[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                   ENHANCING CYBERSECURITY OF THIRD-PARTY 
                        CONTRACTORS AND VENDORS

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 22, 2015

                               __________

                           Serial No. 114-47

                               __________

Printed for the use of the Committee on Oversight and Government Reform


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                               ____________
                               
                               
                         U.S. GOVERNMENT PUBLISHING OFFICE
97-335 PDF                       WASHINGTON : 2015                         
            
________________________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
            
             
             
             
             COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                    Sean McLaughlin, Staff Director
                 David Rapallo, Minority Staff Director
                           Sarah Vance Clerk
                             
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 22, 2015...................................     1

                               WITNESSES

Mr. Tony Scott, Chief Information Officer, Administrator, Office 
  of Electronic Government and Information Technology, Office of 
  Management and Budget
    Oral Statement...............................................     4
    Written Statement............................................     7
Ms. Donna K. Seymour, Chief Information Officer, Office of 
  Personnel Management
    Oral Statement...............................................    11
    Written Statement............................................    13
Mr. Gregory C. Wilshusen, Director of Information Security 
  Issues, Government Accountability Office
    Oral Statement...............................................    16
    Written Statement............................................    18
Mr. Eric A. Fischer, Senior Specialist in Science and Technology, 
  Congressional Research Service
    Oral Statement...............................................    38
    Written Statement............................................    40

                                APPENDIX

Questions and Responses to Ms. Seymour from Mr. Chaffetz, Mr. 
  Cummings, and Mr. Connolly.....................................    78

 
     ENHANCING CYBERSECURITY OF THIRD-PARTY CONTRACTORS AND VENDORS

                              ----------                              


                       Wednesday, April 22, 2015,

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:35 a.m., in Room 
2247, Rayburn House Office Building, the Honorable Jason 
Chaffetz [chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Walberg, Amash, 
Massie, Meadows, DeSantis, Mulvaney, Buck, Walker, Hice, 
Russell, Carter, Grothman, Hurd, Palmer, Cummings, Maloney, 
Norton, Clay, Lynch, Connolly, Cartwright, Duckworth, Kelly, 
Lawrence, Lieu, Plaskett, DeSaulnier, and Lujan Grisham.
    Chairman Chaffetz. The Committee on Government Reform will 
come to order.
    Without objection, the chair is authorized to declare a 
recess at any time.
    One of the most serious national security challenges we 
currently face as a Nation is the security of our Country's 
information and communications infrastructure. I am encouraged 
this committee is leading a bipartisan effort to address our 
Government's cybersecurity, and I want to thank Ranking Member 
Cummings for bringing this issue to the committee's attention 
and for his tenacity in insisting that we address this in an 
aggressive way and, thus, we are here today.
    The stakes are high. Hackers are targeting extremely 
sensitive information related to our national security. Hackers 
recently hit the White House, State Department networks. They 
are accessing a range of sensitive information. But these are 
not isolated incidents. Cyber attacks against government assets 
are becoming more frequent and they are more sophisticated then 
ever. Over the past eight years, the number of information 
security incidents has risen by more than 1,000 percent, if not 
more, and they are happening at the private sector at an 
increasing and alarming rate.
    One of the members of our team that knows a lot about this 
we are proud to have as the subcommittee chairman on our IT 
Subcommittee is the general from Texas, Mr. Hurd. I would like 
to give him time at this point.
    Mr. Hurd. Thank you, Mr. Chairman. I join you in thanking 
Ranking Member Cummings for bringing this important issue to 
the committee's attention.
    This is not a new problem. The Government Accountability 
Office has identified the security of Federal information 
systems and critical infrastructure as a government-wide high-
risk issue every year since 1997. Congress recently took action 
to address the cybersecurity threat. Last year we passed an 
update to the Federal Information Security Management Act, or 
FISMA, of 2014. This committee, and particularly the IT 
Subcommittee, which I chair, intends to closely monitor the 
implementation of FISMA 2014 because FISMA is the backbone of 
the Federal response to the cybersecurity threat.
    A key aspect of these reforms was increased accountability 
and transparency for OMB and DHS and all Federal agencies with 
regard to cybersecurity, and Federal agencies are now required 
to report to Congress when their networks are hacked. This 
increased transparency will allow Congress to better understand 
how our Government is protecting some of our most sensitive 
information.
    Concerns about cybersecurity are not limited to government 
networks. Hackers have successfully breached the networks of 
government contractors like USIS and KeyPoint. Their computer 
networks contain extremely sensitive information about 
thousands of Federal employees cleared to access classified 
information. In fact, almost one-third of all personnel who 
provide security services at the 24 major Federal agencies are 
contractors. So we have to make sure government contractors are 
protecting the information we entrust them to protect.
    After all, as the chairman said, if one of our Nation's 
most secure networks, the White House, is vulnerable and 
susceptible to these attacks, then how do we know to what 
extent other agencies and contractors are preparing themselves?
    Mr. Chairman, I look forward to working with you and the 
ranking members and members on both sides of the aisle in this 
process. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We will now recognize the ranking member of the full 
committee, Mr. Cummings, for five minutes.
    Mr. Cummings. Thank you very much, Mr. Chairman. I thank 
you for agreeing to my request to hold today's hearing on the 
cybersecurity challenges posed by contractors and third-party 
vendors.
    Over the past several years we have seen an alarming 
increase in the number of major data breaches that originated 
with contractors and vendors. Just last year, Target and Home 
Depot were breached by hackers who gained access to the 
retailers' networks by using credentials stolen from the 
computer systems of vendors that did business with these 
companies.
    Federal agencies are not immune. The breach of the Postal 
Service last year originated from a phishing attack on a 
contractor for the agency. Last year, contractors with the 
Office of Personnel Management were subjected to a 
sophisticated cyber attack and tens of thousands of sensitive 
personnel records were compromised. One of those contractors 
was a company called USIS. At the time, it was the largest 
provider of background information investigative services to 
the Federal Government.
    USIS is currently at the center of a billion dollar civil 
fraud suit brought by the Justice Department for allegedly 
dumping incomplete background investigation reports to OPM over 
a four and a half year time period. According to the Justice 
Department, USIS deliberately took this action to increase 
profits. Apparently, the company's desire to increase profits 
also may have been to blame for its failure to make cyber 
investments necessary to secure the large amounts of sensitive 
personal information it should have been protecting on its 
networks.
    On September 3rd, 2014, committee staff received a briefing 
from security experts at the Department of Homeland Security, 
the Office of Director of National Intelligence, and OPM, all 
of whom analyzed the cyber attack against USIS. While much of 
that briefing was sensitive, one point may be discussed 
publicly. Press accounts had initially reported that the attack 
may have compromised the personal information of up to 27,000 
Federal employees.
    However, government cybersecurity experts believe this 
number is a floor and not a ceiling. The actual number of 
individuals affected by USIS's data breach is still not yet 
known, but these experts believe that the personal information 
of many more Federal employees may have been compromised.
    Unfortunately, investigating the USIS data breach has been 
particularly challenging. That is because neither USIS nor its 
parent company, Altegrity, have fully complied with this 
committee's request for answers.
    Today's hearing is a recognition that the Federal 
Government faces increased cyber risks from contractors. But as 
I mentioned earlier, this is a challenge the private sector 
faces as well.
    I have repeatedly pressed for more rigorous oversight of 
cybersecurity in both private and public sectors. Although we 
had little success in the previous Congress, I am encouraged by 
the bipartisan approach we have taken on this very critical 
issue and I hope it continues.
    So, Mr. Chairman, I want to thank you again for agreeing to 
hold today's hearing. In addition, I understand that our staffs 
are meeting tomorrow to discuss a possible follow-on hearing 
with some of these private sector entities. And I want to thank 
you for continuing to work with me.
    While our ranking member is not here yet, I would yield a 
minute to my colleague, Mr. Connolly, who has worked very hard 
on these issues over the years. He might have a brief 
statement.
    Mr. Connolly. I thank the ranking member for his 
generosity.
    Obviously, cybersecurity is a sophisticated and evolving 
national challenge. Meeting the daunting threat requires a 
broad whole-Government and industry approach that 
simultaneously enhances what I believe are the three pillars of 
an effective approach to cybersecurity: people, policy, and 
practices.
    No better demonstration of this importance of individuals 
in securing information systems than the truism that the number 
one cybersecurity threat or vulnerability facing any company is 
the behavior of its own employees. Indeed, the best 
cybersecurity policies in the world won't amount to a hill of 
beans if an organization's culture does not translate good 
policy into better practice.
    So I really look forward to hearing the testimony today. I 
look forward to working with you, Mr. Chairman, and you, Mr. 
Cummings, as we move forward with some legislative remedies to 
what I think is a vexing and growing problem that affects both 
the domestic and, frankly, defense and intelligence sides of 
the Federal Government. Thank you.
    Chairman Chaffetz. Thank you. The gentleman yields back.
    I will hold the record open for five legislative days for 
any members who would like to submit a written statement.
    We will now recognize our first panel of witnesses.
    Pleased to welcome Mr. Tony Scott, Chief Information 
Officer and Administrator of the Office of Electronic 
Government and Information Technology at the Office of 
Management and Budget. My understanding is, Mr. Scott, this is 
your first time testifying before Congress in your new role as 
the Federal CIO, and we appreciate you being here. It will be 
an interesting experience. You have done a lot of important 
work here. You have a very impressive resume and background, 
and we look forward to working with you in your new role, and 
appreciate you being here today.
    Ms. Donna Seymour is the Chief Information Officer at the 
Office of Personnel Management. Again, we welcome you.
    Mr. Gregory Wilshusen is the Director of Information 
Security Issues at the Government Accountability Office, 
otherwise known as the GAO.
    And Dr. Eric Fischer is the Senior Specialist in Science 
and Technology at the Congressional Research Service. We 
appreciate you, doctor, for being here today. We very much 
value what the CRS does for all members, both sides of the 
aisle, and we appreciate the organization and the good work 
that is done there. We rely heavily on it and we look forward 
to your testimony today.
    Pursuant to committee rules, all witnesses are to be sworn 
before they testify, so if you will please rise and raise your 
right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    [Witnesses respond in the affirmative.]
    Chairman Chaffetz. Let the record reflect that all 
witnesses have answered in the affirmative.
    In order to allow time for discussion, we would appreciate 
it if you would hold your verbal comments to five minutes. We 
have a little generosity on that, but please be assured that 
your entire written statement will be entered into and made 
part of the record.
    So, with that, Mr. Scott, we will now recognize you for 
five minutes.

