<html>
<title> - NIST'S PHYSICAL SECURITY VULNERABILITIES: A GAO UNDERCOVER REVIEW</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


               NIST'S PHYSICAL SECURITY VULNERABILITIES:
                        A GAO UNDERCOVER REVIEW

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON OVERSIGHT &
                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            October 11, 2017

                               __________

                           Serial No. 115-31

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


       Available via the World Wide Web: http://science.house.gov

                              _________

                U.S. GOVERNMENT PUBLISHING OFFICE

 27-178 PDF                 WASHINGTON : 2018
____________________________________________________________________


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  ALAN GRAYSON, Florida
THOMAS MASSIE, Kentucky              AMI BERA, California
JIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas                MARC A. VEASEY, Texas
STEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas                   JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California
GARY PALMER, Alabama                 ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DARIN LaHOOD, Illinois               MARK TAKANO, California
DANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana                   CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
                                 ------

                       Subcommittee on Oversight

                   HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida                  DONALD S. BEYER, Jr., Virginia,
THOMAS MASSIE, Kentucky                  Ranking Member
GARY PALMER, Alabama                 JERRY MCNERNEY, California
ROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado
CLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                                 ------

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             ELIZABETH H. ESTY, Connecticut
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
DARIN LaHOOD, Illinois               SUZANNE BONAMICI, Oregon
RALPH LEE ABRAHAM, Louisiana         AMI BERA, California
DANIEL WEBSTER, Florida              DONALD S. BEYER, JR., Virginia
JIM BANKS, Indiana                   EDDIE BERNICE JOHNSON, Texas
ROGER W. MARSHALL, Kansas
LAMAR S. SMITH, Texas

                            C O N T E N T S

                            October 11, 2017

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Darin LaHood, Chairman, Subcommittee
  on Oversight, Committee on Science, Space, and Technology, U.S.
  House of Representatives.......................................     4
    Written Statement............................................     8

Statement by Representative Donald S. Beyer, Jr., Ranking Member,
  Subcommittee on Oversight, Committee on Science, Space, and
  Technology, U.S. House of Representatives......................    10
    Written Statement............................................    12

Statement by Representative Barbara Comstock, Chairwoman,
  Subcommittee on Research and Technology, Committee on Science,
  Space, and Technology, U.S. House of Representatives...........    14
    Written Statement............................................    16

Statement by Representative Daniel Lipinski, Ranking Member,
  Subcommittee on Research and Technology, Committee on Science,
  Space, and Technology, U.S. House of Representatives...........    18
    Written Statement............................................    19

Statement by Representative Lamar S. Smith, Chairman, Committee
  on Science, Space, and Technology, U.S. House of
  Representatives................................................    20
    Written Statement............................................    21

Statement by Representative Eddie Bernice Johnson, Ranking
  Member, Committee on Science, Space, and Technology, U.S. House
  of Representatives.............................................    23
    Written Statement............................................    24

                               Witnesses:

Ms. Lisa Casias, Deputy Assistant Secretary for Administration at
  U.S. Department of Commerce
    Oral Statement...............................................    25
    Written Statement (Joint statement with Dr. Kent Rochford)...    27

Dr. Kent Rochford, Acting Under Secretary of Commerce for
  Standards and Technology and Acting Director at National
  Institute of Standards and Technology
    Oral Statement...............................................    34
    Written Statement (Joint statement with Ms. Lisa Casias).....    27

Mr. Seto Bagdoyen, Director, Audit Services at U.S. Government
  Accountability Office
    Oral Statement...............................................    35
    Written Statement............................................    38

Discussion.......................................................    50

             Appendix I: Answers to Post-Hearing Questions

Ms. Lisa Casias, Deputy Assistant Secretary for Administration at
  U.S. Department of Commerce, and Dr. Kent Rochford, Acting
  Under Secretary of Commerce for Standards and Technology and
  Acting Director at National Institute of Standards and
  Technology.....................................................    70

Mr. Seto Bagdoyen, Director, Audit Services at U.S. Government
  Accountability Office..........................................    72


               NIST'S PHYSICAL SECURITY VULNERABILITIES:

                        A GAO UNDERCOVER REVIEW

                              ----------


                      Wednesday, October 11, 2017

                  House of Representatives,
                      Subcommittee on Oversight and
            Subcommittee on Research and Technology
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:14 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Darin
LaHood [Chairman of the Subcommittee on Oversight] presiding.

