?
    Senator Carper. OK. Do you all want to comment at all on 
what Mr. Kundra said? You don't have to, but if you would like 
to, you are welcome to do so. Did he do OK?
    Mr. Streufert. Yes. We very much appreciate the leadership 
of Mr. Kundra and OMB on the issues of CyberScope to make our 
reporting more efficient, and his very early willingness to 
look at issues like dashboards. I think that our collective 
commitment should be to one of continuous improvement. The 
State Department has some ideas on this and we have worked on 
it some. We want to share that with others. But I believe what 
will happen is Vivek invites, and he already has done so, 
conversations more widely in government that good ideas will 
come from all of the cabinet departments that we will be well 
served to fold in and come up with the strongest possible 
product as a government together.
    Senator Carper. OK. I think we will wrap it up at this 
point. I have another hearing that started at 9:30 this morning 
that is still going on on climate change legislation. It will 
be a full day.
    A couple of thank yous. One to Mr. Streufert, to you and 
your colleagues. I know you said it is not just you, there are 
a lot of people involved at the State Department that are 
responsible for the progress that is being made there and for 
the example that you are able to provide for other Federal 
agencies. But thank you for your leadership, and our 
commendation is to you and to your colleagues. As we used to 
say in the Navy, Bravo Zulu.
    I want to thank Mr. Wilshusen for the report that we 
received from you and your colleagues on cyber security 
metrics. It is one I requested, I believe last year, but thanks 
for that report.
    And Mr. Kundra, thank you for taking on this responsibility 
and giving it 110 percent, maybe more than that.
    We are going to stay on this. We are going to push forward 
on the legislation and get it enacted if we can. I know the 
Chairman and Ranking Member of the full Committee on Homeland 
Security and Governmental Affairs are interested in passing 
even more comprehensive legislation on cyber security, and 
there is some discussion of folding our piece into that, or 
maybe moving what we are doing on its own if we want to try to 
get it out there and moving along.
    But thank you for helping inform our legislative path just 
a little bit better today. I would encourage, Mr. Kundra, for 
you and our friends at OMB to use this model that works and 
other models that work and to replicate that success.
    But maybe one or two points that I will make, and maybe I 
am being redundant, but I will go ahead and make them anyway. I 
think repetition can be helpful.
    But the first point is we are spending way too much money 
on a process that is flawed from the beginning. That is not to 
take anything away from Congressman Davis and others who were 
involved in the FISMA legislation from 2002, but it is a 
process that is flawed. Writing a report about security is not 
the same as investing in security, and with so much at stake, 
we should be doing a much better job.
    The irony of it is, we had a luncheon speaker at our weekly 
caucus luncheon today who runs a big Federal agency and he 
shared with us just some up-to-date information about the kind 
of attacks that are underway every day, every hour, every 
minute. It really puts this in real time and with a real sense 
of urgency.
    My next point is the fact that OMB is, I think, the only 
one who really can make this happen absent Congress passing a 
bill. I would again say, Mr. Kundra, actually take a hard look 
at what you can do, and I sense that you are already doing 
that, to make sure that we don't waste another year, another $1 
billion, if not more, to do something that doesn't work very 
well.
    My last point is the fact that, obviously, we all need 
to work together. I am pleased to see with the three of you 
here before us, it is a pretty good model of how we can 
cooperate and I hope that we are part of that, as well. But 
technology changes so fast that without a partnership between--
not just among agencies, but also between the Legislative 
Branch and the Executive Branch, Americans, unfortunately, are 
going to end up on the losing end, and we don't want that to 
happen.
    I am going to ask, I think, for you all to come back to me, 
I will put this in writing, but to come back to us in maybe 2 
weeks with opportunities that you believe will lead to 
efficiencies in defending our networks. If you do that, I would 
be grateful. If you get any other questions from my colleagues, 
then if you would respond to those within 2 weeks, that would 
be terrific.
    Thank you all very much for coming today, for your 
testimony, and for the work that you are doing. I would 
encourage you to continue on and we will do our best to have 
you back. Thank you.
    And with that having been said, this hearing is adjourned.
    [Whereupon, at 4:07 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

[GRAPHIC] [TIFF OMITTED] T3852.001 through T3852.070 (appendix 
material submitted as graphics; not reproduced in the text version)
