[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




 
               NIST'S PHYSICAL SECURITY VULNERABILITIES: 
                        A GAO UNDERCOVER REVIEW

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON OVERSIGHT &
                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            October 11, 2017

                               __________

                           Serial No. 115-31

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 
 
 
 
       Available via the World Wide Web: http://science.house.gov
       
       
       
       
                              _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 27-178 PDF                 WASHINGTON : 2018       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  ALAN GRAYSON, Florida
THOMAS MASSIE, Kentucky              AMI BERA, California
JIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas                MARC A. VEASEY, Texas
STEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas                   JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California
GARY PALMER, Alabama                 ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DARIN LaHOOD, Illinois               MARK TAKANO, California
DANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana                   CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
                                 ------                                

                       Subcommittee on Oversight

                   HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida                  DONALD S. BEYER, Jr., Virginia, 
THOMAS MASSIE, Kentucky                  Ranking Member
GARY PALMER, Alabama                 JERRY MCNERNEY, California
ROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado
CLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             ELIZABETH H. ESTY, Connecticut
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
DARIN LaHOOD, Illinois               SUZANNE BONAMICI, Oregon
RALPH LEE ABRAHAM, Louisiana         AMI BERA, California
DANIEL WEBSTER, Florida              DONALD S. BEYER, JR., Virginia
JIM BANKS, Indiana                   EDDIE BERNICE JOHNSON, Texas
ROGER W. MARSHALL, Kansas
LAMAR S. SMITH, Texas

                            C O N T E N T S

                            October 11, 2017

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Darin LaHood, Chairman, Subcommittee 
  on Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................     4
    Written Statement............................................     8

Statement by Representative Donald S. Beyer, Jr., Ranking Member, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................    10
    Written Statement............................................    12

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........    14
    Written Statement............................................    16

Statement by Representative Daniel Lipinski, Ranking Member, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........    18
    Written Statement............................................    19

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................    20
    Written Statement............................................    21

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives.............................................    23
    Written Statement............................................    24

                               Witnesses:

Ms. Lisa Casias, Deputy Assistant Secretary for Administration at 
  U.S. Department of Commerce
    Oral Statement...............................................    25
    Written Statement (Joint statement with Dr. Kent Rochford)...    27

Dr. Kent Rochford, Acting Under Secretary of Commerce for 
  Standards and Technology and Acting Director at National 
  Institute of Standards and Technology
    Oral Statement...............................................    34
    Written Statement (Joint statement with Ms. Lisa Casias).....    27

Mr. Seto Bagdoyan, Director, Audit Services at U.S. Government 
  Accountability Office
    Oral Statement...............................................    35
    Written Statement............................................    38

Discussion.......................................................    50

             Appendix I: Answers to Post-Hearing Questions

Ms. Lisa Casias, Deputy Assistant Secretary for Administration at 
  U.S. Department of Commerce, and Dr. Kent Rochford, Acting 
  Under Secretary of Commerce for Standards and Technology and 
  Acting Director at National Institute of Standards and 
  Technology.....................................................    70

Mr. Seto Bagdoyan, Director, Audit Services at U.S. Government 
  Accountability Office..........................................    72


               NIST'S PHYSICAL SECURITY VULNERABILITIES:



                        A GAO UNDERCOVER REVIEW

                              ----------                              


                      Wednesday, October 11, 2017

                  House of Representatives,
                      Subcommittee on Oversight and
            Subcommittee on Research and Technology
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:14 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Darin 
LaHood [Chairman of the Subcommittee on Oversight] presiding.

    Chairman LaHood. The Subcommittee on Oversight and the 
Subcommittee on Research and Technology will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time.
    I want to welcome everyone to today's hearing titled 
``NIST, the National Institute of Standards and Technology, 
Physical Security Vulnerabilities: a GAO Undercover Review.'' I 
have a few brief remarks before we move into opening 
statements.
    Committee Members and staff just viewed three short videos 
produced by GAO. At the request of the Department of Commerce, 
these videos have been labeled law enforcement sensitive, which 
means the agency has determined that they contain sensitive but 
not classified information. I remind Members that while they 
may ask questions today concerning GAO's investigation, 
witnesses may respond but there are answers that can only be 
addressed in a closed, non-public setting. Please be mindful of 
this fact here today.
    I would like to instruct the witnesses to answer to the 
best of their ability, but should an answer call for sensitive 
information, it may be addressed when we move into executive 
session at the end of the hearing.
    We will now vote to authorize the Subcommittees to enter 
into executive session at the end of the hearing.
    The Clerk. Mr. LaHood.
    Chairman LaHood. Pursuant to House Rule 11(g)(2), I move 
that upon completion of all present members' questions under 
the five minute rule, the remainder of the hearing be closed to 
the public because the disclosure of the testimony to be heard 
may compromise sensitive law enforcement information. The clerk 
will call the roll.
    The Clerk. Mr. LaHood?
    Chairman LaHood. Yes.
    The Clerk. Mr. LaHood votes aye.
    Mrs. Comstock?
    Mrs. Comstock. Aye.
    The Clerk. Mrs. Comstock votes aye.
    Mr. Lucas?
    [No response.]
    The Clerk. Mr. Hultgren?
    [No response.]
    The Clerk. Mr. Posey?
    [No response.]
    The Clerk. Mr. Massie?
    [No response.]
    The Clerk. Mr. Knight?
    [No response.]
    The Clerk. Mr. Loudermilk?
    Mr. Loudermilk. Aye.
    The Clerk. Mr. Loudermilk votes aye.
    Mr. Abraham?
    [No response.]
    The Clerk. Mr. Webster?
    [No response.]
    The Clerk. Mr. Banks?
    Mr. Banks. Aye.
    The Clerk. Mr. Banks votes aye.
    Mr. Marshall?
    Mr. Marshall. Aye.
    The Clerk. Mr. Marshall votes aye.
    Mr. Higgins?
    Mr. Higgins. Aye.
    The Clerk. Mr. Higgins votes aye.
    Mr. Norman?
    Mr. Norman. Aye.
    The Clerk. Mr. Norman votes aye.
    Mr. Beyer?
    Mr. Beyer. Aye.
    The Clerk. Mr. Beyer votes aye.
    Mr. Lipinski?
    Mr. Lipinski. Aye.
    The Clerk. Mr. Lipinski votes aye.
    Ms. Bonamici?
    Ms. Bonamici. Aye.
    The Clerk. Ms. Bonamici votes aye.
    Mr. Bera?
    [No response.]
    The Clerk. Ms. Esty?
    Ms. Esty. Aye.
    The Clerk. Ms. Esty votes aye.
    Ms. Rosen?
    [No response.]
    The Clerk. Mr. McNerney?
    Mr. McNerney. Aye.
    The Clerk. Mr. McNerney votes aye.
    Mr. Perlmutter?
    [No response.]
    The Clerk. Mr. Chairman, 12 Members voted aye. No Members 
voted nay.
    Mr. Perlmutter. Aye.
    The Clerk. Mr. Perlmutter votes aye. Thirteen Members voted 
aye. No Members voted nay.
    Chairman LaHood. There being 13 ayes and zero nos, the 
motion is agreed to.
    Once Members have finished their questioning under the five 
minute rule, the clerk will clear the room. Only Members of 
Congress, their staff, and the witnesses may remain in the 
hearing room.
    At this time I recognize myself for five minutes for an 
opening statement.
    Again, good morning and welcome everyone to today's joint 
subcommittee hearing titled ``NIST's Physical Security 
Vulnerabilities: A GAO Undercover Review.''
    Today we intend to discuss and evaluate GAO's report on its 
assessment of the physical security program at NIST, the public 
version of which is being released in conjunction with this 
hearing. We will hear from GAO about the questions it sought to 
answer in undertaking its assessment, as well as the methods it 
used to assess the current physical security program at NIST. 
We will also look at GAO's findings and the recommendations it 
has made with respect to the physical security program, and the 
steps NIST management must take to satisfy these 
recommendations and fortify its physical security.
    Finally, as part of today's hearing, we will examine 
specific instances where physical security at NIST has failed, 
specifically, an explosion that occurred in July 2015 at the 
NIST campus in Gaithersburg, Maryland, which was caused by a 
security officer's attempt to illegally manufacture 
methamphetamine inside a NIST laboratory, and served as the 
catalyst for the Committee's investigation of physical security 
at NIST.
    However, before we get to that discussion, in light of 
transparency, I would like to describe briefly for the public 
what occurred during the closed portion of today's hearing.
    Prior to gaveling into this open session, Members of the 
Committee examined video evidence of recent physical security 
breaches at NIST campuses. These videos, captured as part of 
GAO's covert vulnerability testing, reveal NIST employees 
failing to adhere to established physical security policies. 
One video in particular shows an undercover GAO agent 
subverting detection by security personnel by employing very 
basic espionage techniques. The evidence produced in these 
videos shines a light on the porous nature of NIST's physical 
security, and are particularly concerning to the Committee, 
especially in light of the fact that the July 2015 meth lab 
explosion served to put NIST on notice that its physical 
security program was flawed.
    While all of this is discussed in the sensitive version of 
GAO's report, it is discussed only briefly in the public 
version being released today, and while certain information is 
undoubtedly sensitive and must remain concealed from those who 
would use it for nefarious purposes, nothing I just explained 
rises to that level. In fact, I believe that this information 
is vital to ensuring that such breaches are prevented in the 
future at NIST and other federal agencies.
    Before concluding, I would like to focus briefly on some 
positive aspects of GAO's report. Specifically, the report 
indicates that the Commerce Department agreed with all of GAO's 
recommendations, which is the first step toward implementation. 
Additionally, the report emphasized that NIST has taken some 
steps to further notify and improve its physical security 
program. Specifically, GAO found that NIST management had three 
independent assessments of its physical security program 
conducted following the July 2015 incident, and that NIST has 
current plans to implement new physical security policies and 
procedures as the result of those assessments.
    The work that NIST performs is extremely valuable to our 
Nation. From development of the Cyber Framework to standards 
used throughout industry and academia alike, NIST's work must 
continue to thrive. In doing so, however, we must ensure the 
safety and security of those endeavoring to carry out the NIST 
mission, just as we must ensure the protection of physical and 
intellectual assets entrusted to NIST's care.
    I look forward to hearing from our witnesses about the 
status of these new policies and procedures, steps taken toward 
their implementation, and what NIST and the Department of 
Commerce intend to do in order to carry out GAO's 
recommendations.
    [The prepared statement of Chairman LaHood follows:]
    