                       WITNESS STATEMENTS

                    STATEMENT OF TONY SCOTT

    Mr. Scott. Thank you, Chairman Chaffetz and Ranking Member 
Cummings and members of the committee. Thank you for the 
opportunity to appear before you today.
    I started as the Federal Chief Information Officer just 
over two months ago, and I am excited for the opportunity to 
speak with you today about OMB's role in Federal cybersecurity. 
I am also pleased to join the panel, as everyone here has an 
important role to play in strengthening cybersecurity.
    Federal cybersecurity oversight is one of my 
responsibilities as Federal CIO and head of the OMB Office of 
E-Government and Information Technology. My office is 
responsible for two things: first, developing and overseeing 
the implementation of Federal IT policy and, second, through 
the United States Digital Service, providing onsite expertise 
to agencies with high impact facing IT programs. My team is 
also leading the government-wide implementation of the Federal 
Information Technology Acquisition Reform Act, known as FITARA, 
and the Federal Information Security Modernization Act of 2014, 
FISMA, both of which passed last year.
    Strengthening Federal cybersecurity is one of the 
Administration's top priorities and a duty that I take very 
seriously. Having recently left a private sector CIO role, I 
can attest to the fact that having a strong cybersecurity 
program is critical to ensuring mission success. This is no 
different in the Federal Government. Given the evolving threat 
landscape, it is imperative that we do everything we can and 
everything in our power to ensure the security of Government 
information and networks. In this interconnected world, we have 
to ensure that agencies, the contractors that support them, and 
the citizens we serve are all protected.
    I would like to start by providing an overview of OMB's 
role in Federal cybersecurity, discuss some recent incidents 
related to third-party contractors and vendors, and some of the 
steps OMB is taking to strengthen Federal cybersecurity 
practices.
    OMB and my office recently announced the creation of a 
dedicated unit called the E-Gov Cyber Unit. This unit will 
conduct oversight through initiatives, such as CyberStat 
reviews and will drive FISMA implementation. We will continue 
to work closely with DHS, who is our operational partner, and 
with agencies who directly lead their own cybersecurity 
efforts. These efforts are critical in confronting today's 
cyber threats and improving our ability to deal with threats in 
the future.
    In 2014 alone, several high-profile cyber incidents across 
our Nation made headlines for their scope, their scale, and 
their impact. The Federal Government and those acting on its 
behalf are not immune from this threat activity, as has been 
noted. Specifically and related to today's discussion, cyber 
incidents have involved vendors responsible for conducting 
background investigations on behalf of the Federal Government. 
In close partnership with DHS and other appropriate agencies, 
OMB responded quickly and oversaw the government-wide response 
to mitigate these incidents.
    DHS worked closely with vendors that conduct background 
investigations to mitigate this incident, and OMB, in its 
policy and oversight role, took immediate action to address 
identified challenges. First, through the President's 
Management Council, OMB conducted a review of agencies' cyber 
security programs to identify risks and implementation gaps. 
During this response to these incidents and our subsequent 
review, two things became clear: first, third-party contractors 
and vendors were inconsistently implementing protections over 
sensitive data and, second, Federal agencies did not have 
adequate contractual language and policy direction to guide how 
contractors and agencies should respond to incidents.
    Based on this review, agencies were directed to identify 
and review relevant contracts to ensure compliance with current 
laws and OMB guidance and, second, OMB directed an interagency 
effort to collect and disseminate contracting best practices 
relative to cybersecurity.
    In closing, I think it is obvious that securing our 
information is a great challenge, and this will remain a core 
focus of this Administration. We look forward to working with 
Congress on legislative actions that may further protect our 
Nation's critical networks and systems, and I thank the 
committee for holding this hearing and for your commitment to 
improving Federal cybersecurity. When it is time, I would be 
pleased to answer any questions you may have.
    [Prepared statement of Mr. Scott follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Hurd. [Presiding] Thank you, Mr. Scott.
    Ms. Seymour, you are now recognized for five minutes.

                 STATEMENT OF DONNA K. SEYMOUR

    Ms. Seymour. Chairman Chaffetz, Ranking Member Cummings, 
and members of the committee, thank you for inviting me to 
participate in today's hearing to examine the cybersecurity of 
third-party contractors. I am happy to be here with you today 
to share OPM's experiences in the important area of 
cybersecurity.
    As the Chief Information Office of the Office of Personnel 
Management, I am responsible for the information technology 
that supports OPM's mission to recruit, retain, and honor a 
world-class workforce. Director Archuleta tasked me with 
conducting a thorough assessment of the state of IT at OPM, 
including cybersecurity. Director Archuleta's goal, as laid out 
in the OPM Strategic Plan, is to innovate IT infrastructure at 
OPM in a way that protects sensitive information entrusted to 
us by the Federal workforce and the American people.
    OPM and its contractors are under constant attack by 
advanced persistent threats and criminal actors. These 
adversaries are sophisticated, well funded, and focused. In an 
average month, OPM thwarts almost 2.5 billion confirmed 
attempts to hack its network. These attacks will not stop. If 
anything, they will increase.
    While we need to focus on how to prevent attacks, we know 
from the NIST cybersecurity framework it is equally important 
that we focus on how to detect, investigate, and mitigate 
attacks. In the past year, OPM and some of its contractors 
became the victims of cyber attacks. Throughout the process of 
analyzing the breaches, OPM worked closely with the US-CERT at 
DHS, the FBI, and other agencies. We also worked with the 
Office of Management and Budget, the CIO Council, and the 
Privacy Council. OPM followed OMB protocols, informing the 
agency response team investigating the incidents, and making 
notifications.
    We learned there were significant differences in our 
ability to understand and respond to these attacks because of 
the way sensitive information is exchanged, because of 
technical architecture, and because of the contractual 
relationship with the company.
    The way in which the Government shares sensitive 
information with the company is important to understand. In one 
case, company-owned laptops connected directly to the OPM 
network; in another case, company-owned laptops connected to 
the company's network and then to OPM network. If laptops 
connect directly to the Government network, it is easier to 
assess their security posture and limit the exposure of the 
sensitive information.
    The architecture of the network is important because it 
provides a framework for how sensitive information is stored, 
accessed, and exchanged, and it defines the boundaries for 
protecting the network. If the network is well defined and the 
data is segregated, it is easier to protect. A well architected 
network also makes it easier to investigate incidents. And, of 
course, network logs help us understand what might have 
happened during an incident.
    When the Government has a well-defined relationship with a 
contractor that specifically addresses information security and 
incident management, it is easier to work with the company to 
obtain information and plan remediation efforts. As a result of 
lessons learned this past year, the agencies have collaborated 
with the help of OMB and the Office of Federal Procurement 
Policy and the CIO Council to share lessons learned. This 
includes contracting clauses that strengthen our relationship 
with contractors.
    For example, at the onset of the contract, a security 
assessment serves as a method to review the security features 
in place to protect sensitive information. This assessment 
should be validated by an independent assessment organization. 
But this only provides a prospective of the security posture at 
a point in time. An information security continuous monitoring 
program is essential to enabling insight into the security 
posture of a system on a recurring basis.
    Director Archuleta recognizes cybersecurity as an agency 
priority. OPM's 2016 budget request included $21 million to 
complete the modernization of our IT infrastructure. This 
funding is critical to continue the progress we have made so 
far in protecting data from relentless adversaries. For 
example, OPM is implementing information security continuous 
monitoring both in our own network and systems, as well as our 
contractor systems.
    We look at security controls on a rotating, more frequent 
basis, identifying vulnerabilities in real time given the 
changing nature of threats. Plans of actions and milestones are 
created and tracked to remediate concerns. OPM has also grown 
its cybersecurity capability, which will allow us to do onsite 
technical inspections of contractor networks in the future.
    Thank you for this opportunity to testify today. I am happy 
to address any questions you may have.
    [Prepared statement of Ms. Seymour follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
             
    Mr. Hurd. Thank you, Ms. Seymour.
    Mr. Wilshusen, you are recognized for five minutes.

