[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


             CYBERSECURITY: THE DEPARTMENT OF THE INTERIOR

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                      SUBCOMMITTEE ON THE INTERIOR

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 15, 2015

                               __________

                           Serial No. 114-52

                               __________

Printed for the use of the Committee on Oversight and Government Reform




         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
              
                              ______________
                              
                    U.S. GOVERNMENT PUBLISHING OFFICE
97-789 PDF                  WASHINGTON : 2015                              
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
              
              
              
              
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                    Sean McLaughlin, Staff Director
                 David Rapallo, Minority Staff Director
         William McGrath, Interior Subcommittee Staff Director
               Troy Stock, IT Subcommittee Staff Director
                        Melissa Beaumont, Clerk
                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking 
MARK WALKER, North Carolina              Member
ROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois
                                     TED LIEU, California

                      Subcommittee on the Interior

                  Cynthia M. Lummis, Wyoming, Chairman
KEN BUCK, Colorado, Vice Chair       BRENDA L. LAWRENCE, Michigan, 
PAUL A. GOSAR, Arizona                   Ranking Member
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
STEVE RUSSELL, Oklahoma              STACEY E. PLASKETT, Virgin Islands
GARY J. PALMER, Alabama
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 15, 2015....................................     1

                               WITNESSES

Ms. Sylvia Burns, Chief Information Officer, U.S. Department of 
  the Interior
    Oral Statement...............................................     4
    Written Statement............................................     7
Ms. Mary Kendall, Deputy Inspector General, U.S. Department of 
  the Interior
    Oral Statement...............................................    11
    Written Statement............................................    13

                                APPENDIX

Office of Personnel Management Mission Statement, submitted by 
  Rep. Lieu......................................................    40
July 9, 2015 Dept. of the Interior Response to the Office of the 
  Inspector General Report, submitted by Chairman Hurd...........    42
Nov. 26, 2013 Dept. of the Interior, Office of the Inspector 
  General Report on Faisal Ahmed, submitted by Chairman Hurd.....    51
Colleen M. Kelley, National President, Statement of the National 
  Treasury Employees Union, submitted by Chairman Hurd...........    54
Statement of Congressman Gerald E. Connolly (VA-11), submitted by 
  Chairman Hurd..................................................    57
Office of the Inspector General, U.S. Department of the Interior 
  Report: Security of the U.S. Department of the Interior's 
  Publicly Accessible Information Tehnology Systems, submitted by 
  Chairman Hurd..................................................    59

 
             CYBERSECURITY: THE DEPARTMENT OF THE INTERIOR

                              ----------                              


                        Wednesday, July 15, 2015

                  House of Representatives,
Subcommittee on Information Technology, joint with 
                  the Subcommittee on the Interior,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:38 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the subcommittee] presiding.
    Present from Subcommittee on Information Technology: 
Representatives Hurd, Farenthold, Blum, Kelly, and Lieu.
    Present from Subcommittee on the Interior: Representatives 
Lummis, Russell, Palmer, Lawrence, and Cartwright.
    Mr. Hurd. The Subcommittee on Information Technology and 
the Subcommittee on the Interior will come to order. And, 
without objection, the chair is authorized to declare a recess 
at any time.
    Good afternoon. Thanks for being here today. Sorry for the 
delay. You all know how it is here in Washington. This is an 
important hearing. In the wake of the data breach of the Office 
of Personnel Management, the committee remains deeply concerned 
with the Federal Government's plan to address cybersecurity. 
This ``do as I say, not as I do'' mentality is an affront to the 
American people and leaves our Federal agencies and the PII of 
millions at risk.
    Today's hearing is the first in a series of hearings the 
Subcommittee on Information Technology will hold to focus on 
the cybersecurity posture of Federal agencies. This means not 
only compliance with FISMA, but also responding to the 
recommendation from an agency's inspector general, as well as the 
GAO.
    I'm proud to hold this hearing jointly with Chairwoman 
Lummis, Ranking Member Lawrence, and the Subcommittee of 
Interior. And I am always thankful for Ranking Member Kelly and 
the bipartisan way we have been able to approach cybersecurity 
and other issues on this subcommittee.
    At the first hearing this committee held on the recent OPM 
data breach, I advised agency CIOs across the Federal Government 
to pull out their past IG reports and get to work on addressing 
the vulnerabilities that have been identified.
    Ms. Burns, I hope you have come here today with a concrete 
plan to address vulnerabilities in DOI's systems pointed out by 
the IG and others.
    The Department of Interior inspector general recently 
conducted penetration tests of publicly accessible computer 
systems and Web sites operated by DOI bureaus. What they found 
is alarming and is largely what brings us here today. The IG 
found nearly 3,000 critical and high-risk vulnerabilities in 
hundreds of publicly accessible computers operated by DOI 
bureaus. Let me repeat that number: 3,000.
    Even more concerning, the IG found that because DOI did not 
segment its publicly accessible systems from its internal 
systems, hackers could exploit these vulnerabilities to access 
internal or nonpublic DOI computer networks. DOI's internal 
networks support mission-critical operation and contain highly 
sensitive data. Not segmenting the public and the internal 
networks from each other is a failure of basic cybersecurity 
best practices.
    We need and deserve better from Federal agencies and those 
in charge of securing our digital assets. There's too much at 
risk not to.
    In addition, DOI hosted the OPM personnel file database 
that was breached and resulted in 4.2 million former and 
current Federal employees having their personal and private 
information stolen. Since then, Director Archuleta has stepped 
down and rightfully so.
    Several questions about DOI's role in the breach remain 
unanswered, including whether or not other agencies may have 
been compromised, how many breaches exactly took place at DOI, 
and whether or not the attackers are still in the system. Both 
subcommittees look forward today to having some of those 
questions answered.
    In closing, it is no secret that Federal agencies have a 
long way to go to improve their cybersecurity posture. We have 
years and years of reports highlighting the vulnerabilities and 
inactions of Federal agencies. We also have years and years of 
recommendations from IGs, GAO, and experts in and out of the 
government on how to address these vulnerabilities. Simply put, 
we know what needs to be done, we just need to do it.
    We need strong and capable leaders in place across the 
Federal Government to upgrade IT systems and shore up the 
current sorry state of cybersecurity at Federal agencies. We 
need leaders who will listen to the recommendations of their 
IGs and others and take appropriate corrective actions based on 
those recommendations. The status quo is unacceptable. We need 
leaders who can put a solid plan in place and then execute it.
    I hope we have that type of leadership in place at DOI. I 
welcome the witnesses and look forward to their testimony.
    And now, I'd like to recognize my friend and the ranking 
member, Ms. Kelly of Illinois.
    Ms. Kelly. Thank you, Mr. Chairman, and welcome to the 
witnesses.
    Last month, the Oversight Committee held hearings on two 
major OPM data breaches. We learned that the stolen personnel 
records of over 4 million current and former Federal employees 
were kept on servers hosted by the Department of Interior. 
Hackers essentially not only gained access to OPM's personal 
records, but in doing so they successfully penetrated the 
Department's data center where the records have been stored.
    Fortunately, an ongoing investigation into the OPM breach 
has so far not uncovered any evidence that any of the 
Department's data was stolen during the time period hackers had 
access to the data center. But the fact that the Department's 
computer systems were also hacked raises serious questions 
about the strength of the Department's cybersecurity system.
    Last week, the Department's inspector general provided the 
general with a draft that identified security weaknesses the IG 
found in many of the publicly accessible computers the 
Department maintains. Computers such as these are primarily 
used by the Department to share information with the public, 
collaborate with business and research partners, and to provide 
employees and contractors remote access to Department networks.
    As the IG noted in his draft report, and I quote: 
``Publicly accessible computers operated by Federal agencies 
are prime targets for exploitation and are highly sought after 
by criminals and foreign intelligence services.''
    According to the IG, over the past several years hackers 
and foreign intelligence services have been able to compromise 
the Department's computer network by exploiting weaknesses in 
its publicly accessible system. The IG's draft report provides 
a clear warning about a serious security vulnerability in the 
Department's publicly accessible computers.
    As I pointed out in my opening remarks at the 
subcommittee's first hearing this year, no organization is 
immune from cyber attacks and data breaches. As we saw this 
past year, sophisticated companies, from Anthem to JPMorgan 
Chase, were all targeted and breached by cyber attackers.
    I do want to acknowledge and thank Chairman Hurd for the 
bipartisan approach he has taken on the issue of cybersecurity.
    Mr. Chairman, I know we can work together to solve this. 
Thank you, and I yield the balance of my time.
    Mr. Hurd. Thank you, Ms. Kelly.
    And now it is a pleasure to recognize Mrs. Lummis, the 
chairwoman of the Subcommittee on the Interior, for her opening 
statement.
    Mrs. Lummis. Well, thank you, Chairman Hurd, for leading 
this hearing.
    As we know, the Department of the Interior hosted a 
database for the Office of Personnel Management containing the 
records of approximately 4.2 million current and former 
government employees. Now, as we've seen, shared hosting can 
reduce redundancy and costs for government IT needs. Also as 
we've seen, however, it can result in increased vulnerability 
if it's not properly managed.
    So in this hearing, I look forward to learning more about 
the response by Interior to the breach, their compliance with 
the Federal Information Security Management Act and the Federal 
Information Technology Acquisition Reform Act, and past and 
future management decisions regarding recommendations by 
inspectors general for improving cybersecurity.
    So thanks again, Mr. Chairman.
    And thank you, witnesses, for being here today.
    I yield back.
    Mr. Hurd. When Mrs. Lawrence, the ranking member of the 
Subcommittee on the Interior, is here we'll recognize her for 
her opening remarks. Until that time, I'd like to turn to our 
witnesses and introduce them. And I'm also going to hold open 
the record for 5 legislative days for any members who would 
like to submit a written statement.
    I'm pleased to welcome Ms. Sylvia Burns, the 
Chief Information Officer at the U.S. Department of the 
Interior; Ms. Mary Kendall, Deputy Inspector General at the 
U.S. Department of the Interior as well.
    Welcome to you both.
    It is also my understanding that our witnesses are 
accompanied by two additional experts whose expertise may be 
needed during questioning. And so I'd like to welcome Mr. 
Jefferson Gilkeson, Director of IT Audits at the U.S. 
Department of Interior, and Mr. Bernard Mazer, Senior Policy 
Advisor in the Office of Inspector General at the U.S. 
Department of Interior and the former Interior CIO.
    Pursuant to committee rules, all witnesses will be sworn in 
before they testify, including Mr. Gilkeson and Mr. Mazer. So 
please rise and raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. Please be seated.
    Let the record reflect that all witnesses answered in the 
affirmative.
    In order to allow time for discussion, please limit your 
testimony to 5 minutes. Your entire written statements will be 
made part of the record.
    And we're going to start with you Ms. Burns. You're now 
recognized for 5 minutes for your opening remarks.