    Chairman LaHood. I now recognize the Ranking Member, the 
gentleman from Virginia, for his opening statement.
    Mr. Beyer. Thank you very much, and thank you, Chairman 
LaHood and Chairwoman Comstock for calling this meeting. Thanks 
to all of you for being here.
    The National Institute of Science and Standards and 
Technology is a vital federal science agency that for more than 
a hundred years has helped push American innovation in areas as 
diverse as computer chips, nanoscale devices, the smart 
electric power grid, and earthquake-resistant skyscrapers. The 
advanced technologies being developed and pioneering research 
being conducted at NIST makes security of its facilities and 
technologies critically important.
    Unfortunately, security at NIST at both the Gaithersburg, 
Maryland, and Boulder, Colorado, campuses has been a struggle. 
As Chairman LaHood pointed out, in July 2015, a NIST police 
officer attempting to brew methamphetamine in a little-used 
laboratory on the Gaithersburg campus was injured in an 
explosion. He was subsequently arrested, fired, and is 
currently serving a 41-month prison sentence. In April 2016, a 
non-NIST employee gained access to a secure lab on NIST's 
Boulder, Colorado, campus. In May 2017, a paraglider landed on 
the grounds of the Colorado campus, and in June 2017 a member 
of NIST's police force was arrested and charged with first- and 
second-degree assault by the Frederick County Sheriff's 
Department in Maryland.
    Today, we'll discuss the GAO's recent security review at 
both campuses, and this showed significant issues with NIST's 
security structure, operating procedures, and performance. 
Security awareness training for NIST employees should be 
increased, and the agency's guard force must improve their 
attentiveness to potential threats, the effectiveness of NIST's 
security procedures must be thoroughly assessed, and a 
comprehensive communication strategy that can help identify and 
resolve potential security threats should be implemented.
    My biggest concern regarding security at NIST is the 
security structure. It's fragmented, inefficient and in some 
cases inadequate. The Department of Commerce oversees the 
security personnel at NIST who implement physical security 
policies, for example, while NIST manages access control 
technologies and other physical security countermeasures. This 
security structure violates best practice for security, which 
calls for centrally managing physical security assets and 
operations. Without a cohesive organizational structure, it 
seems inevitable that gaps in security will continue to emerge, 
and the management of NIST's security will be inefficient and 
potentially ineffective.
    GAO in its review pointed out further problems with NIST 
security management that we'll hear about, but it's also worth 
noting the positive stuff, that NIST has made positive 
commitment to improving security. Seventy-five percent of NIST 
staff surveyed by GAO believed that NIST's leadership places a 
great or very great importance on security issues, and this 
commitment to security is really encouraging, but I expect the 
leadership at the Department of Commerce and NIST to work 
together to fully and quickly address the issues outlined.
    You know, the science and technology research and programs 
carried out at NIST helps U.S. businesses grow, it strengthens 
the U.S. economy, and expands our scientific and technical 
knowledge. So we in Congress and the public expect NIST to not 
only protect their vital resources, and in some cases hazardous 
materials, from potential threats, but also to protect NIST's 
employees, visiting scientists and others from physical 
security risks.
    I'd like to point out that the Acting Director, Dr. Kent 
Rochford, only stepped into this role in January, so thank you 
for being here today and helping tell us how you plan to 
address these issues.
    And finally, I'd like to note my disappointment, the 
disappointment of our Minority team with the Department of 
Commerce and NIST for their late submittal of the testimony 
less than 24 hours ago, despite a 48-hour deadline. And both 
Majority and Minority I think were surprised that the joint 
written testimony came from both Commerce and NIST, and perhaps 
you can talk about that in your testimony.
    So Chairman LaHood, thank you very much for calling this 
meeting. Thank you to all of our witnesses, and we look forward 
to a productive meeting.
    [The prepared statement of Mr. Beyer follows:]
    
    Chairman LaHood. Thank you, Mr. Beyer.
    I now recognize the Chairwoman of the Research and 
Technology Subcommittee, Ms. Comstock, for her opening 
statement.
    Mrs. Comstock. Thank you, Mr. Chairman.
    This Committee has a strong record of bipartisan support 
for the National Institute of Standards and Technology (NIST). 
NIST promotes U.S. innovation and competitiveness by advancing 
measurement science, standards, and technology.
    Today, we will be discussing a handful of dangerous 
physical security breaches at NIST's two campuses in 
Gaithersburg, Maryland, and Boulder, Colorado. Unfortunately, 
this isn't the first hearing we have held on this subject, but 
we certainly hope that it will be the last and certainly hope 
we can identify how can we move forward on improvements.
    Lack of security at NIST facilities is a direct, serious 
threat to the safety and well-being of thousands of federal 
workers, a steady stream of scientists and technologists who 
visit NIST facilities every day, and sizable populations of 
people who live and work near the NIST facilities.
    NIST's campus security has been a growing concern of the 
Committee since the July 2015 explosion at NIST's Gaithersburg 
facility, which revealed a NIST police officer, a former acting 
chief of NIST police, was operating an illegal meth lab at a 
NIST building. This event was the catalyst for bringing to 
light other security breaches at the Gaithersburg campus. Not 
quite one year later, in April 2016, another, no less serious 
incident occurred in Boulder, Colorado. A man without 
identification walked onto the NIST campus and was able to 
enter a building and laboratory where hazardous chemicals were 
stored. Fortunately, this man wasn't intent on playing around 
with laboratory chemicals and equipment or causing other 
damage. He instead roamed about the building and made himself 
at home.
    Fortunately, the meth lab at the NIST Gaithersburg campus 
exploded on a weekend evening, not that it's fortunate but at 
least it was a weekend when NIST staff and visitors weren't 
there. But luck does run out.
    We are going to hear this morning from NIST and Department 
of Commerce witnesses who will describe steps that were taken 
to shore up physical security after these two incidents. We are 
also going to hear about the results of a GAO investigation 
conducted at our Committee's request, which reveals that there 
are still serious, unaddressed security problems at NIST's 
Maryland and Colorado facilities. What we are going to hear 
today from GAO is serious enough that the Department may not 
allow certain details to be included in the public record.
    NIST must learn from its past and do its best to ensure 
proper security is implemented, and obviously we all here in 
the Committee want to make sure that's the case. This is 
critical for the safety of NIST campuses, its employees, 
visitors, and the surrounding community.
    It is also important not to jeopardize NIST's mission to 
promote U.S. innovation and industrial competitiveness. 
Physical insecurity at NIST's two locations obviously 
jeopardizes the important work done by the agency. Even more 
important, what seems to be huge, unfixed holes in security 
threaten the safety and well-being of approximately 3,000 NIST 
employees, 3,500 visiting professionals government agencies. 
The safety of our people should be the number-one concern. 
Safety is certainly the number-one concern for this Committee.
    I trust this hearing today will mark the end of the 
measures that haven't been successful and the beginning of 
swift, uncompromising action by NIST and the Department of 
Commerce.
    Thank you.
    [The prepared statement of Mrs. Comstock follows:]
    
    Chairman LaHood. Thank you, Chairwoman Comstock.
    I now recognize the Ranking Member of the Research and 
Technology Subcommittee, Mr. Lipinski, for his opening 
statement.
    Mr. Lipinski. I'll start by also thanking Chairman LaHood, 
Chairwoman Comstock, Chairman Smith for calling this hearing, 
and thank the witnesses for being here. I'll keep this brief as 
my colleagues have stated many of the issues and concerns that 
I also have.
    The National Institute of Standards and Technology is a 
national treasure. I know of no other agency that has such a 
widespread impact with so modest a budget: Nobel Prize-winning 
research, leadership standards development benefiting every 
sector of our economy, acceleration of advanced manufacturing 
on U.S. shores, and improvement of cybersecurity in both the 
government and the private sector. NIST's leadership in 
measurement science and their work in cybersecurity and so many 
other important areas of technology is unimpeachable.
    Today, however, we will learn in some detail about how NIST 
has not applied the same rigor and discipline to the physical 
security of its facilities. A new report from GAO, being 
released with this hearing, identifies several weaknesses in 
NIST's policies and procedures for physical security. The GAO 
report further discusses the challenges caused by the 
fragmentation of oversight of NIST security between NIST and 
its parent agency, the Department of Commerce. GAO makes a 
number of recommendations to both NIST and Commerce on how to 
improve physical security on the two NIST campuses in 
Gaithersburg, Maryland, and Boulder, Colorado. Those 
recommendations are not prescriptive; rather they lay out or 
reference a clear process for the development of action plans 
and timetables to address each identified weakness in current 
policies and procedures.
    While it is premature to ask NIST and Commerce for detailed 
plans, I expect to hear from them today how they plan to 
proceed in addressing each of GAO's recommendations, and what 
steps they have already taken.
    I want to thank each of the witnesses for being here this 
morning. This hearing is not as fun for anyone as the science-
and-technology-focused hearings that we're more used to in the 
Research and Technology Subcommittee, but it is certainly no 
less important. I take our oversight responsibilities 
seriously, and I believe the agencies before us take their 
security seriously. I look forward to learning more about the 
agencies' security plans going forward.
    I yield back the balance of my time.
    [The prepared statement of Mr. Lipinski follows:]
    