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Chairman Hurd, Ranking Member Cummings, and 
members of the committee, thank you for the opportunity to 
testify at today's hearing.
    As you know, Federal agencies and their contractors depend 
on interconnected networks and computer systems to carry out 
mission-related functions. The security of these networks and 
systems is vital to maintaining public confidence and 
preserving our Nation's security, prosperity, and well-being.
    Safeguarding Federal computer systems and information, 
however, is a continuing concern. The number of information 
security incidents, both cyber and non-cyber, reported by 
Federal agencies continues to rise, increasing from about 5,500 
in fiscal year 2006 to over 67,000 in fiscal year 2014. 
Similarly, the number of incidents involving personal 
information more than doubled in recent years, to over 27,600 
in 2014.
    As discussed with your staff, my testimony today will 
describe cyber threats affecting Federal and contractor 
systems, and the challenges in securing them.
    Before I begin, Mr. Chairman, if I may, I would like to 
recognize my esteemed colleagues who were instrumental in 
developing my written statement. With me today is Larry 
Crossland, an Assistant Director of Information Security, who 
led this issue. In addition, Rosanna Guerrero, Lee McCracken, 
Fatima Jahan, Chris Bazinsky, and Bill Cook, who are all back 
at the office, also made significant contributions.
    Mr. Chairman, the Federal Government and its contractors 
face an evolving array of cyber threats. These threats can be 
intentional or unintentional. Unintentional threats can be 
caused by defective computer equipment, careless or poorly 
trained employees, or natural disasters that inadvertently 
disrupt systems.
    Intentional threats can be both targeted and untargeted 
attacks from a variety of sources, including criminal groups, 
hackers, disgruntled insiders, nations, and terrorists. These 
sources vary in terms of their capabilities, willingness to 
act, and motives, which can include seeking monetary gain or 
pursing an economic, political, or military advantage. In 
particular, adversaries possessing sophisticated levels of 
expertise and abundant resources, sometimes referred to as 
advanced persistent threats, pose increasing risks.
    Cyber adversaries have a variety of tools and techniques to 
perpetuate and perpetrate attacks. These include malicious 
software, social engineering, phishing, denial of service, zero 
day exploits, and, in sophisticated attacks, may use a 
combination of these and other techniques.
    The number of cyber attacks vastly increases the reach and 
impact due to the fact that attackers do not need to be 
physically close to the victims and can more easily remain 
anonymous. The risks posed by cyber attacks is heightened by 
the vulnerabilities in Federal networks and systems.
    Specifically, weaknesses in security controls continue to 
threaten the confidentiality, integrity, and availability of 
the systems supporting Federal operations. Most major Federal 
agencies have deficient information security. For fiscal year 
2014, 19 of the 24 major agencies reported inadequate 
information system controls for financial reporting purposes, 
and inspectors general at 23 of these agencies cited it as a 
major management challenge.
    Federal agencies face several challenges in protecting 
their systems. These include designing and implementing risk-
based information security systems and programs, addressing 
cybersecurity for building and access control systems, 
enhancing oversight of contractors providing IT services, 
improving security incident response activities, responding to 
breaches of personally identifiable information, and 
implementing security privacy programs at small agencies.
    Underscoring the importance of these matters, we once again 
designated Federal information security as a government-wide, 
high-risk area in this year's update to the high-risk report, a 
designation that has remained in place since 1997. This year we 
also expanded the area to include protecting the privacy of 
personally identifiable information.
    Until Federal agencies successfully address these 
challenges, including implementing the hundreds of outstanding 
recommendations made by GAO and agencies' inspectors general, 
Federal systems and information will remain at increased and 
unnecessary risk of unauthorized disclosure, modification, and 
loss.
    Mr. Chairman, Ranking Member Cummings, members of the 
committee, this concludes my statement. I would be happy to 
answer your questions.
    [Prepared statement of Mr. Wilshusen follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
       
    Mr. Hurd. Thank you, sir.
    Dr. Fischer, you are recognized for five minutes.

                  STATEMENT OF ERIC A. FISCHER

    Mr. Fischer. Good afternoon, Chairman Hurd, Ranking Member 
Cummings, and distinguished members of the committee. On behalf 
of the Congressional Research Service, thank you for the 
opportunity to testify today.
    I will try to put what you have heard from prior witnesses 
in context with respect to both long-term challenges and near-
term needs in cybersecurity and the Federal roles in addressing 
them.
    The technologies that process and communicate information 
have become ubiquitous and are increasingly integral to almost 
every facet of modern life. These technologies and the 
information they manage are collectively known as cyberspace, 
which may well be the most rapidly evolving technology space in 
human history. This growth refers to not only how big 
cyberspace is, but also to what it is: social media, mobile 
devices, cloud computing big data, and the Internet of things. 
These are all recent developments and all are increasingly 
important facets of cyberspace. It is difficult to predict how 
cyberspace will continue to evolve, but it is probably safe to 
expect the evolution to continue for many years.
    That is not to say that all of cyberspace has changed. 
Basic aspects of how the Internet works are decades old, and 
obsolete hardware and software may persist for many years. 
These characteristics of the cyberspace environment present a 
daunting challenge for cybersecurity, whether for Federal 
agencies, third-party contractors and vendors, or even the 
general public.
    But design incentives and consensus are also major long-
term challenges for cybersecurity. Building security into the 
design of cyberspace has proven to be difficult. The incentive 
structure within cyberspace does not particularly favor 
cybersecurity, and significant barriers persist for developing 
consensus on what cybersecurity involves and how to implement 
it effectively.
    Furthermore, no matter how important those four challenges 
are, they do not diminish the need to secure cyberspace in the 
short-term. That includes reducing risk by removing threats, 
hardening vulnerabilities, and taking steps to lessen the 
impacts of cyber attacks. It also includes addressing needs 
such as reducing barriers to information sharing, building a 
capable cybersecurity workforce, and fighting cybercrime.
    Federal agencies play significant roles in addressing both 
near-term needs and long-term challenges. Under FISMA, all 
Federal agencies are responsible for securing their own 
systems. Private sector contractors acting on behalf of Federal 
agencies must also meet FISMA requirements. In fiscal year 
2014, Federal agencies spent $12.7 billion on those activities, 
equivalent to about 13 percent of agency information technology 
budgets.
    Now, Federal agencies also have responsibilities for other 
cybersecurity functions, as summarized in my written testimony. 
Research and development, along with education, are the two 
probably most focused on addressing long-term challenges. 
Others, such as technical standards and support, law 
enforcement, and regulation focus more on meeting immediate 
needs.
    The Department of Defense, as an example, is responsible 
for military operations and protection of its own systems, in 
addition to some other cybersecurity activities. DOD includes 
the National Security Agency, which is also a member of the 
intelligence community. DOD has the largest annual investment 
of any Federal agency both in information technology and in 
cybersecurity.
    The Department of Homeland Security fulfills several 
cybersecurity functions, developing, for example, new 
cybersecurity technologies and other tools. It coordinates the 
operational security of Federal systems under FISMA, including 
information sharing and technical support. It also plays a 
significant role in law enforcement related to cybercrime, with 
DOJ, of course, being the lead agency in that regard.
    But perhaps it is best known as coordinating Federal 
efforts to improve the security of critical infrastructure, 
most of which is controlled by the private sector. Those 
activities include information sharing incident response and 
technical support. Most private sector department activities 
are voluntary, but DHS also has some regulatory authority for 
the transportation and chemical sectors.
    Now, the role of Federal regulation in cybersecurity has 
been a significant source of controversy, along with how to 
remove barriers to information sharing while protecting 
proprietary and personal information, and the proper roles of 
different Federal agencies in various cybersecurity activities, 
including regulation.
    With respect to specifically the third-party vendors and 
contractors, it may be useful to note that a large proportion, 
roughly half, of recent Federal investment in information 
technology has been for procurement and acquisition of products 
and services. In addition, of course, vendors and contractors 
who provide other kinds of products and services increasingly 
rely on information technology in their businesses.
    Also, I should mention that NIST is in the process of 
developing guidance for agencies to apply to other non-Federal 
systems that contain or process controlled, but unclassified, 
Federal information.
    That concludes my testimony. Once again, thank you for 
asking me to appear before you today.
    [Prepared statement of Mr. Fischer follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
        