    Chairman LaHood. The Subcommittee on Oversight and the
Subcommittee on Research and Technology will come to order.
    Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
    I want to welcome everyone to today's hearing titled
``NIST, the National Institute of Standards and Technology,
Physical Security Vulnerabilities: a GAO Undercover Review.'' I
have a few brief remarks before we move into opening
statements.
    Committee Members and staff just viewed three short videos
produced by GAO. At the request of the Department of Commerce,
these videos have been labeled law enforcement sensitive, which
means the agency has determined that they contain sensitive but
not classified information. I remind Members that while they
may ask questions today concerning GAO's investigation,
witnesses may respond but there are answers that can only be
addressed in a closed, non-public setting. Please be mindful of
this fact here today.
    I would like to instruct the witnesses to answer to the
best of their ability, but should an answer call for sensitive
information, it may be addressed when we move into executive
session at the end of the hearing.
    We will now vote to authorize the Subcommittees to enter
into executive session at the end of the hearing.
    The Clerk. Mr. LaHood.
    Chairman LaHood. Pursuant to House Rule 11(g)(2), I move
that upon completion of all present members' questions under
the five minute rule, the remainder of the hearing be closed to
the public because the disclosure of the testimony to be heard
may compromise sensitive law enforcement information. The clerk
will call the roll.
    The Clerk. Mr. LaHood?
    Chairman LaHood. Yes.
    The Clerk. Mr. LaHood votes aye.
    Mrs. Comstock?
    Mrs. Comstock. Aye.
    The Clerk. Mrs. Comstock votes aye.
    Mr. Lucas?
    [No response.]
    The Clerk. Mr. Hultgren?
    [No response.]
    The Clerk. Mr. Posey?
    [No response.]
    The Clerk. Mr. Massie?
    [No response.]
    The Clerk. Mr. Knight?
    [No response.]
    The Clerk. Mr. Loudermilk?
    Mr. Loudermilk. Aye.
    The Clerk. Mr. Loudermilk votes aye.
    Mr. Abraham?
    [No response.]
    The Clerk. Mr. Webster?
    [No response.]
    The Clerk. Mr. Banks?
    Mr. Banks. Aye.
    The Clerk. Mr. Banks votes aye.
    Mr. Marshall?
    Mr. Marshall. Aye.
    The Clerk. Mr. Marshall votes aye.
    Mr. Higgins?
    Mr. Higgins. Aye.
    The Clerk. Mr. Higgins votes aye.
    Mr. Norman?
    Mr. Norman. Aye.
    The Clerk. Mr. Norman votes aye.
    Mr. Beyer?
    Mr. Beyer. Aye.
    The Clerk. Mr. Beyer votes aye.
    Mr. Lipinski?
    Mr. Lipinski. Aye.
    The Clerk. Mr. Lipinski votes aye.
    Ms. Bonamici?
    Ms. Bonamici. Aye.
    The Clerk. Ms. Bonamici votes aye.
    Mr. Bera?
    [No response.]
    The Clerk. Ms. Esty?
    Ms. Esty. Aye.
    The Clerk. Ms. Esty votes aye.
    Ms. Rosen?
    [No response.]
    The Clerk. Mr. McNerney?
    Mr. McNerney. Aye.
    The Clerk. Mr. McNerney votes aye.
    Mr. Perlmutter?
    [No response.]
    The Clerk. Mr. Chairman, 12 Members voted aye. No Members
voted nay.
    Mr. Perlmutter. Aye.
    The Clerk. Mr. Perlmutter votes aye. Thirteen Members voted
aye. No Members voted nay.
    Chairman LaHood. There being 13 ayes and zero nos, the
motion is agreed to.
    Once Members have finished their questioning under the five
minute rule, the clerk will clear the room. Only Members of
Congress, their staff, and the witnesses may remain in the
hearing room.
    At this time I recognize myself for five minutes for an
opening statement.
    Again, good morning and welcome everyone to today's joint
subcommittee hearing titled ``NIST's Physical Security
Vulnerabilities: A GAO Undercover Review.''
    Today we intend to discuss and evaluate GAO's report on its
assessment of the physical security program at NIST, the public
version of which is being released in conjunction with this
hearing. We will hear from GAO about the questions it sought to
answer in undertaking its assessment, as well as the methods it
used to assess the current physical security program at NIST.
We will also look at GAO's findings and the recommendations it
has made with respect to the physical security program, and the
steps NIST management must take to satisfy these
recommendations and fortify its physical security.
    Finally, as part of today's hearing, we will examine
specific instances where physical security at NIST has failed,
specifically, an explosion that occurred in July 2015 at the
NIST campus in Gaithersburg, Maryland, which was caused by a
security officer's attempt to illegally manufacture
methamphetamine inside a NIST laboratory, and served as the
catalyst for the Committee's investigation of physical security
at NIST.
    However, before we get to that discussion, in light of
transparency, I would like to describe briefly for the public
what occurred during the closed portion of today's hearing.
    Prior to gaveling into this open session, Members of the
Committee examined video evidence of recent physical security
breaches at NIST campuses. These videos, captured as part of
GAO's covert vulnerability testing, reveal NIST employees
failing to adhere to established physical security policies.
One video in particular shows an undercover GAO agent
subverting detection by security personnel by employing very
basic espionage techniques. The evidence produced in these
videos shines a light on the porous nature of NIST's physical
security, and are particularly concerning to the Committee,
especially in light of the fact that the July 2015 meth lab
explosion served to put NIST on notice that its physical
security program was flawed.
    While all of this is discussed in the sensitive version of
GAO's report, it is discussed only briefly in the public
version being released today, and while certain information is
undoubtedly sensitive and must remain concealed from those who
would use it for nefarious purposes, nothing I just explained
rises to that level. In fact, I believe that this information
is vital to ensuring that such breaches are prevented in the
future at NIST and other federal agencies.
    Before concluding, I would like to focus briefly on some
positive aspects of GAO's report. Specifically, the report
indicates that the Commerce Department agreed with all of GAO's
recommendations, which is the first step toward implementation.
Additionally, the report emphasized that NIST has taken some
steps to further notify and improve its physical security
program. Specifically, GAO found that NIST management had three
independent assessments of its physical security program
conducted following the July 2015 incident, and that NIST has
current plans to implement new physical security policies and
procedures as the result of those assessments.
    The work that NIST performs is extremely valuable to our
Nation. From development of the Cyber Framework to standards
used throughout industry and academia alike, NIST's work must
continue to thrive. In doing so, however, we must ensure the
safety and security of those endeavoring to carry out the NIST
mission, just as we must ensure the protection of physical and
intellectual assets entrusted to NIST's care.
    I look forward to hearing from our witnesses about the
status of these new policies and procedures, steps taken toward
their implementation, and what NIST and the Department of
Commerce intend to do in order to carry out GAO's
recommendations.
    [The prepared statement of Chairman LaHood follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. I now recognize the Ranking Member, the
gentleman from Virginia, for his opening statement.
    Mr. Beyer. Thank you very much, and thank you, Chairman
LaHood and Chairwoman Comstock for calling this meeting. Thanks
to all of you for being here.
    The National Institute of Science and Standards and
Technology is a vital federal science agency that for more than
a hundred years has helped push American innovation in areas as
diverse as computer chips, nanoscale devices, the smart
electric power grid, and earthquake-resistant skyscrapers. The
advanced technologies being developed and pioneering research
being conducted at NIST makes security of its facilities and
technologies critically important.
    Unfortunately, security at NIST at both the Gaithersburg,
Maryland, and Boulder, Colorado, campuses has been a struggle.
As Chairman LaHood pointed out, in July 2015, a NIST police
officer attempting to brew methamphetamine in a little-used
laboratory on the Gaithersburg campus was injured in an
explosion. He was subsequently arrested, fired, and is
currently serving a 41-month prison sentence. In April 2016, a
non-NIST employee gained access to a secure lab on NIST's
Boulder, Colorado, campus. In May 2017, a paraglider landed on
the grounds of the Colorado campus, and in June 2017 a member
of NIST's police force was arrested and charged with first- and
second-degree assault by the Frederick County Sheriff's
Department in Maryland.
    Today, we'll discuss the GAO's recent security review at
both campuses, and this showed significant issues with NIST's
security structure, operating procedures, and performance.
Security awareness training for NIST employees should be
increased, and the agency's guard force must improve their
attentiveness to potential threats, the effectiveness of NIST's
security procedures must be thoroughly assessed, and a
comprehensive communication strategy that can help identify and
resolve potential security threats should be implemented.
    My biggest concern regarding security at NIST is the
security structure. It's fragmented, inefficient and in some
cases inadequate. The Department of Commerce oversees the
security personnel at NIST who implement physical security
policies, for example, while NIST manages access control
technologies and other physical security countermeasures. This
security structure violates best practice for security, which
calls for centrally managing physical security assets and
operations. Without a cohesive organizational structure, it
seems inevitable that gaps in security will continue to emerge,
and the management of NIST's security will be inefficient and
potentially ineffective.
    GAO in its review pointed out further problems with NIST
security management that we'll hear about, but it's also worth
noting the positive stuff, that NIST has made positive
commitment to improving security. Seventy-five percent of NIST
staff surveyed by GAO believed that NIST's leadership places a
great or very great importance on security issues, and this
commitment to security is really encouraging, but I expect the
leadership at the Department of Commerce and NIST to work
together to fully and quickly address the issues outlined.
    You know, the science and technology research and programs
carried out at NIST helps U.S. businesses grow, it strengthens
the U.S. economy, and expands our scientific and technical
knowledge. So we in Congress and the public expect NIST to not
only protect their vital resources, and in some cases hazardous
materials, from potential threats, but also to protect NIST's
employees, visiting scientists and others from physical
security risks.
    I'd like to point out that the Acting Director, Dr. Kent
Rochford, only stepped into this role in January, so thank you
for being here today and helping tell us how you plan to
address these issues.
    And finally, I'd like to note my disappointment, the
disappointment of our Minority team with the Department of
Commerce and NIST for their late submittal of the testimony
less than 24 hours ago, despite a 48-hour deadline. And both
Majority and Minority I think were surprised that the joint
written testimony came from both Commerce and NIST, and perhaps
you can talk about that in your testimony.
    So Chairman LaHood, thank you very much for calling this
meeting. Thank you to all of our witnesses, and we look forward
to a productive meeting.
    [The prepared statement of Mr. Beyer follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Mr. Beyer.
    I now recognize the Chairwoman of the Research and
Technology Subcommittee, Ms. Comstock, for her opening
statement.
    Mrs. Comstock. Thank you, Mr. Chairman.
    This Committee has a strong record of bipartisan support
for the National Institute of Standards and Technology (NIST).
NIST promotes U.S. innovation and competitiveness by advancing
measurement science, standards, and technology.
    Today, we will be discussing a handful of dangerous
physical security breaches at NIST's two campuses in