    Chairman LaHood. Thank you, Mr. Lipinski.
    I now recognize the Chairman of the full Committee, Mr. 
Smith, for his opening statement.
    Chairman Smith. Thank you, Mr. Chairman.
    The GAO conducted a comprehensive review of NIST's physical 
security posture. They used covert tactics and they found 
gaping holes in the agency's ability to protect their campuses. 
Undercover agents succeeded in breaching numerous checkpoints.
    Today, I want to thank the GAO for their work. Their 
findings are alarming and confirmed our worst suspicions: NIST 
campuses are sieves.
    On July 22, 2015, this Committee launched an investigation 
of NIST's security in the wake of chemical--of a chemical 
explosion and fire at the Gaithersburg, Maryland, campus. On 
July 18, 2015, the acting chief of the police services group, 
or ``PSG,'' attempted to manufacture the illegal drug meth in 
one of NIST vacant laboratories. The local Gaithersburg, 
Maryland, police and fire departments responded to the scene 
and began a criminal investigation.
    On January 7, 2016, this high-ranking PSG officer was 
sentenced to three and a half years in jail for manufacturing 
meth. Slowly we learned this was only the tip of the iceberg.
    According to a July 2016 Department of Commerce Office of 
Inspector General's report, the very officer who caused the 
explosion on NIST's campus also had committed time and 
attendance fraud by claiming hours that he did not actually 
work. He was not the only officer engaged in this misconduct.
    The final straw for the Committee was the April 2016 
incident in Boulder, Colorado, where an unknown individual was 
found wandering in a NIST building. After this incident, we 
contacted GAO and asked them to investigate. While law 
enforcement personnel has stepped in and handled many of these 
incidents, and the GAO has disclosed their findings to the 
Department and NIST, I'm not convinced that NIST will actually 
achieve the necessary goal: a secure NIST compound at 
Gaithersburg and Boulder.
    GAO, as I understand it, remains concerned that the Police 
Services Group and the security structure within NIST has not 
received proper scrutiny, a concern that is bolstered by the 
revelation that GAO agents successfully penetrated NIST 
campuses in 15 out of 15 attempts during their covert 
vulnerability testing. By the way, that is just incredible: 15 
out of 15. Not much security there.
    Now we have a new Administration in place, a pending 
nominee for NIST Director, and GAO's recommendations, I urge 
NIST and the Department to work together for comprehensive 
security reform.
    Thank you, Mr. Chairman. I'll yield back.
    [The prepared statement of Chairman Smith follows:]
    
    Chairman LaHood. Thank you, Chairman Smith.
    I now yield to the Ranking Member of the full Committee, 
Ms. Johnson, for her opening statement.
    Ms. Johnson. Thank you, Mr. Chairman.
    Thank you very much, Mr. Chairman, and good morning. 
Welcome to our witnesses. I'd like to thank you and Chairman 
Comstock for holding this important hearing on the state of 
physical security at the National Institute of Standards and 
Technology (NIST).
    NIST has had a number of serious problems with physical 
security in recent years. A rogue NIST police officer injured 
himself and damaged a NIST building in Gaithersburg while 
attempting to manufacture methamphetamines.
    Additionally, there was a troubling incident of an 
unauthorized individual wandering around a supposedly secure 
building at the NIST Boulder campus.
    These events spurred the Department of Commerce and NIST to 
review NIST's security practices and attempt to improve 
physical security at the NIST facilities. NIST requested 
independent assessments and developed an Action Plan based on 
those assessments.
    Under the current Acting Director, Dr. Rochford, NIST has 
continued to focus on improving its security culture. While 
there may have been improvements to NIST's security culture, 
there appears to be plenty of room for additional improvements.
    We learned from GAO's just-released report that the GAO 
agents were recently able to gain unauthorized access to areas 
of both the Gaithersburg, Maryland, and Boulder, Colorado, NIST 
campuses. It is particularly troubling that GAO's efforts were 
so successful even after NIST had taken steps to improve 
security. I look forward to hearing today from Acting Director 
Rochford about how NIST plans to respond to the GAO 
recommendations, including specific corrective actions and 
approximate timelines for improving and implementing those 
actions. I look forward to hearing from Ms. Casias about the 
Department of Commerce's plan to address the bifurcated 
organizational structure of NIST physical security programs. I 
would also like to know what actions the Department of Commerce 
plans to take to ensure NIST security services operate at 
maximum effectiveness.
    The protection of federal facilities, employees, 
contractors, and guests is of the utmost concern to me and this 
Committee. NIST specifically has valuable research and 
technology that must be protected as well. I look forward to 
hearing from our witnesses about how NIST security services can 
better meet its mission.
    I thank you, and yield back.
    [The prepared statement of Ms. Johnson follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    Chairman LaHood. Thank you, Ms. Johnson.
    Let me now introduce our witnesses. Our first witness today 
is Ms. Lisa Casias, Deputy Assistant Secretary for 
Administration at the Department of Commerce. She previously 
served as the Deputy Chief Financial Officer and Director for 
Financial Management at the Department. Ms. Casias received her 
bachelor's of business administration in public accounting from 
Pace University.
    Our second witness today is Dr. Kent Rochford, Acting Under 
Secretary of Commerce for Standards and Technology, and Acting 
Director of the National Institute of Standards and Technology 
(NIST). He previously served as the Director of NIST Boulder 
Labs and Communications Technology Laboratory headquartered in 
Boulder, Colorado. Dr. Rochford received his bachelor's degree 
in electrical engineering at Arizona State University, his MBA 
from the University of Colorado, and his Ph.D. in optical 
sciences from the University of Arizona.
    Our third witness is Mr. Seto Bagdoyan, Director of 
Forensic Audits at the U.S. Government Accountability Office 
(GAO). Mr. Bagdoyan has previously served as the GAO 
Acting Director for Strategic Issues and as the Assistant 
Director for Congressional Relations at GAO. Mr. Bagdoyan 
received his bachelor's degree in international relations and 
economics from Claremont McKenna College and his MBA in 
strategy from Pepperdine University.
    I now recognize Ms. Casias for five minutes to present her 
testimony.

                 TESTIMONY OF MS. LISA CASIAS,

                   DEPUTY ASSISTANT SECRETARY

                     FOR ADMINISTRATION AT

                  U.S. DEPARTMENT OF COMMERCE

    Ms. Casias. Thank you, Chairman LaHood, Ranking Member 
Beyer, Chairman Comstock, Ranking Member Lipinski, and 
distinguished members of the Subcommittees.
    I am Lisa Casias, the Deputy Assistant Secretary for 
Administration at the U.S. Department of Commerce. In this 
role, I oversee the Department's Office of Security and its 
functions and personnel. I appreciate the opportunity to appear 
before you today to discuss the Department's response to the 
Government Accountability Office report titled ``Physical 
Security: NIST and Commerce Need to Complete Efforts to Address 
Persistent Challenges.''
    Let me first thank GAO for its important work, which we 
will use to help strengthen security at NIST. I want the 
Committee to know that the Department of Commerce shares the 
GAO's and this Committee's concerns about physical security at 
NIST. The Department is proud of NIST's mission to promote U.S. 
innovation and industrial competitiveness through advancing 
measurement science, standards, and technologies in ways that 
enhance economic security and improve our quality of life.
    However, our highest priority is the safety of all of our 
staff, guest workers, and visitors. We have carefully reviewed 
the draft report, and I can tell you that the findings revealed 
shortcomings that are absolutely unacceptable, and I know that 
Dr. Rochford agrees. We take the GAO's findings seriously, and 
both the Department and NIST have agreed with all of the 
recommendations set forth in the report. NIST and the 
Department have already taken a number of steps to address the 
concerns raised in the report, and we are together planning 
more actions in the near and long term to close the gaps in 
security identified in the report.
    For example, the Department's Office of Security has 
already implemented a requirement that all security specialists 
conducting facility security assessments be certified in the 
Interagency Security Committee Risk Management Process, or 
``RMP standard.'' To date, 19 of our security specialist staff 
have successfully completed the ISC's RMP standard training and 
all security specialists will be trained in early fiscal year 
2018. We have also scheduled new facility security assessments 
using those trained personnel at both campuses this fiscal 
year.
    Additionally, OSY has completed a draft chapter for the 
Department's Manual for Security Policies and Procedures that 
will align the Department's Risk Management Plan with the 
ISC's RMP standard. This chapter is currently in the review 
process within the Department. In addition to aligning the 
Department's Risk Management Plan with ISC's RMP standard, this 
update incorporates all the recommended elements from the GAO 
report related to campus facility Security Committee's risk 
decision documentation and alternative countermeasure 
recommendations.
    We are also, as the GAO has recommended, reviewing the 
security structure at NIST. This review involves all aspects of 
the relationship between OSY and NIST related to personnel, 
assets, and security, and is part of a coordinated effort 
between the Department and NIST to determine the best approach. 
While there is no one-size-fits-all standard, we are reviewing 
all options available to us. These are only a few of the 
actions we have taken and are taking to ensure our campuses and 
facilities are secure and safe for our employees, guests, and 
others.
    I wanted to reiterate my appreciation to GAO for their 
thoughtful and thorough report. The Secretary and the 
Department are committed to ensuring that our actions in 
response to it are appropriate, effective, and correct. The 
security and safety of all of NIST's and the Department's 
employees are of paramount importance to all of us.
    Thank you for this opportunity to address the report, and I 
look forward to answering your questions.
    [The prepared statement of Ms. Casias and Dr. Kent Rochford 
follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you.
    Dr. Rochford.