    Mr. Hurd. Thank you, Dr. Fischer, and thanks to everyone on 
the panel for your opening remarks.
    We will begin questioning with my colleague from Florida, 
Mr. Mica.
    Mr. Mica. Well, thank you, Mr. Chairman.
    Let me ask, first, a general question. It appears that 
there is a fairly significant increase. The information I have 
is just since 2014 a 15 percent increase in incidents of some 
of the security risks or incidences. Is that correct, Mr. 
Scott? So we are seeing a fairly significant increase? Maybe 
each one of you could tell me what we are seeing overall or 
what you anticipate we are facing. Is this something that was 
just the last year or are we now expecting this to continue to 
increase?
    Mr. Scott. First of all, I would say my experience in both 
the private sector and everything I have seen in the public 
sector would suggest that there has been a steady increase in 
attacks and incidents over a period of time.
    Mr. Mica. But this is fairly accurate, the 15 percent 
increase just in 2014?
    Mr. Scott. That sounds reasonable.
    Mr. Mica. Security incidents?
    Mr. Scott. Yes.
    Mr. Mica. Ms. Seymour, are you seeing the same thing?
    Ms. Seymour. We are seeing an increase, sir, and I would 
say some of that is due to the fact that we are moving from 
paper into IT, and as we do that, more of that sensitive 
information----
    Mr. Mica. You have more activity. So you expect more 
incidents.
    Mr. Wilshusen?
    Mr. Wilshusen. Yes, I would say that is probably reasonable 
to say 15 percent in fiscal year 2014. The numbers I have on 
incidents that were reported by Federal agencies to the US-CERT 
showed about a 10 percent increase.
    Mr. Mica. And that is up?
    Mr. Wilshusen. That is up, yes, for fiscal year 2014 over 
fiscal year 2013.
    Mr. Mica. And Ms. Seymour just said that some of it is 
because we are shifting from paper to computer and cloud and a 
whole host of other things.
    Mr. Wilshusen. Right. I would say over the last nine years 
or so it has increased over 1,100 percent. It is basically like 
a stairway, if you will.
    Mr. Mica. It is going up.
    Mr. Wilshusen. Going up and up. And I think there are 
several reasons for that, one of which might be just agencies 
are better in terms of detecting and reporting incidents. But I 
think it also reflects that there is a very active threat 
environment that is growing, as well as the continued 
vulnerabilities of Federal systems.
    Mr. Mica. And that is going to be the second part of my 
question, where the risk comes from. You are a little bit ahead 
of me.
    Dr. Fischer, you are also seeing the increase and the basis 
for the increase. Some they mentioned is that there is more 
activity, going again to the computer base----
    Mr. Fischer. I guess what I would like to add to what the 
other witnesses said is that there is certainly consensus that 
there is a general increase. Now, with respect to a specific, 
also, there is a lot of evidence that the rate of increase is 
actually accelerating; it is not just a certain number per 
year, but each year those numbers go up. And a number of 
different measures would reflect that. So basically we can 
expect continued increase.
    Mr. Mica. Continued increase.
    Okay, the other thing, too, is the risk, where is the risk 
coming from. Some risk is State-based. You know, these 
incidents are being initiated by other States, rogue or 
whatever, and then rogue, say, individuals who can penetrate 
the system. Where is the risk coming from that you all see? 
Let's just go down the line real quick. Mr. Scott?
    Mr. Scott. It comes from a number of different factors. You 
mentioned one, State-based.
    Mr. Mica. Is that most of it?
    Mr. Scott. It depends on who the target is.
    Mr. Mica. And then most of the risk that we should fear, is 
it from that, or should it be from rogue operators?
    Mr. Scott. There are people who want to get PII for 
monetary gain; there are people who are looking for 
intellectual property for industrial espionage. There is a wide 
variety of motivations for this.
    Mr. Mica. Again, what poses the biggest risk, the State or 
the rogue?
    Mr. Scott. It depends on your area of interest.
    Mr. Mica. National security and economy.
    Mr. Scott. Security and economy I think both industrial 
espionage and PII and government information are the high risk 
areas.
    Mr. Mica. And the other thing, too, is we are seeing more 
of the contracts for some of these services go to the private 
sector, as opposed to in-house Government. Does that pose more 
of a risk? And are we putting in place means to require that 
they have in place protections that are adequate when they 
contract this work out?
    Mr. Scott. I don't think it, out of necessity, increases 
the risk as long as good practice and procedures are followed; 
and that is true whether it is an in-house-run operation or 
something that is contracted out. So the answer is it will 
depend on the regime that is going it.
    Mr. Mica. Thank you, Mr. Chair.
    Mr. Hurd. Thank you, sir.
    I would like to now recognize Mr. Lynch from Massachusetts 
for five minutes.
    Mr. Lynch. Thank you, Mr. Chairman.
    I also want to just commend my colleague, Mr. Cummings, the 
gentleman from Maryland. I remember over the past couple of 
years we had the breaches at JPMorgan and Home Depot and 
Target, where the gentleman from Maryland asked to have a 
hearing like this in the face of that breach, and he was denied 
by the previous chairman.
    I know when we had the 800,000 workers that were affected 
in the U.S. Postal Service breach and the State Department 
breach, again the ranking member asked to have a hearing on the 
breaches and cybersecurity then and again we were denied by the 
previous chairman.
    I just want to say that it probably reflects the new 
leadership, the new chairman, the gentleman from Utah, Mr. 
Chaffetz, that we are finally addressing this problem, and I 
think it bodes well not just for the committee and the work we 
are doing, but also I think for the American people, the people 
that we are supposed to be protecting. But again I want to 
thank Mr. Cummings for his leadership on this issue.
    I happened to run across a report that was done by the New 
York State Department of Financial Services, and I would ask 
unanimous consent that we might enter this into the record, Mr. 
Chairman.
    Mr. Hurd. Without objection, so moved.
    Mr. Lynch. Thank you.
    [The information follows:]
    [This report can be found at: http://www.dfs.ny.gov/about/
press2014/pr140505--cyber--security.pdf]
    Mr. Lynch. What they did is they went through and they 
looked at what the banks in New York were doing in the face of 
a lot of these breaches. This was obviously on the private 
sector side. And while I understand we are looking at the 
Federal side, I think that there are some lessons learned here.
    I think that the importance of a meaningful sort of public-
private partnership on protecting cybersecurity is necessary 
because so many times the Government is actually relying on 
third parties in the private sector to protect their 
information. I think the President pointed out that we have to 
have a very tight collaboration between banks and financial 
services companies and third-party vendors.
    To this end, I was a little bit shocked by the report of 
the New York State Department of Financial Services. They 
examined 40 regulated banking organizations and the report 
reveals that the Wall Street efforts to mitigate security risks 
of outside firms leaves great room for improvement, to say the 
least. While 90 percent of the banking organizations surveyed 
reported that they have information security requirements in 
place, the requirements are across a broad spectrum. There were 
some banks that required data encryption that was in 
communication, but not data encryption when the information was 
at rest. So people could hack into the system and get the 
information that was not encrypted.
    Others had access controls, data classification, and 
disaster recovery plans. In addition, nearly all of the 
surveyed banking organizations report they have implemented 
policies that require both initial and periodic review of 
third-party vendors.
    However, less than half of those banks, and there is great 
reputational risk as well as financial risk for these firms to 
allow a breach, so they should be motivated, less than 50 
percent of these institutions conduct any type of onsite 
assessments like Ms. Seymour mentioned in her testimony and 
only 46 percent are required to conduct onsite assessments of 
so-called high-risk third-party vendors such as check payment 
processors and trading settlement operations and data 
processing companies. Only about a third of them are required 
to conduct periodic onsite assessments of high-risk third-party 
stakeholders during the life of their entire contract, and 
those respondents included 50 percent of large institutions 
reported that they use encryption, again, for data that is in 
communication, but not when it is at rest.
    I suspect that with the motivation that these banks have, 
they have a larger compliance rate than we do in the Federal 
Government, and I want to know from you collectively--and I 
appreciate that you all do great work. Mr. Fischer, CRS is one 
of our favorite groups; they help Congress enormously. But if 
the private sector is failing so miserably, what lessons are 
there for us and what are we doing to try to step up our game 
to protect the information that the Federal Government has 
within its custody?
    Mr. Scott. Thank you. Let me, for context, also describe a 
little bit of the fact that this is also a moving target. What 
was satisfactory even two or three years ago is no sort of 
table steaks in terms of, you know, where you just get started. 
So I think it is important to recognize that that will likely 
also continue to be the case.
    What we are doing in OMB is we are conducting CyberStat 
reviews with each of the agencies that asks them to report and, 
in consultation with us, look at their maturity level across a 
number of different dimensions, many of which you mentioned; 
and then we will ask each of the agencies to set goals and we 
will measure progress against those goals. And each of these 
have to be a risk-based assessment to start with. So some 
agencies have different kinds of risks than other ones do. So 
that is an important part of the work that our unit is doing.
    Then the second thing is, through our CIO Council and our 
CIO counsel, disseminating information and sharing best 
practices, as well as the guidance that we provide during the 
normal course of our work.
    Mr. Hurd. Thank you, Mr. Scott.
    I would now like to recognize Mr. Russell from Oklahoma for 
five minutes.
    Mr. Russell. Thank you, Mr. Chairman.
    Mr. Scott, in your role as FED CIO, you will have a great 
deal of influence over IT policies and practices that Federal 
agencies must implement. Given your role as a technologist and 
an IT specialist with years of private sector experience, can 
you give us a general sense of your impression of the State and 
Federal information security?
    Mr. Scott. Thank you for the question. So, nine weeks in, 
it is a little difficult for me to give you a sort of 
comprehensive answer to that, but what I have observed so far 
is that there is a range, and that range is dependent on the 
agency that we are talking about here. It is why we are doing 
the CyberStat reviews and why we are going through the 
processes that we are going through. So at the end of that 
process I hope to have a more comprehensive view across the 
Federal agency.
    That said, I would tell you there is no agency, even the 
ones that we have looked at so far, who we believe are doing a 
really good job who would say we are done or we have done 
enough and it is the end of job. Everyone believes there is 
more that we can and should do.
    Mr. Russell. Thank you for that.
    Mr. Wilshusen, the Partnership for Public Service released 
a report last week that concluded the Federal Government is not 
well positioned to recruit a capable cybersecurity workforce. 
How does recruitment and retention of cyber talent factor in 
the Government's operational ability to maintain effective 
cybersecurity?
    Mr. Wilshusen. Well, clearly, it is one of the underlying 