                       WITNESS STATEMENTS

                   STATEMENT OF SYLVIA BURNS

    Ms. Burns. Chairmen Hurd and Lummis, Ranking Members Kelly 
and Lawrence, and members of the subcommittee, thank you for 
the opportunity to discuss cybersecurity at the Department of 
the Interior. I am Sylvia Burns, and I have been the 
Department's Chief Information Officer since August 24, 2014.
    The Department and its bureaus serve as stewards of the 
Nation's parks, wildlife refuges, and public lands. And as the 
keeper of the history of this country, over 70,000 employees in 
more than 2,400 operating locations, including many remote 
areas, carry out the Department's mission across the United 
States and its territories.
    The Department is committed to cybersecurity and the 
protection of our assets, including data. IT tools are of vital 
importance to the delivery of the mission of the Department. 
The security of those IT tools and systems is likewise critical 
to our mission. All levels of our Department are engaged in the 
efforts to improve our cybersecurity.
    My office provides leadership to the Department and its 
bureaus in all areas of information management and technology. 
The Department's programs are many and varied. The Department's 
current IT management and operations structure reflects the 
decentralized nature of IT programs. My office is responsible 
for the operation of many departmental systems and issues IT 
policy, while bureaus and offices are each responsible for 
their respective systems.
    Each week the Department detects and prevents between 5 
million and 6 million malicious connection attempts to exploit 
vulnerabilities in its Internet perimeter and Internet-facing 
systems. My office is working in partnership with the 
Department's senior leadership and IT personnel in the bureaus 
and offices to improve our ability to manage the risk of cyber 
attacks while delivering the Department's mission.
    I recently established a Department-wide cybersecurity 
advisory group to support me in developing and implementing a 
comprehensive, multipronged cybersecurity strategy and action 
plan, which includes short, medium and long-term initiatives to 
strengthen the Department's IT security posture.
    We are in the process of adopting a more centralized 
approach, managing IT across the Department. For instance, to 
meet FISMA requirements, the Department will obtain access and 
visibility into the entire Department network and will play a 
more direct role in incident response working with its bureaus 
and offices and with US-CERT.
    As a result of a secretarial order, FISMA and FITARA, DOI 
achieved the following. Through the Continuous Diagnostics and 
Mitigation investment funded by Congress through DHS, DOI 
deployed capabilities to centrally manage vulnerability 
patching at the Department level, which will greatly improve 
cyber hygiene across our IT landscape.
    As of June 26, the Department implemented strong 
authentication for all privileged users. I am happy to report 
that as of this morning we have achieved 75 percent of PIV 
enablement for our unprivileged users. That was news.
    The Department launched its data center consolidation plan 
to support the OMB Federal Data Center Consolidation 
Initiative. Data center consolidation reduces the Department's 
IT footprint overall, consolidating smaller, noncore data 
centers into DOI's larger and more robust core data centers, 
allows us to more efficiently and effectively manage and 
protect high value data.
    The Department supports and appreciates the work of the 
Office of the Inspector General in assessing and advising the 
Department on its IT systems. We accept all of the OIG's 
recommendations and will incorporate them into our action plan. 
The impacted bureaus report that all vulnerabilities identified 
in the report have been corrected.
    The Department takes the privacy and security of its IT 
systems and data very seriously. The Department immediately and 
aggressively responded to the recent cyber intrusion resulting 
in the loss of OPM data. We worked with interagency partners 
who are addressing the broader cybersecurity threats to the 
Federal Government to develop and implement an immediate 
remediation plan specific to the threat. We incorporated 
remediation actions, the OIG's recommendations, and 
departmental IT improvements which were already underway into 
the Department's overall IT strategy moving forward.
    We will continue to be an active participant in the ongoing 
efforts by the Federal Government to improve our Nation's 
overall cybersecurity posture.
    Chairmen Hurd and Lummis, Members Kelly and Lawrence, and 
members of the subcommittee, this concludes my prepared 
statement. I would be happy to answer any questions you have.
    [Prepared statement of Ms. Burns follows:]
           
    Mr. Hurd. Thank you, Ms. Burns.
    Now over to you, Ms. Kendall, for 5 minutes.

                   STATEMENT OF MARY KENDALL

    Ms. Kendall. Mr. Chairman, Madam Chairman, Ranking Member 
Kelly, and members of the subcommittees, good afternoon, and 
thank you for the opportunity to testify today about the 
results of our OIG audit on security of public-facing Web sites 
at the Department of the Interior.
    Although the OIG has had an IT oversight function for over 
a decade, we have refocused our IT oversight efforts over the 
past 3 years. In 2012, we began to transfer the responsibility 
for conducting IT oversight to our Office of Audits, 
Inspections, and Evaluations in order to standardize and track 
our IT oversight of the Department, and we have since doubled 
the number of IT professionals assigned to this oversight.
    Our focus on IT oversight has evolved over the years from 
periodic assessments and compliance reporting to using tools 
and techniques to conduct ongoing monitoring of IT security 
controls, an approach that enables responsible officials to 
take timely risk-mitigation actions and make risk-based 
decisions regarding the operation of their IT systems.
    This is how we conducted the IT audit at issue in today's 
hearing. The results of our efforts provided the bureaus with 
real-time information necessary for them to take prompt action. 
A future OIG follow-up audit will determine whether those 
actions were effective at addressing the vulnerabilities 
identified.
    ``Defense in depth'' is a widely recognized best practice 
for protecting critical IT assets from loss or disruption by 
implementing overlapping security controls. The concept of 
defense in depth is that if one control fails, then another is 
in place to either prevent or limit the adverse effect of an 
inevitable cyber attack.
    We found that three DOI bureaus had not implemented 
effective defense in depth measures to protect key IT assets 
from Internet-based cyber attacks. We found critical and high-
risk vulnerabilities in publicly accessible computers operated 
by these bureaus. If exploited, these vulnerabilities would 
allow a remote attacker to take control of publicly accessible 
computers or render them unavailable.
    In addition, we found that a remote attacker could then use 
a compromised computer to attack the Department's internal 
networks that host computer systems supporting mission-critical 
operations and containing highly sensitive data. These 
deficiencies occurred because the Department did not 
effectively monitor its publicly accessible systems to ensure 
they were free of vulnerabilities or isolate its publicly 
accessible systems from its internal computer networks to limit 
the potential adverse effects of a successful cyber attack.
    The results contained in this report are the first in a 
series of defense in depth. We made recommendations designed to 
help the Department mitigate, identify vulnerabilities, and 
strengthen security practices, reduce the opportunity for a 
malicious attack, and minimize the impact and potential 
opportunities to infiltrate nonpublic systems after a 
successful attack. The Department concurred with all of our 
recommendations and has begun to implement them.
    We are preparing a public version of our report, but as we 
continue to analyze the content, we determined that details of 
our methodology, specifically the ``how we did our testing and 
with what tools,'' and certain details of the results of our 
testing, could cause harm to the Department and its IT assets. 
We will therefore redact this information along with the 
identity of the bureaus that were subject to our testing in the 
public version of our final report, which will be posted on our 
Web site.
    As is our practice however, Chairmen Hurd and Lummis, we 
will be glad to provide you with a copy of our full final 
report at your request.
    Mr. Chairman, Madam Chairman, ranking members, this 
concludes my prepared remarks today. I am happy to try to 
answer any questions you or members of the subcommittee may 
have, but I would also be assisted by Mr. Gilkeson and Mr. 
Mazer.
    [Prepared statement of Ms. Kendall follows:]
        