                TESTIMONY OF DR. KENT ROCHFORD,

               ACTING UNDER SECRETARY OF COMMERCE

                FOR STANDARDS AND TECHNOLOGY AND

             ACTING DIRECTOR AT NATIONAL INSTITUTE

                  OF STANDARDS AND TECHNOLOGY

    Dr. Rochford. Chairman LaHood, Ranking Member Beyer, 
Chairwoman Comstock, Ranking Member Lipinski, and members of 
the Subcommittee, I'm Kent Rochford, the Acting Under Secretary 
of Commerce for Standards and Technology, and the Acting 
Director of the National Institute of Standards and Technology, 
or ``NIST.'' Thank you for the opportunity to appear before you 
today to discuss NIST's and the Department's response to the 
recently released report by the GAO on physical security at 
NIST.
    I share the Subcommittees' concerns about physical security 
at our campuses, and I thank you for your comments. I also 
appreciate your kind words about our programmatic successes, so 
thank you for that.
    I also appreciate the Subcommittees' support of NIST's 
efforts to improve our security practices and to fully 
implement the recommendations in the report, with which we 
agree. NIST and the Department of Commerce are working to 
foster a positive security culture at both of our campuses, and 
the written testimony outlines the steps that we've already 
taken or plan to take to improve NIST's security posture and 
ensure the successful implementation of the report's 
recommendations.
    The world-class research conducted at NIST needs world-
class facilities to conduct that mission, but just as 
important, NIST needs robust, consistent adherence to standards 
for safety and physical security to ensure our people work in a 
safe environment and that our assets are protected. I am 
committed to working with our partners at the Department to 
achieve this goal.
    As the Acting Director, it's my job to ensure the safety 
and security of our personnel, facilities, property, 
information, and assets, and I take that responsibility very 
seriously, and that's why we are working together with the 
Department's Office of Security to ensure the security of NIST 
staff, so that my co-workers can work safely and securely, and 
to establish local campus security procedures designed to 
protect NIST assets.
    Moreover, NIST continues to work with the Department's 
Office of Security to strengthen the security culture at NIST. 
The GAO notes that we have already had some success but we also 
acknowledge there is still more work to be done. The GAO's 
report made four recommendations. NIST and the Department agree 
with the full extent of these recommendations.
    Upon becoming Acting Director in January of this year, one 
of my first actions was to build on the foundational work 
started by Dr. May and the Department's Office of Security and 
prioritize our activities through a Security Sprint. I 
considered it critically important to take the existing 
information we had, the knowledge we'd gained during the 
previous year, and prioritize our activities to move forward 
with implementation plans.
    The GAO pointed out the importance of improved 
communication with staff concerning physical security 
requirements, and what should be expected of each employee. 
NIST agrees, and we have taken steps to improve our internal 
communications. We've developed an improved set of security 
requirements designed to provide an unambiguous understanding 
of the security responsibilities of all individuals who work at 
NIST.
    Last month, I met with senior NIST leadership and the 
Department's Office of Security to ensure that these 
requirements and expectations were fully understood. This 
afternoon, we will meet with the full complement of NIST 
management and supervisors to ensure that these security 
requirements and expectations are fully understood by all NIST 
leaders. And following that, I will hold all-staff meetings to 
roll out these responsibilities and expectations and training 
requirements that all staff must meet.
    I also initiated the inclusion of a security element in 
all employee performance plans for this fiscal year, ensuring 
that security is afforded the same high level of importance in 
one's job performance as other elements. My intent is to work 
with OSY to drive a change towards a positive security culture. 
These efforts and others will help drive that change.
    Mr. Chairman, NIST has a history of tackling tough problems, 
from research challenges like developing the world's most 
accurate atomic clock to internal challenges such as addressing our 
safety culture. The dedicated people at NIST have committed 
themselves to working toward a common goal of achieving NIST's 
mission. We along with OSY are now in the midst of such an 
effort for physical security. I appreciate the Subcommittees' 
interest in our ongoing work to improve the physical security 
of our campuses, and I welcome your questions. Thank you.
    Chairman LaHood. Thank you, Dr. Rochford.
    Now we'll move to our third witness, Mr. Bagdoyan.