causes, to make sure that the Federal Government and Federal 
agencies have technically competent individuals that help to 
secure their systems. We did a report a couple years ago to 
talk to human capital cybersecurity challenges within the 
Federal Government. What many agencies indicated to us, at 
least the ones we reviewed, stated that identifying those 
individuals and retaining them that had the technical security 
competencies is one of their biggest challenges. They are able 
to fill many of the other information security type of 
activities and positions, but those that had the technical 
capabilities has been a challenge because they are competing 
against a number of different organizations outside of 
Government, and those individuals are in somewhat short supply.
    Mr. Russell. Ms. Seymour, the Sony hack featured an 
infrastructure attack, meaning hackers not only stole data, but 
they also destroyed the network itself. What do you think the 
motivations of this type of attack are, and do you see that 
there will be more of this in the future? And, if so, what can 
we do to protect against it?
    Ms. Seymour. Thank you for the question, sir. I think that 
as we look at the motivations of these adversaries, I think we 
have to keep in mind that there is a holistic state of 
protection that we have to put in place. Some of our 
adversaries are just interested in the data and, in fact, they 
don't want to destroy the network because they want to set 
themselves up a way to come back in and get data in the future. 
Some of them it is just malicious, not for financial gain on 
themselves, but for denying access and causing the company or 
the agency a great deal of expense.
    So we have to look at security from infrastructure 
perspective all the way through to our applications and we have 
to look at it from a user-based perspective as well as to the 
advanced persistent threats that we have.
    Mr. Russell. Thank you.
    Dr. Fischer, your knowledge and breadth of so many of these 
issues, where do you see the threat going as we try to put up 
these defenses? I mean, they are obviously going to anticipate 
that. What do you see is the attitude of the attacks and those 
that will perpetrate them? If we could think forward, where 
would that go so that we can get ahead of the curve instead of 
always reacting behind it?
    Mr. Fischer. Well, sir, part of that I think depends on the 
whole question of the incentive structure that I mentioned. So 
now often people will talk about, well, who are the threat 
actors? You have State actors, hacktivists, cyber criminals, 
maybe some terrorists and a few other sort of classic hackers 
involved. So they have different motivations and different 
incentives.
    So it seems that it depends, once again, on what the sector 
is specifically that is being attacked, or the particular 
agency or entity, what the motivation of the particular 
attacker is.
    I think that one way to think about this is to realize that 
once the public recognizes that cybersecurity is a critical 
part of the value proposition for anything they do, that is 
going to help greatly ameliorate the situation. And the other 
challenges I mentioned in my testimony are also important.
    Mr. Russell. Thank you for that.
    And thank you, Mr. Chairman.
    Mr. Hurd. Again, I would like to now yield five minutes to 
Mrs. Maloney, from New York.
    Mrs. Maloney. Thank you, Mr. Chairman and Ranking Member, 
and all of the panelists today for focusing on this important 
issue. As we speak, they are debating cybersecurity on the 
floor. It is one of the few areas where there is a joint cause, 
a joint goal, and joint cooperation because it is so serious, 
such a threat to the economy and to privacy and really to our 
technology and security of our Country.
    We, unfortunately, had in 2014 several high-profile data 
breaches of Federal agencies, breaches really that happened 
because of the contractors in the case of the Postal Service 
data breach, where over 800,000 current and former employees 
had their personal information compromised; and the loss of 
sensitive personal information of tens of thousands of Federal 
employees occurred because of data breaches of USIS and 
KeyPoint, two very large Federal contractors.
    So I would like to hear what lessons were learned from 
these experiences and how it plans to apply those lessons to 
minimize the risk of these breaches in the future, and we will 
start with you, Ms. Seymour, from OPM. What are the chief 
lessons that you learned and how are the contractors 
cooperating? And anyone else who would like to jump in and add 
to the chief lessons that we have learned from these 
unfortunate situations.
    Ms. Seymour. Thank you for the question, ma'am. What we 
learned from those breaches is it is important to have a 
contractual relationship that is well defined with those 
contractors. At OPM we had very well defined contract clauses 
in our contracts, and that helped us have a better conversation 
with the contractor when the breaches occurred.
    Mrs. Maloney. Well, did you make any changes after these 
two breaches to make them better with your contracts, with your 
requirements? Have you made any specific changes?
    Ms. Seymour. Yes, ma'am. We have done two things. One is we 
have reviewed our contract clauses to strengthen them, and the 
second thing that we are doing is we are reviewing all of our 
contracts to make sure that we have the appropriate clauses 
across the board in our OPM contracts.
    Mrs. Maloney. So what are the appropriate clauses? What do 
you have to get in there to protect the Government in your 
contracts?
    Ms. Seymour. Clauses that require segregation of data. One 
of the lessons that we learned is that if you have a network 
where all the data is commingled, then it is very difficult to 
protect the data, to segregate the data, understand what the 
adversaries are about and, therefore, protect that information. 
If the data is well architected and segregated, you have a 
better chance of understanding what the adversaries are after 
and putting better protections around it in a very quick 
manner.
    Mrs. Maloney. Now, who got this information? When USIS and 
KeyPoint deal, who were the hackers? What was the breakdown?
    Ms. Seymour. At OPM, ma'am, we don't assign attribution. So 
I would have to defer to other agencies who do that kind of 
work.
    Mrs. Maloney. Okay. But could it happen now? Could it 
happen again? Or have the changes you made protected 
information?
    Ms. Seymour. First of all, KeyPoint has made numerous 
changes in their network and we are assessing those changes. 
OPM, as well, has made tremendous strides in its security and 
changing the architect of its nature.
    Mrs. Maloney. So you have reduced the risk, right?
    Ms. Seymour. Yes, ma'am.
    Mrs. Maloney. But how did you do it? How did you reduce the 
risk? You separated data. What else did you do?
    Ms. Seymour. You put firewalls between your systems so that 
you can better separate and better protect the information so 
that when you understand what the adversaries are after, you 
can strengthen your controls. We also have worked very hard on 
training for our users. Regardless of the security controls 
that you have in your network, one phishing attempt and a user 
clicks on a bad link and contracts malware is very dangerous.
    Mrs. Maloney. Mr. Scott, in your written testimony you 
indicated that one of the lessons learned from the USIS and 
KeyPoint data breaches was third-party contractors and vendors 
were inconsistently implementing protections. Can you explain 
what cybersecurity protections contractors had been 
inconsistently implementing?
    Mr. Scott. It really falls into a couple of areas. One is 
what we require of the--and I am speaking broadly across a 
number of contracts across the Federal Government. So what we 
require in terms of initially our rights to look at and inspect 
their information security measures, number one.
    Also, what they are supposed to do in terms of responding 
to an incident, the time frames that we allow and who they are 
supposed to notify. We were inconsistent on some of those 
activities. And then, thirdly, sorry, I have to look at my 
notes here. And also who they notify. We were inconsistent on. 
So when and who they notify.
    Mrs. Maloney. Okay, thank you. Any additional information 
will have to be sent to me because I am well over my time. 
Thank you so much.
    I yield back.
    Mr. Hurd. Thank you.
    I would now like to recognize the gentleman from Georgia, 
Mr. Hice.
    Mr. Hice. Thank you, Mr. Chairman.
    Dr. Fischer, let me begin with you. Just from a general 
guess or estimation, how often are Federal agencies attacked by 
nation states?
    Mr. Fischer. Well, that is probably a question that could 
be more effectively answered by an agency such as NSA because, 
obviously, a lot of the attacks that happen are not going to be 
made public once they are discovered. But, obviously, attacks 
by nation states are considered a very serious concern, 
particularly for agencies involved in----
    Mr. Hice. Well, of course they are, but you wouldn't have 
any guess? Just generally speaking, I am curious what 
percentage are we looking at.
    Mr. Fischer. I wouldn't want to give you a number that was 
inaccurate, but we would be happy to get back to you with that.
    Mr. Hice. Okay, if you would, please get back with me on 
that. Would you have any idea which nation states have been 
most active in attacking Federal agencies?
    Mr. Fischer. Well, generally speaking, the ones that are 
identified publicly are nation states like China, and Russia to 
some extent, and also Iran. You know, the sort of usual players 
in that regard.
    Mr. Hice. Okay. Would those same nation states be 
responsible for attacking companies as well as Federal 
agencies?
    Mr. Fischer. Well, there is certainly some evidence to 
that, at least in some cases. It really depends on what the 
nation state's motivation is and what they are looking for. So 
in the case of China, for example, there is an interest in 
obtaining intellectual property, so there is some evidence that 
they have, in fact, attacked some private companies.
    Mr. Hice. Okay. Would you try to get some more information 
back to us on that?
    Mr. Fischer. Sure. I would be happy to do that.
    Mr. Hice. Mr. Wilshusen, what recommendations has GAO made 
to various agencies as it relates to management, oversight of 
contractors in regard to cybersecurity?
    Mr. Wilshusen. We issued a report last year that addressed 
this very same issue in terms of overseeing the security 
controls implemented by contractors of Federal agencies, and we 
noted that many of the agencies did not have adequate policies 
and procedures documented in order to provide that level of 
oversight that was needed and, consequently, particularly with 
respect of independently assessing the effectiveness of the 
security controls that are implemented by those contractors, so 
we made a number of recommendations to agencies that we 
reviewed to take such actions.
    Mr. Hice. Have they been responsive to those 
recommendations?
    Mr. Wilshusen. They generally agreed with our 
recommendations, and that is something that we do follow up on.
    Mr. Hice. You do follow up?
    Mr. Wilshusen. Yes, we do.
    Mr. Hice. Okay.
    Ms. Seymour, OPM was one of the agencies reviewed by GAO. 
What steps has OPM taken to improve?
    Ms. Seymour. Thank you for the question, sir. Again, we are 
doing a holistic review of our contracts to make sure we have 
the appropriate security clauses in them. We have also 
strengthened those clauses. We have also enhanced our technical 
capability to do onsite inspections with contractors, and that 
is a program that is evolving in OPM, and we plan to start that 
this year.
    Mr. Hice. All right, so it is evolving. But is there 
accountability? You are staying on top of that issue?
    Ms. Seymour. Yes, sir, there absolutely is. We have a very 
well articulated process that we are moving to for continuous 
monitoring, as opposed to taking an every three year look at 
security controls on both our Government networks, as well as 
the contractor networks.
    Mr. Hice. Okay, thank you.
    Mr. Scott, let me come to you. The report by GAO last year 
reported the need for these controls on contractors and 
oversight thereof, and it was mentioned a while ago you were 