    Mr. Hurd. Thank you, Ms. Kendall.
    I would now like to recognize the ranking member of the 
Interior Subcommittee, Mrs. Lawrence, for 5 minutes for opening 
remarks.
    Mrs. Lawrence. Thank you, Mr. Chairman. I want to thank you 
for holding this hearing and examining the effectiveness of the 
Department of Interior's cybersecurity practices. I also want 
to thank our witnesses for speaking with us today. I know some 
of you are returning.
    Recent cyber attacks in public and private sectors 
highlight the importance of enhancing information security 
policies and controls. Although the Department of Interior has 
not suffered a breach of its data in relation to cyber attacks 
on OPM, information security weaknesses have been identified by 
the inspector general and exploited by cyber attackers.
    The Federal Information Security Management Act, or FISMA, 
requires each Federal agency, and I will quote, ``each Federal 
agency to develop, document, and implement an agencywide 
program to provide information security for the information and 
information systems that support the operations and assets of 
the agency,'' end quote.
    In the Office of Management and Budget annual report to 
Congress on FISMA for fiscal year 2014, the Department was at 
or above compliance standards for several areas of affected 
information security. According to OMB's report, the Department 
was given an overall cybersecurity assessment score of 92 
percent, 16 percentage points higher than the average score for 
reporting agencies, which was 76 percent.
    However, I'm concerned that the Department was identified 
as having a weak profile, which means that the majority of 
unprivileged users are allowed to log onto network systems with 
a user ID and password alone. This is an increased risk of 
unauthorized network access.
    In closing, today's hearing provides an opportunity to gain 
an understanding from our witnesses of the challenges the 
Department faces, to learn what DOI is doing to correct their 
information security deficiencies, and to find out what 
Congress can do to help ensure that the Department has the 
people and the resources it needs to enhance its information 
security practices.
    Mr. Chairman, thank you for holding this hearing, and I 
yield back my time.
    Mr. Hurd. Thank you, Mrs. Lawrence.
    Now to begin our questioning portion of this afternoon, I'd 
like to turn it over for 5 minutes to Mrs. Lummis, the chair of 
the Interior Subcommittee.
    Mrs. Lummis. Thank you, Mr. Chairman. Thanks again for 
holding this hearing.
    And welcome witnesses. Appreciate your being here.
    Our committee recently learned through a report of 
investigation about a high-level IT staffer at the Department 
of Interior's Office of Law Enforcement and Security. His name 
is Faisal Ahmed.
    Ms. Kendall, can you please quickly summarize the findings 
of this report?
    Ms. Kendall. Chairman Lummis, thank you.
    We have not analyzed the personal privacy security 
implications of our report in this regard, and so I will not 
identify the individual by name. But when the OIG was notified 
that there was an individual in the Office of Law Enforcement 
and Security who may have falsified his credentials, we 
investigated these allegations and determined that in fact 
there were two transcripts suggesting that he had both an 
undergraduate and a master's degree which he did not have. The 
person who was subject of this investigation resigned from the 
position 3 days after we initiated our investigation.
    Mrs. Lummis. And at the time was Mr. Faisal Ahmed--I'm at 
liberty to disclose his name--was Mr. Faisal Ahmed the 
Assistant Director for the Office of Law Enforcement and 
Security heading the Technology Division?
    Ms. Kendall. I believe that was his title.
    Mrs. Lummis. Okay. Please continue.
    Ms. Kendall. We did determine that there were two falsified 
transcripts on the computer that we seized and that those 
transcripts had been--the individual had requested that the 
transcripts be included into his official personnel file. Also 
understand, and this may or may not be in the report that you 
received, I have since received some information that they may 
have been submitted for an SES candidate development program. 
But I understand that the individual was not an SES member as 
the report may have suggested.
    Mrs. Lummis. Now, we have reason to believe that Mr. Faisal 
Ahmed is currently employed at the Census Bureau. Do you know 
if this is true?
    Ms. Kendall. We were not able to confirm that before the 
hearing this afternoon.
    Mrs. Lummis. Have you ever been contacted or have you ever 
contacted the Census Bureau or Department of Commerce about Mr. 
Faisal Ahmed?
    Ms. Kendall. We were contacted by an Office of Personnel 
Management investigator investigating the background of this 
individual and provided that investigator with the information 
that we had available in our files.
    Mrs. Lummis. Now, it's my understanding from the report on 
investigation on the Faisal Ahmed case that your office 
presented this case to the Department of Justice, but they 
declined to prosecute. Do you know anything about why they 
declined?
    Ms. Kendall. We rarely get reasons behind declinations for 
prosecution, and I'm not aware of a reason behind this one.
    Mrs. Lummis. Did anyone from your office have any 
discussions with DOJ about this case?
    Ms. Kendall. We typically either forward our report of 
investigation and oftentimes have some discussion with the 
prosecutors. I could not tell you specifically if we did in 
this case.
    Mrs. Lummis. I'm concerned that there may be an individual 
who was in a high-level position, comparatively, it's high 
ranking Senior Executive Services position, he had worked, as I 
understand, at DOI since late 2007, and that he held a security 
clearance. And so I'm a little concerned--well, I'm more than a 
little concerned--that he had access to law enforcement 
sensitive materials and other secure information, that he had 
falsified his background, and that now it appears that he is 
working for another Federal agency, the U.S. Census Bureau.
    So there is additional fallout from the issues that have 
been raised by the gentleman from Texas, Mr. Hurd, about this 
hearing.
    So as to these collateral matters also, I thank you kindly, 
Mr. Hurd, for holding this hearing. I yield back.
    Mr. Hurd. The gentlewoman yields back.
    I'd now like to recognize my distinguished colleague from 
Illinois and ranking member, Ms. Kelly, for 5 minutes.
    Ms. Kelly. Thank you, Mr. Chairman.
    Ms. Burns, the two data breaches OPM recently reported have 
been particularly concerning to us because of the national 
security risk involved. According to testimony you gave at a 
recent hearing on the OPM data breaches, the OPM personnel 
records that were compromised in one of those breaches were 
hosted in the data center maintained by the Department of 
Interior. Did the cyber attackers who gained access to those 
records also gain access to the Interior Department data 
center?
    Ms. Burns. So the adversary had access to our data center. 
It was exposed. There was no evidence based on the 
investigation that was led by DHS, US-CERT, and the FBI, there 
was no evidence that the adversary had compromised any other 
data aside from the OPM data.
    Ms. Kelly. Okay, so the same cyber intruder who breached 
OPM's personal data, which the Department of Interior hosted on 
its servers, also breached the defenses of the Interior 
Department data center?
    Ms. Burns. So this, the intrusion that you're referring to, 
was a sophisticated breach. And my understanding, based on DHS' 
assessment, was that the adversary exploited, compromised 
credentials on OPM's side to move laterally and gain access to 
the Department of Interior's data center through a trusted 
connection between the two organizations.
    Ms. Kelly. So the cyber intruder, did they gain access 
to DOI's data center through OPM or was it the other way 
around?
    Ms. Burns. The adversary gained access to DOI's 
infrastructure through OPM, as far as I understand, based on 
DHS's investigation.
    Ms. Kelly. Has there been any investigation to determine 
whether the Department's records were stolen once the attackers 
gained access to the data center?
    Ms. Burns. So I believe that that was part of DHS' 
comprehensive investigation. When we first learned from them of 
the intrusion, they came on board in April 2015, this year, and 
they actually were on the ground with other interagency 
partners at the site of the data center, collecting data and 
forensics for approximately 3 weeks. They took that data back.
    So the investigation was ongoing even as they were there. 
But they took the data back. And my understanding from the 
report that they issued to us was that there wasn't evidence of 
further compromise of DOI's data in that data center.
    Ms. Kelly. So there is no evidence that the Department's 
data was stolen.
    Ms. Burns. Correct, based on what DHS' report said. I would 
defer to them, though, if you wanted to get into more detail, 
because they did the detailed analysis, and they're really the 
ones who are the author and the source of the investigation and 
the findings. But that is my understanding based on reading the 
report.
    Ms. Kelly. In addition to hosting OPM's personnel records, 
the Department hosts data from other agencies in its data 
center. Is that correct? And, if so, which agencies?
    Ms. Burns. Yes. Actually, the Department is a--the data 
center in question, the biggest customer of the data center is 
actually Interior. So it's the Interior Business Center, what 
we call IBC. They're a shared service provider, and they are 