           TESTIMONY OF MR. SETO BAGDOYAN, DIRECTOR,

               AUDIT SERVICES AT U.S. GOVERNMENT

                     ACCOUNTABILITY OFFICE

    Mr. Bagdoyan. Thank you, Mr. Chairman. Chairman Smith, 
Ranking Member Johnson, Chairman LaHood, Chairwoman Comstock, 
Ranking Members Lipinski and Beyer, and members of the 
Subcommittees, I'm pleased to appear before you today to 
discuss GAO's October 2017 report on NIST's physical security 
program. In recent years, incidents at each of its campuses in 
Gaithersburg and Boulder have raised questions about security 
vulnerabilities and NIST's ability to secure its facilities and 
the human, physical, and intellectual capital assets.
    In fiscal year 2017, NIST spent over $600 million on its 
campus laboratories that perform vital work in measurements, 
calibrations, and quality assurance techniques that help 
underpin much of U.S. commerce. Accordingly, this morning I'll 
highlight three of our principal takeaways regarding NIST's 
security at its campuses.
    First, we found that efforts to transform the physical 
security program at NIST have incorporated some key practices, 
particularly with regard to leadership commitment to 
organizational change. For example, though assessments in 2015 
found issues with NIST's security culture, we estimate that 
about 75 percent of personnel we recently surveyed believe that 
NIST leadership places great or very great importance on 
security issues. However, our agents gained unauthorized access 
to various areas at NIST campuses in Gaithersburg and Boulder. 
We can provide details about our unauthorized access efforts 
and certain survey results only during a closed session of this 
hearing.
    Additionally, our survey results showed personnel awareness 
about security responsibilities varied, in part because of the 
limited effectiveness of NIST's security-related communication 
efforts. By incorporating elements of key practices including a 
comprehensive communications strategy, interim milestone dates 
to measure progress, and measures to assess effectiveness, NIST 
will be in a better position to address the security 
vulnerabilities caused by the varied levels of security 
awareness among employees.
    Second, management of NIST's physical security program is 
split between Commerce and NIST. This is inconsistent with the 
federal Interagency Security Committee's physical security best 
practices, which encourage agencies to centrally manage 
physical security. Commerce is responsible for overseeing 
personnel who implement physical security policies while NIST 
manages physical security countermeasures such as access 
control technology leading to fragmentation in 
responsibilities.
    Before implementing the current organizational structure in 
October of 2015, neither Commerce nor NIST assessed whether it 
was the most appropriate way to fulfill NIST's physical 
security responsibilities. Without evaluating management 
options, the current organizational structure may be creating 
unnecessary inefficiencies, thereby inhibiting the 
effectiveness of the security program overall.
    Third, to help federal agencies protect and assess risks to 
their facilities, ISC developed a Risk Management Process 
standard, also known as the ``RMP standard,'' with which 
federal agencies including Commerce generally must comply. 
Commerce and NIST most recently completed risk management steps 
for NIST campuses in 2015 and 2017 but we found that their 
efforts did not fully align with the standard. Neither Commerce 
nor NIST used a sound risk assessment methodology, fully 
documented key risk management decisions, or appropriately 
involved stakeholders, partly because these requirements were 
not in existing policy.
    Further, we found that Commerce and NIST had overlapping 
risk management activities potentially leading to unnecessary 
duplication. According to officials, Commerce and NIST are 
separately drafting new risk management policies. Without 
ensuring that, one, these policies align with the RMP 
standard and, two, NIST policy contains a formal mechanism 
to coordinate with Commerce, future risk management activities 
may be limited in their usefulness and potentially duplicative.
    In closing, I'd underscore that it is essential for 
Commerce and NIST to place a high policy and operational 
priority on deploying preventative security controls to help 
mitigate the vulnerabilities we identified. Otherwise, should 
these vulnerabilities be exploited, NIST's human, physical, and 
intellectual capital will remain at risk. Fully and timely 
implementing our report's four recommendations in addition to 
any other actions Commerce and NIST are taking independently 
would be vital in this regard. To its credit, as both witnesses 
from Commerce have mentioned, the Department has agreed to 
implement all of our recommendations.
    Chairman LaHood, Chairwoman Comstock, Chairman Smith, and 
Ranking Member Johnson, this concludes my remarks. I look 
forward to the Subcommittees' questions.
    [The prepared statement of Mr. Bagdoyan follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    Chairman LaHood. Thank you, Mr. Bagdoyan, and I want to 
thank all the witnesses for your valuable testimony here today.
    The Chair recognizes myself for five minutes of 
questioning.
    I guess I want to first start off and say that I've had the 
opportunity to watch the three videos a couple times now, and 
watching them and observing them, my reaction is disturbing, 
alarming, particularly when you think about the work that goes 
on at the NIST campus in Boulder and in Gaithersburg, the 
sensitive work, the strategic work, the proprietary nature of 
what goes on at these facilities, much of what relates to 
national security, and so when I think about what procedures 
are being put in place now, I'm anxious to hear today those, 
and Mr. Bagdoyan, I was going to start with you.
    After learning of the incident involving the meth lab in 
2015, you would think that there would be measures put in place 
that would prevent something like that or vulnerabilities from 
occurring. Today after hearing what steps have been implemented 
in your recommendations, what can you tell us to assure the 
public that these vulnerabilities have been taken care of? And 
then secondly, are you confident that if you were to do another 
undercover operation in the next month here, that those would 
fail?
    Mr. Bagdoyan. Mr. Chairman, thank you for your questions. 
I'll take the first one obviously first.
    Based on what Dr. Rochford and Ms. Casias have mentioned, I 
think they are taking this seriously. That's good to know, and 
we look forward to receiving more details about what they plan 
on doing in response not only to our recommendations but also 
the incident you mentioned. There's going to be a long-term 
effort. I think what they both described are promising first 
steps. We are probably playing a long game here in terms of 
getting things done. So that would be for the first question.
    The second question, it would definitely be speculative on 
my part to say whether or not anything that would be put in 
place would work, so I'll defer answering that one.
    Chairman LaHood. And what about reassurances that you can 
give to the public that this has been remedied?
    Mr. Bagdoyan. Well, I can't say that it has been remedied. 
As I mentioned, these are first steps. They are promising. They 
are in the right direction. I'll hold the witnesses to their 
word that they are taking this seriously. They both outlined 
various steps that they are taking. Management attention and 
priority is key, as Dr. Rochford mentioned. Training is an 
absolute must. To have a security culture, you have to train 
your people to take it seriously. So that would be my answer.
    Chairman LaHood. Thank you.
    Dr. Rochford, similar to you, give us your assessment on 
what reassurances you can give to the American people here 
today that you've taken these recommendations into account and 
that you're implementing them and that the vulnerabilities are 
no longer there.
    Dr. Rochford. I agree with the Committee that these 
breaches are unacceptable, and I do share your very, very deep 
concern. I also agree with my colleague from GAO. This is going 
to require a culture change. We have the responsibility--I have 
the responsibility for keeping NIST staff safe and secure, and 
we have a responsibility, as you noted, to secure the 
substantial investment that the taxpayers have made to build 
NIST what it is today.
    This breach, I agree, demonstrates the need for clear 
requirements, clear training, greater accountability, and we 
are undertaking all those steps.
    Last month, I met with all senior leadership for a two-hour 
security summit where we described the needs for 
accountability. Today, later today, I actually meet with all 
managers at NIST, and then we're going to have all-hands-staff 
security summits on both campuses that I will personally lead. 
We've developed training, and we'll have mandatory training, 
for all 3,500 and the several thousand associates. So I do 
agree, this is a bit of a long game. It's going to take time to 
have all this training done. But we will do it, and then I will 
personally ensure that the training is taken, and we will 
consider taking measures so we can understand the impact and 
the improvement in our security culture.
    As mentioned, we did undertake a Security Sprint that has 
developed a number of prioritized activities, some of which I 
can mention here, some we can discuss in closed session, but we 
do have an action plan to address a number of issues at NIST.
    Chairman LaHood. Can you talk a little bit about what you 
just mentioned there?
    Dr. Rochford. The Security Sprint?
    Chairman LaHood. Yes.
    Dr. Rochford. What it did is, it certainly pointed out that 
we have a leadership issue. Culture is driven by leadership, 
and I need to take that responsibility to change the culture. 
So we are developing training. We have what we call baseline 
requirements, which will be our first training set. We then 
have additional training for things like criminal behavior, 
action plans, training for active shooter, other potential 
security issues. We have work where we're going to develop a 
Security Advisory Board. We're going to have an executive 
security committee so we can engage leadership on programmatic 
changes to ensure the culture sticks. We've taken some specific 
engineering and access controls that I can talk about in closed 
session, perhaps. We have a range of activities that we'll be 
undertaking over the year.
    When the new confirmed NIST Director is on the job and 
starts, one of my first actions is my intent to brief him on 
these issues, show him the plans that we've undertaken, and 
with his permission continue these actions.
    Chairman LaHood. Thank you, Dr. Rochford.
    I now recognize Mr. Beyer for his questions.
    Mr. Beyer. Thank you, Chairman LaHood, very much.
    Mr. Bagdoyan, in the GAO report you write about the 
fragmented approach to security, which as a person interested 
in management and leadership for a long time, seems pretty 
nonsensical, too many cooks in the kitchen. You've got big 
Commerce responsible for the outside piece, NIST responsible 
for the cameras and the locks, and how did this divided 
approach come about and what can we do to fix it?
    Mr. Bagdoyan. Thank you for your question, Mr. Beyer. I 
think in the first part, it originated back in late 2015, I 
believe, once NIST received, or Commerce received delegated 
authority for NIST police to act as federal law enforcement 
agents. So that was delegated by the Federal Protective 
Service. And then in 2017, the American Innovation and 
Competitiveness Act essentially directed Commerce to have an 
overall role in setting security policy and practice but also 
NIST maintained its ability to perform its security-related 
duties as it saw fit consistent with its culture that it was 
trying to build at that time. So in a very high level, that's 
the origin of the split.
    I would agree with you that having a split situation like 
this is not really consistent with best practice according to 
federal standards, and it does lead to inefficiencies, 
especially when the two parties really don't coordinate or 
collaborate. Sometimes it's fine to have two distinct streams 
of oversight over a major program like this, but if they don't 
talk with each other, they end up doing separate risk 
assessments and so forth. That is definitively 