answering the six Federal agencies were evaluated, five of the 
six came back being inconsistent in all of this. As a result, 
there evidently is some confusion, as was brought up. What is 
being done to resolve the confusion?
    Mr. Scott. So we will use our regular process to issue 
guidance for consistent application of the best practices that 
I talked about earlier. That is probably the main thing that we 
will do to clarify. And there are requirements even in FISMA 
that actually help us from a law perspective as well.
    Mr. Hice. When can we expect a timetable for implementing 
all of this?
    Mr. Scott. I think you should expect in the next few months 
would be the expectation there.
    Mr. Hice. Okay. Thank you.
    Thank you, Mr. Chairman.
    Mr. Hurd. Thank you.
    Now I would like to recognize Mr. Cartwright, from 
Pennsylvania, for five minutes.
    Mr. Cartwright. Thank you, Mr. Chairman.
    Over the last few years a number of high-profile network 
compromises have left the private personal information on 
literally millions of people exposed, often taken from 
supposedly secure private sector and Government computer 
networks. Some of the attacks appear to come from foreign 
governments, as Mr. Hice was just exploring; some of them 
simply from criminals.
    The highly publicized compromise of JPMorgan Chase's 
network let the personal information of 76 million households 
and 7 million small business customers flow out of company 
servers. Over the past eight years, the private records of 
nearly 30 million New Yorkers were exposed by data breaches. 
The USIS and KeyPoint compromises resulted in the theft of 
sensitive information from the background investigations of 
nearly 70,000 employees of the Federal Government.
    Now, in a lot of compromises like this, what mitigates some 
of the damage done is data encryption. While it is obviously 
unfortunate if a company or agency is hacked, employees or 
customers can take some solace in the fact that, if their data 
was encrypted, their personal information is not at risk, even 
though it was exposed. If you can't read it, you can't use it.
    Mr. Wilshusen, my question is for you. Over the years, GAO 
has conducted a number of assessments of cyber issues related 
to the Federal Government. When agencies do not have encryption 
policies in place, how does that affect what you are finding in 
your investigations?
    Mr. Wilshusen. We would certainly report on that because, 
indeed, encryption is one of those key controls to help protect 
the confidentiality and even the integrity of sensitive 
information. What we often find, too, is even when agencies may 
encrypt certain data like credentials and user IDs and that, 
they may use a lesser form or less secure form of encryption 
that can still be broken. Even though the information may be 
encrypted, the algorisms are such that they can be readily 
broken by competent individuals with the techniques and 
technologies to do that, so we also make recommendations for 
agencies to implement encryption in accordance with the current 
NIST standards.
    Mr. Cartwright. Very good. So it is the quality of the 
encryption that matters very much.
    Mr. Wilshusen. It is another factor; first, having 
encryption, and then making sure it is strong.
    Mr. Cartwright. But then also the consistency of using 
encryption all the time. My understanding is that private 
companies and even some Federal agencies are under no pressure 
to use encryption at all times, even when that data has been 
determined to be considered sensitive. My question is, again, 
Mr. Wilshusen, is that true? And what concerns does that 
create? And is it something Congress should be looking into 
further?
    Mr. Wilshusen. Well, it is maybe true with regard to like 
private sector companies. Unless they are regulated and are 
required to use encryption, like perhaps certain banks might be 
required to if they are regulated, but other companies, it 
would be generally up to their own determination whether or not 
and their business risk if they deem it appropriate. But they 
run the risk, as some of the recent incidents have shown, of 
having sensitive information being compromised and placed at 
risk.
    Mr. Cartwright. Well, it is not just a question of what is, 
but it is also what should be. What do you think, does Congress 
have a role in enforcing and requiring encryption?
    Mr. Wilshusen. I think Congress has a role in considering 
those issues and making the determination on whether that is in 
the best interest given all the potential implications of that. 
Certainly, it is your prerogative to make that determination 
and to consider it. Encrypting sensitive data is a basic 
fundamental security control, and I would certainly recommend 
that most companies use it to the extent that they have 
sensitive information that needs protection.
    Mr. Cartwright. How about you, Dr. Fischer? Weigh in on 
that for us.
    Mr. Fischer. Well, the only thing I would like to add in 
addition is that it is also important to consider the kind of 
costs associated with encryption, because why is it that we 
don't all use encryption at home? Because it can be difficult 
for us to implement. The same thing can apply in the context of 
a company or even a Federal agency.
    So if the use of encryption seems to basically, while it 
may help to meet the cybersecurity part of the mission, 
actually interferes with or perceives to interfere with the 
operational part of the mission, then often organizations may 
choose the operational part of the mission. So this raises the 
whole question about how does one make sure that security is 
usable. Because if security is not usable, basically people 
find a workaround.
    Mr. Cartwright. Well, this is a fascinating topic, but I am 
out of time, so thank you, gentlemen.
    I yield back.
    Mr. Hurd. Thank you.
    I would like to now recognize Mr. DeSantis, from Florida, 
for five minutes.
    Mr. DeSantis. Thank you, Mr. Chairman.
    Thank you to the witnesses.
    When we have victims of cyber attacks, one of the issues is 
attribution. Where did this come from? I know that they emanate 
in Eastern Europe, Russia, China, whatever. So how do the 
agencies work with Homeland Security, the FBI, and other law 
enforcement in order to trace attacks back to the source when 
they happen?
    Mr. Scott, do you want to give that a shot?
    Mr. Scott. Sure. So let me just go through the process. So 
when an agency discovers there is something going on that they 
are suspicious about, DHS becomes the agency for the Federal 
Government that is the first response and deals with that. 
Then, depending on what they find, they may call in other 
agencies if there are suspicious of, you know, backers outside 
the Country or criminals or whatever. So who is called then 
would depend on what is found after the initial call is made.
    Mr. DeSantis. So that would be the type of thing if it was 
an attack on someone's bank account, they would inform the 
Secret Service, let's say?
    Mr. Scott. Yes, potentially.
    Mr. DeSantis. How are the agencies managing mobile device 
security? I know that when I was active duty in the military 
and you put in your CAC card, there are all these encryption 
certificates, everything. But if someone just has a mobile 
device and they want to conduct business on that, how do you 
ensure that that is something that has integrity?
    Ms. Seymour. I can tell you from OPM's perspective, sir, 
what we have done is implemented security appliances so that we 
don't allow random mobile devices to connect to our network. So 
all of our mobile devices, my mobile device, is controlled, and 
there is encryption on the phone so that, if I lose it, my 
network operation center and security operation center can 
invalidate that device, wipe the data from it, and it is 
encrypted while it is on the phone. So those types of 
appliances and tool sets that we can install on our network are 
very important; they track every device that is on our network.
    Mr. DeSantis. And if that is not used, then there is more 
vulnerability to a cyber attack?
    Ms. Seymour. Yes, sir. It is very important to understand 
what is connected to your network, how it is connected to your 
network, and what the security controls are on those devices 
that are connected to your network.
    Mr. DeSantis. So there are policies? Are employees limited 
in what they can download onto the mobile device?
    Ms. Seymour. Yes, sir. That is one of the issues that we 
work through. If it is a Government-issued phone, then we have 
much more control over that. If it is a privately owned phone 
and bring-your-own-device type of environment, then we have to 
work through other issues about we may confiscate that phone or 
that mobile device for a security incident response, as a for 
instance.
    Mr. DeSantis. What about are employees are allowed to kind 
of just do their own email, apart from the Federal Government?
    Ms. Seymour. I don't know if I would couch it that way. 
There are controls that we put in our networks that prevent the 
bulk download of email, like to a private account. But clearly 
because of the way we communicate with the private sector and 
others, if I wanted to forward an email from my work account to 
my personal account, I may be able to do that in certain 
networks. But we also have ways of white-listing or black-
listing certain addresses that you can't forward things to.
    Mr. DeSantis. Would an employee, if they just had their own 
email server, could they just use that, or would you make them 
use the Government system with the protections?
    Ms. Seymour. We would make them use the Government system, 
absolutely.
    Mr. DeSantis. Thanks.
    I yield back the balance of my time.
    Mr. Hurd. The gentleman yields back.
    I would like to now recognize the ranking member of the 
Information Technology Subcommittee, Ms. Kelly, from Illinois, 
for five minutes.
    Ms. Kelly. Thank you, Mr. Chair.
    Welcome. Some of the recent major data breaches at 
Government agencies and Government contractors have 
specifically targeted personally identifying information, or 
PII. For example, the U.S. Postal Service data breach, over 
800,000 of its current and former employees' personal 
information was compromised. USIS and KeyPoint contractors that 
perform background checks for the Federal Government suffered 
breaches last year also, potentially exposing tens of thousands 
of Federal employees' personal information.
    Mr. Wilshusen, what are some of the challenges agencies 
face in working with contractors?
    Mr. Wilshusen. I think there are several challenges. One 
is, of course, just making sure that contractors and the 
Federal agencies clearly delineate the roles and 
responsibilities of each party, one, with respect to 
implementing security, but also, two, with respect to detecting 
and reporting on incidents that may occur.
    Another challenge is just making sure that the security 
requirements that contractors are required to follow are in 
fact clearly communicated. One of the things that is important 
to know is that the contractors have full knowledge of what the 
type of security controls they are to implement to protect 
Federal information, and then, secondly, is to assure that 
Federal agencies have some assurance that the contractors are 
effectively implementing those security requirements either 
through an independent assessment or some sort of assessment 
that the agency does, because the agency is still responsible 
for the security of its information even though it may be 
operated or maintained by a third party.
    Ms. Kelly. Thank you.
    Mr. Scott, what guidance is provided to agencies on 
ensuring the security and privacy of personally identifiable 
information?
    Mr. Scott. Well, in our guidance, we would require agencies 
to make sure they are following FISMA, number one. We also, for 
example, are proposing an update to our Web policy requiring 
encrypted Web traffic, https, it is called, as an example, for 
Federal public-facing Web sites, and so on. So there are a 
variety of things that we would do over time, including what I 
shared earlier, which is best practices in terms of contract 
language and requirements in contracts to make sure that we 
have broadly disseminated that across the Federal Government.
    Ms. Kelly. Does OMB guidance provide flexibility to 