the majority user of the data center. And we also host some 
applications for the Office of the Secretary in the data 
center.
    Ms. Kelly. Okay. With the exception of the OPM's records, 
was data from any of the other agencies, those places you 
mentioned, compromised when hackers gained entry into the 
Department's data center?
    Ms. Burns. As I was saying before, based on my 
understanding of the report from DHS and their forensics, there 
was no evidence that any other data was exfiltrated from the 
data center.
    Ms. Kelly. From all that has happened and what you've gone 
through, what do you feel are some of the key lessons that the 
Department has learned?
    Ms. Burns. So many lessons learned. So, as you can imagine, 
when I as a CIO for the Department learned of the intrusion, it 
was horrifying to me. And since that time I've been--my team 
and I have actually been on a high alert, working probably 7 
days a week, long hours, to take our lessons learned and do a 
mitigation plan around it, a remediation plan that's 
comprehensive.
    So lessons learned include things that we were doing 
already. So, for example, the whole need for two-factor 
authentication, that's an important control that's needed. We 
were already working on it, so it was a performance goal that 
we had for the agency this year, and we had set those metrics 
for all of our bureaus and offices to achieve certain targets 
this year, and we were making slow progress to it.
    When the incident happened, it just created a different 
lens on looking at the need, and I think it made it crystal 
clear to everybody why it was so critical that we achieve two-
factor authentication for, first of all, our privileged users, 
but then also our unprivileged users.
    And that's why we were aggressive about moving to getting 
all of our privileged users using their PIV cards to 
authenticate to their system. And as I mentioned in my 
statement, we achieved that on June 26 as part of the Office of 
Management and Budget 30-day cyber sprint. So it just 
accelerated the work we had already started.
    In addition to that, I was proud to say that we achieved--
actually it was at least 75 percent of unprivileged users 
today.
    So people have been working around the clock in my office, 
but also in the bureaus and offices, because we shared our 
lessons learned with our other counterparts in our bureaus and 
offices, because we have to all own this problem, and it will 
take all of us to fix the problem, and everybody has been 
taking it seriously. So I'm very gratified by that.
    Ms. Kelly. Thank you for sharing.
    My time is up. I yield back.
    Mr. Hurd. The gentlewoman yields back.
    Now I would like to recognize my fellow Texan and 
colleague, Mr. Farenthold from Texas, for 5 minutes for 
questioning.
    Mr. Farenthold. Thank you, Mr. Chairman.
    We've heard testimony that there have been inspector 
general reports dating back to 2014. We've been talking about 
cybersecurity here in this committee since well before last 
year. It's been a pretty critical issue. There are actually 
some recommendations in the 2014 start of the--in the audit--
yet it looks like it really took this data breach to get you 
guys moving on it.
    Ms. Kendall or Ms. Burns, would you like to take just a 
second and talk about, as a result of 2014, how much was done 
and how much didn't get done out of the 2014 recommendations? 
Ms. Burns, I'll let you----
    Ms. Burns. So I wasn't CIO for the Department for the whole 
time, but as the report was written I assumed the 
responsibility of this role. We have been working hard, so for 
me, when I first became CIO, I made cybersecurity a priority. 
And part of that was because there were things that were 
happening even before, right before I became CIO.
    Mr. Farenthold. But, I mean, you got a huge breach that 
came in and millions of Federal employees' personal information 
got out. I mean, you can talk about making something a 
priority, but it apparently wasn't or we wouldn't have had a 
breach. Maybe it is impossible to completely stop a breach.
    Can we just get a little bit of background, just so 
everybody is clear on exactly what happened? The Department of 
Interior, were you hacked or was it an insider or was it a 
combination of both?
    Ms. Burns. So from my understanding of DHS' investigation, 
there was a compromise of an OPM privileged account. So there 
were credentialed, high level--high--a privileged user's 
credentials were compromised and went from OPM----
    Mr. Farenthold. Now, do we know if it was an insider job or 
somebody just got his information, a brute force attack, or 
some other way, or did he voluntarily share that with?
    Ms. Burns. I don't have that information, and I would defer 
to DHS, US-CERT, because----
    Mr. Farenthold. So how did you all first find out about the 
breach?
    Ms. Burns. We first found out about the breach because DHS 
contacted us in April and sat down with me and my CISO and told 
me that they saw suspicious activity on our network.
    Mr. Farenthold. So how confident are we that they're out 
and that there are no trojans or malware still somewhere in the 
system?
    Ms. Burns. So, according to DHS, there is no evidence 
anymore that there is malicious activity.
    Mr. Farenthold. I assume you stepped up the monitoring.
    Ms. Burns. Absolutely. Immediately.
    So that said, we don't take anything for granted. We're on 
high alert, because there is the possibility that another 
breach could happen. And in our discussions with DHS our 
remediation plan has to include our ability to quickly detect 
when something bad is happening so that we can shut it down 
quickly.
    Mr. Farenthold. Now, we have also got a July 2015 report 
that is saying there are potentially thousands of security 
risks that are still out there. I mean, is all the software up 
to date? Do you have the security software on all the 
computers? You're making people change their passwords? How 
confident are you that you've at least got the basics down?
    Ms. Burns. So within the Office of the Secretary, directly 
where the breach happened, some of the things we did is 
remediation, included things like password reset. If you're 
referring to the IG's report that referenced the 
vulnerabilities, as soon as we learned about them, I talked 
with the bureaus in question immediately about them. And as of 
before the report was actually issued, which I think is going 
to be soon, the bureaus corrected all the vulnerabilities that 
were identified in that report.
    And so as a follow-up to that, we would like the--I 
appreciate what the IG is talking about doing in terms of 
followon to ensure that they check to make sure the 
vulnerabilities are clearly corrected permanently.
    Vulnerabilities, though, it's a process. So it's not 
something that's a one-time hit. You have to continually do it. 
It's a process that you have to manage. You have to continually 
scan, look at what weaknesses exist, categorize the weaknesses 
so you know what's critical and high, and deploy your resources 
to the most critical weaknesses that you have that can have the 
broadest impact on the organization.
    Mr. Farenthold. All right, so we're videotaping this and 
it's being broadcast on C-SPAN 8, the Ocho, or somewhere. The 
video is out there. If you could talk to your fellow CIOs at 
other government agencies and give them some piece of advice so 
this doesn't happen to them, what would be the top two or three 
things you would tell them? I'll let you answer that and yield 
back when you're complete.
    Ms. Burns. Okay. First of all, I think that to get this 
problem fixed that we have in the whole Federal Government it 
takes strong leadership and drive, but it also takes everybody 
to help with this. Because cybersecurity isn't isolated to IT. 
Cybersecurity is a responsibility of everybody. Nobody can 
abdicate their responsibilities there or else we put ourselves 
at risk. So that's one thing.
    Another thing that I would say is that the FISMA metrics 
are right, but they are not the only thing that we need to be 
doing. They're one lens of what we have to be doing, but there 
is much more.
    And I think we have to act in the real world. So it can't 
be this paper-based exercise that we go through in checking 
boxes. We actually have to do things like what the IG did, 
which is get people to actually--it's kind of the red team, 
blue team type concept--of getting professionals to actually 
try to attack us, but in a safe environment, so that we can 
actually understand what the weaknesses are and put them on a 
list and do something about them quickly.
    That would be my advice to my fellow CIOs.
    Mr. Farenthold. Thank you very much. And I'll yield back.
    Mr. Hurd. Thank you, Mr. Farenthold.
    Now I'd like to recognize Mr. Cartwright from Pennsylvania 
for 5 minutes.
    Mr. Cartwright. Thank you, Chairman Hurd.
    And welcome to all of our witnesses to our subcommittee.
    Ms. Burns, I'm going to ask you some questions. Now, I want 
you to understand, when I ask you a question, if you don't know 
the answer, it's all right to say, ``I don't know,'' because 
accuracy is the most important thing we're after here.
    And I share Mr. Farenthold's sentiment that a record is 
being made today, and I want you to feel free to go back and 
look at these questions, and if you have more information, 
provide the information to the subcommittee subsequent to this 
hearing. Will you do that?
    Ms. Burns. Yes.
    Mr. Cartwright. Ms. Burns, in your testimony from the June 
16 hearing regarding the OPM breach, you indicated that the 
Department of the Interior houses data for the OPM in the 
Interior Department's data center. Am I correct in that?
    Ms. Burns. Yes.