Gaithersburg, Maryland, and Boulder, Colorado. Unfortunately,
this isn't the first hearing we have held on this subject, but
we certainly hope that it will be the last and certainly hope
we can identify how can we move forward on improvements.
    Lack of security at NIST facilities is a direct, serious
threat to the safety and well-being of thousands of federal
workers, a steady stream of scientists and technologists who
visit NIST facilities every day, and sizable populations of
people who live and work near the NIST facilities.
    NIST's campus security has been a growing concern of the
Committee since the July 2015 explosion at NIST's Gaithersburg
facility, which revealed a NIST police officer, a former acting
chief of NIST police, was operating an illegal meth lab at a
NIST building. This event was the catalyst for bringing to
light other security breaches at the Gaithersburg campus. Not
quite one year later, in April 2016, another, no less serious
incident occurred in Boulder, Colorado. A man without
identification walked onto the NIST campus and was able to
enter a building and laboratory where hazardous chemicals were
stored. Fortunately, this man wasn't intent on playing around
with laboratory chemicals and equipment or causing other
damage. He instead roamed about the building and made himself
at home.
    Fortunately, the meth lab at the NIST Gaithersburg campus
exploded on a weekend evening, not that it's fortunate but at
least it was a weekend when NIST staff and visitors weren't
there. But luck does run out.
    We are going to hear this morning from NIST and Department
of Commerce witnesses who will describe steps that were taken
to shore up physical security after these two incidents. We are
also going to hear about the results of a GAO investigation
conducted at our Committee's request, which reveals that there
are still serious, unaddressed security problems at NIST's
Maryland and Colorado facilities. What we are going to hear
today from GAO is serious enough that the Department may not
allow certain details to be included in the public record.
    NIST must learn from its past and do its best to ensure
proper security is implemented, and obviously we all here in
the Committee want to make sure that's the case. This is
critical for the safety of NIST campuses, its employees,
visitors, and the surrounding community.
    It is also important not to jeopardize NIST's mission to
promote U.S. innovation and industrial competitiveness.
Physical insecurity at NIST's two locations obviously
jeopardizes the important work done by the agency. Even more
important, what seems to be huge, unfixed holes in security
threaten the safety and well-being of approximately 3,000 NIST
employees, 3,500 visiting professionals government agencies.
The safety of our people should be the number-one concern.
Safety is certainly the number-one concern for this Committee.
    I trust this hearing today will mark the end of the
measures that haven't been successful and the beginning of
swift, uncompromising action by NIST and the Department of
Commerce.
    Thank you.
    [The prepared statement of Mrs. Comstock follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Chairwoman Comstock.
    I now recognize the Ranking Member of the Research and
Technology Subcommittee, Mr. Lipinski, for his opening
statement.
    Mr. Lipinski. I'll start by also thanking Chairman LaHood,
Chairwoman Comstock, Chairman Smith for calling this hearing,
and thank the witnesses for being here. I'll keep this brief as
my colleagues have stated many of the issues and concerns that
I also have.
    The National Institute of Standards and Technology is a
national treasure. I know of no other agency that has such a
widespread impact with so modest a budget: Nobel Prize-winning
research, leadership standards development benefiting every
sector of our economy, acceleration of advanced manufacturing
on U.S. shores, and improvement of cybersecurity in both the
government and the private sector. NIST's leadership in
measurement science and their work in cybersecurity and so many
other important areas of technology is unimpeachable.
    Today, however, we will learn in some detail about how NIST
has not applied the same rigor and discipline to the physical
security of its facilities. A new report from GAO, being
released with this hearing, identifies several weaknesses in
NIST's policies and procedures for physical security. The GAO
report further discusses the challenges caused by the
fragmentation of oversight of NIST security between NIST and
its parent agency, the Department of Commerce. GAO makes a
number of recommendations to both NIST and Commerce on how to
improve physical security on the two NIST campuses in
Gaithersburg, Maryland, and Boulder, Colorado. Those
recommendations are not prescriptive; rather they lay out or
reference a clear process for the development of action plans
and timetables to address each identified weakness in current
policies and procedures.
    While it is premature to ask NIST and Commerce for detailed
plans, I expect to hear from them today how they plan to
proceed in addressing each of GAO's recommendations, and what
steps they have already taken.
    I want to thank each of the witnesses for being here this
morning. This hearing is not as fun for anyone as the science-
and-technology-focused hearings that we're more used to in the
Research and Technology Subcommittee, but it is certainly no
less important. I take our oversight responsibilities
seriously, and I believe the agencies before us take their
security seriously. I look forward to learning more about the
agencies' security plans going forward.
    I yield back the balance of my time.
    [The prepared statement of Mr. Lipinski follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Mr. Lipinski.
    I now recognize the Chairman of the full Committee, Mr.
Smith, for his opening statement.
    Chairman Smith. Thank you, Mr. Chairman.
    The GAO conducted a comprehensive review of NIST's physical
security posture. They used covert tactics and they found
gaping holes in the agency's ability to protect their campuses.
Undercover agents succeeded in breaching numerous checkpoints.
    Today, I want to thank the GAO for their work. Their
findings are alarming and confirmed our worst suspicions: NIST
campuses are sieves.
    On July 22, 2015, this Committee launched an investigation
of NIST's security in the wake of chemical--of a chemical
explosion and fire at the Gaithersburg, Maryland, campus. On
July 18, 2015, the acting chief of the police services group,
or ``PSG,'' attempted to manufacture the illegal drug meth in
one of NIST vacant laboratories. The local Gaithersburg,
Maryland, police and fire departments responded to the scene
and began a criminal investigation.
    On January 7, 2016, this high-ranking PSG officer was
sentenced to three and a half years in jail for manufacturing
meth. Slowly we learned this was only the tip of the iceberg.
    According to a July 2016 Department of Commerce Office of
Inspector General's report, the very officer who caused the
explosion on NIST's campus also had committed time and
attendance fraud by claiming hours that he did not actually
work. He was not the only officer engaged in this misconduct.
    The final straw for the Committee was the April 2016
incident in Boulder, Colorado, where an unknown individual was
found wandering in a NIST building. After this incident, we
contacted GAO and asked them to investigate. While law
enforcement personnel has stepped in and handled many of these
incidents, and the GAO has disclosed their findings to the
Department and NIST, I'm not convinced that NIST will actually
achieve the necessary goal: a secure NIST compound at
Gaithersburg and Boulder.
    GAO, as I understand it, remains concerned that the Police
Services Group and the security structure within NIST has not
received proper scrutiny, a concern that is bolstered by the
revelation that GAO agents successfully penetrated NIST
campuses in 15 out of 15 attempts during their covert
vulnerability testing. By the way, that is just incredible: 15
out of 15. Not much security there.
    Now we have a new Administration in place, a pending
nominee for NIST Director, and GAO's recommendations, I urge
NIST and the Department to work together for comprehensive
security reform.
    Thank you, Mr. Chairman. I'll yield back.
    [The prepared statement of Chairman Smith follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Chairman Smith.
    I now yield to the Ranking Member of the full Committee,
Ms. Johnson, for her opening statement.
    Ms. Johnson. Thank you, Mr. Chairman.
    Thank you very much, Mr. Chairman, and good morning.
Welcome to our witnesses. I'd like to thank you and Chairman
Comstock for holding this important hearing on the state of
physical security at the National Institute of Standards and
Technology (NIST).
    NIST has had a number of serious problems with physical
security in recent years. A rogue NIST police officer injured
himself and damaged a NIST building in Gaithersburg while
attempting to manufacture methamphetamines.
    Additionally, there was a troubling incident of an
unauthorized individual wandering around a supposedly secure
building at the NIST Boulder campus.
    These events spurred the Department of Commerce and NIST to
review NIST's security practices and attempt to improve
physical security at the NIST facilities. NIST requested
independent assessments and developed an Action Plan based on
those assessments.
    Under the current Acting Director, Dr. Rochford, NIST has
continued to focus on improving its security culture. While
there may have been improvements to NIST's security culture,
there appears to be plenty of room for additional improvements.
    We learned from GAO's just-released report that the GAO
agents were recently able to gain unauthorized access to areas
of both the Gaithersburg, Maryland, and Boulder, Colorado, NIST
campuses. It is particularly troubling that GAO's efforts were
so successful even after NIST had taken steps to improve
security. I look forward to hearing today from Acting Director
Rochford about how NIST plans to respond to the GAO
recommendations, including specific corrective actions and
approximate timelines for improving and implementing those
actions. I look forward to hearing from Ms. Casias about the
Department of Commerce's plan to address the bifurcated
organizational structure of NIST physical security programs. I
would also like to know what actions the Department of Commerce
plans to take to ensure NIST security services operate at
maximum effectiveness.
    The protection of federal facilities, employees,
contractors, and guests is of the utmost concern to me and this
Committee. NIST specifically has valuable research and
technology that must be protected as well. I look forward to
hearing from our witnesses about how NIST security services can
better meet its mission.
    I thank you, and yield back.
    [The prepared statement of Ms. Johnson follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Ms. Johnson.
    Let me now introduce our witnesses. Our first witness today
is Ms. Lisa Casias, Deputy Assistant Secretary for
Administration at the Department of Commerce. She previously
served as the Deputy Chief Financial Officer and Director for
Financial Management at the Department. Ms. Casias received her
bachelor's of business administration in public accounting from
Pace University.
    Our second witness today is Dr. Kent Rochford, Acting Under
Secretary of Commerce for Standards and Technology, and Acting
Director of the National Institute of Standards and Technology
(NIST). He previously served as the Director of NIST Boulder
Labs and Communications Technology Laboratory headquartered in
Boulder, Colorado. Dr. Rochford received his bachelor's degree
in electrical engineering at Arizona State University, his MBA
from the University of Colorado, and his Ph.D. in optical
sciences from the University of Arizona.
    Our third witness is Mr. Seto Bagdoyan, Director of
Forensic Audits at the U.S. Government Office--Accountability
Office (GAO). Mr. Bagdoyan has previously served as the GAO
Acting Director for Strategic Issues and as the Assistant
Director for Congressional Relations at GAO. Mr. Bagdoyan
received his bachelor's degree in international relations and
economics from Claremont McKenna College and his MBA in
strategy from Pepperdine University.
    I now recognize Ms. Casias for five minutes to present her
testimony.