counterproductive and hinders effectiveness overall.
    Mr. Beyer. In your perception, we'd probably need to amend 
that Act in order to be able to centralize the security?
    Mr. Bagdoyan. Well, that certainly would be one option. 
That would be up to Congress. It's certainly not for me to 
prescribe but I think in the past it has been noted that in 
order to fix this, I believe one of the assessments that NIST 
did pointed out that the only remedy was a statutory fix. On 
the other hand, we know of no plans to pursue such a fix at the 
Department level.
    Mr. Beyer. Very good. Thanks.
    Dr. Rochford, I was in an embassy overseas for four years, 
and every night the Marines would go office to office and look 
at the stuff on everyone's desk, and if somebody had classified 
material out, there was a report the next morning, and the 
very--and no one wanted to have a report which came back to 
Washington. Is there any reporting program like that at Boulder 
or in Gaithersburg, where it's a guard who lets somebody in who 
shouldn't have been let in with a bad badge or papers left out 
on desks that shouldn't have been let out?
    Dr. Rochford. We do have incident reporting on both 
campuses that then bubbles up through our police staff, which 
are managed by OSY, to the Director's office. For example, I 
know that in Boulder, the doors are checked nightly and they 
provide a report of any issues that then can be addressed 
either through maintenance or through personnel action.
    Mr. Beyer. When you mentioned that you built security into 
the employee performance plans----
    Dr. Rochford. Yes.
    Mr. Beyer. --is this tied to incident reporting then?
    Dr. Rochford. Right now it addresses the baseline security 
requirements. The baseline security requirements do address 
reporting incidents of tailgating, piggybacking, things of that 
nature.
    Mr. Beyer. Have you figured out a way to keep paragliders 
from landing on your campuses?
    Dr. Rochford. That might have some technology solutions 
that we've not addressed.
    Mr. Beyer. And Ms. Casias, in your oversight role, do you 
envision a way for you at OSY to be able to provide the 
necessary oversight of the security that NIST provides without 
necessarily having to own half of it directly?
    Ms. Casias. Congressman, we recognize, and Dr. Rochford and 
I have talked about this, we recognize that the security 
management structure does require some evaluation, and we agree 
with GAO. We've accepted their recommendation. So I think we do 
have work in that area. We've already started some steps. We've 
identified executive sponsors, myself and Dell Brocket, the 
Associate Director for Management Resources at NIST. We'll lead 
that endeavor. We've selected internal teams. We're also 
looking at using outside security experts such as folks from 
the ISC to help us in that matter. In our review, we'll be 
looking at roles, responsibility and accountability and how 
that impacts security.
    So I think there's a mix. There's not one-size-fits-all, 
and we know that the Boulder campus is different from the 
Gaithersburg campus, so we will be working jointly but we do 
agree that this is an item that we do need to look at and is a 
serious item that needs attention immediately.
    Mr. Beyer. Thank you, Mr. Chairman.
    Chairman LaHood. Thank you, Mr. Beyer.
    I now recognize the Chairman of the full Committee, Mr. 
Smith, for his questions.
    Chairman Smith. Thank you, Mr. Chairman.
    Mr. Bagdoyan, let me address my first question to you, and 
that is, how much confidence do you have that the GAO's 
recommendations will be implemented by NIST?
    Mr. Bagdoyan. Good question. I really believe this. I am 
confident, based on what I've heard this morning and certainly 
on its official response to our draft report, that Commerce and 
NIST are taking this seriously and they'll take the necessary 
action.
    Chairman Smith. I mentioned in my opening statement that 
unauthorized access was attempted by the GAO at both campuses 
15 times, and 15 times they were successful. It just seems 
incredible that that would be the case, but to what do you 
attribute that other than just lax security? And is there any 
excuse for that? I don't know where to----
    Mr. Bagdoyan. I take your point, Mr. Chairman. I'll 
probably be best served to respond to that in a closed session.
    Chairman Smith. And as I understand it, it's the Department 
of Commerce that came up with the designation ``law enforcement 
sensitive.'' Is that right?
    Mr. Bagdoyan. That's correct. They are the marking agency 
in this case.
    Chairman Smith. Ms. Casias, I'd like to ask you about that 
designation, ``law enforcement sensitive.'' Why did you choose 
to apply that to the three videos that members saw in closed 
session before we opened it up for this hearing?
    Ms. Casias. We believe in viewing the videos, which I have 
viewed and so has Dr. Rochford, that there are security 
vulnerabilities that other folks could look at and use those 
vulnerabilities within our facilities or other federal 
facilities. In addition, I'd be more than happy in any closed 
session that we could get into that in a little more detail 
so----
    Chairman Smith. What is the definition of ``law enforcement 
sensitive''?
    Ms. Casias. The definition is that it's the sensitivity if 
that came out would cause some issues with security within our 
campuses.
    Chairman Smith. Okay. Can you give me--do you happen to 
have the exact definition with you?
    Ms. Casias. I do not have that with me but I can get that 
for you.
    Chairman Smith. If you can get that fairly quickly, that 
would be helpful.
    My suspicion is that you all may be overly cautious. Having 
seen the videos, they're pretty obvious as to what might cause 
breaches and what did cause breaches in this case, and I don't 
think it's revealing much to acknowledge that. In fact, it may 
even be helpful. So I'd like to see the exact definition and 
see what the rationale was for applying it in these cases.
    Ms. Casias. Absolutely.
    Chairman Smith. And I might even ask you to go back and 
take another look because while you want to err on the side of 
caution, you also don't want to prevent information that can 
and should be seen by others from being considered by others as 
well.
    Let me go to Director Rochford and ask you a couple 
questions to the extent that you can answer them, and that is, 
just generally what can be done to prevent some of these 
unauthorized accesses? I know you responded to the Chairman 
generally. If you want to elaborate on that, I think that would 
be helpful.
    Dr. Rochford. So if we're talking about the specifics in 
the video, I mean, generally, we see security as a layered 
approach so we need to have both improved training and 
improvement in our security force that does their checks, but 
the other layer is the employees, and part of what I need to do 
is make sure that NIST staff have a much greater awareness 
about these concerns, know at some level how these things can 
be spoofed, for example, and through training and I think this 
awareness, we can have them also do a better job of making the 
appropriate checks to ensure security and avoid breaches.
    Chairman Smith. And I assume improvements have been made to 
security in the last several weeks?
    Dr. Rochford. When I started, the security plan actually 
became operational over the last couple months so we have 
developed training materials. We have video training materials. 
We have a number of things that I'll be launching very soon. So 
yes, we're ready to----
    Chairman Smith. Would the security measures that have been 
implemented recently have prevented the unauthorized access 
that has occurred in the past?
    Dr. Rochford. I think the training is going to be a key 
part of that, and the training is going to take some time. So 
we have not put in place something that would cause 100 percent 
improvement.
    Chairman Smith. What has been put in place that you guess 
would prevent most of the unauthorized access from occurring?
    Dr. Rochford. There are some items that I could discuss in 
closed session.
    Chairman Smith. I'm not asking you what those items are. 
I'm just asking you generally to say whether or not you feel 
that what's already been implemented would prevent most of the 
unauthorized access that has occurred in the past.
    Dr. Rochford. I think we've put things in place to improve 
the situation.
    Chairman Smith. Okay.
    Dr. Rochford. I do not have confidence that I could say we 
have 100 percent----
    Chairman Smith. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman LaHood. Thank you, Chairman Smith.
    I now recognize the Ranking Member, Mr. Lipinski.
    Mr. Lipinski. Thank you.
    Ms. Casias, your office oversees the Commerce Office of 
Security, which manages the Police Services Group. The Director 
of Security for NIST provided a letter to the Science Committee 
on September 14 of this year that the Police Services Group in 
both Colorado and Maryland had a total of 41 authorized staff 
with five current vacancies under the existing operating 
budget. Can you tell us what sort of impact you believe current 
budget constraints have on NIST's security posture, and what 
can we in Congress do to help in that regard?
    Ms. Casias. Congressman, thank you for that question. As we 
said, security is not one-size-fits-all, and while we have our 
police force, our Police Services Group, we also have 
contracted staff which we have supplemented that workforce 
with. At this point I believe looking at our risks and our 
vulnerabilities, we are working within our budget and believe 
that we have adequate funding. As we work through the 
evaluation and look at the different responsibilities between 
NIST and the Department, if there is anything there we'll 
identify and work with this Committee on those findings.
    Mr. Lipinski. Let me ask Dr. Rochford or Mr. Bagdoyan, do 
you agree with that in terms of having enough resources?
    Dr. Rochford. At this point we've gone through our Security 
Sprint and have identified a number of activities that we can 
make. I currently believe I have the resources to take on that 
first tranche of activities. So at this time I believe we have 
the resources.
    Mr. Lipinski. Mr. Bagdoyan, do you have any thoughts on 
that?
    Mr. Bagdoyan. Yes. Thank you, Mr. Lipinski. I would answer 
in terms of the resourcing level as a function of the risk and 
the countermeasures already in place and anticipated, so a 
precise number that would drive a budget is obviously a 
function of that, and I would defer to the Department on that 
matter.
    Mr. Lipinski. Thank you. Mr. Bagdoyan, part of the GAO 
examination of NIST security included a survey of NIST 
employees which you had talked about in your testimony. My 
understanding is that the sample for that survey was 
exclusively technical and scientific staff. Is that true, and 
if so, why were other staff omitted from the survey pool?
    Mr. Bagdoyan. Yes, that is correct, Mr. Lipinski. We 
surveyed approximately 500, which is a projectable sample, and 
a determination of what to include and what not to include was 
essentially a methodological one. We can provide you with 
additional detail separately if you like in terms of how we 
arrived at that.
    Mr. Lipinski. Was there a reason that the administrative 
staffers were not included in that?
    Mr. Bagdoyan. Well, I don't recall the specifics but I 
would say that we chose to focus on people who would likely 
encounter potential intruders and others during the course of 
their duties.
    Mr. Lipinski. But it would seem like anyone coming in to 
the gate would be someone who potentially would have the 
possibility of letting someone in who shouldn't be in there.
    Mr. Bagdoyan. Yeah, I take your point but we just chose 
what we chose, and I can certainly provide a more detailed 
explanation on the methodology separately.
    Mr. Lipinski. Okay. You said 75 percent in the survey said 
that they take security--I forget, what were the exact----
    Mr. Bagdoyan. Yes. Let me look at my cheat sheet here. It 
says about three-quarters of scientific and technical employees 
believe that NIST leadership places great or very great 
importance on physical security issues.
    Mr. Lipinski. Is that 75 percent enough?
    Mr. Bagdoyan. Well, optimally you would want it to be 100 
percent. That was--that goes back to my earlier point that if 
you want the culture to improve, the awareness to improve, and 
