[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
 
                  FEDERAL CYBERSECURITY AFTER THE OPM
            DATA BREACH: HAVE AGENCIES LEARNED THEIR LESSON?

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           NOVEMBER 16, 2016

                               __________

                           Serial No. 114-125

                               __________

Printed for the use of the Committee on Oversight and Government Reform

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                           ________

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 24-915 PDF               WASHINGTON : 2017       
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman

Majority members:
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, Jr., Tennessee
JIM JORDAN, Ohio
TIM WALBERG, Michigan
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
CYNTHIA M. LUMMIS, Wyoming
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina
RON DeSANTIS, Florida
MICK MULVANEY, South Carolina
KEN BUCK, Colorado
MARK WALKER, North Carolina
ROD BLUM, Iowa
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

Minority members:
ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
BONNIE WATSON COLEMAN, New Jersey
STACEY E. PLASKETT, Virgin Islands
MARK DeSAULNIER, California
BRENDAN F. BOYLE, Pennsylvania
PETER WELCH, Vermont
MICHELLE LUJAN GRISHAM, New Mexico

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
                          Mike Flynn, Counsel
                           Willie Marx, Clerk
                                 ------                                

                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman

Majority members:
BLAKE FARENTHOLD, Texas, Vice Chair
MARK WALKER, North Carolina
ROD BLUM, Iowa
PAUL A. GOSAR, Arizona

Minority members:
ROBIN L. KELLY, Illinois, Ranking Member
GERALD E. CONNOLLY, Virginia
TAMMY DUCKWORTH, Illinois
TED LIEU, California

                            C O N T E N T S

                              ----------

Hearing held on November 16, 2016

                               WITNESSES

Ms. Renee P. Wynn, Chief Information Officer, NASA
    Oral Statement
    Written Statement
Mr. Jonathan Alboum, Chief Information Officer, U.S. Department
  of Agriculture
    Oral Statement
    Written Statement
Mr. Robert Klopp, Deputy Commissioner and Chief Information
  Officer, Social Security Administration
    Oral Statement
    Written Statement

                                APPENDIX

Statement from Representative Gerald E. Connolly


                  FEDERAL CYBERSECURITY AFTER THE OPM
            DATA BREACH: HAVE AGENCIES LEARNED THEIR LESSON?

                              ----------                              


                      Wednesday, November 16, 2016

                  House of Representatives,
            Subcommittee on Information Technology,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:19 a.m., in 
Room 2154, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the subcommittee] presiding.
    Present: Representatives Hurd, Blum, Chaffetz, Kelly, 
Connolly, and Lieu.
    Mr. Hurd. The Subcommittee on Information Technology will 
come to order.
    And, without objection, the chair is authorized to declare 
a recess at any time.
    Good morning, everyone. In September, the chairman 
announced the release of a majority staff report on the data 
breaches at the Office of Personnel Management. This committee 
spent a year digging into what went wrong at OPM. We looked at 
everything from how the hackers got in to what technologies OPM 
was buying while responding to the incident. And while we 
learned a great deal, there was an unfortunate conclusion that 
the damage of this data breach could have been mitigated.
    It's impossible to prevent all data breaches, especially 
when we are talking about a determined and sophisticated 
adversary. But we can deter and mitigate the effects of these 
breaches. Some of that, like investigation, attribution, and 
prosecution, is outside the agency's control. But other 
aspects, like improving cybersecurity protections and 
continuous monitoring, are squarely within agencies' CIOs' 
control. That is why we need to get into the weeds on 
everything from access controls to vulnerability management to 
make sure we aren't making it easy for hackers to get access to 
our sensitive data.
    And this is a conversation that starts with the agency's 
CIO. CIOs are the focal point for all things information 
technology at every Federal agency, department, office, and 
bureau. That is why this subcommittee has worked together to 
ensure the continued implementation of FITARA and, more 
broadly, making sure that CIOs have the necessary authorities 
to finally bring Federal systems into the 21st century.
    The House recently passed my bill, the MGT Act, cosponsored 
by Mr. Connolly, Chairman Chaffetz, Ranking Member Cummings, 
ranking member and my friend Ms. Kelly, the majority leader, 
the minority whip, and Mr. Lieu from California, which 
incentivizes agency CIOs to modernize their agencies' outdated 
legacy IT to fiscal responsibility. I urge the Senate to pass 
the MGT Act this Congress so that the incoming administration 
has the necessary tools to modernize our outdated and insecure 
Federal IT. This is a shared responsibility. Congress can't 
hold agency CIOs accountable for what's going on in IT if those 
CIOs don't have the necessary authority to get the job done. We 
need CIOs staying at their posts for longer than the current 2-
year average. If we're going to move the ball forward, we need 
Federal CIOs not only with the necessary authorities to make 
their vision a reality but who are sticking around long enough 
to see it happen. This is why the OPM CIO was such a focus of 
the OPM data breach report and its recommendations. We need 
empowered, accountable, and competent CIOs, which brings us to 
our panel here today.
    We need a serious conversation about the role of the 
Federal CIOs and information security. The President recently 
announced the creation of a Federal CISO, the Chief Information 
Security Officer, that will report to the Federal CIO. Should 
that be a model for Federal agencies, the CISO reporting to a 
CIO, or should the CISO report directly to the head of the 
agency? Does the head of an agency need to hear two voices on 
questions of IT procurement, computer systems, data storage, 
and balancing the needs of the production environment with 
those of cybersecurity? This is an open question that this 
subcommittee has not yet explored. But I think it is an 
important question moving forward as we continue to conduct 
oversight of Federal information security policies and 
practices.
    And, finally, we need to address how these agencies 
transition their information technology over to the new 
administration. Each agency will have unique challenges. And I 
would like to hear from our witnesses how they are going to 
facilitate this transition. We are making progress in 
information technology and cybersecurity, and I'm committed to 
ensuring that we don't backslide on this profound national 
security challenge.
    Ultimately, cybersecurity is a collaborative effort that is 
going to require continuous attention and effort from all 
parties to make sure our data is safe.
    And I'm glad my partner in crime in this endeavor is the 
gentlelady from Illinois, Ms. Kelly, the ranking member of the 
Subcommittee on Information Technology and my friend, and I'd 
now like to recognize her for her opening statement.
    Ms. Kelly. Good morning. And thank you, Chairman Hurd, and 
welcome back. Thank you for holding this important hearing on 
the state of Federal cybersecurity in the wake of the OPM data 
breach. And I thank the witnesses for joining us today to 
testify. Cybersecurity is a critical concern for both the 
public and private sectors, as the recent breaches affecting 
millions of people at the Office of Personnel Management and 
Yahoo illustrate.
    In our investigation of the OPM data breach, we discovered 
that a sophisticated nation-state adversary targeted both OPM 
and private sector companies performing services for the 
government in order to steal sensitive information about 
Federal employees. In fact, the OPM breach was achieved using 
credentials taken from one of OPM's contractors. The 
minority staff memorandum concluded that Federal cybersecurity 
is intertwined with government contractors and that cyber 
requirements for government contractors are inadequate. In the 
past 2 years, Congress passed and President Obama signed into 
law the Federal Information Security Modernization Act of 2014, 
known as FISMA, and the Federal Cybersecurity Enhancement Act 
of 2015 known as the FCEA. These laws create stringent 
standards for agency information security programs and will 
implement innovative technology, such as the EINSTEIN Federal 
detection and intrusion prevention system, as well as 
multifactor authentication--losing my words. Congress has a 
responsibility to ensure that agencies are complying with these 
enacted pieces of legislation.
    This past July, the committee sent bipartisan letters to 
the 24 CFO Act agencies requesting information on FISMA and 
FISMA compliance and FCEA implementation progress. We are here 
today to discuss agency compliance with FISMA and agency 
progress on the upcoming December 2016 deadline for FCEA 
implementation.
    I understand that the Office of Management and Budget 
recently issued a report on FISMA-required independent 
evaluations of agency information security systems for fiscal 
year 2015. This report shows a decline in agency FISMA scores 
over the past year for our three witnesses' agencies here 
today. Each agency's independent evaluation of their 
information security programs highlights the strength of their 
individual programs and areas that can use improvement. One of 
the key aspects of FISMA is moving from a check-the-box 
mentality of cybersecurity to an approach of continuous 
monitoring and reporting. I would like to hear from our 
witnesses as to how Congress can help them achieve that goal. I 
would like to hear if any challenges are being encountered in 
the implementation of FCEA-required programs and practices.
    I want to again thank our witnesses for their testimony 
today. Effective Federal cybersecurity is possible through 
cooperation between agencies and Congress. I look forward to 
having a discussion on how we can better work together to 
develop policies that will secure not only agency systems but 
private sector systems as well.
    Again, thank you, Mr. Chairman. I've long said that Federal 
Government needs to lead by example when it comes to improving 
our national cybersecurity. And I'm proud of this step we've 
taken in this subcommittee toward this goal. But it's clear 
that we have much more work ahead. And I look forward to 
continuing our work together in Congress.
    Mr. Hurd. I do too. I'd like to thank the ranking member.
    I'm going to hold the record open for 5 legislative days 
for any members who would like to submit a written statement.
    I'd now like to recognize our panel of witnesses. I'm 
pleased to welcome Ms. Renee Wynn, chief information officer at 
NASA; Mr. Jonathan Alboum, chief information officer at the 
U.S. Department of Agriculture--thank you for being here, sir--
and Mr. Robert Klopp, deputy commissioner and chief information 
officer at the Social Security Administration. Welcome to you 
all.
    And pursuant to committee rules, all witnesses will be 
sworn in before they testify. So please rise and raise your 
right hands. Raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. Please be seated.
    Let the record reflect that the witnesses answered in the 
affirmative.
    In order to allow ample time for discussion, please limit 
your testimony to 5 minutes. Your entire written record will be 
made part of our record.
    And now I'd like to recognize Ms. Wynn for 5 minutes for 
your opening statement.