                 TESTIMONY OF MS. LISA CASIAS,

                   DEPUTY ASSISTANT SECRETARY

                     FOR ADMINISTRATION AT

                  U.S. DEPARTMENT OF COMMERCE

    Ms. Casias. Thank you, Chairman LaHood, Ranking Member
Beyer, Chairman Comstock, Ranking Member Lipinski, and
distinguished members of the Subcommittees.
    I am Lisa Casias, the Deputy Assistant Secretary for
Administration at the U.S. Department of Commerce. In this
role, I oversee the Department's Office of Security and its
functions and personnel. I appreciate the opportunity to appear
before you today to discuss the Department's response to the
Government Accountability Office report titled ``Physical
Security: NIST and Commerce Need to Complete Efforts to Address
Persistent Challenges.''
    Let me first thank GAO for its important work, which we
will use to help strengthen security at NIST. I want the
Committee to know that the Department of Commerce shares the
GAO's and this Committee's concerns about physical security at
NIST. The Department is proud of NIST's mission to promote U.S.
innovation and industrial competitiveness through advancing
measurement science, standards, and technologies in ways that
enhance economic security and improve our quality of life.
    However, our highest priority is the safety of all of our
staff, guest workers, and visitors. We have carefully reviewed
the draft report, and I can tell you that the findings revealed
shortcomings that are absolutely unacceptable, and I know that
Dr. Rochford agrees. We take the GAO's findings seriously, and
both the Department and NIST have agreed with all of the
recommendations set forth in the report.
NIST and the \nDepartment have already taken a number of steps to address the \nconcerns raised in the report, and we are together planning \nmore actions in the near and long term to close the gaps in \nsecurity identified in the report.\n    For example, the Department's Office of Security has \nalready implemented a requirement that all security specialists \nconducting facility security assessments be certified in \nInteragency Security Committee Risk Management Process, or \n``RMP standard.'' To date, 19 of our security specialist staff \nhave successfully completed the ISC's RMP standard training and \nall security specialists will be trained in early fiscal year \n2018. We have also scheduled new facility security assessments \nusing those trained personnel at both campuses this fiscal \nyear.\n    Additionally, OSY has completed a draft chapter for the \nDepartment's Manual for Security Policies and Procedures that \nwill align with the Department's Risk Management Plan with the \nISC's RMP standard. This chapter is currently in the review \nprocess within the Department. In addition to aligning the \nDepartment's Risk Management Plan with ISC's RMP standard, this \nupdate incorporates all the recommended elements from the GAO \nreport related to campus facility Security Committee's risk \ndecision documentation and alternative countermeasure \nrecommendations.\n    We are also, as the GAO has recommended, reviewing the \nsecurity structure at NIST. This review involves all aspects of \nthe relationship between OSY and NIST related to personnel \nassets and security, and as part of a coordinated effort \nbetween the Department and NIST to determine the best approach. \nWhile there is no one-size-fits-all standard, we are reviewing \nall options available to us. 
These are only a few of the \nactions we have taken and are taking to ensure our campuses and \nfacilities are secure and safe for our employees, guests, and \nothers.\n    I wanted to reiterate my appreciation to GAO for their \nthoughtful and thorough report. The Secretary and the \nDepartment are committed to ensuring that our actions in \nresponse to it are appropriate, effective, and correct. The \nsecurity and safety of all of NIST's and the Department's \nemployees are of paramount importance to all of us.\n    Thank you for this opportunity to address the report, and I \nlook forward to answering your questions.\n    [The prepared statement of Ms. Casias and Dr. Kent Rochford \nfollows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairman LaHood. Thank you.\n    Dr. Rochford.\n\n                TESTIMONY OF DR. KENT ROCHFORD,\n\n               ACTING UNDER SECRETARY OF COMMERCE\n\n                FOR STANDARDS AND TECHNOLOGY AND\n\n             ACTING DIRECTOR AT NATIONAL INSTITUTE\n\n                  OF STANDARDS AND TECHNOLOGY\n\n    Dr. Rochford. Chairman LaHood, Ranking Member Beyer, \nChairwoman Comstock, Ranking Member Lipinski, and members of \nthe Subcommittee, I'm Kent Rochford, the Acting Under Secretary \nof Commerce for Standards and Technology, and the Acting \nDirector of the National Institute of Standards and Technology, \nor ``NIST.'' Thank you for the opportunity to appear before you \ntoday to discuss NIST's and the Department's response to the \nrecently released report by the GAO on physical security at \nNIST.\n    I share the Subcommittees' concerns about physical security \nat our campuses, and I thank you for your comments. I also \nappreciate your kind words about our programmatic successes, so \nthank you for that.\n    I also appreciate the Subcommittees' support of NIST's \nefforts to improve our security practices and to fully \nimplement the recommendations in the report, with which we \nagree. 
NIST and the Department of Commerce are working to \nfoster a positive security culture at both of our campuses, and \nthe written testimony outlines the steps that we've already \ntaken or plan to take to improve NIST's security posture and \nensure the successful implementation of the report's \nrecommendations.\n    The world-class research conducted at NIST needs world-\nclass facilities to conduct that mission, but just as \nimportant, NIST needs robust, consistent adherence to standards \nfor safety and physical security to ensure our people work in a \nsafe environment and that our assets are protected. I am \ncommitted to working with our partners at the Department to \nachieve this goal.\n    As the Acting Director, it's my job to ensure the safety \nand security of our personnel, facilities, property, \ninformation, and assets, and I take that responsibility very \nseriously, and that's why we are working together with the \nDepartment's Office of Security to ensure the security of NIST \nstaff, that my co-workers can work safely and securely, and \nfor establishing local campus security procedures designed to \nprotect NIST assets.\n    Moreover, NIST continues to work with the Department's \nOffice of Security to strengthen the security culture at NIST. \nThe GAO notes that we have already had some success but we also \nacknowledge there is still more work to be done. The GAO's \nreport made four recommendations. NIST and the Department agree \nwith the full extent of these recommendations.\n    Upon becoming Acting Director in January of this year, one \nof my first actions was to build on the foundational work \nstarted by Dr. May and the Department's Office of Security and \nprioritize our activities through a Security Sprint. 
I \nconsidered it critically important to take the existing \ninformation we had, the knowledge we'd gained during the \nprevious year, and prioritize our activities to move forward \nwith implementation plans.\n    The GAO pointed out the importance of improved \ncommunication with staff concerning physical security \nrequirements, and what should be expected of each employee. \nNIST agrees, and we have taken steps to improve our internal \ncommunications. We've developed an improved set of security \nrequirements designed to provide an unambiguous understanding \nof the security responsibilities of all individuals who work at \nNIST.\n    Last month, I met with senior NIST leadership and the \nDepartment's Office of Security to ensure that these \nrequirements and expectations were fully understood. This \nafternoon, we will meet with the full complement of NIST \nmanagement and supervisors to ensure that these security \nrequirements and expectations are fully understood by all NIST \nleaders. And following that, I will hold all-staff meetings to \nroll out these responsibilities and expectations and training \nrequirements that all staff must meet.\n    I also initiated the inclusion of a security element and \nall-employee performance plans for this fiscal year, ensuring \nthat security is afforded the same high level of importance in \none's job performance as other elements. My intent is to work \nwith OSY to drive a change towards a positive security culture. \nThese efforts and others will help drive that change.\n    Mr. Chairman, NIST has a history of tackling tough problems \nfrom research challenges like developing the world's most \natomic clock to internal challenges such as addressing our \nsafety culture. The dedicated people at NIST have committed \nthemselves to working toward a common goal of achieving NIST's \nmission. We along with OSY are now in the midst of such an \neffort for physical security. 
I appreciate the Subcommittees' \ninterest in our ongoing work to improve the physical security \nof our campuses, and I welcome your questions. Thank you.\n    Chairman LaHood. Thank you, Dr. Rochford.\n    Now we'll move to our third witness, Mr. Bagdoyan.\n\n           TESTIMONY OF MR. SETO BAGDOYAN, DIRECTOR,\n\n               AUDIT SERVICES AT U.S. GOVERNMENT\n\n                     ACCOUNTABILITY OFFICE\n\n    Mr. Bagdoyan. Thank you, Mr. Chairman. Chairman Smith, \nRanking Member Johnson, Chairman LaHood, Chairwoman Comstock, \nRanking Members Lipinski and Beyer, and members of the \nSubcommittees, I'm pleased to appear before you today to \ndiscuss GAO's October 2017 report on NIST's physical security \nprogram. In recent years, incidents at each of its campuses in \nGaithersburg and Boulder have raised questions about security \nvulnerabilities and NIST's ability to secure its facilities and \nthe human, physical, and intellectual capital assets.\n    In fiscal year 2017, NIST spent over $600 million on its \ncampus laboratories that perform vital work in measurements, \ncalibrations, and quality assurance techniques that help \nunderpin much of U.S. commerce. Accordingly, this morning I'll \nhighlight three of our principal takeaways regarding NIST's \nsecurity at its campuses.\n    First, we found that efforts to transform the physical \nsecurity program at NIST have incorporated some key practices, \nparticularly with regard to leadership commitment to \norganizational change. For example, though assessments in 2015 \nfound issues with NIST's security culture, we estimate that \nabout 75 percent of personnel we recently surveyed believe that \nNIST leadership places great or very great importance on \nsecurity issues. However, our agents gained unauthorized access \nto various areas at NIST campuses in Gaithersburg and Boulder. 
\nWe can provide details about our unauthorized access efforts \nand certain survey results only during a closed session of this \nhearing.\n    Additionally, our survey results showed personnel awareness \nabout security responsibilities varied, in part because of the \nlimited effectiveness of NIST's security-related communication \nefforts. By incorporating elements of key practices including a \ncomprehensive communications strategy, interim milestone dates \nto measure progress, and measures to assess effectiveness, NIST \nwill be in a better position to address the security \nvulnerabilities caused by the varied levels of security \nawareness among employees.\n    Second, management of NIST's physical security program is \nsplit between Commerce and NIST. This is inconsistent with the \nfederal Interagency Security Committee's physical security best \npractices, which encourage agencies to centrally manage \nphysical security. Commerce is responsible for overseeing \npersonnel who implement physical security policies while NIST \nmanages physical security countermeasures such as access \ncontrol technology leading to fragmentation in \nresponsibilities.\n    Before implementing the current organizational structure in \nOctober of 2015, neither Commerce nor NIST assessed whether it \nwas the most appropriate way to fulfill NIST's physical \nsecurity responsibilities. Without evaluating management \noptions, the current organizational structure may be creating \nunnecessary inefficiencies, thereby inhibiting the \neffectiveness of the security program overall.\n    Third, to help federal agencies protect and assess risks to \ntheir facilities, ISC developed a Risk Management Process \nstandard, also known as the ``RMP standard,'' with which \nfederal agencies including Commerce generally must comply. 
\nCommerce and NIST most recently completed risk management steps \nfor NIST campuses in 2015 and 2017 but we found that their \nefforts did not fully align with the standard. Neither Commerce \nnor NIST used a sound risk assessment methodology, fully \ndocumented key risk management decisions, or appropriately \ninvolved stakeholders, partly because these requirements were \nnot in existing policy.\n    Further, we found that Commerce and NIST had overlapping \nrisk management activities potentially leading to unnecessary \nduplication. According to officials, Commerce and NIST are \nseparately drafting new risk management policies without \nensuring that one, these policies aligned with the RMP \nstandard, and two, that NIST policy contains a formal mechanism \nto coordinate with Commerce, future risk management activities \nmay be limited in their usefulness and potentially duplicative.\n    In closing, I'd underscore that it is essential for \nCommerce and NIST to place a high policy and operational \npriority on deploying preventative security controls to help \nmitigate the vulnerabilities we identified. Otherwise, should \nthese vulnerabilities be exploited, NIST's human, physical, and \nintellectual capital will remain at risk. Fully and timely \nimplementing our report's four recommendations in addition to \nany other actions Commerce and NIST are taking independently \nwould be vital in this regard. To its credit, as both witnesses \nfrom Commerce have mentioned, the Department has agreed to \nimplement all of our recommendations.\n    Chairman LaHood, Chairwoman Comstock, Chairman Smith, and \nRanking Member Johnson, this concludes my remarks. I look \nforward to the Subcommittees' questions.\n    [The prepared statement of Mr. Bagdoyan follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    \n    \n    Chairman LaHood. Thank you, Mr. 