    Mr. Cartwright. When did the Interior Department first 
begin hosting data for OPM?
    Ms. Burns. From my understanding in talking with my staff, 
OPM started to become--first became a customer of the 
Department in 2005.
    Mr. Cartwright. Okay. Is this under some kind of agreement?
    Ms. Burns. There is a memorandum of understanding between 
the two organizations.
    Mr. Cartwright. Would you send us a copy of that, please?
    Ms. Burns. We can, yes.
    Mr. Cartwright. Now under that agreement, what is the 
Department of the Interior's role in providing cybersecurity 
for the data that it hosts?
    Ms. Burns. So the Department's role--the Department offers 
OPM our IT infrastructure, so its hosting services, that's what 
they're consuming from us as a customer. Our responsibilities 
in terms of security go around securing the IT infrastructure. 
So that means we provide the data center, which has facilities 
base, right, the physical security. It has the power and 
cooling, hardware, the servers, operating system, potentially 
even the database, and also support services to help OPM just 
maintain the actual infrastructure in terms of, like, system 
administrators, database administrators, that kind of thing.
    Mr. Cartwright. I don't mean to interrupt you, but the 
question is, under the agreement by which the Department of the 
Interior hosts OPM on its computers, how is cybersecurity 
treated under that agreement?
    Ms. Burns. So the Department of the Interior, we provide 
the infrastructure. We are responsible for securing the 
infrastructure. That includes the network connection between us 
and OPM.
    Mr. Cartwright. Okay.
    Ms. Burns. And we encrypt our connection between OPM and 
us.
    Mr. Cartwright. How about money? Does the Department of the 
Interior receive any revenue from OPM for hosting their records 
on your data center?
    Ms. Burns. Yes, OPM is a customer and we provide our 
services as a full cost recovery system.
    Mr. Cartwright. Good. How much do you get?
    Ms. Burns. I have to get back to you on that. I'm not sure.
    Mr. Cartwright. Thank you.
    Now, in the June 16 hearing you also testified, quote: 
``DOI also performs shared services for other agencies,'' 
unquote. Is that correct?
    Ms. Burns. Yes.
    Mr. Cartwright. Okay. Can you help us understand why the 
Department is performing data hosting services for other 
agencies as well?
    Ms. Burns. Yes. So shared services is a concept of creating 
more robust centralized points of service around specific 
activities. IT is one of them, but there are others. And it's 
because you can gain economies of scale. So it's less expensive 
and more efficient to a customer to consume the service from a 
provider like that at a better rate. And also, because we can 
aggregate capabilities in that area of expertise, in this case 
IT----
    Mr. Cartwright. So the other agencies could store their own 
data, but it's a cost savings if it's all in Interior, is that 
it?
    Ms. Burns. It could be for them. They'd have to look at the 
business case for that.
    Mr. Cartwright. How many other agencies does the Interior 
Department do this for?
    Ms. Burns. So the primary customer that Interior--what we 
have in the data center is really the Interior Business Center, 
so it's an internal customer.
    Mr. Cartwright. I'm looking for a number. How many agencies 
does Interior do this for?
    Ms. Burns. Can I get back to you on that?
    Mr. Cartwright. Please, please.
    Mr. Cartwright. How long has the Department been hosting 
data for other agencies?
    Ms. Burns. I don't know the answer to that question.
    Mr. Cartwright. Okay. You'll get back to us?
    Ms. Burns. Yes.
    Mr. Cartwright. Okay.
    Now, does the Department provide this hosting function 
under a similar arrangement, similar to the agreement with OPM?
    Ms. Burns. Yes.
    Mr. Cartwright. So you'll have separate agreements for each 
of the other agencies?
    Ms. Burns. Yes.
    Mr. Cartwright. Can you get us copies of those as well, 
please?
    Ms. Burns. We can follow up on that, yes.
    Mr. Cartwright. Thank you.
    And I yield back, Mr. Chairman.
    Mr. Hurd. Thank you. The gentleman yields back.
    Now I'd like to recognize Mr. Russell from Oklahoma for 5 
minutes.
    Mr. Russell. Thank you, Mr. Chairman.
    Ms. Burns, the IG found that a remote hacker could exploit 
vulnerabilities in public accessible computers to attack 
internal or nonpublic Department of Interior computer networks. 
Why weren't the two systems segmented from each other?
    Ms. Burns. So several years ago--actually, if you would 
indulge me, I need to go back a little bit in history for the 
Department of the Interior.
    In 2001 there was, if you're familiar with the Cobell 
lawsuit, the Cobell litigation. It was a situation regarding 
Indian trusts. And as a result of it, there was a breach that 
caused a decision to disconnect several--it started with 
disconnecting the Department from the Internet, and it 
ultimately resulted in about, like, five other bureaus and 
offices within DOI being disconnected from the Internet 
for about 6-1/2 years.
    And in this environment, because of just the fear of being 
disconnected, all the bureaus and offices in the Department 
basically created sort of the modes and protections around 
themselves organizationally from an IT perspective. And in 
essence, you couldn't really work together easily in that 
environment because they were trying to protect themselves from 
being associated with trust data.
    In 2008, the Department reconnected those organizations 
back to the Internet, and what it came to find was that the 
organizations within the Department of Interior had difficulty 
just doing basic day-to-day work together because of these 
security controls that were put all around their IT 
infrastructure. And that initiated an effort to optimize our 
network. And actually this was not during my tenure, so I'm 
speaking in the past.
    Mr. Russell. And if I can, on that, so we optimized it, but 
we also optimized it for hackers.
    And I guess, Mr. Mazer, you were the CIO for 4 years before 
Ms. Burns took over. So what efforts, if any, did you undertake 
to address these issues when you were in charge?
    Mr. Mazer. Thank you for the opportunity to respond.
    Mr. Russell. Can you move the microphone closer to you?
    Mr. Mazer. As Ms. Burns noted, the bureaus are very 
segmented, they are very fractionated. Before my arrival we 
embarked upon an effort to say it would be great to have one 
Department of Interior network providing telecommunications 
services on behalf of everyone. That started about 10 years 
ago. There's still ongoing activities that are underway.
    But something that emerged out of that was protection on 
what we call the perimeters. And the perimeters on the network 
were for--it was the bureaus are making the determination that 
they would provide protection on the perimeters. At the TICs, 
the Trusted Internet Connections, is the Department provides 
protection on incoming and outgoing traffic, but one of the 
results of the report showed that it is--if people set up Web 
site servers inside our environment they are liable for 
exploitation into Interior network operations.
    And so, I always counseled, whenever we had an incident--
and we had incidents, whether it's malware or APT, advanced 
persistent threats--was when our team became aware of it we 
would work with that Bureau and all that to remove the 
particular affected server from there.
    I also encourage people that were hosting Web sites: 
Please, for gosh sakes, get off of the environment, put 
yourself into a separate enclave. So one of the efforts that 
occurred during my tenure is the Department embarked upon a 
cloud solution for public Web sites. So the DOI.gov quite a few 
of the Web sites that we are seeing, they are all migrating to 
a public--a government cloud service provider that has a 
FedRAMP moderate categorization on those activities.
    Mr. Russell. And I guess we see--Intel 101 says 
compartmentalization is good, because it creates barriers. It 
also creates efficiency problems, we acknowledge that. So my 
question for Ms. Kendall or Mr. Gilkeson, as I yield back my 
time at the conclusion, is how do we balance the optimization 
with the security and what would you recommend for the fix?
    Ms. Kendall. I think Mr. Mazer identified the cloud as 
being one of the fixes. We had several recommendations, six, I 
believe, total in this report, but the cloud was one of them. 
The other was to remove these outward-facing computer systems 
from being connected to the inside of Interior's systems so you 
could provide information to the public, to the outside without 
access or connectivity and compromise to the internal.
    Mr. Russell. Thank you. I yield back my time, Mr. Chairman.
    Mr. Hurd. Thank you, sir.
    I'd now like to recognize Ms. Lawrence from Michigan for 5 
minutes.
    Mrs. Lawrence. Thank you, Mr. Chair.
    Ms. Burns, what is the Department's plan and time line for 
implementing the IG's recommendations?
    Ms. Burns. So we're doing some things immediately. I have 
already--as soon as I saw the draft report and what findings 
and recommendations were, I started to talk with all of our 
bureau IT leaders about things that we needed to do. So we are 
engaged in conversations with our bureaus and offices right now 
about things that we want them to do right away to mitigate the 
situation that was identified in the IG's report.
    That's a short-term action, because of the real issues, 
right, and the threats, the vulnerability, the weakness it 
presents to the Department. There is longer-term things that we 
need to do, and some of those longer-term things go to things 
like network segmentation.