                       WITNESS STATEMENTS

                   STATEMENT OF RENEE P. WYNN

    Ms. Wynn. Good morning. Chairman Hurd, Ranking Member 
Kelly, and members of the subcommittee, thank you for allowing 
me today to appear before you to address NASA's efforts to 
effectively manage and protect our information technology 
resources. As at other Federal agencies, malicious threats to 
NASA's networks are constantly evolving, which means our work 
is never done. Thus, I want to reassure you today that IT is a 
top priority at NASA. As NASA's chief information officer, my 
office works to ensure that NASA's IT systems are safeguarded 
from attack, assessed against stringent Federal and agency 
security requirements, and appropriately monitored for 
compromise. Each day, thousands of NASA personnel, contractors, 
academics, and members of the public access part of NASA's IT 
infrastructure, a complex array of information systems 
geographically dispersed. This infrastructure plays a critical 
role in every aspect of NASA's mission, from transforming the 
way we fly, to controlling spacecraft, to processing scientific 
data.
    Unfortunately, there is no single approach or tool that can 
predict, counter, and mitigate the wide range of attacks that 
threaten networks. NASA works constantly to identify and 
counter attacks by implementing proactive and adaptable 
security measures. We also work closely with the Department of 
Homeland Security and other Federal agencies to implement new 
technologies and share best security practices, partnerships 
which have improved NASA's security posture. For example, under 
FISMA metrics, NASA has made improvements in our anti-phishing, 
malware, and network defense. We have significantly reduced our 
cybersecurity risk as measured by the Department of Homeland 
Security's cyber hygiene report. NASA now has a permanent chief 
information security officer, or CISO, who works on operational 
IT security and compliance matters with all of NASA Center 
CISOs, as well as the Federal chief information security 
officers.
    Like all agencies, NASA is adjusting to new laws and 
directives designed to improve the entire Federal Government's 
IT security posture. While NASA is making progress in some 
security metrics, much work remains. As we move forward and 
find new ways to work across NASA, our metrics may 
unfortunately dip as we uncover and we work to resolve new 
issues. However, as new technologies come online and culture 
issues are resolved, we expect to see improved metrics in 2017.
    Through the implementation of our business services 
assessment, or BSA, we took a hard look at how we manage IT. 
This BSA outlined a series of steps the agency should take and 
is taking to optimize and protect our IT assets. The BSA 
results will ensure that IT is seen as a strategic agency 
resource establishing clear direction for NASA's CIO to approve 
the agency's IT spend plan for non-highly specialized and 
highly specialized IT. In my personal opinion, this BSA is a 
gift which says NASA supports you as the CIO, and we do want 
you to transform the way NASA manages IT.
    These are big steps forward for NASA, and NASA should be 
commended for taking the necessary steps to improve. We know 
there still is a lot of work to do. Thus, I want to end my 
remarks by assuring you that protecting and evolving NASA's IT 
infrastructure is and will remain an agency priority. We look 
forward to working with Congress, the Government Accountability 
Office, the NASA inspector general, and other Federal 
stakeholders to effectively implement a restructured and 
strengthened IT security program at NASA.
    I would be happy to answer any questions you may have.
    [Prepared statement of Ms. Wynn follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    Mr. Hurd. Thank you for your remarks, Ms. Wynn. And thanks 
for being here again.
    Mr. Alboum, you're recognized now for 5 minutes for your 
opening remarks.