agencies depending on the risk assessment of the PII it 
maintains?
    Mr. Scott. I think that is a core principle that every 
agency has to go through, is where are there risks, and clearly 
that will differ from agency to agency.
    When it comes to core PII, though, I don't think there is a 
lot of difference among the agencies; PII is PII in most cases.
    Ms. Kelly. Do you think it is difficult for the Federal 
Government to recruit and retain qualified cybersecurity 
personnel?
    Mr. Scott. I think it is not just a problem for the Federal 
Government. In my last role, it took nearly six months to find 
the chief information security officer that we wanted. It was 
the most exhausting, time-consuming search I think I have done 
in my professional career. So I would say it is a challenge 
more broadly than just the Federal Government.
    Ms. Kelly. Well, is OMB doing anything special to help 
agencies find qualified candidates?
    Mr. Scott. Absolutely. So part of the Digital Services team 
that I talked about is recruiting people out of the private 
sector to come spend some time in the Federal Government and, 
in essence, serve their Country and help us solve some of these 
big challenges not just in security, but in modernizing our 
whole IT environment.
    Ms. Kelly. I yield back my time.
    Mr. Hurd. Votes have been called and the intention is to 
allow Ms. Norton to get through her questions, then we will in 
recess and pick up the questioning after votes. So, with that, 
I would like to recognize Ms. Norton, from the District of 
Columbia, for five minutes.
    Ms. Norton. Thank you very much, Mr. Chairman. I just have 
a few brief questions.
    I am trying to find an industry standard, if you will, 
because it seems as if both the public and private sector are 
having the same kinds of problems. Daily news. Both sectors 
have it. States have it. Everybody has it. In part it is 
because, whether we face it or not, this technology is 
relatively new and we still are working our way through it.
    I am wondering, don't we contract out most of this work, 
most of our work to contractors and vendors, as opposed to 
doing work in-house? I mean, I assume that NASA does work in-
house, or maybe they even contract some out. But is most of 
this work contracted out?
    Mr. Scott. I think it will vary by agency to the degree to 
which the work is contracted out, but there are certain kinds 
of work that lend themselves to contracting out, where there is 
a broad need and private industry has figured out that they can 
offer a service that Government can consume.
    Ms. Norton. Now, we in the Federal Government always use 
competitive bidding, do we not, for this work, as with other 
work?
    Mr. Scott. I think that is generally the practice, yes.
    Ms. Norton. Is that the practice in the private sector as 
well?
    Mr. Scott. I would say, in my experience, yes, it is very 
similar to what the Federal Government does in terms of 
competing, yes.
    Ms. Norton. We often look to the private sector; we say 
there is real money there, there is real people here. Somebody 
keeps shareholders by real people, unfortunately. Is there an 
industry standard beginning to develop anywhere? Is there an 
industry standard in the private sector which could be useful 
to the public sector, or are both sectors simply feeling their 
way through these problems? Yes, sir.
    Mr. Wilshusen. You mean with respect to cybersecurity 
controls?
    Ms. Norton. Yes, of course.
    Mr. Wilshusen. There are several standard-setting 
organizations that do create standards for information 
security. One is ISO, International Standards Organization, I 
believe, or International Organization for Standards. In 
addition, of course, within the Federal Government, NIST, the 
National Institutes of Standards and Technology, out of the 
Department of Commerce, implements or develops and promulgates 
information security standards, information processing 
standards for the Federal Government, as well as guidelines 
that agencies should be following.
    Just recently, NIST developed a cybersecurity framework for 
improving cybersecurity within the critical infrastructure, and 
this framework identifies a number of different standards or 
sets of standards that are available to private sector owners 
and operators of critical infrastructure that they can use to 
secure their systems.
    Ms. Norton. We have always assumed that the Federal 
Government had the most secure level of assets and the rest of 
it have to make sure they are impenetrable. Can any of that 
cross over to other agencies and help them be more secure in 
their work?
    Mr. Wilshusen. Well, I think with regard to the NIST 
standards and guidelines that it publishes, it often has a 
public announcement period and it is coordinated with some of 
the other standards organizations, so there is, I believe, 
cross-pollination, if you will, among the different standards 
at some level.
    Ms. Norton. Finally, the Affordable Health Care Act had a 
lot of glitches, but I haven't heard a lot about a lot of 
hacking there. Has that been shored up so, kind of information 
that is there, that that is fairly secure?
    Mr. Wilshusen. Well, we issued a report last September on 
the security and privacy of the Healthcare.gov Federal 
facilitated marketplace and we identified a number of 
vulnerabilities within that particular system or module of that 
system. We presently have work ongoing looking at both the 
security and privacy of some of the State-based health 
insurance marketplaces, as well as looking at the incidents 
that have been identified for Healthcare.gov by CMS.
    Ms. Norton. Have they been fairly rare?
    Mr. Wilshusen. We are still in the process of trying to 
obtain and collect the information from CMS and review it. We 
just recently received a listing of the incidents that they 
have identified and reported to us, and we are in the process 
of analyzing that. We will be issuing a report later this year.
    Ms. Norton. Thank you.
    Mr. Hurd. Thank you. Votes have been called on the House 
floor. The committee will stand in recess to allow members to 
vote and come back. We anticipate reconvening at the end of the 
last vote, and we will advise member offices regarding the 
exact time.
    The committee will stand in recess.
    [Recess.]
    Mr. Hurd. I would like to thank you all for being patient. 
The committee will now reconvene and I would like to recognize 
the ranking member, Mr. Cummings, for five minutes.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Ms. Seymour, I want to thank you for testifying today. I 
want to thank all of you for testifying.
    Every day Government agencies and contractors are the 
targets of cyber attacks. I wanted to ask you about an attack 
that happened in 2014. In March of last year, OPM's networks 
were attacked by a sophisticated cyber threat. At about the 
same time, USIS, a contractor for OPM that conducts background 
checks, was also attacked. As I understand it, the attack 
against OPM did not result in any breaches of personal 
information, but the attack against USIS did. Is that right?
    Ms. Seymour. Yes, sir, that is correct.
    Mr. Cummings. So the attack on OPM, the Government agency, 
was thwarted, but the attack on USIS, the contractor, resulted 
in the theft of thousands of personal records. Ms. Seymour, we 
want to learn from this. What protections did OPM have in place 
that USIS did not?
    Ms. Seymour. Thank you for the question, sir. Some of the 
protections had to do with the architecture that the Government 
is using versus the architecture that USIS was using. Most of 
the Government's data is in a mainframe, and in USIS they were 
in a distributed more modern environment. The adversaries in 
today's environment are typically use to more modern 
technologies, and so in this case, potentially, our antiquated 
technologies may have helped us a little bit.
    But I think also it comes down to culture and leadership, 
and one of the things that we were able to do immediately at 
OPM was to recognize the problem. We were able to react to it 
by partnering with DHS and our agencies, their partnering 
agencies to be able to put mitigations in place to better 
protect the information.
    Mr. Cummings. So those kinds of cyber protections that you 
had in place at OPM, they are expensive?
    Ms. Seymour. Yes, sir, some of them can be expensive. Some 
of the appliances that you put on a network, firewalls and 
different software to separate data and to protect it so that 
it recognizes good traffic in the network from potentially 
erroneous traffic in the network, those can be expensive. They 
are expensive sometimes to implement and then sometimes 
expensive to operate and maintain.
    Mr. Cummings. So USIS could have saved money by not 
investing in those cyber protections, is that right?
    Ms. Seymour. What I would offer, sir, is, yes, you can save 
money by not implementing security, but it is a temporary 
savings because these vulnerabilities and the breaches that we 
suffer are expensive to remediate.
    Mr. Cummings. Right. Right. So USIS is a subsidiary of a 
company called Altegrity, and Altegrity owns other subsidiaries 
that also do business with the Federal Government. On February 
11th, 2014, the committee held a hearing with the head of USIS. 
I asked him about whether Altegrity oversaw these subsidiaries 
and I also asked him about bonuses Altegrity paid to USIS 
executives during a four-and-a-half year period when USIS 
allegedly perpetrated a massive fraud against the Government. 
In response, he confirmed that Altegrity, in fact, oversaw 
these subsidiaries and that Altegrity determined those million 
dollar bonuses. Since then, neither USIS nor Altegrity has 
answered one single question we have asked them.
    So, Ms. Seymour, after you discovered the breach at USIS, 
was the company fully cooperative in responding to the 
Government's request for information about the cyber attack? 
Did they allow Federal cyber officials to investigate the 
breach of other Altegrity subsidiaries?
    Ms. Seymour. The Government was able to negotiate with USIS 
to allow US-CERT to scan their network and uncover some of the 
vulnerabilities and propose remediation steps for USIS. We were 
limited somewhat in our ability to scan the network, or US-CERT 
was limited in its ability to scan the network, again, because 
of the architecture of the USIS network, so US-CERT was given 
permission to scan two of the subnets of that network that they 
identified.
    Mr. Cummings. Chairman's indulgence. I just have one more 
question.
    Ms. Seymour, after the breach and the discovery of the 
alleged--let me go back to what you just said. Were you able to 
accomplish everything you wanted to accomplish with regard to 
USIS? I take it that you didn't get everything that you wanted.
    Ms. Seymour. It is difficult. Again, the way the network 
was architected. I can give you an example, if I might. If you 
ask me to physically secure an apartment building, but you only 
allow me to go into two apartments, I can't tell you what is in 
those other apartments. Clearly, they are part of the building 
that you have asked me to secure.
    Mr. Cummings. Yes, I got it.
    Ms. Seymour. Okay.
    Mr. Cummings. So, in answer to my question, you didn't get 
everything you wanted.
    Ms. Seymour. We were not able to go to the boundaries of 
the network, sir.
    Mr. Cummings. And, Ms. Seymour, after the breach and the 
discovery of the alleged fraud, OPM decided not to renew its 
contract with USIS. But I recently learned that the company may 
be planning legal action. Have you seen any signs that 
Altegrity or USIS might bring a lawsuit against OPM?
    Ms. Seymour. I am not privy to any of that information, 
sir. I have no knowledge.
    Mr. Cummings. So after failing to protect the personal data 
of tens of thousands of people, after not fully cooperating 
with the Government after the breach, after refusing to answer 
Congress's questions, now Altegrity may be planning to sue. 
There are serious questions about how Altegrity has been 
conducting business with over $2 billion in taxpayer funds it 
has received. I think we should pursue answers directly from 
Altegrity, and I will bring that up with the chairman.
    Mr. Chairman, thank you very much.
    Mr. Hurd. Thank you, Ranking Member Cummings.
    I would like to recognize myself for five minutes.