    A form of network segmentation, as in the previous 
question, is creating what they call DMZs, what they call an--
it's a demilitarized zone, it's basically a safe place, right, 
to put externally facing systems and configure them in a 
certain way where they are secure and they don't do what was 
described in the IG's report.
    So some of the immediate actions that we have, we can tell 
everybody, give them guidance on what they need to do right 
now. Longer term, I believe we need to move to a consolidated 
enterprise-wide DMZ for publicly facing systems, and as the 
IG's office was also saying, embracing the cloud more for our 
systems.
    Mrs. Lawrence. Do you, sitting here today before this body 
in this hearing, do you see any obstacles that would stop you 
from addressing these concerns or would cause you a challenge 
that we need to know about?
    Ms. Burns. Right now I think we're--I feel very fortunate 
in that we have the full cooperation of the organization at 
every level. If there's one big impediment, it would be that, 
it would be resistance, I'm happy to say right now, and I think 
it's because of just the stark reality of the threats and it 
hit home for DOI, that everybody is cooperating and doing the 
right thing and they want to do the right thing. So leading 
that effort I think will be easier because we have the full 
cooperation at all levels.
    Mrs. Lawrence. The first recommendation for the CIO is to 
require and enforce the secure development and management of 
all publicly available IT systems.
    Mr. Burns, what are you doing to require and enforce 
information security improvements across the various bureaus of 
the Department? I'm sorry, Mrs. Burns.
    Ms. Burns. Thank you. Thank you.
    So actually I have to thank you all for passing FITARA, 
because I think FITARA is pivotal legislation that helps us to 
drive the consolidation and centralization of the things that 
we're talking about today.
    I think some of the--one of the biggest challenges that the 
Department has is the fact that you have all the different 
separate operating environments for IT. That has to come under 
kind of a single presence of mind, if you will, under the CIO.
    And so there are challenges in the bureaus and offices even 
with programs who are in far-flung places in the country who 
are doing whatever they're doing because it's the best way they 
know to do their job, but they're not getting any direction, 
central direction from their bureau and from the Department.
    I think that FITARA positions us to fix that problem, and 
the Department is very committed to following through and 
taking advantage of all the provisions of FITARA.
    Mrs. Lawrence. Mr. Mazer, you're the former Interior CIO. 
Do you agree that there are challenges to dealing with multiple 
bureaus? And do you feel that we are on target to meeting the 
requirement to enforce security improvements?
    Mr. Mazer. I used to work in intelligence, so it's always 
trust, but verify within the IG. We looked at, when we did this 
one particular job or activity on the Web inspection, that was 
just one area of vulnerability in the broad surface of what 
could confront the Department.
    Web sites are very easy to do hacks on, they are very easy 
to do activities on. We do want to do examinations on how well 
the credentials, are people using two-factor authentication, 
are they having too many--are there too many elevated 
privileges for users on applications.
    We're looking at activities like we're all in a mobile 
world, what does everyone have when they're taking things away 
with them? We're looking at assuring that there is mobile 
device management put in place on any particular devices that 
our people are looking at.
    We are also looking at interconnection agreements in terms 
of what will we have with different agencies if we are acting 
as a shared services type of providers. And in some of those 
interconnection agreements and all, if they have those, we want 
to assure that they are coming underneath a Trusted Internet 
Connection, those TICs that provide that perimeter protection 
from the outside world.
    Some of the agencies might be doing direct circuits, they 
might be encrypted, they might not be. Some agencies are using 
a thing that is called MTIPS, which is outside of an agency's 
way of monitoring Internet traffic.
    So it remains to be seen. We are very gratified and pleased 
by the progress of the Department in responding to the Web 
inspection activity. When the Department in the past would do 
these things, during Ms. Burns' tenure or mine, the ability to 
do scans on those network perimeters was very limited. We might 
only use just one particular scanning tool or another scanning 
tool that might come up with a couple of hundred 
vulnerabilities. If you had an organized advanced persistent 
adversary that used a variety of tools, it really illuminated 
to the Department and all that the steps that need to be taken.
    Mrs. Lawrence. Thank you.
    I yield back.
    Mr. Hurd. Mr. Blum, you're recognized for 5 minutes.
    Mr. Blum. Thank you, Chairman Hurd.
    And I'd like to thank the panel for being here today and 
giving us your insights on these most critical issues.
    Ms. Burns, I believe 20 of the 29 IG recommendations made 
in fiscal year 2013 in the audit remain open. Many of these 
are basic cybersecurity recommendations, as you're well aware, 
such as implementing third-party vendor security patches, 
maintaining an up-to-date information systems inventory, and 
utilizing approved and authorized solutions for remote access.
    When do you expect to address these recommendations?
    Ms. Burns. So those are on a rolling list that my team 
keeps and we monitor very closely with specific targets. I'd 
have to go back and look specifically to see what our plans 
are, what we had as the date for doing that.
    But I would say that with all the events of the 
past few months there's heightened attention to all things 
related to cybersecurity. We were already working on, for 
instance, clauses to contracts that would include security 
provisions. And so those things were already underway.
    Mr. Blum. Do you plan on implementing all of them?
    Ms. Burns. We would like to implement the things that--I 
think if we agree with them, we want to implement them.
    Mr. Blum. Did many of these stem from before your tenure as 
CIO?
    Ms. Burns. Yes, sir.
    Mr. Blum. So that would be Mr. Mazer then, is that correct?
    Mr. Mazer. That would be correct.
    Mr. Blum. What did you do, Mr. Mazer, in your tenure to 
address these? Twenty of the 29 remain open today. What did you 
do to address these during your tenure?
    Mr. Mazer. What we would do with, regardless of any 
weaknesses or we'd call them program objectives and milestones, 
is we literally receive thousands of weaknesses.
    What I did during my time, and it appears that it is 
continuing, is we set up a particular organization, sub-
organization within the OCIO that monitored all audit and GAO 
and weakness findings. And then we pressed upon the bureaus or 
the office that was responsible for them on completion dates. 
And then there was a continuous follow-up on whether or not 
they are finishing those recommendations to be completed.
    Some recommendations can't be finished within 2 months, 4 
months. Some might take a particular year because it might have 
to take a clause and a contract change.
    Mr. Blum. Twenty of 29 seems to be a big number to me, and 
they're still open today.
    Mr. Mazer. If you look at open findings or open audit 
actions in all that, there is literally--there might be several 
hundred of those. There are normal things that are either a 
weakness in all that, that need to be corrected, and then they 
will be corrected. The bureaus have always been or the office 
who is responsible for that are always pressed to get updates, 
they are requested for updates as to when those things are 
going to be done.
    Mr. Blum. The IG felt these were important enough to put 
them on a list. And it seems like the list, it never makes it 
to the top of the list. And it sounds like it hasn't for years. 
That concerns me. Does it concern you, Mr. Mazer?
    Mr. Mazer. It very much concerns me. When we looked at 
things like--we call the term POAMs, forgive the abbreviation--
there are literally thousands of them. One of the things that 
we were looking at and it is still continuing under Ms. Burns' 
tenure is how many of these things are older than 6 months and 
then what were the steps in all that, that needed to be to 
complete those.
    Mr. Blum. Were you eligible to receive a bonus over the 
last 3 years as CIO?
    Mr. Mazer. Yes, sir.
    Mr. Blum. Did you receive a bonus in 2011?
    Mr. Mazer. Yes, I did.
    Mr. Blum. Did you receive a bonus in 2012?
    Mr. Mazer. Yes, I did.
    Mr. Blum. Did you receive a bonus in 2013?
    Mr. Mazer. Yes.
    Mr. Blum. Ms. Burns, did you receive a bonus in 2014?
    Ms. Burns. Yes.
    Mr. Blum. I have a minute left. My last question, Ms. 
Burns, if there were another hack of the agency's servers in 
the Department of Interior today, what could the hackers do? 
What kind of damage could be done? Could they access other 
areas of the Department of Interior servers? Could they access 
other agencies' information if it happened today?
    Ms. Burns. There are risks to the Department. And so it is 
important for us, for me to be attentive to what's going on and 
make sure that we do whatever is necessary to immediately--and 
I'm not talking about waiting years, I'm talking about looking 
at what could really happen to us and damage us and act 
quickly. And that's something that I have been doing. I was 
doing it during my tenure. But I think it is with sharpened 