                  STATEMENT OF JONATHAN ALBOUM

    Mr. Alboum. Chairman Hurd, Ranking Member Kelly, and 
members of the subcommittee, thank you for your diligent work 
on cybersecurity and the IT scorecard. I appreciate having this 
opportunity to share USDA's efforts to strengthen its 
cybersecurity posture over the last few years.
    The Department of Agriculture touches the lives of all 
Americans. Protecting USDA customer, partner, and employee data 
is a top priority for Secretary Vilsack and me. Together, we 
work across USDA to ensure we have the right tools and culture 
as new threats emerge. In terms of cybersecurity tools, I'm 
pleased to tell the committee that USDA has successfully 
completed our initial implementation of EINSTEIN 3A. USDA 
employs a risk-based approach to cybersecurity, prioritizing 
resources where they will have the most significant impact. 
EINSTEIN is key to this approach. Over the coming weeks, we 
will continue to work with DHS to bring additional EINSTEIN 
capabilities online. And we fully expect to meet all of the 
December deadlines.
    I'm also proud to share that USDA is one of the leading 
agencies participating in the DHS continuous diagnostic and 
mitigation program, also known as CDM. I've made this a 
priority for the Department. We are currently implementing the 
capabilities of phase 1, which gives us increased insight into 
what is on our network. This improved visibility helps us to 
prioritize future modernization initiatives and protect the 
information of the people we serve. EINSTEIN and CDM, combined 
with our security operation center, or SOC, position USDA to 
proactively detect, prevent, and mitigate cyber attacks. The 
USDA SOC is starting to use big data technologies to analyze 
trends and anomalies by correlating security data from multiple 
sources. We have partnered with the Defense Advanced Research 
Projects Agency, DARPA, to pilot many of these tools. As pilots 
like these demonstrate positive results, USDA will explore the 
potential for a departmentwide rollout.
    Additionally, my team routinely conducts penetration 
testing assessments to identify security vulnerabilities in our 
systems. These findings are used to develop plans to remediate 
risk and improve system security.
    USDA also created a list of high-value assets and has 
worked with DHS to perform additional penetration testing 
assessments of these systems over the past year.
    Effective cybersecurity is as much about education and 
culture as it is about having the right tools in place. 
Secretary Vilsack strongly supports my office in ensuring that 
USDA senior executives and employees understand their daily 
role in preserving the Department's reputation as a trusted 
government partner.
    In the past year, I created a scorecard to build awareness of 
the Department's cybersecurity posture. Every 2 weeks, 
component agency heads are provided with a status of key 
cybersecurity hygiene factors for their organizations. This 
increased insight gives USDA officials the information they 
need to balance programmatic requirements with continuous 
improvements in cybersecurity. For example, this approach 
supported our drive to increase the usage of personal identity 
verification, or PIV, cards across the department. Over the 
past 16 months, we increased our usage rate from 15 percent to 
over 92 percent for nonprivileged users and from 6 percent to 
over 96 percent for privileged users.
    USDA employees face an increasing number of malicious 
emails and social engineering cyber attacks like phishing. 
Through a recent anti-phishing campaign, we recognized that 
additional safeguards, like email subject-line warning 
messages, were needed to render phishing attacks less 
effective. As a result of these activities, USDA achieved a 
greater than 50 percent reduction in the click rate of 
simulated phishing attempts. Further, my team and I fully 
support the push for additional measures to improve information 
sharing across government to enhance cybersecurity readiness 
and response. In May 2016, USDA became the first department to 
develop and successfully test new procedures required by the 
Federal Cybersecurity Enhancement Act for notifying Congress 
within 7 days of a major incident.
    As threats continue to proliferate and to adapt to existing 
defenses, USDA, like all government agencies, will need 
appropriate resources to employ emerging technologies and new 
approaches to mitigate these risks. For example, the 
Department's fiscal year 2017 budget included a requested 
increase of $10 million to enhance USDA cybersecurity 
capabilities. It is critically important that we discuss these 
issues and related impacts.
    So, again, I want to thank you for holding this hearing to 
shed light on this important topic. I'm grateful for the 
opportunity to share information about our progress in 
strengthening USDA's cybersecurity program. USDA is committed 
to an open and continuous dialogue with Congress about new 
opportunities to improve our defenses. I look forward to your 
questions. Thank you.
    [Prepared statement of Mr. Alboum follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    Mr. Hurd. Thank you, sir.
    Mr. Klopp, you're on the clock for 5 minutes. We welcome 
your opening remarks.