Bagdoyan, and I want to \nthank all the witnesses for your valuable testimony here today.\n    The Chair recognizes myself for five minutes of \nquestioning.\n    I guess I want to first start off and say that I've had the \nopportunity to watch the three videos a couple times now, and \nwatching them and observing them, my reaction is disturbing, \nalarming, particularly when you think about the work that goes \non at the NIST campus in Boulder and in Gaithersburg, the \nsensitive work, the strategic work, the proprietary nature of \nwhat goes on at these facilities, much of what relates to \nnational security, and so when I think about what procedures \nare being put in place now, I'm anxious to hear today those, \nand Mr. Bagdoyan, I was going to start with you.\n    After learning of the incident involving the meth lab in \n2015, you would think that there would be measures put in place \nthat would prevent something like that or vulnerabilities from \noccurring. Today after hearing what steps have been implemented \nin your recommendations, what can you tell us to assure the \npublic that these vulnerabilities have been taken care of? And \nthen secondly, are you confident that if you were to do another \nundercover operation in the next month here, that those would \nfail?\n    Mr. Bagdoyan. Mr. Chairman, thank you for your questions. \nI'll take the first one obviously first.\n    Based on what Dr. Rochford and Ms. Casias have mentioned, I \nthink they are taking this seriously. That's good to know, and \nwe look forward to receiving more details about what they plan \non doing in response not only to our recommendations but also \nthe incident you mentioned. There's going to be a long-term \neffort. I think what they both described are promising first \nsteps. We are probably playing a long game here in terms of \ngetting things done. 
So that would be for the first question.\n    The second question, it would definitely be speculative on \nmy part to say whether or not anything that would be put in \nplace would work, so I'll defer answering that one.\n    Chairman LaHood. And what about reassurances that you can \ngive to the public that this has been remedied?\n    Mr. Bagdoyan. Well, I can't say that it has been remedied. \nAs I mentioned, these are first steps. They are promising. They \nare in the right direction. I'll hold the witnesses to their \nword that they are taking this seriously. They both outline \nvarious steps that they are taking. Management attention and \npriority is key, as Dr. Rochford mentioned. Training is an \nabsolute must. To have a security culture, you have to train \nyour people to take it seriously. So that would be my answer.\n    Chairman LaHood. Thank you.\n    Dr. Rochford, similar to you, give us your assessment on \nwhat reassurances you can give to the American people here \ntoday that you've taken these recommendations into account and \nthat you're implementing them and that the vulnerabilities are \nno longer there.\n    Dr. Rochford. I agree with the Committee that these \nbreaches are unacceptable, and I do share your very, very deep \nconcern. I also agree with my colleague from GAO. This is going \nto require a culture change. We have the responsibility--I have \nthe responsibility for keeping NIST staff safe and secure, and \nwe have a responsibility, as you noted, to secure the \nsubstantial investment that the taxpayers have made to build \nNIST what it is today.\n    This breach, I agree, demonstrates the need for clear \nrequirements, clear training, greater accountability, and we \nare undertaking all those steps.\n    Last month, I met with all senior leadership for a two hour \nsecurity summit where we described the needs for \naccountability. 
Today, later today, I actually meet with all \nmanagers at NIST, and then we're going to have all-hands-staff \nsecurity summits on both campuses that I will personally lead. \nWe've developed training, and we'll have mandatory training, \nfor all 3,500 and the several thousand associates. So I do \nagree, this is a bit of a long game. It's going to take time to \nhave all this training done. But we will do it, and then I will \npersonally ensure that the training is taken, and we will \nconsider taking measures so we can understand the impact and \nthe improvement in our security culture.\n    As mentioned, we did undertake a Security Sprint that has \ndeveloped a number of prioritized activities, some of which I \ncan mention here, some we can discuss in closed session, but we \ndo have an action plan to address a number of issues at NIST.\n    Chairman LaHood. Can you talk a little bit about what you \njust mentioned there?\n    Dr. Rochford. The Security Sprint?\n    Chairman LaHood. Yes.\n    Dr. Rochford. What it did is, it certainly pointed out that \nwe have a leadership issue. Culture is driven by leadership, \nand I need to take that responsibility to change the culture. \nSo we are developing training. We have what we call baseline \nrequirements, which will be our first training set. We then \nhave additional training for things like criminal behavior, \naction plans, training for active shooter, other potential \nsecurity issues. We have work where we're going to develop a \nSecurity Advisory Board. We're going to have an executive \nsecurity committee so we can engage leadership on programmatic \nchanges to ensure the culture sticks. We've taken some specific \nengineering and access controls that I can talk about in closed \nsession, perhaps. 
We have a range of activities that we'll be \nundertaking over the year.\n    When the new confirmed NIST Director is on the job and \nstarts, one of my first actions is my intent to brief him on \nthese issues, show him the plans that we've undertaken, and \nwith his permission continue these actions.\n    Chairman LaHood. Thank you, Dr. Rochford.\n    I now recognize Mr. Beyer for his questions.\n    Mr. Beyer. Thank you, Chairman LaHood, very much.\n    Mr. Bagdoyan, in the GAO report you write about the \nfragmented approach to security, which as a person interested \nin management and leadership for a long time, seems pretty \nnonsensical, too many cooks in the kitchen. You've got big \nCommerce responsible for the outside piece, NIST responsible \nfor the cameras and the locks, and how did this divided \napproach come about and what can we do to fix it?\n    Mr. Bagdoyan. Thank you for your question, Mr. Beyer. I \nthink in the first part, it originated back in late 2015, I \nbelieve, once NIST received, or Commerce received delegated \nauthority for NIST police to act as federal law enforcement \nagents. So that was delegated by the Federal Protective \nService. And then in 2017, the American Innovation and \nCompetitiveness Act essentially directed Commerce to have an \noverall role in setting security policy and practice but also \nNIST maintained its ability to perform its security-related \nduties as it saw fit consistent with its culture that it was \ntrying to build at that time. So in a very high level, that's \nthe origin of the split.\n    I would agree with you that having a split situation like \nthis is not really consistent with best practice according to \nfederal standards, and it does lead to inefficiencies, \nespecially when the two parties really don't coordinate or \ncollaborate. 
Sometimes it's fine to have two distinct streams \nof oversight over a major program like this, but if they don't \ntalk with each other, they end up doing separate risk \nassessments and so forth. That is definitively \ncounterproductive and hinders effectiveness overall.\n    Mr. Beyer. In your perception, we'd probably need to amend \nthat Act in order to be able to centralize the security?\n    Mr. Bagdoyan. Well, that certainly would be one option. \nThat would be up to Congress. It's certainly not for me to \nprescribe but I think in the past it has been noted that in \norder to fix this, I believe one of the assessments that NIST \ndid pointed out that the only remedy was a statutory fix. On \nthe other hand, we know of no plans to pursue such a fix at the \nDepartment level.\n    Mr. Beyer. Very good. Thanks.\n    Dr. Rochford, I was in an embassy overseas for four years, \nand every night the Marines would go office to office and look \nat the stuff on everyone's desk, and if somebody had classified \nmaterial out, there was a report the next morning, and the \nvery--and no one wanted to have a report which came back to \nWashington. Is there any reporting program like that at Boulder \nor in Gaithersburg, where it's a guard who lets somebody in who \nshouldn't have been let in with a bad badge or papers left out \non desks that shouldn't have been let out?\n    Dr. Rochford. We do have incident reporting on both \ncampuses that then bubble up through our police staff, which \nare managed by OSY to the Director's office. For example, I \nknow that in Boulder, the doors are checked nightly and they \nprovide a report of any issues that then can be addressed \neither through maintenance or through personnel action.\n    Mr. Beyer. When you mentioned that you built security into \nthe employee performance plans----\n    Dr. Rochford. Yes.\n    Mr. Beyer. --is this tied to incident reporting then?\n    Dr. Rochford. 
Right now it addresses the baseline security \nrequirements. The baseline security requirements do address \nreporting incidents of tailgating, piggybacking, things of that \nnature.\n    Mr. Beyer. Have you figured out a way to keep paragliders \nfrom landing on your campuses?\n    Dr. Rochford. That might have some technology solutions \nthat we've not addressed.\n    Mr. Beyer. And Ms. Casias, in your oversight role, do you \nenvision a way for you at OSY to be able to provide the \nnecessary oversight of the security that NIST provides without \nnecessarily having to own half of it directly?\n    Ms. Casias. Congressman, we recognize, and Dr. Rochford and \nI have talked about this, we recognize that the security \nmanagement structure does require some evaluation, and we agree \nwith GAO. We've accepted their recommendation. So I think we do \nhave work in that area. We've already started some steps. We've \nidentified executive sponsors, myself and Dell Brocket, the \nAssociate Director for Management Resources at NIST. We'll lead \nthat endeavor. We've selected internal teams. We're also \nlooking at using outside security experts such as folks from \nthe ISC to help us in that matter. In our review, we'll be \nlooking at roles, responsibility and accountability and how \nthat impacts security.\n    So I think there's a mix. There's not one-size-fits-all, \nand we know that the Boulder campus is different from the \nGaithersburg campus, so we will be working jointly but we do \nagree that this is an item that we do need to look at and is a \nserious item that needs attention immediately.\n    Mr. Beyer. Thank you, Mr. Chairman.\n    Chairman LaHood. Thank you, Mr. Beyer.\n    I now recognize the Chairman of the full Committee, Mr. \nSmith, for his questions.\n    Chairman Smith. Thank you, Mr. Chairman.\n    Mr. 
Bagdoyan, let me address my first question to you, and \nthat is, how much confidence do you have that the GAO's \nrecommendations will be implemented by NIST?\n    Mr. Bagdoyan. Good question. I really believe this. I am \nconfident that based on what I've heard this morning certainly \nin its official response to our draft report that Commerce and \nNIST are taking this seriously and they'll take the necessary \naction.\n    Chairman Smith. I mentioned in my opening statement that \nunauthorized access was attempted by the GAO at both campuses \n15 times, and 15 times they were successful. It just seems \nincredible that that would be the case, but to what do you \nattribute that other than just lax security? And is there any \nexcuse for that? I don't know where to----\n    Mr. Bagdoyan. I take your point, Mr. Chairman. I'll \nprobably be best served to respond to that in a closed session.\n    Chairman Smith. And as I understand it, it's the Department \nof Commerce that came up with the designation ``law enforcement \nsensitive.'' Is that right?\n    Mr. Bagdoyan. That's correct. They are the marking agency \nin this case.\n    Chairman Smith. Ms. Casias, I'd like to ask you about that \ndesignation, ``law enforcement sensitive.'' Why did you choose \nto apply that to the three videos that members saw in closed \nsession before we opened it up for this hearing?\n    Ms. Casias. We believe in viewing the videos, which I have \nviewed and so has Dr. Rochford, that there are security \nvulnerabilities that other folks could look at and use those \nvulnerabilities within our facilities or other federal \nfacilities. In addition, I'd be more than happy in any closed \nsession that we could get into that in a little more detail \nso----\n    Chairman Smith. What is the definition of ``law enforcement \nsensitive''?\n    Ms. Casias. 
The definition is that it's the sensitivity if \nthat came out would cause some issues with security within our \ncampuses.\n    Chairman Smith. Okay. Can you give me--do you happen to \nhave the exact definition with you?\n    Ms. Casias. I do not have that with me but I can get that \nfor you.\n    Chairman Smith. If you can get that fairly quickly, that \nwould be helpful.\n    My suspicion is that you all maybe overly cautious. Having \nseen the videos, they're pretty obvious as to what might cause \nbreaches and what did cause breaches in this case, and I don't \nthink it's revealing much to acknowledge that. In fact, it may \neven be helpful. So I'd like to see the exact definition and \nsee what the rationale was for applying it in these cases.\n    Ms. Casias. Absolutely.\n    Chairman Smith. And I might even ask you to go back and \ntake another look because while you want to err on the side of \ncaution, you also don't want to prevent information that can \nand should be seen by others from being considered by others as \nwell.\n    Let me go to Director Rochford and ask you a couple \nquestions to the extent that you can answer them, and that is, \njust generally what can be done to prevent some of these \nunauthorized accesses? I know you responded to the Chairman \ngenerally. If you want to elaborate on that, I think that would \nbe helpful.\n    Dr. Rochford. 