focus since over the past few months.
    Mr. Blum. Are we still vulnerable? Is that a yes? Are we 
still vulnerable? Can they still do serious damage today?
    Ms. Burns. I think that all agencies are vulnerable.
    Mr. Blum. Thank you for your candor.
    And with that, I yield back my time, Mr. Chairman.
    Mr. Hurd. Thank you, Mr. Blum.
    Votes are going to be called soon, and I think we can get 
through the questioning before then. I would like to turn it 
over to Mr. Lieu for 5 minutes.
    Mr. Lieu. Thank you, Chairman Hurd.
    Ms. Burns, at the Department of Interior's data center, you 
don't house the CIA's list of covert spies at that data center, 
correct?
    Ms. Burns. Correct.
    Mr. Lieu. And you don't house our Nation's classified 
nuclear launch codes at that data center, correct?
    Ms. Burns. Correct.
    Mr. Lieu. In fact, you didn't house OPM's security 
clearance database either at that data center, right?
    Ms. Burns. Correct.
    Mr. Lieu. And that's because you're not a national security 
or intelligence agency, correct?
    Ms. Burns. That's correct.
    Mr. Lieu. So I am going to read you the mission statement 
of your Department, which is: ``The Department of the Interior 
protects and manages the Nation's natural resources and cultural 
heritage; provides scientific and other information about those 
resources; and honors its trust responsibilities or special 
commitments to American Indians, Alaska Natives, and affiliated 
island communities.''
    And with the indulgence of the chair, I would like to put 
this into the record.
    Mr. Hurd. So moved.
    Mr. Lieu. Mr. Chair, I would also like to enter into the 
record the mission statement of OPM, which is the following: 
``Through our initiatives, programs, and materials, we seek to 
recruit and hire the best talent; to train and motivate 
employees to achieve their greatest potential; and to 
constantly promote an inclusive workforce defined by diverse 
perspectives. OPM provides human resources, leadership, and 
support to Federal agencies and helps the Federal workforce 
achieve their aspirations as they serve the American people.''
    Mr. Lieu. OPM is not a national security or intelligence 
agency either, isn't that correct?
    Ms. Burns. It doesn't seem so.
    Mr. Lieu. Right. So I just want to make a point that for 
the same reasons we don't house our crown jewels of American 
intelligence at Department of Interior, there is no way we 
should be housing it in a human resources agency.
    Now, I would like to move on to the actual database that 
was breached at your data center, which was the 4.2 million 
personnel records that were not the security clearance records. 
OPM testified in one of the earlier hearings that they didn't 
encrypt their information because it was in COBOL language and 
they said they couldn't do that. But that's not true, right? 
COBOL can, in fact, be encrypted. There is nothing that says 
you cannot encrypt something written in COBOL, isn't that 
correct?
    Ms. Burns. I am not an expert in COBOL, so I can't answer 
that question.
    Mr. Lieu. If you could get information back to us on that, 
that would be terrific.
    Ms. Burns. Yes.
    Mr. Lieu. And then let me ask you, when they breached the 
systems through OPM into your data center, you said that no 
other information was compromised. Is that because the hackers 
found other information uninteresting? In other words, they 
could have gone to all these other databases and they chose not 
to? Or did you actually have protections there that prevented 
them from going to other databases that you were housing and 
storing?
    Ms. Burns. So I can't speculate about the motives of the 
attacker. What I know from the assessment that DHS performed, 
and they are the best source to talk about the specifics of the 
forensics that happened, there was no evidence of compromise of 
other data aside from OPM.
    Mr. Lieu. Let me ask this another way. If someone is in 
your data center in one database, can they look at your other 
databases of other agencies or of your own Secretary's 
information?
    Ms. Burns. So I would want to confirm this with my team, 
but I believe the answer to that is no. We use access controls 
and other methods to protect the data, other data in the data 
center that is different, aside from the OPM data.
    Mr. Lieu. Is that no now or no at the time or both?
    Ms. Burns. I'm sorry, could you repeat it? I didn't hear.
    Mr. Lieu. If it's no, was that also the case when this 
breach happened?
    Ms. Burns. Yes.
    Mr. Lieu. Or was it fixed later?
    Ms. Burns. No. It was always that way.
    Mr. Lieu. Okay. Thank you.
    And then let me conclude by commending you. You said 
something that I found important. You said: We own this 
problem. So I appreciate that you said that. It shows that you 
understand that it is not the responsibility of foreign enemies 
or hackers to protect our systems, it is our responsibility; 
that you understand the gravity of this issue; and that your 
view is we are going to try to prevent breaches, and that you 
are not going to measure your success by happening to find a 
breach 4 months later or a year later, that you are going to 
try to prevent these breaches in the first place.
    So I appreciate that and look forward to working with you.
    Ms. Burns. Thank you, sir.
    Mr. Lieu. I yield back.
    Mr. Hurd. The gentleman yields back.
    Mr. Palmer from Alabama for 5 minutes.
    Mr. Palmer. Thank you, Mr. Chairman. And I would like to 
thank the witnesses for coming.
    Ms. Burns, I think it's been established that there were 
known vulnerabilities and that the Department of Interior had 
suffered actual attacks that exploited some of these 
vulnerabilities prior to your team coming in, is that correct?
    Ms. Burns. I'm sorry, I can't hear you. Can you repeat the 
question? Sorry.
    Mr. Palmer. Okay. What I was saying is, is that there were 
known vulnerabilities and that the Department of Interior had 
suffered actual attacks that exploited these vulnerabilities 
prior to your coming on, is that correct?
    Ms. Burns. I believe that is correct.
    Mr. Palmer. So you knew that there were vulnerabilities. 
And you are also aware, I would assume, that the Sakula 
malware, which has been tied to the OPM attack, had been also 
tied to the Anthem cyber attack. Were you aware of that?
    Ms. Burns. I participated in briefings with DHS and OPM.
    Mr. Palmer. Did it not occur to you that you needed to 
evaluate the vulnerabilities at DOI for a potential cyber 
attack from what we knew in terms of the malware that was used 
in the Anthem attack?
    Ms. Burns. So I think I need to clarify that from my 
understanding of the incident that involved OPM----
    Mr. Palmer. I'm talking about going back. You knew there 
were vulnerabilities, you knew that there had been prior 
attacks. We also knew that the Sakula malware had been used in 
the Anthem attack. Did no one, did it not occur to anyone that 
such an attack on the scale of the Anthem attack could 
occur at DOI?
    Ms. Burns. So I think that we have to be, as I said, on 
alert about the dangers that are out there in terms of 
cybersecurity.
    Mr. Palmer. No, ma'am. That's a yes or a no. You either did 
the due diligence or you didn't.
    Ms. Burns. Could I, if I could, with greatest respect, just 
clarify that the breach from OPM into DOI did not happen 
because of a vulnerability in DOI's data center. It happened 
because of compromised credentials of a privileged user on 
OPM's side that then moved into DOI's environment. So it was 
not because of a vulnerability.
    Mr. Palmer. Well, all right. Thanks for making that 
clarification.
    Mr. Mazer, you were the Chief Information Officer for 4 
years before Ms. Burns took over. What efforts, if any, did you 
undertake to address these issues when you were in charge?
    Mr. Mazer. When I assumed the role of the CIO at the 
Department of the Interior, the Department of Interior was 
basically predicated, the CIO's office was a policy shop. The 
CIO's office would promulgate policy to the respective bureaus 
and offices to assure that they were taking care of things like 
security, capital planning, enterprise architecture, systems 
life cycle development.
    I embarked upon--for 6 months we worked on a draft, it 
became known as the 3309 Secretarial Order, which says we need 
to consolidate Clinger-Cohen functions, like capital planning, 
enterprise architecture, and security underneath one CIO. And 
then we also stated that we need to move common infrastructure 
that everyone uses underneath one particular entity. We worked 
on a strategic plan. Arising out of the strategic plan, we 
settled on things that we called service towers.
    Mr. Palmer. I've only got a minute left.
    Mr. Mazer. Yes, sir. I'm sorry.
    Mr. Palmer. I appreciate the detail of the answer. And if 
you'd like to put the balance of that in writing and provide it 
to the committee, you're welcome to do so.
    Mr. Mazer. I'd be more than delighted. Okay.
    Mr. Palmer. I'd also like to know, was the database that 
the Interior hosted, including the OPM, encrypted?
    Ms. Burns.
    Ms. Burns. I'm probably not the right person to ask about 
that because OPM is the owner of the data. And I, in sitting in 
the testimony with the previous OPM Director, I just heard her 
testimony that she said the data was not encrypted. So I get my 
information from that. I would have to check with my technical 
team.
    Mr. Palmer. Do you have any idea how many serious breaches 
DOI has suffered in 2014?
    Ms. Burns. I'm sorry, could you repeat that?
    Mr. Palmer. So far for this year, how many breaches have 
you suffered? Do you have any idea?
    Ms. Burns. In 2015?