                   STATEMENT OF ROBERT KLOPP

    Mr. Klopp. Thank you. Good morning, Chairman Hurd and 
Ranking Member Kelly.
    Earlier I provided a status update in my written testimony, 
which I won't repeat here. But I would like to share a couple 
of updates, provide a review of our Department of Homeland 
Security reporting, and share some thoughts tied to the OPM 
breach report.
    First regarding the status of our EINSTEIN implementation, 
the agency completed phase 3 of this program in March of this 
year. And it's been in production since then. So we were early.
    Next, regarding our implementation of CDM, which has been 
mentioned here, we're on schedule to deploy phase one of that 
in December. So we're on track there as well.
    Now, I want to talk a little bit about some of the ongoing 
Department of Homeland Security reporting. What we see is sort 
of a continuous process of discovery and remediation. DHS has 
come onsite twice to evaluate high-value assets. This resulted 
in 16 recommendations. They called out two critical items, one 
of which was a vulnerability. Eight of these items are 
resolved, including both critical items. Five recommendations 
are complete but require sort of continuous improvement. Two 
are in progress and were resolved in this fiscal year. And one 
around network segmentation is actually a very large project 
which we'll begin in fiscal year 2017.
    As you may know, the DHS scans the agency weekly, producing 
cyber hygiene reports. I'm happy to report that it found no 
critical vulnerabilities since the inception of this program.
    DHS also produces monthly vulnerability reports. This 
process sort of continuously reports that we score in the top 
three, with the smallest number of vulnerabilities of any 
reporting agency.
    Proactively the agency runs daily inhouse penetration tests 
managed through an automated system. In 2016, we identified 
1,872 vulnerabilities and remediated them on the average of 
every 22 days.
    The agency participates in an annual financial statement 
audit. In fiscal year 2015, auditors found no material 
weaknesses, one significant deficiency, and produced 59 
findings and recommendations. Since these findings, we have 
implemented automated support to request new access to systems 
to schedule the removal of access for departing staff and 
progressed in all but one of the 59 findings.
    Most importantly, I'm happy to report that the agency has 
no major incidents to report to date.
    Regarding the OPM breach report, we took this report very 
seriously. In the interest of time, let me sort of focus on 
what we think is the most far reaching of the 10 
recommendations. That was recommendation No. 2 regarding the 
deployment of a zero-trust model. I'd like to give you sort of 
an example of our intention and direction on that. We are 
implementing now a new zero-trust capability for systems 
administrators where access is revoked and renewed with each 
new administrative task. These administrators don't get any 
permanent passwords. As you may know, systems administrators 
hold the keys to the kingdom. By implementing a zero-trust 
model for sys admins, first, we expect to significantly upgrade 
our posture.
    I think all of the, you know, witnesses here are testifying 
about the increased threat of cyber attack. It's not a 
surprise. And some are suggesting that we need to take a more 
aggressive stance as a government with regard to that. But I 
think our IT systems are sort of the equivalent of B-52s: 
dependable, but outdated and vulnerable. We appreciate this 
committee's awareness of the need for IT modernization and 
appreciate even more the bipartisan measure, H.R. 6004, which 
you mentioned. It's a really important step. But H.R. 6004 is 
an unfunded vehicle. And what we need is funding. To defend our 
IT assets to the standard you and the public expect, we need 
the cyber equivalent of defense spending. And we need a fully 
funded investment in IT modernization.
    So I'd like to thank you for your support. And now I'm 
happy to take any questions you might have.
    [Prepared statement of Mr. Klopp follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    Mr. Hurd. Thank you, sir.
    And I'll recognize myself for 5 minutes.
    Ms. Wynn, when did you start in your position?
    Ms. Wynn. I started with NASA on July 13 in 2015. And I 
became the chief--I started as the deputy CIO, and I became the 
chief information officer at the end of September of 2015.
    Mr. Hurd. Gotcha. So if my math is correct, about a year? A 
little bit under?
    Ms. Wynn. Just slightly over a year, going toward 14 
months.
    Mr. Hurd. So I guess we're in November now.
    There have been plenty of reports about how, over the summer, 
NASA's--the Agency Consolidated End-user Service, or do you 
call it ACES--yeah--was operating under a conditional authority 
to operate since July 24. My understanding is that you declined 
to sign off on the authority to operate for ACES because of a 
difference of opinion between your office and the contractor 
operating the system. That--the issue was over patching, it 
seems like. Now, I think this is a--actually a good news story, 
right? Because you obviously felt you had the authorities to do 
those kinds of things, and you're using your technical 
judgment.
    Can you walk us through the thought process during that 
decision?
    Ms. Wynn. Yes.
    Mr. Connolly. Would my friend yield just for a second?
    Mr. Hurd. Sure.
    Mr. Connolly. Forgive me, but I have a hearing upstairs, 
but I didn't want to miss this. I just ask unanimous consent my 
opening statement be entered into the record. Forgive me, I've 
got to go back upstairs to another hearing on the census. But 
someday hopefully the good Lord will give me the gift of 
bilocation.
    Thank you, Mr. Chairman.
    Mr. Hurd. Without objection. Thank you. Ms. Wynn.
    Ms. Wynn. NASA will get to work on that bilocation.
    Yes. So, yes, the authority to operate for our end-user 
services, we have several of them. It's a very complex set of 
systems. The one in particular had to do with the client-based 
devices that we use, computers and that. And it was presented 
to me on July 25. The presentation is on the security risks and 
how those risks were being--to be mitigated. And upon that, I 
asked if they can look me in the eye and say free and clearly 
they would recommend signature. And on that date, they 
presented to me the package as we usually go through. And at 
that point, both on the operational side as well as the 
gentleman who was brought in for security to serve as the 
acting acting CISO as our acting CISO was on vacation, on the 
operational side recommended--said that they could not 
recommend to me signature because we had a discrepancy on 
numbers of devices as well as the status of the patches and how 
quickly they were being deployed and the status of that 
deployment. So it was both a timing and an end effort. And the 
gentleman who was acting as the acting acting CISO for me at 
the time said that he also could not agree to--could not 
recommend signature for the authority to operate. And so I 
asked a series of questions. What does that really mean? And in 
this instance, we didn't have enough data to make a sufficient 
risk determination on whether the ATO should be signed or not. 
And so, at that point, I said that I would not sign and that 
work needed to be done on the side of both NASA as well as HPES 
to get the work done. By that Friday--so this was a Monday--by 
that Friday, I had signed the authority to operate because we 
were able to see and understand the risks that I would be 
signing off on.
    Mr. Hurd. So did that give anyone at NASA heartburn? Did 
you receive any flack for not signing off on an ATO? Because if 
I remember correctly, the news coverage at the time--I think 
the term was ``unprecedented step.'' And I imagine that a CIO 
letting a major system authorization to operate expire turned 
some heads.
    Ms. Wynn. Yes, Chairman, it did turn some heads. So the 
actions rate when one does this action, news of this 
significance would spread fast. So I made sure that the chief 
information security officers around our centers, as well as 
our chief information officers around the centers, were aware 
of my decision. And then my next step was to inform the 
Administrator and the Deputy Administrator of the action that I 
had taken, as well as letting our press office know, as well we 
figured that there would be--this would leak out and become 
information and headlines. And so I was supported by everybody 
for making this decision. And I would do it again. I wish that 
we hadn't ever reached that point. And so we worked on some 
prevention efforts. HPES has definitely stepped up to the plate 
in terms of working with us. And they and my team have actually 
responded very positively that the authorities to operate, as 
you said, are not to be rubber-stamped. If my signature's on 
that and there had been a breach the next day, then it would be 
very obvious that I would not have done the job that I was 
asked to do on behalf of the NASA as well as the Federal 
Government.
    Mr. Hurd. Well, I'd like to commend you on making a tough 
decision. And these are the kinds of decisions that we want to 
see more CIOs making. That's the whole reason we're empowering 
you to make these types of decisions.
    So I'd like to answer a procurement question a little here. 
And so if a system doesn't get the approved ATO, how does that 
work? You know, does that--do you have the authority to change, 
move? Does that void the contract? How does that--can you give 
me some insight onto that process?
    Ms. Wynn. NASA's procurement for an information system has 
the security requirements--the Federal security requirements in 