    The first question I have is to you, Mr. Scott. One, thank 
you for being here today. Like you, I think I have been here 
for four weeks longer than you have in this position, and 
having come out of the private sector most recently, trying to 
get our hands around what is really going on, and one of the 
interesting things that I find is that some very basic 
questions, the Federal Government, we haven't answered them.
    If North Korea launched a missile at San Francisco, we know 
how we would respond; the North Koreans know how we would 
respond. That is a physical-on-physical attack. A digital-on-
physical attack, we have a little bit example of that, that 
Stuxnet from a couple years ago. But what is a digital-on-
digital attack? What reaches the level of a digital act of war?
    Who is having these conversations? How are we going to go 
about answering some of these questions? I would really just 
like your insight on those issues and how we are going to come 
to some resolution as a whole of Government.
    Mr. Scott. Well, I think those kinds of questions actually 
are, frankly, outside the purview of OMB; they are really 
National Security questions and DOD kinds of questions, so in 
the few weeks that I have been here, I just haven't been 
engaged in sort of that conversation, although, like you, I am 
curious about the answers to those and I do think policy things 
are going to have to be worked out over some time. It is pretty 
clear to me that there are somewhat fuzzy lines in that space.
    Mr. Hurd. Thank you. One of the things that this committee 
as a whole and my Subcommittee on Information Technology 
specifically is going to be looking at the continued 
implementation of FISMA from 2014, and I am interested on your 
thoughts on where the guidance to all the agencies and 
departments on implementation of FISMA is and when can we 
expect some of that guidance.
    Mr. Scott. Thank you for that question. As you know, the 
FISMA law passed in the 2014 year and, since then, we have been 
taking the actual law and putting it through our OMB process in 
terms of figuring out what guidance we will issue to the 
various Federal agencies and so on. That work is well underway, 
so I think in the next several months you will see the specific 
guidance that we issue with regard to FISMA.
    Mr. Hurd. Thank you.
    Mr. Scott. And we tend to do annual updates of that, so you 
will see ongoing updates as time passed as well.
    Mr. Hurd. Excellent. Thank you.
    The next question is to you, Ms. Seymour, to follow up on 
some of the questions that Mr. Cummings had. You had mentioned 
that US-CERT was limited in their ability to scan the network 
of USIS. Why was that?
    Ms. Seymour. I can't answer that, sir, on behalf of USIS.
    Mr. Hurd. So in your role, and this is not you 
specifically, but you as the CIO of OPM, do you have enough 
authority to mandate something like that happen?
    Ms. Seymour. Within my own agency, sir?
    Mr. Hurd. Within your own agency.
    Ms. Seymour. Yes, I do. I have excellent leadership with 
Director Archuleta, and I do feel I have appropriate authority.
    Mr. Hurd. What about if it comes to a subcontractor that 
your agency is employing?
    Ms. Seymour. Again, I would defer to the contracting 
officer and I would work with the contracting officer to make 
sure that the appropriate clauses are in there, and that would 
guide the discussions that we would have with the contractor.
    Mr. Hurd. But as of right now, if you walked in and said I 
want to see this part of the network scanned, I want to do a 
vulnerability assessment of a certain part of the network that 
is being managed by a subcontractor, you would have the 
authority to be able to do that?
    Ms. Seymour. I think that there are a lot of questions 
there that we would probably engage with the contracting 
officer and legal counsel. I would like to take that question 
and get you a more complete response because I think there are 
a lot of factors there that play into that.
    Mr. Hurd. No, I appreciate that. One other issue. I know we 
are talking about FISMA here today, but at some point we will 
probably talk about FITARA. And I know this is something that 
was good legislation that was passed last year. I think it is 
pretty insane that the Federal CIO doesn't have complete 
jurisdiction over certain elements of the networks that you are 
tasked to protect, and that is unfortunate. So we will be 
looking at the implementation of that.
    I know Mr. Connolly, my colleague, is very interested in 
that, since he was part of the group that passed the 
legislation in the last cycle, so I appreciate you all being 
here.
    With that, I would like to recognize Mr. Connolly for five 
minutes.
    Mr. Connolly. I thank the chair and I thank him for his 
kind remarks.
    By the way, I would be glad to work with you. We tried to 
actually codify the role of CIO and CTO in the Federal 
Government along the lines originally proposed by the 
President. We were unsuccessful in that effort the first try, 
so I would be glad to work with you, because while some of this 
is by executive order, that does not necessarily survive a 
particular president. I do think we need to rationalize the 
hierarchy of responsibility in the Executive Branch, so 
hopefully we can work with the Executive Branch.
    This was early on and maybe didn't have the full attention 
of the Administration at the time, but, at any rate, I would be 
glad to work with the chairman, if he is interested in pursuing 
that legislatively. And I thank him again for his kind remarks. 
FITARA, although here at the Oversight and Government Reform 
Committee, we prefer to call it Issa-Connolly.
    So let me start. Mr. Scott, how would you assess plans for 
the implementation? There are a lot of elements of the reform 
bill and we, as you know, intended it not to be another pain in 
the neck overlay of responsibility that you have to report and 
do all that. We actually want it to be transformative. We want 
it to be a management tool for actually achieving efficiency, 
helping with the management structure, and looking at different 
ways to harness the power of technology to transform.
    Could you briefly just bring us up to date from your 
perspective, and you are new, how well organized are we and how 
sincere is the energy within OMB to, in fact, us it as such?
    Mr. Scott. Thank you for the question. I think the energy 
level is high, and it has certainly been the subject of a lot 
of work that my team in particular has been working on over the 
last several months. Through the process that we have used, we 
have also had a very high level of engagement with agency CIOs, 
former CIOs who have had experience in the Government, members 
of your team and others, who have all, I think, provided great 
perspective not only on the intent of FITARA, but some of the 
practical aspects of implementing. Among those are not every 
agency is the same, so there are cases where flexibility is 
going to be needed, while still retaining the absolute intent 
of the law, which is to have greater accountability and 
responsibility on the part of the CIO.
    We are about ready to enter a public comment period where 
we think we will get additional insight on that, so we look 
forward to, in a few weeks after the public comment period, 
closing it out and issuing our guidance. But, in summary, I 
would say I feel really good about where we are and where we 
are going, and I appreciate all the support that you and your 
team have provided for this.
    Mr. Connolly. And as I indicated to you in the break while 
we were voting on the floor, we would like to work with you, 
and with your office as well, Ms. Seymour, in particular, about 
implementation and how we are doing and looking at milestones, 
because we want to use oversight hearings to prod, but also to 
enhance and augment what you are doing.
    Ms. Seymour, there is a role, it seems to me, obviously, 
for OPM, especially in sort of helping to rationalize the 
current structure we have. Now, if you go to a major 
corporation and you ask, no matter how big, how many CIOs do 
you have, they look at you kind of strange and say, one. 
Believe me, I have done this in my district. It doesn't matter 
how big or small, the answer is always the same: one.
    Now, over 24 Federal agencies, we have 250 people with the 
title CIO, and we didn't, by fiat, say thou shalt only have 
one, but we created a series of incentives in the bill to give 
you the tool to help rationalize that system and make sure that 
there is one CIO vested with the authority, the responsibility, 
the accountability, the flexibility to help engineer these 
reforms.
    Could you comment on that? Because I have to tell you, from 
the private sector point of view, the Federal Government is not 
well organized, just that anecdote about how many CIOs we have, 
frankly, to effectuate the kind of management change we need to 
to be more efficient. What is OPM doing to try to take 
advantage of the new law in that respect?
    And I know my time has just expired, Mr. Chairman. I 
appreciate the indulgence just for a second. Thank you.
    Ms. Seymour. Thank you for the question, sir. We work very 
closely, I work very closely with Mr. Scott and the CIO 
Council. I think that that is an avenue where we can share 
ideas, share lessons learned, where we can, by any other title, 
whether it is CIO, Director of IT, any other title, where we 
need to come together and share and put in place policies that 
we can then implement throughout the Federal Government. I 
would say that the Federal Government is probably more complex 
and diversified than most private sector companies, so I think 
that we have to work together across these sectors.
    So in that construct we can, and we also need to make sure 
that we are not just working within the CIO Council, but that 
we work with the other councils as well, the Chief Acquisition 
Officer Council and the Chief Human Capital Officer Council. 
And when you get the proper C-suite folks together, you really 
get a lot of knowledge, expertise, and leadership to move our 
efforts forward.
    Mr. Connolly. I look forward to talking more to you about 
that.
    Would the chairman just allow either GAO or CRS, or both, 
just to comment? And I am done. But I didn't want to shut them 
out because I know they have views as well, and GAO has been 
very supportive of FITARA, otherwise known as Issa-Connolly.
    Mr. Wilshusen. Yes, sir. That work with FITARA was actually 
done by another director, but one thing I would like to comment 
on as far as a corollary, we are beginning to start an 
engagement that will be looking at the role of CISOs, Chief 
Information Security Officers, and their authorities, which, 
while of course not necessarily pertaining to FITARA in the 
role of the CIO, has some other interesting aspects to just 
what extent that the CISOs have authorities throughout their 
organizations and across the Federal Government.
    Mr. Hurd. Dr. Fischer?
    Mr. Fischer. I don't have any specific comments with 
respect to FITARA, but I would like to say we do have people 
who are sort of more specifically focused on this area, and we 
would be happy to follow up with you to answer any questions 
you may have.
    Mr. Hurd. Thank you.
    Mr. Connolly. Thank you, Mr. Chairman.
    Mr. Hurd. Thank you. And I do look forward to working with 
you over these next couple of weeks and months on FITARA and 
how we can make sure the Federal Government is doing the things 
that it is supposed to be doing.
    I want to thank the witnesses for your appearances here 
today. I appreciate you all being flexible. This is a 
conversation we could sit here for the next three days and just 
scratch the surface. I look forward to future conversations 
with you all and get a little bit more into the nitty-gritty on 
these issues. And I do think this is one of those areas where 
the House, the Senate, and the White House can work together to 
make sure that we are protecting the digital infrastructure of 
the Federal Government and doing everything we can to help the 
private sector protect themselves. So I look forward to working 
with you all.
    With that, if there is no further business, the committee 
stands adjourned.
    [Whereupon, at 5:12 p.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

                                 [all]