So if we're talking about the specifics in \nthe video, I mean, generally, we see security as a layered \napproach so we need to have both improved training and \nimprovement in our security force that does their checks, but \nthe other layer is the employees, and part of what I need to do \nis make sure that NIST staff have a much greater awareness \nabout these concerns, know at some level how these things can \nbe spoofed, for example, and through training and I think this \nawareness, we can have them also do a better job of making the \nappropriate checks to ensure security and avoid breaches.\n    Chairman Smith. And I assume improvements have been made to \nsecurity in the last several weeks?\n    Dr. Rochford. When I started, the security plan actually \nbecame operational over the last couple months so we have \ndeveloped training materials. We have video training materials. \nWe have a number of things that I'll be launching very soon. So \nyes, we're ready to----\n    Chairman Smith. Would the security measures that have been \nimplemented recently have prevented the unauthorized access \nthat has occurred in the past?\n    Dr. Rochford. I think the training is going to be a key \npart of that, and the training is going to take some time. So \nwe have not put in place something that would cause 100 percent \nimprovement.\n    Chairman Smith. What has been put in place that you guess \nwould prevent most of the unauthorized access from occurring?\n    Dr. Rochford. There are some items that I could discuss in \nclosed session.\n    Chairman Smith. I'm not asking you what those items are. \nI'm just asking you generally to say whether or not you feel \nthat what's already been implemented would prevent most of the \nunauthorized access that has occurred in the past.\n    Dr. Rochford. I think we've put things in place to improve \nthe situation.\n    Chairman Smith. Okay.\n    Dr. Rochford. 
I do not have confidence that I could say we \nhave 100 percent----\n    Chairman Smith. Thank you very much.\n    Thank you, Mr. Chairman.\n    Chairman LaHood. Thank you, Chairman Smith.\n    I now recognize the Ranking Member, Mr. Lipinski.\n    Mr. Lipinski. Thank you.\n    Ms. Casias, your office overseas the Commerce Office of \nSecurity, which manages the Police Services Group. The Director \nof Security for NIST provided a letter to the Science Committee \non September 14 of this year that the Police Services Group in \nboth Colorado and Maryland had a total of 41 authorized staff \nwith five current vacancies under the existing operating \nbudget. Can you tell us what sort of impact you believe current \nbudget constraints have on NIST's security posture, and what \ncan we in Congress do to help in that regard?\n    Ms. Casias. Congressman, thank you for that question. As we \nsaid, security is not one-size-fits-all, and while we have our \npolice force, our Police Services Group, we also have \ncontracted staff which we have supplemented that workforce \nwith. At this point I believe looking at our risks and our \nvulnerabilities, we are working within our budget and believe \nthat we have adequate funding. As we work through the \nevaluation and look at the different responsibilities between \nNIST and the Department, if there is anything there we'll \nidentify and work with this Committee on those findings.\n    Mr. Lipinski. Let me ask Dr. Rochford or Mr. Bagdoyan, do \nyou agree with that in terms of having enough resources?\n    Dr. Rochford. At this point we've gone through our Security \nSprint and have identified a number of activities that we can \nmake. I currently believe I have the resources to take on that \nfirst tranche of activities. So at this time I believe we have \nthe resources.\n    Mr. Lipinski. Mr. Bagdoyan, do you have any thoughts on \nthat?\n    Mr. Bagdoyan. Yes. Thank you, Mr. Lipinski. 
I would answer \nin terms of the resourcing level as a function of the risk and \nthe countermeasures already in place and anticipated, so a \nprecise number that would drive a budget is obviously a \nfunction of that, and I would defer to the Department on that \nmatter.\n    Mr. Lipinski. Thank you. Mr. Bagdoyan, part of the GAO \nexamination of NIST security included a survey of NIST \nemployees which you had talked about in your testimony. My \nunderstanding is that the sample for that survey was \nexclusively technical and scientific staff. Is that true, and \nif so, why were other staff omitted from the survey pool?\n    Mr. Bagdoyan. Yes, that is correct, Mr. Lipinski. We \nsurveyed approximately 500, which is a projectable sample, and \na determination of what to include and what not to include was \nessentially a methodological one. We can provide you with \nadditional detail separately if you like in terms of how we \narrived at that.\n    Mr. Lipinski. Was there a reason that the administrative \nstaffers were not included in that?\n    Mr. Bagdoyan. Well, I don't recall the specifics but I \nwould say that we chose to focus on people who would likely \nencounter potential intruders and others during the course of \ntheir duties.\n    Mr. Lipinski. But it would seem like anyone coming in to \nthe gate would be someone who potentially would have the \npossibility of letting someone in who shouldn't be in there.\n    Mr. Bagdoyan. Yeah, I take your point but we just chose \nwhat we chose, and I can certainly provide a more detailed \nexplanation on the methodology separately.\n    Mr. Lipinski. Okay. You said 75 percent in the survey said \nthat they take security--I forget, what were the exact----\n    Mr. Bagdoyan. Yes. Let me look at my cheat sheet here. It \nsays about three-quarters of scientific and technical employees \nbelieve that NIST leadership places great or very great \nimportance on physical security issues.\n    Mr. Lipinski. 
Is that 75 percent enough?\n    Mr. Bagdoyan. Well, optimally you would want it to be 100 \npercent. That was--that goes back to my earlier point that if \nyou want the culture to improve, the awareness to improve, and \nbe optimal, you really need to be at a very, very high level \nfor this to work. Otherwise a single weak point, a single \nindividual who might not get it is a potential vulnerability.\n    Mr. Lipinski. It sounds like there's good work being done. \nWe certainly need to follow up, and the culture I think is \ncertainly going to be a big issue.\n    Just very briefly, do you think there's any--is it possible \nthat the type of people who would be working, the technical \npeople who would be working at NIST are people who are used to \nmore open circumstances, campuses, things like that that do not \nrequire the type of security and that could be a reason why?\n    Mr. Bagdoyan. It's certainly a possibility but again, with \nproper training, leadership emphasis, you move the needle in \nthe direction it needs to go, and awareness is key. \nPrioritization from leadership is key as is getting \nstakeholders, for example, on the Boulder campus. There are \nother agencies that share the space to get them involved as \nwell because their culture would be also impacted, and that's a \nkey point.\n    Mr. Lipinski. Thank you.\n    I yield back.\n    Chairman LaHood. Thank you, Mr. Lipinski.\n    I now recognize Mr. Marshall of Kansas for his questions.\n    Mr. Marshall. Thank you, Chairman LaHood.\n    First question for Mr. Rochford. In the military or in \nbusiness when we have a big goal, a big vision, we typically \nset out a timeline with major events, major milestones, so our \ngoal here obviously I would assume we have all the same goal: \nbetter security in these facilities. Do you have a timeline? \nWhere are we on that timeline? Where's it going?\n    Dr. Rochford. 
Our Security Sprint did set out a timeline \nfor phase I for this training, this outreach, the \naccountabilities. That timeline has various things happening \nthat I've mentioned with our goal to have complete mandatory \ntraining, for example, by the end of the calendar year.\n    Mr. Marshall. Can we have access to that, perhaps? Would \nthat be a reasonable question?\n    Dr. Rochford. That's to the----\n    Mr. Marshall. To the timeline or----\n    Dr. Rochford. Certainly. I don't have it with me but I can \nprovide that.\n    Mr. Marshall. Okay. Thanks.\n    I want to go back to the plutonium incident at the NIST \nfacility in Boulder, Colorado. I guess that's several years \nago. Obviously it created some significant challenges to not \njust the facility but the surrounding people as well. And now \nwe're aware of another incident at the same facility. Do you \nfeel like you've done everything possible to shore up that \nsituation there for such another dangerous event? Obviously \nthere's some pretty toxic things going on there.\n    Dr. Rochford. Plutonium was a wake-up call for NIST. That \nwas the moment we realized that our safety culture was not what \nit needed to be. In the past we've worked on what is considered \nan expert culture where we trusted our highly trained \nindividuals to take on safety. What we recognized is, we needed \nto take this more deeply. We needed to have specific training, \nspecific processes, specific access controls and procedures. As \na result, I could state that we have a very assertive safety \nculture now, and in fact, that's what I'm modeling our changes \nin the security culture towards. In fact, that specific event \nwe basically met all the Nuclear Regulatory Commission's \nrequirements satisfactorily. We've made great strides in our \nsafety program both in radiation--radioactive materials and \nsafety in general, and I think yes, our safety program is much \nmore robust.\n    Mr. Marshall. I'm just curious. 
The people that are doing \nthe research are scientists. Are they the ones ultimately in \ncharge of the security, figuring out what--I mean, I'm guessing \nit's two different people. My doctors are not real--the \nsurgeons are not real good at figuring out what to do in the \nER. So I'm hoping it's different people than the scientists \ntrying to figure out a security program for the facility.\n    Dr. Rochford. No. So the way we operate is, we obviously \nhave a management structure. I as the Acting Director have \nresponsibility for security. We can gather scientific input. So \nfor example, when we assess a space, as the Chairman had \nmentioned, we may have proprietary information, we may have \nother information. We gathered that from the scientists so we \ncan understand what sort of safety and/or security protocols to \nput in place. Those then are developed in programs that follow \nguidelines created by both the Department's Office of Security \nand then the local controls that we have in place.\n    Mr. Marshall. Okay. My last question. Going back to \nBoulder, there's still no external barrier in Boulder as I \nunderstand it. Do you feel like that's a problem, and what are \nwe--why isn't--I mean, that would seem to me to be more of an \nimmediate solution to unauthorized access to restricted areas \nor some type of a physical external barrier. Do you think it's \nnecessary? Why haven't we done it, or is that a waste of time \nand effort and money?\n    Dr. Rochford. I would not characterize it as a waste of \ntime and effort. When I started in January and undertook the \nSecurity Sprint, my goal was to be able to get quick wins, to \nbe able to do things that we could take action on quickly. A \nfence in Boulder, it's going to be a multi-stakeholder process. \nThere's a number of factors and considerations including both \nthe city, the neighbors, local government, issues of that \nnature. There are environmental aspects. 
It's something that \nwill take a longer time.\n    Mr. Marshall. That just drives me crazy to think about \nthat, that here's an immediate danger and we're not--and the \nprocess, the rules, the regulations, and again, having built a \nhospital facility, I know what it's like. It just takes months \nand years to go through the process, and in the meanwhile, we \ncan't get to the real solution.\n    So I look forward to going through those weeds as quick as \nyou can and making these places secure.\n    Thank you, and I yield back.\n    Chairman LaHood. Thank you, Mr. Marshall.\n    I now yield to the Ranking Member, Ms. Johnson, for her \nquestions.\n    Ms. Johnson. Thank you very much, Mr. Chairman.\n    It's rather puzzling to me when you put everything on \ntraining, what was the initial training when people were hired? \nDo you have any standards, ethical standards for them to have a \ncommitment? Yes?\n    Dr. Rochford. We do have onboarding training. In \nretrospect, onboarding training has been rather simplistic--\nwear your badge. What I need to do is develop--and we have done \nthis--a training that's very explicit, very unambiguous, and \nactually includes various scenarios so people know precisely \nwhat we mean and what we expect. So I think in the past we just \nhad not done training that was sufficiently detailed, and that \nis being remedied.\n    Ms. Johnson. You know, I'm having a hard time. I fully \nsupport the work of NIST, and I looked at the recommendations \nthat GAO has recommended, and I'm having a very hard time \nunderstanding what changes were made or what kind of approaches \ndid you make after these incidences. It seems very, very loose \nto me in a very important area. Do you feel capable of running \nthis agency and keeping the activities at a professional level?\n    Dr. Rochford. Yes, I do. I've been in this role since \nJanuary so I've had a limited span here that I can do these \nthings. 