that I am--we would need to work on procurement clauses, and I 
think these would need to be broad Federal Government clauses, 
in terms of ramifications of an authority to operate and what 
would happen after that. The CIO, in concert with the rest of 
the agency, would need to be able to work out whether that 
system needed to be shut down and modernized or upgraded or--
because not every system is the same. Others are not in a clean 
position to say, ``Okay, we just can't do this anymore,'' and 
go that. So we would need some flexibilities to make those 
determinations. But I believe that procurement clauses would 
need to be added for the benefit of the Federal Government.
    Mr. Hurd. So am I understanding your statement correctly, 
you would like to have that authority?
    Ms. Wynn. I would like to have that authority.
    Mr. Hurd. Mr. Alboum, do you have any opinions on this 
topic on ATOs and budget authorities and things?
    Mr. Alboum. Sure. Thank you, sir. So, in the year or so 
that I've been the USDA CIO, I have not been in a situation 
where I've had to disapprove an ATO or not sign. However, 
similar to Ms. Wynn, I see within the U.S. Department of 
Agriculture the support to make the right decisions. We have an 
enterprise IT board that we're able--that is composed of our 
Under Secretaries, Chairman, the Deputy Secretary, where we can 
bring challenging IT decisions before that board and have a 
robust conversation. So we have done that. Not on an ATO, 
however.
    On the point regarding procurements, having that contract 
language, I think, would be very good, and I agree that it 
would need to be something that's government-wide. We'd have to 
understand how that works, as oftentimes, with the 
establishment of an ATO, there's a component that is--the 
contractor's required to do. There's a component that the 
Federal staff has to do. So having good very clear roles and 
responsibilities and very clear timelines would be critical. 
Procurement language--contract language would definitely help.
    Mr. Hurd. Mr. Klopp, any opinions on this?
    Mr. Klopp. Actually, we had a very similar situation to the 
NASA situation where we had a very large contractor who was 
running our call center and how--was not compliant. We took a 
little bit different approach, which was that we revoked the 
permanent ATO and provided them with a provisional ATO that 
extended for 90 days, and then continued to extend that and put 
pressure on them threatening the unprecedented move that Renee 
went to, but never actually pulling the trigger on it. In the 
end, it took us about a year to get that system completely 
compliant. But the pressure and threat of pulling the ATO is 
what allowed us to do it. So I would probably--I mean, I would 
certainly agree if we were able to have the kind of--some sort 
of legal wording in there that forced vendors to do this as one 
more lever on top of them, that would be really valuable for 
us.
    Mr. Hurd. Because I would even take it a step further and, 
you know, in the MGT Bill, when we get that passed the Senate--
Senate, I hope you're listening--this is an opportunity--
because if you had to change, if you had to move in a different 
direction, I would consider that savings. All right? That is, 
if some project had to stop, I would consider that savings and 
would be able to go into the working capital fund that you 
would continue to have access to for 3 years, right? So that is 
an additional tool so that you're not having to run against the 
clock. And I think what most people don't recognize is that 
your systems, your networks, are so big and there's so many 
devices on it that changing a system in the course of a year is 
next to impossible. And that's why you need the additional 
flexibilities with those resources. And so that would be the 
next logical continuation of this topic.
    Ms. Wynn, the ACES, is it currently operating on a 
conditional or has it gotten a standard ATO?
    Ms. Wynn. Our ACES contract is on an ATO that, like Rob was 
talking about, that's running on an 18-month timeframe. So--and 
we've got regular meetings on both the ATO as well as making 
sure that our teams, NASA and HPES, are working together to 
ensure that the next ATO is either longer or has the right 
timeframe for checks and balances.
    Mr. Hurd. And, Mr. Alboum, am I to infer from your 
statements that USDA does not currently have any systems 
operating without an ATO?
    Mr. Alboum. No. That's not correct. There are some systems 
that don't have an ATO. USDA's employed an ongoing assessment 
process. And we assess one-third of all of the controls of each 
system--we have 329 systems--annually. So it is possible, 
during the assessment of those controls, we will find something 
that requires us to revoke an ATO and work with an agency to 
get back into compliance. So the number of systems we have and 
the number of systems that have a valid ATO is in flux because 
of this process. So, again, to your point, I think it's a good 
thing if we find something that says we're not going to have an 
ATO for this system right now. We're going to work to correct 
it.
    Mr. Hurd. Gotcha. Thank you.
    I'd like to now recognize Ms. Kelly for her lines of 
questioning.
    Ms. Kelly. Thank you, Mr. Chair.
    I wanted to dig a little deeper into the cyber requirements 
for government contractors. In my opening statement, I 
mentioned that the minority staff of this committee found that 
Federal cybersecurity is intertwined with government 
contractors and that cyber requirements for government 
contractors are inadequate. So, in response, OPM has 
strengthened its contracting requirements by heightening 
incident reporting and access to contractors' systems.
    Ms. Wynn, would you agree that having increased incident 
reporting requirements and access to contractor systems will 
enhance Federal cybersecurity? And if you agree, how so?
    Ms. Wynn. Congresswoman, the answer is yes.
    Ms. Kelly. And do you have similar requirements for 
contractors at NASA?
    Ms. Wynn. We have the--a lot of the standard clauses 
required to pass along the Federal requirements onto those 
contractors, and we work to enforce those as well.
    Ms. Kelly. Okay. And has NASA taken any other measures 
regarding cybersecurity in the wake of the OPM breach?
    Ms. Wynn. Yes, we have. We've done a couple of efforts. One 
is, is that, at NASA, given some of the sensitive work that we 
do and intellectual property that we have, we are definitely a 
target for hackers. And so we've got a number of--not getting 
too technical, but we've got air gap systems. We take a look at 
what our high-value assets are. In fact, we're working right 
now to trim the list of high-value assets so that it's a single 
list for the agency, instead of one from a cyber perspective 
and another for safety. Because safety and cyber go hand in 
glove for NASA, as they would probably for any Federal agency. 
And we--with our new Federal CISO, we're also taking a hard 
look--not Federal CISO. She works NASA. Sorry. She's taking a 
hard look at our processes and procedures and making sure that 
we are in fact doing the best that we can do with tools and 
bringing in assistance from other Federal agencies.
    Ms. Kelly. Thank you. And our other witnesses, have your 
agencies done anything to enhance the cybersecurity--cyber 
requirements for contractors in response to the breach?
    Mr. Alboum. Yeah. So we have an incident response policy at 
USDA that contractors are required to follow if they're to lose 
personally identifiable information or sensitive but 
unclassified kinds of information. So that is something that 
USDA contractors are required to follow.
    Mr. Klopp. Yeah, I would say sort of two things. One is 
SSA's really a little bit different than most other agencies in 
that 75 percent of the work we do in the agency is done with 
Feds instead of with contractors. So it's a little bit less of 
a problem for us. But it's--the problem is still there.
    I would say two things that we've done that are critically 
important. One is we've just upgraded the sort of automated 
support we have for managing contractors and--which means that 
it makes it--there's a more automated mechanism for us to make 
sure that when a contractor rotates out, that we instantly take 
away all access they have to the systems. That is really 
significant. We were having problems where people would leave, 
the contractor wouldn't notify us, and they might have retained 
access for some period of time. So I think we've got that 
fixed.
    The second thing I would go back to is this sort of, you 
know, zero-trust rule. What we're doing now is, by implementing 
this new system that allows systems administrators to really 
have to renew a password every time they take on a task, it 
basically allows us to give administrative rights to 
contractors knowing that those rights will disappear within a 
day.
    Ms. Kelly. Is there a breadth or are there a breadth of 
contractors that you can use? Or is it the same people all the 
time, the same contractors? Or do you have a lot of options, do 
you feel?
    Mr. Klopp. Well, I mean, I think that there are, you know, 
what we refer to affectionately as the ``cartel.'' Right? So 
there's a bunch of big ones. But one of the things I think is 
really an exciting new trend going on that was sort of driven 
by the GSA 18F folks and by the U.S. Digital Services folks is 
the idea of allowing us access through contracting vehicles to 
smaller, more niche contracting agencies that have a really 
different kind of a profile and a different attitude as well. 
And so those things will, I think, improve the quality of some 
of the contractors we get at the cost of having some 