    Mr. Palmer. In 2014-2015.
    Ms. Burns. So that--I can't answer that. We have a 
distributed IT environment, as I said, and there is a--it was 
cited in the IG's report that there was a--reports of 
incidents, I think they referred to some incidents in the 
report, that were reported by the bureaus and offices that my 
office doesn't necessarily have visibility into. So we have to 
do research into them. In order to answer your question, I 
would have to go back and look further at that.
    Mr. Palmer. Would you be willing to let the committee know 
that?
    Ms. Burns. Yes.
    Mr. Palmer. Thank you.
    I yield, Mr. Chairman.
    Mr. Hurd. Thank you, sir.
    I'd like to yield myself 5 minutes.
    I just want to be clear, Ms. Burns, because you make a good 
point and I want to make sure everyone recognizes that. The bad 
guys got access to a credential that was OPM and they used that 
credential to gain access to the data housed at the Department 
of Interior. So that they used those credentials that had 
natural access to the information that was breached, is that 
correct?
    Ms. Burns. That's correct.
    Mr. Hurd. So they didn't take advantage of any 
vulnerability other than getting access to that user name and 
password.
    Ms. Burns. That's my understanding, sir.
    Mr. Hurd. Thank you.
    This recent vulnerability assessment that the inspector 
general did, who called for that?
    Ms. Kendall. We initiated it ourselves, sir.
    Mr. Hurd. Okay.
    And, Ms. Burns, how much of the IT budget for Department of 
Interior do you control? First question, what's the IT budget 
roughly for all of DOI?
    Ms. Burns. So the IT budget overall, we report 
approximately a billion dollars a year.
    Mr. Hurd. So of that billion dollars, how much do you, as 
the CIO of the Department, have access to?
    Ms. Burns. I would say it's----
    Mr. Hurd. Roughly.
    Ms. Burns. It's approximately less than $200 million.
    Mr. Hurd. So you are the CIO of the entire Department and 
you have access to less than $200 million. Isn't that a 
problem?
    Ms. Burns. I think that the provisions that you gave us in 
terms of authorities to CIOs in FITARA, whereby I have to 
approve IT spending, helps. Even though I don't have the money, 
all the funds for the IT portfolio in my direct budget, it 
gives me significant influence.
    Mr. Hurd. You have a little bit more control, is what you 
are saying.
    Ms. Burns. Yes.
    Mr. Hurd. Now, let's focus on the assessment that was done. 
The draft report that we have access to said that nearly 3,000 
critical and high-risk vulnerabilities in publicly accessible 
computers operated by three DOI bureaus were found, is that 
correct?
    Ms. Burns. Yes.
    Mr. Hurd. Have all those been remediated?
    Ms. Burns. From my understanding, yes.
    Mr. Hurd. But I also have information that indicates--and, 
Ms. Kendall, you may be able to confirm this--that the 
Department of Interior's total number of publicly accessible 
computers is unknown because the Department doesn't perform 
discovery scans of their publicly accessible information, is 
that correct?
    Ms. Kendall. I believe that's correct based on what we 
conducted in terms of----
    Mr. Hurd. So that number could be significantly higher than 
3,000?
    Ms. Kendall. It could be.
    Mr. Hurd. And there could be----
    Ms. Kendall. No, I'm sorry, I believe the 3,000--and I'll 
ask this--was the vulnerabilities.
    Mr. Hurd. The total vulnerabilities?
    Ms. Kendall. Yes.
    Mr. Hurd. Okay. So the number of publicly accessible Web 
sites that have these vulnerabilities is higher than what it is 
because we don't know the total summation of those?
    Ms. Kendall. It could potentially be, yes.
    Mr. Hurd. So I would have liked--and, again, if this is 
publicly accessible information, those three bureaus that's 
doing it, that is not classified information because the bad 
guys can figure that out. That's just a point for me. Because I 
would have liked those three CIOs to be here, because they 
probably have a budget probably larger or in line with yours, 
is that correct, Ms. Burns?
    Ms. Burns. I can't tell you. I don't have that information 
with me right now.
    Mr. Hurd. So the remediation of those three bureaus, was 
that overseen by your office or was that overseen by CIOs from 
these various bureaus?
    Ms. Burns. The remediations ultimately would have been 
overseen by--so we don't call them CIOs, we changed that when 
that secretarial order was issued. We call them Assistant 
Directors for Information Resources. And they--so they head IT 
in the bureaus. But I would tell you that IT in the bureaus is 
not centralized under them. So while they would oversee the 
mitigation of the vulnerabilities that you're talking about, 
those vulnerabilities could have resided at a lower program 
level that was outside of the chain of command of the bureau.
    Mr. Hurd. Mr. Gilkeson, maybe you're the right one. Isn't 
that pretty outrageous for designing management control of an 
IT system?
    Mr. Gilkeson. It's certainly not optimal, Mr. Chairman, I 
would say.
    Mr. Hurd. I'll take that.
    Mr. Gilkeson. It's a very--it's a highly decentralized 
organization. I think that's kind of coming through.
    Mr. Hurd. Is there a move afoot, Ms. Burns, to centralize 
some of this information?
    Ms. Burns. Yes, there is, sir. Under FITARA and our 
implementation plan for FITARA, there are plans to bring that 
more under a centralized management.
    Mr. Hurd. And I would like, without objection, to submit 
the Department of Interior's response to the IG report to the 
record.
    Mr. Hurd. And in this report, they talk about--you all talk 
about how long it's going to take to fix all the problems that 
the IG report identified. When do you think all those are going 
to be done?
    Ms. Burns. Some of it is dependent on resources because I 
have limited staff to be able to do stuff. I think that at the 
same time it's my obligation to be prudent about how we use the 
money that we have, and that includes leveraging the bureaus 
and offices as much as possible to be able to fulfill the fixes 
that go along with the recommendations.
    So, as I said, we do the best we can with the resources 
that we get. There are some immediate things that we can do to 
protect us against the immediate threat. And, as I mentioned, 
I'm already talking with the bureaus and offices about those 
things so we can take immediate action.
    Mr. Hurd. Great.
    Ms. Burns. The longer term things do have cost.
    Mr. Hurd. And, Ms. Burns, I want to join my colleague from 
California in thanking you for taking responsibility for this. 
And you said something else in your opening remarks that I am 
going to have to go back to the record and write down: This is not 
just a paper-based exercise, you've got to roll up your sleeves 
and actually do something. And I appreciate that mentality. But 
I also want to make sure that--what were the people that you 
called, they're not CIOs of bureaus anymore, Assistant----
    Ms. Burns. We call them ADIRs.
    Mr. Hurd. Let your ADIRs know that they should be sitting 
alongside you as well. And I appreciate you being here to 
answer the questions for the folks that are all in the 
organization of DOI who have the responsibility for fixing some 
of these issues. And I recognize it is not necessarily all in 
your area of control as it should be.
    And so we want to make sure that we continue looking at 
things like FITARA and FISMA and how we can strengthen your 
control over these issues, because we are going to be holding 
you responsible. And if we are going to hold you responsible, 
you should have the tools to fix the network.
    So I want to appreciate everyone for coming out today. This 
is an important topic. I'd like to yield a minute to my 
colleague from Texas.
    Mr. Farenthold. Thank you. I realize we are in a hurry for 
votes. I was next door dealing with the excessive regulation in 
the EPA. But Jeff from my office says both Ms. Burns and Ms. 
Kendall spoke positively about moving more information and more 
of the IT to the cloud.
    And I just wanted to get both of you all to quickly tell me 
if there is anything that Congress can do to help enable that 
and move that along.
    Ms. Burns. From my perspective, I am appreciative for what 
you did with enacting FITARA and the new version of FISMA. I 
think they help us greatly. And before I would ask you to do 
anything more, I would say let us take the tools that you have 
given us and try to do the best we can to make them work in our 
organizations.
    Mr. Farenthold. Ms. Kendall, do you want to add anything?
    Ms. Kendall. I would only add that when we briefed staff on 
this report, one of the questions was what kind of financial 
resources need to come along to make these things happen. And 
the IG does not make those recommendations. But I would 
encourage the Department to provide that information to you as 
well because I think it is very much resource driven.
    Mr. Farenthold. Thank you all for being here. And thank you 
for your work.
    Mr. Hurd. Without objection, I would like to provide the--
put the IG report on Faisal Ahmed on the record. And without 
objection, so ordered.
    Mr. Hurd. And I'd like to thank our witnesses for taking the 
time today and appearing before us. This is an important issue 
and something that this subcommittee is going to continue to 
investigate.
    And, Ms. Burns, you know, this is--we are here to be 
supportive and make sure that you have all the tools you'll 
need to do your job.
    Thank you all. And the subcommittees stand adjourned.
    [Whereupon, at 4:01 p.m., the subcommittees were 
adjourned.]

                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]