Since 2015, we have added several engineering access \ncontrols. We did increase security staffing. We did establish \nthis NIST Security Advisory Board. But there is more to do, and \nthat's what I've been working on over the last many months, and \nI'm confident when our new Director joins us that he'll be \ninterested in moving this forward as well.\n    Ms. Johnson. When you say there's much more to do, give me \nan idea what else that you have in mind to do.\n    Dr. Rochford. In addition to training--this is a culture \nchange, in my opinion, so it requires a leadership commitment \nthat's consistent and persistent, right? We need to continually \nmeet with staff. We need to demand that the training \nrequirements are met. I need to hold my management accountable. \nMy management needs to hold the employees accountable. We \nbasically have to change an attitude so that we're doing this \nin the best possible way. We've done it in safety. We know how \nto do this, but we also know it takes time and it takes real \ncommitment. So I have the commitment. We just need some time.\n    Ms. Johnson. Okay. Ms. Casias, do you have any comments?\n    Ms. Casias. Yes. I agree with Dr. Rochford that it is a \nculture change, but I also believe as we're working together we \nneed to look at the management structure. That is a priority \nfor us. We also--as I stated, we now have all of our staff \ntrained on the ISCR RMP standards, and I think looking and \nworking with those facility assessments and getting those \nrelooked at this year, redone, and looking at that jointly, I \nthink it really is critical that we have that open \ncommunication and working together, and I believe we do. We've \ntalked about a lot of trainings today, and those are not just \nthe NIST folks working on that. 
Our Director of Security, who \nis on campus at NIST, has been working, and yesterday just had \none of the security days with a fabulous turnout from the \nstaff, and that was a joint effort and working together and \nlooking at what we need to do.\n    So there's more to do than training, and I believe we're on \nthat path and we're working towards that, and I'm confident \nthat our partnership together we will get there.\n    Ms. Johnson. Have you looked at these? Are you following \nthe recommendations of GAO?\n    Ms. Casias. Absolutely. We have already started. As I \nnoted, we've already put together--both myself and Dell \nBrocket, who's in the room, we're going to be spearheading this \nand the executive sponsors. We've actually worked on other \nprojects in the Department before this, and we've been \nsuccessful, and I know that we'll be successful in this one, \nand it's a priority. Security is a priority for the Department, \nfor our people, for our assets and our information.\n    Ms. Johnson. Well, thank you. I know that security is very \nimportant but I'm talking about the ethical behavior of the \npeople within a security measure as well.\n    Ms. Casias. I agree, and I think looking--and there's been \nsome steps of initiating some security measures in people's \nperformance plans, but we are looking into the incidents that, \nyou know, folks have seen on the videos and determining--we've \ndone appropriate counseling to date and we're working with the \nappropriate offices on what other steps we need to take.\n    Ms. Johnson. Thank you very much.\n    Chairman LaHood. Thank you, Ms. Johnson.\n    I now recognize Mr. Norman from South Carolina.\n    Mr. Norman. Thank you.\n    Dr. Rochford, I guess as a follow-up to Chairman Smith's \nquestion about the 15 attempts and you had 15 breaches, and you \nmentioned that if they occur today, you couldn't give 100 \npercent guarantee that be--it would prevent it. 
What percentage \nwould you give?\n    Dr. Rochford. That would be difficult to assess. At this \npoint because we haven't rolled out the training, I don't think \nsome of the early steps that need to be taken have occurred. \nThe training, I will have the meetings with management this \nafternoon, and again, these have been planned for some time. \nI'll have meetings with all staff. At that point we'll roll out \nthe required training. My belief is as people take the training \nand we're holding them accountable, we'll see improvements.\n    Mr. Norman. Okay. Now, I also understand that the \nGaithersburg, Maryland, campus has a nuclear reactor on site. \nIs that true?\n    Dr. Rochford. That's correct.\n    Mr. Norman. NIST stores caches of radioactive material for \ntesting. Is that true?\n    Dr. Rochford. Testing and standards, measurement standards, \ncorrect.\n    Mr. Norman. Do you realize you can google this and get this \non site? You don't see this as a security risk?\n    Dr. Rochford. Some of this will be known because of Nuclear \nRegulatory Commission postings so, yes, it is known. In \naddition, our nuclear reactor is a center for neutron research, \nwhich is a center that uses neutrons to do measurements and \ntherefore we interact with industry and academia so they do \nknow about it as well.\n    Mr. Norman. And another question, Doctor. According to the \nWashington Post, in August of this year a NIST employee was \nexposed to unsafe dose of radiation, and according to this \narticle, as of September 27, it's still unknown how the \ncontainer of the radioactive material was compromised. Have \nthey found anything out on that?\n    Dr. Rochford. Yes, yes. We've learned a great deal in that \nincident. The material is known as americium. It was held in a \nsmall 50-milliliter ampoule. We received it from an energy lab \nabout 17 years ago. 
It was in solution, and as the \nradioactivity occurred, these decayed particles caused what \nthey call radiolysis, created a gas, and over time the gas \noverpressured and the ampoule exploded. So what in fact \nhappened was not a mishandling event but we keep these in these \nlead storage containers, and the material burst. We found it \nduring a routine radiation testing, a survey program that we \nhave where we look at these spaces weekly, and then when we \nfound it, we could put controls in place, and then we had to \ntest all the individuals who had been in contact with the \nmaterial before the breach or before the dispersion was noted.\n    We're very aggressive in our reporting in safety, so we \nimmediately went to the Nuclear Regulatory Commission, and we \nprovided a notification that had worst-case scenarios. What \nwe've learned since as we've been able to do more testing both \nof the material and the bioassay, we believe that the \nindividuals involved have not had exposures above the \nregulatory limits, that they've actually been below the \nregulatory limits. These measurements are actually quite \ndifficult. These are alpha emitters, which are very, very \nfaint. It also took some time for us to get the measurements. \nBut we have engaged with the Nuclear Regulatory Commission at \ngreat length and with the Department of Energy, and in fact, \nthe 30-day report to the NRC went out Saturday, so that's a \npublic document.\n    Mr. Norman. Okay. You know, I join in Congressman Johnson I \nguess and the concern I have is that you all were taking it \nseriously and particularly with the taxpayer dollars that are \ngoing toward this that it's--I see it's a leadership problem \nbut still there's got to be some consequences to it, so I would \nask you to put this at the top of your list to get fixed, and \nnot just addressed but to get fixed because 15 of 15 breaches \nis not--is unacceptable in my mind.\n    Dr. Rochford. 
I agree.\n    I yield.\n    Chairman LaHood. Thank you.\n    I now recognize Ms. Bonamici of Oregon, please.\n    Ms. Bonamici. Thank you very much, Mr. Chairman.\n    Dr. Rochford and Ms. Casias, NIST now has, it's my \nunderstanding, your full-time equivalent police officers, about \n28 in Maryland and 13 in Colorado, but you also use contract \nprotective security officers. So can you talk a little bit \nabout what they do, where are they stationed, at the gates, at \nthe doors, and what training do they get and what is the \nturnover among those contracted protective security officers?\n    Ms. Casias. Thank you for your question. I will have to get \nback to you on the turnover. I don't have that information with \nme immediately. But all of our contractors are required to have \ncertain standards. We do provide training, and I can tell the \nfolks on this panel that we have provided training since the \npenetration issues that we've had, and we'll continue to have \nthat training with those folks.\n    Ms. Bonamici. How does their training compare to the, for \nexample, police officer training?\n    Ms. Casias. I would have to get back to you on the exact \ndistinctions between the both, but in the case of providing the \nsecurity services, both parties, the Police Services Group and \nthe officers, the contract force, receive the same training, \nand everyone that is responsible for that understands that it \nis totally unacceptable with the breaches and what has \nhappened.\n    Ms. Bonamici. Thank you. I would appreciate the follow-up \non the turnover among those contracted officers.\n    The 2015 incident, which we've all heard about with the \nNIST employee who was a NIST police officer trying to make \nmeth, now that of course is a rare type of situation but what \nrecommendations are you making now that would have prevented \nthat particular incident as opposed to your recommendations to \nkeep out unauthorized access? 
This person was a NIST employee, \nso what specific recommendations would have prevented that? Ms. \nCasias or Dr. Rochford?\n    Ms. Casias. I obviously was not in my position when that \noccurred but I know we have put more--instituted more, looked \nat how we're using rovers, how we're using our police force and \nour guards and our actual police force that's on site.\n    Ms. Bonamici. But he was a police officer, so what----\n    Ms. Casias. I agree.\n    Ms. Bonamici. What would have prevented that at the time? \nWhat are you doing now that would have prevented that?\n    Ms. Casias. I believe how we are running our shifts and \nlooking at our shifts, that may have prevented it. I'll have to \nget back to you, you know, on exact measures that we may have \ntaken.\n    Ms. Bonamici. Thank you.\n    Mr. Bagdoyan, the GAO report notes inefficiencies, plural, \nthat arise from the fragmented organizational structure of NIST \nsecurity. An example mentioned in the report was that NIST is \nresponsible for procuring and placing the security cameras but \nthe Department of Commerce is overseeing the police personnel \nand the facilities, and that led to some of the security \ncameras being placed in locations that weren't particularly \nuseful or helpful for the police. So what are--number one, what \nare some of the other inefficiencies, because you said \ninefficiencies, and that was one example? And then also, how \ncould that have been prevented. It seems like maybe a simple \nphone call could have said--could have remedied by saying, you \nknow, the cameras aren't in the right place. So how did that \nhappen? And maybe I can get Ms. Casias and Dr. Rochford to \nrespond as well.\n    Mr. Bagdoyan. Sure. 
I'll let my fellow panelists here \nrespond from their perspectives.\n    In terms of placement of equipment and so forth, I \ncertainly wouldn't venture there in an open hearing, but in \nterms of other inefficiencies, you have risk assessments that \nare done separately, for example, so that is a core function \nthat at least should be coordinated, if not collaborated on.\n    Ms. Bonamici. And I see Dr. Rochford nodding his head so \nI'm assuming that NIST agrees with that.\n    Mr. Bagdoyan. Right. So that's--right. So I would just \nleave it at that. That's a key inefficiency.\n    Ms. Bonamici. Thank you.\n    Mr. Bagdoyan. And also crafting different policies at \ntimes. Parallel security policy is another area of inefficiency \nthat at a minimum should be much more closely coordinated if--\n--\n    Ms. Bonamici. Thank you, and I don't want to interrupt but \nI want Dr. Rochford and Ms. Casias to respond to the, how could \nthat have been remedied? Is there some channel for--a better \nchannel for communication where if the cameras are put in the \nwrong place, why weren't they--why wasn't that immediately \nfixed?\n    Dr. Rochford. That should have been immediately fixed. I \ndon't know what line of communication dropped and why that \ndidn't occur. On our campuses, our cameras and other access \ncontrols are not used purely for security as well. We do have \nsome that are put in for safety reasons, and it could be that \nsecurity personnel were concerned that they may not have had \nappropriate access but those were done for programmatic \nreasons.\n    As far as coordination, our Security Advisory Board does \nhave our local OSY Director of Security at NIST on that board, \nso when we do develop local policies, this individual is \ninvolved and weighs in. So we have worked to coordinate to \nensure that we have the right amount of overlap.\n    Ms. Bonamici. Thank you, and I see my time is expired. I \nyield back. Thank you, Mr. 
Chairman.\n    Chairman LaHood. Thank you. I now yield to Mr. Loudermilk \nof Georgia for his questions.\n    Mr. Loudermilk. Thank you, Mr. Chairman, and I thank the \npanelists for all being here today.\n    As has been mentioned I'm sure many times in the last few \nmonths and even here today, the incident with the police \nofficer who was cooking meth in one of the laboratories, it's \ninteresting, it was last year or in the last Congress I was \nChair of the Oversight Subcommittee, and we were investigating \nthis instance, and it was during that investigation when we \nactually uncovered the plutonium incident. In fact, it was an \nemail. The question was, why wasn't Congress notified of the \nmeth explosion, and an email we uncovered between two senior-\nlevel people was well, we didn't notify Congress about the \nplutonium incident either, and it was a thousand times worse. \nSo I'm just bringing that up to say I hope that the \ncommunications with Congress would--is going to drastically \nimprove with instances.\n    But I want to direct my questions to our response, \nCongress's response, regarding security issues that have \ntranspired at NIST. Last year I sponsored the NIST Campus \nSecurity Act, which ultimately was incorporated into the \nAmerican Innovation Competitiveness Act, which was signed into \nlaw back in January. Now, according to GAO report, physical \nsecurity at NIST was split between the Office of Security and \nNIST, and the American Innovative Competitiveness Act directs \nthe Secretary of Commerce to oversee law enforcement at NIST by \nestablishing the NIST Director of Security. I understand that \nhas been fulfilled, that position. How--are we seeing that with \nthis new position, the new Director is closing the gaps that \nexisted in security between the two offices, Dr. Rochford?\n    Dr. Rochford. Yes, I would agree, and I think one activity \nis the Security Advisory Board in which he works. 