administrative issues because we'll be dealing with more 
companies.
    Ms. Kelly. Do you have any response?
    Ms. Wynn. Yeah. So NASA does have a lot of contractors, and 
we have a lot of partnerships, different types of partnerships, 
with the private sector as well as academics and a lot of work 
with the public. And so we use some of the bigger contractors. 
We use some of the smaller contractors. We try to make sure 
that we give a lot of opportunities to our small businesses. 
So, on the backside of that, it means you're going to have to 
have a lot of smart folks to be integrators, either whether 
it's within the contracting community integration and ensuring 
that they're collaborating and cooperating. The other side is 
they bring systems to the table as well. And so you also have 
to make sure that you've got really good systems integration. 
And so NASA is pretty accustomed to systems integration. And so 
for us to have a whole breadth of contractors and their 
capabilities and what they work on allows us to then be in a 
pretty good position in terms of managing those differences. 
Because every time you add a contract, you add overhead and 
responsibility on the Federal Government side. And you've got 
to be good at that for that to be--to work for you.
    Ms. Kelly. Any comment? It's up to you. You don't have to.
    Mr. Alboum. No. Sure. I think what's been said is very 
accurate. The government is going to rely on contractors to do 
particular tasks and support work. And the idea of having 
competition and having healthy competition between companies is 
the way we want USDA to operate. We don't want to be locked 
into vendors. The idea that some vendors come into the 
government, and they feel, ``Well, they'll always be here,'' 
we're working very hard to change that. That sort of mentality 
breeds the opportunity for people to feel--sometimes the 
contractors to feel like they are employees and to take 
liberties or to maybe think, ``Well, these rules don't apply to 
us.'' So we want to make sure that all of our vendors that we 
rely on and have good relationships with recognize that they're 
there to do a particular job, that we will re-compete that work 
as appropriate, and there are no guarantees that they will 
remain in position to continue to do that work if they don't do 
a good job, if we don't think that they're following 
appropriate security protocols, they don't respect the 
environment that they're operating within.
    Ms. Kelly. Thank you. I yield back.
    Mr. Hurd. Thank you.
    And now I'd like to recognize the distinguished gentleman 
from Iowa, Mr. Blum, for his remarks and questions.
    Mr. Blum. Thank you, Chairman Hurd.
    I'd like to welcome the witnesses today. Thank you very 
much for being here, imparting your wisdom on us. I'd like to 
talk specifically about the Social Security system, Mr.--it's 
Klopp, correct? The Disability Case Processing System. I 
understand, in 2008, we undertook a very large project to 
consolidate I think it was 54 fragmented custom systems, which 
we see a lot of this across government, and this is good to get 
rid of these customized fragmented systems into one system. I 
also understand we've spent, to date, over $400 million on this 
project. I'm from Iowa. And in Iowa, $400 million is a lot of 
money.
    So, first of all, Mr. Klopp, I'd like to have you give me 
an update on the status of this effort. Where are we at?
    Mr. Klopp. Sure. So, in about 2010, we made the decision 
that this project was, we'll say, too big for the--our IT staff 
to execute. And so we did a competitive bid and outsourced the 
development of this system to Lockheed Martin and their partner 
MicroPact. They worked on this for several years. About the 
time I came in, it became clear to me that this was off track 
pretty badly. They had already spent about $300 million.
    Mr. Blum. I'm sorry to interrupt. Just in your professional 
estimation, how can it be off track when we're talking about 
that kind of money?
    Mr. Klopp. Yeah, you know, it's a great--it's a good 
question. I think how it gets off track is--is, in this 
particular case, I think that they just were off track from the 
beginning. I think the way they were trying to solve the 
problem fundamentally was broken. And, look, I mean, I'll be 
really clear. I think that for this to have gone as far as it 
did is a gigantic execution problem with our contractors and 
also a problem on oversight. We should never have let it go so 
far before we stopped it. I came in as CTO. Originally, I took 
a look at the architecture, suggested some----
    Mr. Blum. But if I could ask, what happened to the previous 
CEO--CIO?
    Mr. Klopp. The previous----
    Mr. Blum. I assume they were terminated----
    Mr. Klopp. No.
    Mr. Blum. --since it was off track?
    Mr. Klopp. No. The previous CIO was not terminated. I think 
that there was some shuffling around within our oversight group 
as people were sort of slapped for not overseeing this, right. 
You know, I mean, to be honest, there's a variety of places 
where oversight might have come from, and I think there was 
failure across the board there. So the previous CIO did not--
was not fired as a result of this failure, but----
    Mr. Blum. Was he promoted?
    Mr. Klopp. No.
    Mr. Blum. Do you know if he was given--was he given a 
bonus?
    Mr. Klopp. No longer at the agency. Yeah, I don't know 
about that. That all happened before I came. So all I can say 
is, you know, with that regard, is I came in, saw it was off 
track, established some very objective engineering-level 
criteria to be able to demonstrate that the software that was 
being built was fundamentally broken. When in fact it was 
proven it was fundamentally broken, we shut the project down. 
We were still left with the problem that you identified, which 
is we had 54 disparate systems that ran on green screens that 
was just--it was just terrible. So, in October, we started a 
new project, which we called DCPS2, extremely modern, deployed 
in the cloud----
    Mr. Blum. October what year are we talking about?
    Mr. Klopp. Last year.
    Mr. Blum. Just last year.
    Mr. Klopp. Yeah, or a year ago in October. Yeah. So we've 
been at it for a little over a year.
    Mr. Blum. So this started in 2008, and in 2015, we started 
over after 7 years.
    Mr. Klopp. That's correct.
    Mr. Blum. And how many hundreds of millions were spent, 
would you estimate?
    Mr. Klopp. I believe that we spent $340 million up to the 
point that we shut it down.
    Mr. Blum. That's breathtaking.
    Mr. Klopp. Yeah, I don't disagree. Yep.
    Mr. Blum. I'm sorry. Continue. What is the status?
    Mr. Klopp. So the new system is now moving along at a, you 
know, proper pace. Currently, our run rate is about $25 million 
a year. So far less than these kinds of numbers that you heard 
before. We will deploy our first production release to the 
DDSes in December. So there will actually be cases running 
through this thing. So we're well past all of this, is it going 
to work; is it not going to work? That kind of stuff. And we 
believe that we're on the right path. And in fact, what we 
really believe is that--that we're--we're demonstrating, I 
think, in a really profound way that using the kind of modern 
software development techniques and cloud infrastructure that 
we would hope to be able to use over and over and over again if 
Chairman Hurd's bill gets through everybody, I think that this 
proves that we can modernize. And the cost of modernization is 
a fraction of these hundred million dollar projects. We will 
complete this project for significantly less than the money 
that was burnt last time.
    Mr. Blum. When's your estimation of when it will be 
complete?
    Mr. Klopp. You know, that's an interesting question. One of 
the odd things about agile software development, which is what 
we do these days, is that really we view these things not as 
projects anymore but as products. And like any product, we 
could continuously improve the product. As technology changes 
we would just try to incorporate those changes. And so the way 
we look at it is more of a question of, is the $25 million a 
year run rate that we spend on this, is it worth spending 
another $25 million next year for the enhancements that we can 
see in the backlog? So we view these--this thing as a product 
development, not as a project that will have an end.
    Mr. Blum. I'm from the private sector, and one thing that's 
very frustrating is, in Washington, D.C., there seems to be no 
penalty for failure. In fact, the answer usually to failure is: 
Let's spend more money. We're not spending enough of the 
taxpayer money.
    And the money that we have wasted prior to you coming to 
the agency is absolutely stunning. It's breathtaking. This is 
what people are tired of. Is there a phase 1 document done on 
the design of the system that people signed off on, Lockheed--
your contractor signs off on, people in government sign off on 
and say, ``This is what we want built,'' and everyone agrees to 
it? Is there a document that's created before the first piece 
of code is programmed?
    Mr. Klopp. Yeah. So I believe the first time through, there 
was a detailed description of what needed to be built. I 
wouldn't call that an architecture document. The architecture 
and execution of building around those requirements was under 
the control of the contractors. So what we did is very clearly 
specified what we wanted them to build. And then there was an 
execution problem in actually getting that built.
    Mr. Blum. We need accountability. Either the contractors 
made a mistake and we shouldn't pay them, which would happen in 
the private sector, or the government officials who signed off 
in the agency made a mistake and they should be terminated. One 