be optimal, you really need to be at a very, very high level 
for this to work. Otherwise a single weak point, a single 
individual who might not get it is a potential vulnerability.
    Mr. Lipinski. It sounds like there's good work being done. 
We certainly need to follow up, and the culture I think is 
certainly going to be a big issue.
    Just very briefly, do you think there's any--is it possible 
that the type of people who would be working, the technical 
people who would be working at NIST are people who are used to 
more open circumstances, campuses, things like that that do not 
require the type of security and that could be a reason why?
    Mr. Bagdoyan. It's certainly a possibility but again, with 
proper training, leadership emphasis, you move the needle in 
the direction it needs to go, and awareness is key. 
Prioritization from leadership is key as is getting 
stakeholders, for example, on the Boulder campus. There are 
other agencies that share the space to get them involved as 
well because their culture would be also impacted, and that's a 
key point.
    Mr. Lipinski. Thank you.
    I yield back.
    Chairman LaHood. Thank you, Mr. Lipinski.
    I now recognize Mr. Marshall of Kansas for his questions.
    Mr. Marshall. Thank you, Chairman LaHood.
    First question for Mr. Rochford. In the military or in 
business when we have a big goal, a big vision, we typically 
set out a timeline with major events, major milestones, so our 
goal here obviously I would assume we have all the same goal: 
better security in these facilities. Do you have a timeline? 
Where are we on that timeline? Where's it going?
    Dr. Rochford. Our Security Sprint did set out a timeline 
for phase I for this training, this outreach, the 
accountabilities. That timeline has various things happening 
that I've mentioned with our goal to have complete mandatory 
training, for example, by the end of the calendar year.
    Mr. Marshall. Can we have access to that, perhaps? Would 
that be a reasonable question?
    Dr. Rochford. That's to the----
    Mr. Marshall. To the timeline or----
    Dr. Rochford. Certainly. I don't have it with me but I can 
provide that.
    Mr. Marshall. Okay. Thanks.
    I want to go back to the plutonium incident at the NIST 
facility in Boulder, Colorado. I guess that's several years 
ago. Obviously it created some significant challenges to not 
just the facility but the surrounding people as well. And now 
we're aware of another incident at the same facility. Do you 
feel like you've done everything possible to shore up that 
situation there for such another dangerous event? Obviously 
there's some pretty toxic things going on there.
    Dr. Rochford. Plutonium was a wake-up call for NIST. That 
was the moment we realized that our safety culture was not what 
it needed to be. In the past we've worked on what is considered 
an expert culture where we trusted our highly trained 
individuals to take on safety. What we recognized is, we needed 
to take this more deeply. We needed to have specific training, 
specific processes, specific access controls and procedures. As 
a result, I could state that we have a very assertive safety 
culture now, and in fact, that's what I'm modeling our changes 
in the security culture towards. In fact, that specific event 
we basically met all the Nuclear Regulatory Commission's 
requirements satisfactorily. We've made great strides in our 
safety program both in radiation--radioactive materials and 
safety in general, and I think yes, our safety program is much 
more robust.
    Mr. Marshall. I'm just curious. The people that are doing 
the research are scientists. Are they the ones ultimately in 
charge of the security, figuring out what--I mean, I'm guessing 
it's two different people. My doctors are not real--the 
surgeons are not real good at figuring out what to do in the 
ER. So I'm hoping it's different people than the scientists 
trying to figure out a security program for the facility.
    Dr. Rochford. No. So the way we operate is, we obviously 
have a management structure. I as the Acting Director have 
responsibility for security. We can gather scientific input. So 
for example, when we assess a space, as the Chairman had 
mentioned, we may have proprietary information, we may have 
other information. We gathered that from the scientists so we 
can understand what sort of safety and/or security protocols to 
put in place. Those then are developed in programs that follow 
guidelines created by both the Department's Office of Security 
and then the local controls that we have in place.
    Mr. Marshall. Okay. My last question. Going back to 
Boulder, there's still no external barrier in Boulder as I 
understand it. Do you feel like that's a problem, and what are 
we--why isn't--I mean, that would seem to me to be more of an 
immediate solution to unauthorized access to restricted areas 
or some type of a physical external barrier. Do you think it's 
necessary? Why haven't we done it, or is that a waste of time 
and effort and money?
    Dr. Rochford. I would not characterize it as a waste of 
time and effort. When I started in January and undertook the 
Security Sprint, my goal was to be able to get quick wins, to 
be able to do things that we could take action on quickly. A 
fence in Boulder, it's going to be a multi-stakeholder process. 
There's a number of factors and considerations including both 
the city, the neighbors, local government, issues of that 
nature. There are environmental aspects. It's something that 
will take a longer time.
    Mr. Marshall. That just drives me crazy to think about 
that, that here's an immediate danger and we're not--and the 
process, the rules, the regulations, and again, having built a 
hospital facility, I know what it's like. It just takes months 
and years to go through the process, and in the meanwhile, we 
can't get to the real solution.
    So I look forward to going through those weeds as quick as 
you can and making these places secure.
    Thank you, and I yield back.
    Chairman LaHood. Thank you, Mr. Marshall.
    I now yield to the Ranking Member, Ms. Johnson, for her 
questions.
    Ms. Johnson. Thank you very much, Mr. Chairman.
    It's rather puzzling to me when you put everything on 
training, what was the initial training when people were hired? 
Do you have any standards, ethical standards for them to have a 
commitment? Yes?
    Dr. Rochford. We do have onboarding training. In 
retrospect, onboarding training has been rather simplistic--
wear your badge. What I need to do is develop--and we have done 
this--a training that's very explicit, very unambiguous, and 
actually includes various scenarios so people know precisely 
what we mean and what we expect. So I think in the past we just 
had not done training that was sufficiently detailed, and that 
is being remedied.
    Ms. Johnson. You know, I'm having a hard time. I fully 
support the work of NIST, and I looked at the recommendations 
that GAO has recommended, and I'm having a very hard time 
understanding what changes were made or what kind of approaches 
did you make after these incidences. It seems very, very loose 
to me in a very important area. Do you feel capable of running 
this agency and keeping the activities at a professional level?
    Dr. Rochford. Yes, I do. I've been in this role since 
January so I've had a limited span here that I can do these 
things. Since 2015, we have added several engineering access 
controls. We did increase security staffing. We did establish 
this NIST Security Advisory Board. But there is more to do, and 
that's what I've been working on over the last many months, and 
I'm confident when our new Director joins us that he'll be 
interested in moving this forward as well.
    Ms. Johnson. When you say there's much more to do, give me 
an idea what else that you have in mind to do.
    Dr. Rochford. In addition to training--this is a culture 
change, in my opinion, so it requires a leadership commitment 
that's consistent and persistent, right? We need to continually 
meet with staff. We need to demand that the training 
requirements are met. I need to hold my management accountable. 
My management needs to hold the employees accountable. We 
basically have to change an attitude so that we're doing this 
in the best possible way. We've done it in safety. We know how 
to do this, but we also know it takes time and it takes real 
commitment. So I have the commitment. We just need some time.
    Ms. Johnson. Okay. Ms. Casias, do you have any comments?
    Ms. Casias. Yes. I agree with Dr. Rochford that it is a 
culture change, but I also believe as we're working together we 
need to look at the management structure. That is a priority 
for us. We also--as I stated, we now have all of our staff 
trained on the ISCR RMP standards, and I think looking and 
working with those facility assessments and getting those 
relooked at this year, redone, and looking at that jointly, I 
think it really is critical that we have that open 
communication and working together, and I believe we do. We've 
talked about a lot of trainings today, and those are not just 
the NIST folks working on that. Our Director of Security, who 
is on campus at NIST, has been working, and yesterday just had 
one of the security days with a fabulous turnout from the 
staff, and that was a joint effort and working together and 
looking at what we need to do.
    So there's more to do than training, and I believe we're on 
that path and we're working towards that, and I'm confident 
that our partnership together we will get there.
    Ms. Johnson. Have you looked at these? Are you following 
the recommendations of GAO?
    Ms. Casias. Absolutely. We have already started. As I 
noted, we've already put together--both myself and Dell 
Brocket, who's in the room, we're going to be spearheading this 
and the executive sponsors. We've actually worked on other 
projects in the Department before this, and we've been 
successful, and I know that we'll be successful in this one, 
and it's a priority. Security is a priority for the Department, 
for our people, for our assets and our information.
    Ms. Johnson. Well, thank you. I know that security is very 
important but I'm talking about the ethical behavior of the 
people within a security measure as well.
    Ms. Casias. I agree, and I think looking--and there's been 
some steps of initiating some security measures in people's 
performance plans, but we are looking into the incidents that, 
you know, folks have seen on the videos and determining--we've 
done appropriate counseling to date and we're working with the 
appropriate offices on what other steps we need to take.
    Ms. Johnson. Thank you very much.
    Chairman LaHood. Thank you, Ms. Johnson.
    I now recognize Mr. Norman from South Carolina.
    Mr. Norman. Thank you.
    Dr. Rochford, I guess as a follow-up to Chairman Smith's 
question about the 15 attempts and you had 15 breaches, and you 
mentioned that if they occur today, you couldn't give 100 
percent guarantee that be--it would prevent it. What percentage 
would you give?
    Dr. Rochford. That would be difficult to assess. At this 
point because we haven't rolled out the training, I don't think 
some of the early steps that need to be taken have occurred. 
The training, I will have the meetings with management this 
afternoon, and again, these have been planned for some time. 
I'll have meetings with all staff. At that point we'll roll out 
the required training. My belief is as people take the training 
and we're holding them accountable, we'll see improvements.
    Mr. Norman. Okay. Now, I also understand that the 
Gaithersburg, Maryland, campus has a nuclear reactor on site. 
Is that true?
    Dr. Rochford. That's correct.
    Mr. Norman. NIST stores caches of radioactive material for 
testing. Is that true?
    Dr. Rochford. Testing and standards, measurement standards, 
correct.
    Mr. Norman. Do you realize you can google this and get this 
on site? You don't see this as a security risk?
    Dr. Rochford. Some of this will be known because of Nuclear 
Regulatory Commission postings so, yes, it is known. In 
addition, our nuclear reactor is a center for neutron research, 
which is a center that uses neutrons to do measurements and 
therefore we interact with industry and academia so they do 
know about it as well.
    Mr. Norman. And another question, Doctor. According to the 
Washington Post, in August of this year a NIST employee was 
exposed to an unsafe dose of radiation, and according to this 