We also have \nweekly meetings between the Office of Security, Director of \nSecurity of NIST and our Emergency Services Office Director \nevery week so we can make sure that day-to-day issues are dealt \nwith.\n    I would like to note in terms of the plutonium incident, I \nwasn't in this job.\n    Mr. Loudermilk. Yes, I understand.\n    Dr. Rochford. However, NIST would never keep things from \nthe Oversight Committee, and that incident in fact did have \nextensive hearings at the time, so we were very forthcoming and \ndid inform Congress during that incident as well.\n    Mr. Loudermilk. Mr. Bagdoyan, I know that the bill that I \nwas referencing assigns GAO to conduct a study evaluating the \nperformance of NIST Police Service Groups. Have you been able \nto assess the improvements or the performance that we've seen \nout of security since the new Director has been put into place?\n    Mr. Bagdoyan. Well, not really. I mean, basically what our \nwork consisted of was testing what was in place at the time. \nObviously having a Director in place is important but what \nwe're testing is the reality on the ground so the Director has \nto make things happen on the ground for us to be able to go \nback at some point, Congressional direction, of course, to take \nanother look and see how things have changed.\n    Mr. Loudermilk. Now, of course we don't want to get into \nareas that are sensitive to reveal----\n    Mr. Bagdoyan. Of course.\n    Mr. Loudermilk. --anything in this session but I don't know \nthe exact time frame of the videos that we saw earlier.\n    Mr. Bagdoyan. Sure.\n    Mr. Loudermilk. But if those occurred within the past year, \nI still have concerns that we have not made strides in the \nright direction.\n    Mr. Bagdoyan. Right.\n    Mr. Loudermilk. Is there still a lot of improvement that \nneeds to be done?\n    Mr. Bagdoyan. Yes, we can certainly try and address that \npoint, Mr. Loudermilk, in a closed session.\n    Mr. Loudermilk. Okay. 
Thank you.\n    Dr. Rochford, do you agree that we still have a lot of area \nthat needs to be covered?\n    Dr. Rochford. Absolutely.\n    Mr. Loudermilk. Okay.\n    Dr. Rochford. And as I'd mentioned, a lot of this is driven \nby culture, and that we can change.\n    Mr. Loudermilk. Thank you.\n    Since I have a few more seconds, Mr. Bagdoyan, in your \ntestimony you described overlapping risk management activities. \nTo what extent did you witness duplicative activities and what \nare the consequences of such duplication?\n    Mr. Bagdoyan. Well, witnessing obviously is performing the \nassessments themselves, then devising security policies that \nare at least in part derived from those assessments. If they're \nnot sufficiently coordinated and essentially collaborated on, \nthen you might end up having two different lines of thinking in \nterms of what is risky and what the countermeasures are and \nwhat resources are needed to be devoted to those \ncountermeasures.\n    Mr. Loudermilk. Thank you. And Dr. Rochford, this--you're \ninheriting a lot of the problems that existed, and just my \nfinal question, do you have a plan in place to reduce the \nduplication between the two?\n    Dr. Rochford. Yes. In fact, much of what I think was seen \nas duplication was in fact coordination. We've often started \nour work using from documents derived from the Office of \nSecurity. As a manager I do have to make some resource \nallocation decisions so clearly those are things I can do in \nconjunction with the Office of Security. But we do that through \ncoordination with our Security Advisory Board, which does have \nOSY and its personnel.\n    Mr. Loudermilk. Thank you. I yield back.\n    Chairman LaHood. Thank you.\n    At this time we recognize Mr. Perlmutter for his questions.\n    Mr. Perlmutter. Thank you, Mr. Chair.\n    Mr. Bagdoyan, how often does the GAO conduct kind of \ninvestigations like this where you do, I mean kind of sting \noperations, if you will? 
I'm familiar with TSA operations where \nsometimes you go in and see if you can sneak through the \nsecurity there. How often do you guys do this?\n    Mr. Bagdoyan. Well, they do take a lot of time to develop \nand implement. Of course, all of our investigative work is \nderived from Congressional requests so we do get them \nperiodically. You're absolutely right about TSA and the \ntransport sector overall. We have done, as you may know, in the \npast work looking at the Affordable Care Act and its enrollment \ncontrols. I testified on that on several occasions in recent \nyears. We most recently completed work on the FCC's lifeline \nprogram where we used undercover resources to attempt to enroll \ninto the program, and we were mostly successful. So it \nbasically runs the gamut. Again, it's driven by Congressional \ninterest and request so we play in various different spaces, \nand I would point out that no one investigation is the same as \nanother. They're all very unique.\n    Mr. Perlmutter. Thank you.\n    So Dr. Marshall is from Kansas, and he has questions, Dr. \nRochford, about the Boulder campus and putting up a fence. So \njust listening to this, I think you've got to bifurcate between \nsafety and security. They're two different things. So the \nplutonium was a safety issue. It wasn't like somebody was \nstealing it. But the security issue is, you have a guy roaming \naround the campus through an open window, for goodness sakes, \nfor hours before anybody discovered him. So I don't know about \nputting a fence up in Boulder. That's going to take forever to \nget something like that done, but you certainly can harden the \nsecurity for each building. What steps are you taking on that?\n    Dr. Rochford. That's absolutely correct, and we have taken \na number of steps in that regard. We've added additional \nengineering controls at the perimeters of the buildings. We've \nimproved internal alarming in areas where we have windows of \nthat nature. 
In fact, it wasn't an open window. What it was,
was a temporary window in which we were doing laser experiments
on the mesa, so it was easily broken. Now that's----
    Mr. Perlmutter. That's been fixed?
    Dr. Rochford. There's other things we can--yes, that's been
fixed, and we can talk about details.
    Mr. Perlmutter. All right. Let's talk about the plutonium
for just a second, and obviously in our area, we've dealt with
issues pertaining to plutonium with Rocky Flats and all of
that. I guess just as a neighbor of this laboratory, I wasn't
aware that you guys were a storage facility. You're a
laboratory. And to the degree that you are a storage facility,
I hope that that's part of the approach you're taking, and I'd
say to Commerce as well, that should be going to the Department
of Energy or somebody else. You can react to that if you will.
    Dr. Rochford. So in fact, we are not a storage facility. In
that particular incident, we had an exceedingly small quantity
of plutonium that was being used to measure sensors and
detectors that were going to be used for non-proliferation
activities. However, there is no exceedingly small amount of
plutonium, so we had to manage it very carefully. Since then we
have only in Boulder used what are known as sealed sources.
    Now, in Gaithersburg, we have a radiation physics division.
We do have a number of sources, and these are used as
measurement standards to calibrate things as diverse as
radionuclides for medicine to things for non-proliferation for
other activities.
    Mr. Perlmutter. So I just--now I'm going to get on my
political high horse for a second.
I mean, obviously I'm
listening to my friends on the Republican side of the aisle
talk about radiation and these small amounts and the danger
that comes from it, and I would just say as I just did in the
Financial Services Committee, the President just openly talking
about nuclear arms and building of stockpiles and all of that
stuff, there's real danger there, and we all know that, and
that rhetoric is dangerous, and so with that I yield back to
the Chairman.
    Chairman LaHood. Thank you, Mr. Perlmutter.
    I now recognize Mr. Higgins of Louisiana for his questions.
    Mr. Higgins. Thank you, Mr. Chairman.
    Mr. Bagdoyan, as Director for the GAO's Forensic Audits and
Investigative Services, I thank you for your service to your
country, sir.
    Mr. Bagdoyan. Thank you.
    Mr. Higgins. Looking at your bio, you have an extensive
background of security, critical infrastructure protection,
risk management, and homeland security. Would you concur that
you're an accomplished investigator?
    Mr. Bagdoyan. I would like to think so.
    Mr. Higgins. One would like to think so. My background is
in law enforcement, sir. Would you also agree that it's just
human nature that over time if there's been no critical
incident, there develops sort of a relaxed culture of security
at entry and perimeter security? Would you concur that that's
generally true and----
    Mr. Bagdoyan. Yes, it's possible that over time that
happens----
    Mr. Higgins. Thank you.
    Mr. Bagdoyan. --if you don't pay attention.
    Mr. Higgins. However, given the incidents of July of 2015
and April of 2016, those security breaches, as an
experienced and accomplished law enforcement professional and
security expert, wouldn't you concur that the heightened
awareness should have existed by the time your agents began
your undercover probes?
    Mr. Bagdoyan. That would be a logical response, yes.
    Mr. Higgins.
And it was your team that conducted the
security evaluation of NIST. Is that not--is that correct?
    Mr. Bagdoyan. Yes. My investigative colleagues performed
that work.
    Mr. Higgins. How many individuals made up the team of GAO
undercover staff?
    Mr. Bagdoyan. That I will defer answering until a closed
session.
    Mr. Higgins. I understand. Was there more than one agent?
    Mr. Bagdoyan. I'll reserve on that one. Thanks.
    Mr. Higgins. Your one or potentially more than one were
quite successful though, were they not?
    Mr. Bagdoyan. That's what the record shows, yes.
    Mr. Higgins. At any point during the course of your
undercover investigation did the GAO agents have potential
access or were they in a close vicinity of a NIST computer?
    Mr. Bagdoyan. I'll have to defer answering that, sir,
sorry.
    Mr. Higgins. Were they in a building where computers
existed?
    Mr. Bagdoyan. Same answer.
    Mr. Higgins. Would your staff have had the opportunity to
insert a thumb drive on one of these perhaps nonexistent
computers----
    Mr. Bagdoyan. I'll----
    Mr. Higgins. --thereby infecting the system with a virus?
    Mr. Bagdoyan. I'll defer answering that.
    Mr. Higgins. Did your staff have access to laboratories?
    Mr. Bagdoyan. Same answer.
    Mr. Higgins. So in these buildings that your staff was able
to enter, is it reasonable to presume that there were offices
with computers and perhaps laboratories, given the fact that
that's why these buildings exist?
    Mr. Bagdoyan. That's what NIST exists for so that's a safe
assumption.
    Mr. Higgins. It would be a reasonable presumption, would it
not?
    Mr. Bagdoyan. Yes, sir.
    Mr. Higgins. Isn't it true that a deranged individual
wandered around the Boulder, Colorado, NIST campus and required
medical attention because he accessed an area which houses
toxic chemicals?
    Mr. Bagdoyan. That's my understanding of the incident.
I
don't know whether he was deranged or not but he certainly
didn't belong where he was.
    Mr. Higgins. Is the Boulder facility fenced?
    Mr. Bagdoyan. It is not.
    Mr. Higgins. Thank you. Were there any mechanisms in place
to warn the guards that this individual was present, an alarm
system or something of that nature?
    Mr. Bagdoyan. I don't know.
    Mr. Higgins. Did the folks on the ground at Boulder know
how long this gentleman, what was the duration of time that he
wandered undetected?
    Mr. Bagdoyan. I don't know, Mr. Higgins.
    Mr. Higgins. Mr. Chairman, we have reviewed videos of the
GAO undercover staff conducting testing of the physical
security of these campuses, and I respectfully submit that the
Department has considered this sensitive information and not
appropriate for the public to see. But as an experienced former
law enforcement officer, these videos do show evidence of
repetitive failures of the security in place at these
facilities and the need for substantial improvement from NIST
and the Department, and I respectfully submit that these videos
should be made public so that NIST be held accountable by the
broader public, by we, the people, and by the taxpayers that we
represent as opposed to just the members of this Committee, and
with that, I respectfully yield back, Mr. Chairman.
    Chairman LaHood. Thank you, Mr. Higgins, for your
questions, and I think that concludes all the questions from
Committee members at this time.
    Let me just in closing thank you for being here and for
your valuable testimony.
I think collectively both Republicans
and Democrats here today have expressed concern for what went
on here with these three breaches and are going to be watching
and monitoring to make sure that the implementation of the
suggestions is put through and that we do everything we can to
make sure that these facilities are secure and safe moving
forward.
    I would also ask that there were a number of requests made
by members here today, that those be followed up by the
witnesses. The record will remain open for two weeks for
additional comments and written questions from members.
    Pursuant to House Rule 11(g)(2) and the previous vote of
the Subcommittees, the remainder of the hearing will be closed
to the public because the disclosure of the testimony that
may be heard may compromise sensitive law enforcement
information. The clerk will clear the room. Only Members of
Congress, their staff, and witnesses may remain in the room.
Once that's done, we'll begin the executive session.
    [Whereupon, at 11:24 a.m., the Subcommittees proceeded in
closed session.]

                               Appendix I

                              ----------


                   Answers to Post-Hearing Questions

Responses by Ms. Lisa Casias and Dr. Kent Rochford

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Responses by Mr. Seto Bagdoyan

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

</pre></body></html>