or the other needs to be accountability, as I would think you 
would agree.
    Mr. Klopp. Yeah. So I would agree that there should be some 
accountability. The contract with Lockheed Martin and MicroPact 
was terminated. That was probably the best that we could do. I 
guess I will say, in the defense of the Federal workers that 
have to be responsible for this, is it's sort of tough if you--
the program basically punishes them for failure but doesn't 
really reward them much for success.
    Mr. Blum. And it's not the Federal workers that are the 
problem. It's the people at the very top typically or the 
contractors. One or the other.
    But do you have a private sector background, by the way?
    Mr. Klopp. Yeah. I came just a couple years ago just to try 
to help out for a few years.
    Mr. Blum. Very good. Very good. Best of luck to you, and 
we'll be checking back in to see how the progress is. Thank you 
for your testimony.
    I'm over my time, and I yield back, Mr. Chairman.
    Mr. Hurd. Before I go to Ms. Kelly, I'd like to ask a 
followup question on that, Mr. Klopp. Look, you're considered a 
political appointee, correct?
    Mr. Klopp. I am, yes.
    Mr. Hurd. So how do we prevent--you know, so $340 million 
was wasted. How do we prevent the DCPS from getting off the 
rails in a transition? Is that a fair question?
    Mr. Klopp. I think it is a fair question.
    Mr. Hurd. And, again, I don't know--either way, I don't 
know what the status is, you know, of the next administration 
and things like that. But if you're not going to be there to 
oversee it, how do we prevent this from--how do we prevent this 
from going off the rails?
    Mr. Klopp. I mean, I think it's a--I think it's a very fair 
question. I think one of the weirdest things for me as someone 
from the commercial world is the whole idea that the entire 
executive staff of not just the agency but the government is 
now about to transition out and transition in. There's no 
precedent for that in the commercial world.
    What I will say is that, when I came in 2 years ago, I knew 
that I had a 2-year time limit. And so, from the very 
beginning, I started building an organization that was going to 
be capable of continuing on after I left. I've completely re-
orged the system's organization. I've handpicked the people 
that report to me. I've handpicked the person that's running 
the DCPS project. And I'll actually tell you that I have no--
I'm really--especially with regard to DCPS, I actually have no 
worries whatsoever about the continuing success of that 
project. The bigger idea of how to modernize the whole of SSA's 
IT organization I think is a much bigger challenge and has some 
cultural impacts. And I'm actually confident that we're going 
to do--that the people behind me are going to carry on and 
modernize that organization. But I'm leaving them with a much, 
much bigger job than the guy that's running DCPS.
    Mr. Hurd. So are there already plans in place to have a 2-
week handover, 2-day handover, 2-hour handover? You know, what 
planning is ongoing to ensure a replacement is----
    Mr. Klopp. In the case of DCPS, I've been actually handing 
it over from the day I started, really. So that's why I said 
it--you know, you could have brought John Garrigues, the guy 
who is running that project from a technical perspective in and 
replaced me in this chair, and you would not have noticed any 
drop in quality. And I think that you're going to see this same 
thing when you hold hearings, you know, 3 months, 6 months from 
now when I'm gone. I think you're going to see the people that 
I've handpicked behind are switched on. They understand what's 
going on. I mean, the Federal employees in the IT world, I 
think, are much more qualified than they normally get credit 
for.
    Mr. Hurd. Are you interested in staying?
    Your comments are being recorded. We'll let you think about 
that and come back to you.
    Ms. Kelly, you're now recognized for 5 minutes.
    Ms. Kelly. I want to thank you, Mr. Klopp, for your 
thoughtfulness and not thinking, you know, who you work for but 
thinking about the American people and the industry and what 
will be a lasting effect instead of a short-term effect. So 
thank you for that.
    In its fiscal year 2015 FISMA report to Congress, OMB 
reported a decline in FISMA compliance scores for our witnesses 
here today compared to their scores in fiscal year 2014. Does 
that mean that the state of cybersecurity's going in the wrong 
direction? No. The report caveats these results saying that a 
new scoring methodology has contributed to this decline in 
scores. In other words, you can't compare test results from 
fiscal year 2015 to fiscal year 2014 because the tests changed, 
and they got harder. So these results would not show the 
situation getting worse.
    What they do show, Social Security, let's turn to you, the 
IG's audit made the significant conclusion about the choices 
you have made. The IG said, and I quote, ``SSA focused its 
limited resources on higher risk weaknesses and therefore was 
unable to implement corrective action for all aspects of their 
prior year's deficiencies.''
    Now, Mr. Klopp, that sounds to me like the IG believes you 
made rational choices. You prioritized which problems you were 
going to address with the funds available to you. But you 
didn't have enough funding to correct all the vulnerabilities 
in the agency's IT systems. Do you agree with that?
    Mr. Klopp. I do agree with that. We have spent a lot of 
time trying to look and see what we need to do in order to be 
more effective at cyber specifically. And what we find is 
that--that, you know, the people are smart and capable. The way 
we prioritize taking things on are the way you would expect us 
to, picking off the high-value, you know, most significant 
vulnerabilities first. And the problem is that the--as we 
talked about in all of our--everybody's opening remarks, the 
threat level continues to rise and the funding that we have 
available to us in order to address that threat doesn't 
increase with the threat. In the case of Social Security, the 
funding available to IT is down 30 percent in the last 3 or 4 
years. So we're trying to do more with less.
    I think that, as I mentioned earlier, of the 59 findings 
from the IG audit, we were able to make progress in 58 of them. 
Frankly, the 59th one, we very explicitly elected to not make 
progress on. So it wasn't that we couldn't. But more funding 
would certainly help.
    Ms. Kelly. With the lack of funding, how did you prioritize 
which problems to solve first? Did you consider the sensitivity 
of the PII that Social Security collects as one factor? Did you 
consider the severity of the weaknesses in your cybersecurity? 
How did you decide?
    Mr. Klopp. You know, I mean, I think that there's a couple 
of things we do. One is that we focus on sort of multilayered 
defense. And so when we saw vulnerabilities that had to do with 
the penetrating from the outside, those all become the highest 
priority things. When we find vulnerabilities on the inside 
that, if someone could get into, we focused on those high-
priority items. You know, I'm not exactly sure--and I don't 
think the IG was very specific--I said in my oral testimony 
that we are--you know, the Department of Homeland Security does 
an audit of our outside penetration tests, and they've never 
found a critical vulnerability there and that, in the inside, 
when they look at those vulnerabilities, that we're 
consistently rated as being the second or third best as far as 
the least number of vulnerabilities. I mean, we have a very 
vibrant relationship with IG. And we actually think that there 
is a discrepancy between the way they evaluate us and the way 
Homeland Security evaluates us, probably a bigger discrepancy 
than in some other agencies. But it's okay. It just means that 
we--you know, everybody had that college professor that gave 
out tougher grades than other people, right? So we--we 
appreciate IG's tough remarks. But we probably would disagree 
that we prioritize wrong.
    Ms. Kelly. Now, when it comes to funding, how much do you 
think you will need to plug up all of the holes?
    Mr. Klopp. I mean, that's a really interesting question. 
What I would say is that, you know, one of the problems we have 
is that all of the new modern products that would help us 
improve our cyber defenses, those products are being built for 
modern systems. They are being built for systems that will be 
deployed across large clusters of servers like in the cloud.
    They are being built for systems that are deployed using 
modern service-oriented architectures and modern programming 
languages and stuff like that. And a lot of our systems predate 
all of those architectural things. And so for us to upgrade 
cyber to the level that you would like us to be at really 
requires the kind of modernization that we need from the bills 
that you guys are trying to push through. So we believe that we 
need a significant investment to fuel that modernization and 
get to the point where we could sustain modernization using 
sort of our--the base funding that we have now.
    And we have asked for $300 million over 4 years in order to 
do that. And it's in the President's budget, that request.
    Ms. Kelly. I yield back.
    Mr. Hurd. I'd like to now recognize the gentleman from the 
Golden State, Mr. Lieu for his 5 minutes of questions.
    Mr. Lieu. Thank you, Mr. Chair.
    After the devastating breaches at OPM, one of the things 
the administration did is they did this 100-day cybersecurity 
sprint where they wanted agencies to go to what's called two-
factor authentication where, before you log on to your 
computer, to get in, you would need more than just a password. 
You would need a second form of authentication, either an ID 
card or something to that effect. Have you all done that?
    Mr. Alboum. Yes, sir. At USDA, during the period of the 
Cyber Sprint and beyond, we have achieved--96 percent of our 
privileged users use PIV cards and 100 percent use either a PIV 
card or a multifactor authentication tool, a token of some 
kind. And for our nonprivileged users, the rest of our 
workforce, we are at 92 percent for PIV cards presently.
    Mr. Lieu. And your goal is to get to 100 percent for 
everyone at some point?
    Mr. Alboum. That's the goal, but the reality is USDA has 
about 100,000 employees. There's turnover. It takes time from a 
point that someone comes on board to get them a PIV card. Our 
biggest opportunity is to dramatically decrease the time it 
takes for an individual to get a card once they come on board.
    Mr. Lieu. Thank you.
    What about NASA?
    Ms. Wynn. At NASA, this is an area where we need to 
improve, and we understand that. And so where we are with our 
privileged users, during the Cyber Sprint, we made the 100-
percent mark. For unprivileged users, this is where we have 
benefitted from having a permanent chief information security 
officer on board for a couple of months. And she has taken a 
hard look at how we measure it and who was considered in 
needing a PIV card. And so, for NASA, we will report one metric 
at the conclusion of fiscal year 2016. Our information is in 
process right now. But we are changing the universe of who 
needs to be covered by this requirement, so we are going to 
take a dip, and then we are going to go back up.
    And we have--Charlie Bolden, the Administrator, has already 
met with the new Federal Chief Information Security Officer to 
give his assurance that NASA will get to 100 percent.
    We believe it is going to take until the early part of 2018 
to make that, but we will make significant progress in fiscal 
year 2017.
    Mr. Lieu. Thank you.
    What about SSA?
    Mr. Klopp. I get to show off a little bit. We are at 100 
percent of our privileged users using PIV cards. PIV cards 
are probably the most effective second factor because it's a 
physical thing you have to have in your hand. And, right now, 
we are at 98 percent of our unprivileged users. And, frankly, 
the reason we are only at 98 percent is because there's a small 
set of our unprivileged users who work in the 54 DDSes that were 
mentioned earlier. They are actually State employees, not 
Federal employees. And so it has just been slower for us to 
negotiate with the States and State unions and stuff like that 
in order to get that implemented.
    But I believe that we are on track to get the last 2 
percent of our unprivileged users onto PIV cards in December of 
this year.
    Mr. Lieu. Thank you. Do you let some of your employees or 
all of them access their work email from their mobile devices?
    Mr. Klopp. No.
    Mr. Lieu. Okay.
    And how about NASA? Do you let any of your employees access 
their work emails from their mobile devices?
    Ms. Wynn. Yes, we do. NASA has a very open environment 
designed for what--part of our mission is, is to share data 
openly with the public and academic and other institutions. We 
are taking a hard look and trying to thread the needle, so to 
speak, between that balance of being an open environment to 
exchange information, to advance technology and science and 
engineering, and balancing that against cybersecurity. Our new, 
as I mentioned before, our new CISO is also taking a look at 
that too so that we find that delicate balance between being 
open and not putting our agency's mission at risk.
    Mr. Lieu. I assume you have cybersecurity measures in place 
for your network systems, you know, desktop computers?
    Ms. Wynn. Yes, we do.
    Mr. Lieu. If someone is connecting from a mobile device, 
does your agency do anything to try to protect that mobile 
device?
    Ms. Wynn. If it is a NASA-provided device, there are a lot 
of protections built into how we deploy it. If it's a 
personally owned device, we have protections for the network 
against that. But the device itself is not my responsibility. 
But if we should have a--if that device is creating a problem, 
we would act very swiftly on that point.
    Mr. Lieu. So I see my time is up. I would like to just 
conclude. I think the mobile device of your NASA employees will 
be the weakest link in your defense system. And whether or not 
you view it as your responsibility, it can cause you grave 
problems if they are not protected.
    Mr. Hurd. Thank you, sir.
    Mr. Klopp, you said at the beginning, the last of DHS 
technical vulnerability assessment, there were 16 progress 
recommendations or progress--16 recommendations that came from 
that? Is that correct?
    Mr. Klopp. That's correct.
    Mr. Hurd. And two were labeled--there were vulnerabilities 
or critical vulnerabilities?
    Mr. Klopp. Two were labeled as vulnerabilities. The rest 
were recommendations.
    Mr. Hurd. And you've addressed 8 of the 16 recommendations.
    Mr. Klopp. We have completely satisfied the 16 
recommendations, including both of the critical 
vulnerabilities.
    Mr. Hurd. Both of the critical vulnerabilities. That was 
going to be my question. And then how are your own internal 
ongoing assessments working in conjunction with what DHS is 
doing?
    Mr. Klopp. The DHS assessments are what's called a red team 
assessment. And so, you know, we sort of let them in and let 
them snoop around. And then they make recommendations to us. 
It's actually not usual for them to identify specific 
vulnerabilities. It's more usual for them to provide these, 
sort of, general recommendations of where we need to go, pay 
some attention. So----
    Mr. Hurd. Are you just using automated tools?
    Mr. Klopp. Pardon me?
    Mr. Hurd. Are they just using automated tools?
    Mr. Klopp. Not just using automated tools. I think they 
actually bring some very highly qualified white hat hacker 
people in to go and try to work their way into the system.
    Mr. Hurd. And the times that they have come in, they 
haven't found vulnerabilities?
    Mr. Klopp. No, I wouldn't say that. What--for example, the 
last time they came in, we were able to stop them from 
penetrating through our sort of outer wall, and so we let them 
in. They, once in, found that they were having difficulty 
creating a beacon back out. And so we let them create a beacon 
back out. And once they had--by the way, what the beacon out 
means is that, now that they are in, they can start navigating 
around because they can kind of control movement. And once we 
let them in and they found that they could move around, they 
actually found vulnerabilities in the system that we did not 
know existed and were able to identify those for us so that we 
could go get them fixed. That's exactly why we love these kinds 
of exercises, right?
    Mr. Hurd. No, it's a valuable resource and tool.
    Mr. Alboum, so, in 2015, there were no major incidents at 
USDA. In 2015, no--there were no major--you saw no major 
incidents in 2015.
    Mr. Alboum. That's correct.
    Mr. Hurd. You are monitoring 100 percent of the traffic at 
the external boundaries to determine if there is covert 
exfiltration of data. That's a good thing. I wish more people 
would be doing that. And you have deployed the EINSTEIN 3A 
capability fully, right?
    Mr. Alboum. Yes, sir.
    Mr. Hurd. But the IG also still found that there were 26 
outstanding recommendations that go back as far as 2009 and 
that 27 systems were operating with expired ATOs. And OMB 
scored y'all as--excuse me, that's the plural of ``you'' down 
in Texas--you got a 43 out of 100, the fourth worst score, and 
that's a decrease from fiscal year 2014. Are we looking at the 
right data?
    Mr. Alboum. I think that's a good question. The, you know, 
the FISMA scores are based on the IG's interpretation of 
requirements, and I don't know that every IG interprets those 
requirements the same way. I think one of the things we can do 
as a community is agree on the metrics and how to score them 
and maintain the same metrics over a period of time so we can 
track improvement.
    So you look at those scores, they demonstrate that USDA has 
opportunity to make further improvements. But the improvements 
that you'd note from 2014 are not the same improvements from 
2015. And that makes it hard to track our progress. And being 
able to track progress and show positive movement I think is 
very important from a, not just a morale perspective, but a 
recognition of the programs we support. The money that's being 
spent on cybersecurity is making things better and not just 
going into some high IT black hole, which I know some people 
fear.
    Mr. Hurd. And that's fair, and I think that's what we try 
to do on this committee in a bipartisan way: give you the tools 
to be effective. Then we are going to hold you accountable, 
right? And we can always--the answer is always going to be, 
yes, we can have more money. But we have got to make sure that 
we are using the money that we have effectively and 
efficiently, because as we already talked about, we threw away 
$340 million. All right, let's not talk about some of the her 
interoperability at some of the other agencies. And so that's 
always kind of been our goal, and we are going to continue to 
do that.
    And I appreciate y'all with your feedback today. It has 
given us food for thought and ideas on how to strengthen some 
legislation we are going to bring forward. And I appreciate you 
taking the time to appear before us today.
    And if there's no further business, without objection, this 
subcommittee stands adjourned.
    [Whereupon, at 11:30 a.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]