article, as of September 27, it's still unknown how the 
container of the radioactive material was compromised. Have 
they found anything out on that?
    Dr. Rochford. Yes, yes. We've learned a great deal in that 
incident. The material is known as americium. It was held in a 
small 50-milliliter ampoule. We received it from an energy lab 
about 17 years ago. It was in solution, and as the 
radioactivity occurred, these decayed particles caused what 
they call radiolysis, created a gas, and over time the gas 
overpressured and the ampoule exploded. So what in fact 
happened was not a mishandling event but we keep these in these 
lead storage containers, and the material burst. We found it 
during a routine radiation testing, a survey program that we 
have where we look at these spaces weekly, and then when we 
found it, we could put controls in place, and then we had to 
test all the individuals who had been in contact with the 
material before the breach or before the dispersion was noted.
    We're very aggressive in our reporting in safety, so we 
immediately went to the Nuclear Regulatory Commission, and we 
provided a notification that had worst-case scenarios. What 
we've learned since as we've been able to do more testing both 
of the material and the bioassay, we believe that the 
individuals involved have not had exposures above the 
regulatory limits, that they've actually been below the 
regulatory limits. These measurements are actually quite 
difficult. These are alpha emitters, which are very, very 
faint. It also took some time for us to get the measurements. 
But we have engaged with the Nuclear Regulatory Commission at 
great length and with the Department of Energy, and in fact, 
the 30-day report to the NRC went out Saturday, so that's a 
public document.
    Mr. Norman. Okay. You know, I join in Congressman Johnson I 
guess and the concern I have is that you all were taking it 
seriously and particularly with the taxpayer dollars that are 
going toward this that it's--I see it's a leadership problem 
but still there's got to be some consequences to it, so I would 
ask you to put this at the top of your list to get fixed, and 
not just addressed but to get fixed because 15 of 15 breaches 
is not--is unacceptable in my mind.
    Dr. Rochford. I agree.
    I yield.
    Chairman LaHood. Thank you.
    I now recognize Ms. Bonamici of Oregon, please.
    Ms. Bonamici. Thank you very much, Mr. Chairman.
    Dr. Rochford and Ms. Casias, NIST now has, it's my 
understanding, your full-time equivalent police officers, about 
28 in Maryland and 13 in Colorado, but you also use contract 
protective security officers. So can you talk a little bit 
about what they do, where are they stationed, at the gates, at 
the doors, and what training do they get and what is the 
turnover among those contracted protective security officers?
    Ms. Casias. Thank you for your question. I will have to get 
back to you on the turnover. I don't have that information with 
me immediately. But all of our contractors are required to have 
certain standards. We do provide training, and I can tell the 
folks on this panel that we have provided training since the 
penetration issues that we've had, and we'll continue to have 
that training with those folks.
    Ms. Bonamici. How does their training compare to the, for 
example, police officer training?
    Ms. Casias. I would have to get back to you on the exact 
distinctions between the both, but in the case of providing the 
security services, both parties, the Police Services Group and 
the officers, the contract force, receive the same training, 
and everyone that is responsible for that understands that it 
is totally unacceptable with the breaches and what has 
happened.
    Ms. Bonamici. Thank you. I would appreciate the follow-up 
on the turnover among those contracted officers.
    The 2015 incident, which we've all heard about with the 
NIST employee who was a NIST police officer trying to make 
meth, now that of course is a rare type of situation but what 
recommendations are you making now that would have prevented 
that particular incident as opposed to your recommendations to 
keep out unauthorized access? This person was a NIST employee, 
so what specific recommendations would have prevented that? Ms. 
Casias or Dr. Rochford?
    Ms. Casias. I obviously was not in my position when that 
occurred but I know we have put more--instituted more, looked 
at how we're using rovers, how we're using our police force and 
our guards and our actual police force that's on site.
    Ms. Bonamici. But he was a police officer, so what----
    Ms. Casias. I agree.
    Ms. Bonamici. What would have prevented that at the time? 
What are you doing now that would have prevented that?
    Ms. Casias. I believe how we are running our shifts and 
looking at our shifts, that may have prevented it. I'll have to 
get back to you, you know, on exact measures that we may have 
taken.
    Ms. Bonamici. Thank you.
    Mr. Bagdoyan, the GAO report notes inefficiencies, plural, 
that arise from the fragmented organizational structure of NIST 
security. An example mentioned in the report was that NIST is 
responsible for procuring and placing the security cameras but 
the Department of Commerce is overseeing the police personnel 
and the facilities, and that led to some of the security 
cameras being placed in locations that weren't particularly 
useful or helpful for the police. So what are--number one, what 
are some of the other inefficiencies, because you said 
inefficiencies, and that was one example? And then also, how 
could that have been prevented. It seems like maybe a simple 
phone call could have said--could have remedied by saying, you 
know, the cameras aren't in the right place. So how did that 
happen? And maybe I can get Ms. Casias and Dr. Rochford to 
respond as well.
    Mr. Bagdoyan. Sure. I'll let my fellow panelists here 
respond from their perspectives.
    In terms of placement of equipment and so forth, I 
certainly wouldn't venture there in an open hearing, but in 
terms of other inefficiencies, you have risk assessments that 
are done separately, for example, so that is a core function 
that at least should be coordinated, if not collaborated on.
    Ms. Bonamici. And I see Dr. Rochford nodding his head so 
I'm assuming that NIST agrees with that.
    Mr. Bagdoyan. Right. So that's--right. So I would just 
leave it at that. That's a key inefficiency.
    Ms. Bonamici. Thank you.
    Mr. Bagdoyan. And also crafting different policies at 
times. Parallel security policy is another area of inefficiency 
that at a minimum should be much more closely coordinated 
if----
    Ms. Bonamici. Thank you, and I don't want to interrupt but 
I want Dr. Rochford and Ms. Casias to respond to the, how could 
that have been remedied? Is there some channel for--a better 
channel for communication where if the cameras are put in the 
wrong place, why weren't they--why wasn't that immediately 
fixed?
    Dr. Rochford. That should have been immediately fixed. I 
don't know what line of communication dropped and why that 
didn't occur. On our campuses, our cameras and other access 
controls are not used purely for security as well. We do have 
some that are put in for safety reasons, and it could be that 
security personnel were concerned that they may not have had 
appropriate access but those were done for programmatic 
reasons.
    As far as coordination, our Security Advisory Board does 
have our local OSY Director of Security at NIST on that board, 
so when we do develop local policies, this individual is 
involved and weighs in. So we have worked to coordinate to 
ensure that we have the right amount of overlap.
    Ms. Bonamici. Thank you, and I see my time is expired. I 
yield back. Thank you, Mr. Chairman.
    Chairman LaHood. Thank you. I now yield to Mr. Loudermilk 
of Georgia for his questions.
    Mr. Loudermilk. Thank you, Mr. Chairman, and I thank the 
panelists for all being here today.
    As has been mentioned I'm sure many times in the last few 
months and even here today, the incident with the police 
officer who was cooking meth in one of the laboratories, it's 
interesting, it was last year or in the last Congress I was 
Chair of the Oversight Subcommittee, and we were investigating 
this instance, and it was during that investigation when we 
actually uncovered the plutonium incident. In fact, it was an 
email. The question was, why wasn't Congress notified of the 
meth explosion, and an email we uncovered between two senior-
level people was well, we didn't notify Congress about the 
plutonium incident either, and it was a thousand times worse. 
So I'm just bringing that up to say I hope that the 
communications with Congress would--is going to drastically 
improve with instances.
    But I want to direct my questions to our response, 
Congress's response, regarding security issues that have 
transpired at NIST. Last year I sponsored the NIST Campus 
Security Act, which ultimately was incorporated into the 
American Innovation Competitiveness Act, which was signed into 
law back in January. Now, according to GAO report, physical 
security at NIST was split between the Office of Security and 
NIST, and the American Innovative Competitiveness Act directs 
the Secretary of Commerce to oversee law enforcement at NIST by 
establishing the NIST Director of Security. I understand that 
has been fulfilled, that position. How--are we seeing that with 
this new position, the new Director is closing the gaps that 
existed in security between the two offices, Dr. Rochford?
    Dr. Rochford. Yes, I would agree, and I think one activity 
is the Security Advisory Board in which he works. We also have 
weekly meetings between the Office of Security, Director of 
Security of NIST and our Emergency Services Office Director 
every week so we can make sure that day-to-day issues are dealt 
with.
    I would like to note in terms of the plutonium incident, I 
wasn't in this job.
    Mr. Loudermilk. Yes, I understand.
    Dr. Rochford. However, NIST would never keep things from 
the Oversight Committee, and that incident in fact did have 
extensive hearings at the time, so we were very forthcoming and 
did inform Congress during that incident as well.
    Mr. Loudermilk. Mr. Bagdoyan, I know that the bill that I 
was referencing assigns GAO to conduct a study evaluating the 
performance of NIST Police Service Groups. Have you been able 
to assess the improvements or the performance that we've seen 
out of security since the new Director has been put into place?
    Mr. Bagdoyan. Well, not really. I mean, basically what our 
work consisted of was testing what was in place at the time. 
Obviously having a Director in place is important but what 
we're testing is the reality on the ground so the Director has 
to make things happen on the ground for us to be able to go 
back at some point, Congressional direction, of course, to take 
another look and see how things have changed.
    Mr. Loudermilk. Now, of course we don't want to get into 
areas that are sensitive to reveal----
    Mr. Bagdoyan. Of course.
    Mr. Loudermilk. --anything in this session but I don't know 
the exact time frame of the videos that we saw earlier.
    Mr. Bagdoyan. Sure.
    Mr. Loudermilk. But if those occurred within the past year, 
I still have concerns that we have not made strides in the 
right direction.
    Mr. Bagdoyan. Right.
    Mr. Loudermilk. Is there still a lot of improvement that 
needs to be done?
    Mr. Bagdoyan. Yes, we can certainly try and address that 
point, Mr. Loudermilk, in a closed session.
    Mr. Loudermilk. Okay. Thank you.
    Dr. Rochford, do you agree that we still have a lot of area 
that needs to be covered?
    Dr. Rochford. Absolutely.
    Mr. Loudermilk. Okay.
    Dr. Rochford. And as I'd mentioned, a lot of this is driven 
by culture, and that we can change.
    Mr. Loudermilk. Thank you.
    Since I have a few more seconds, Mr. Bagdoyan, in your 
testimony you described overlapping risk management activities. 
To what extent did you witness duplicative activities and what 
are the consequences of such duplication?
    Mr. Bagdoyan. Well, witnessing obviously is performing the 
assessments themselves, then devising security policies that 
are at least in part derived from those assessments. If they're 
not sufficiently coordinated and essentially collaborated on, 
then you might end up having two different lines of thinking in 
terms of what is risky and what the countermeasures are and 
what resources are needed to be devoted to those 
countermeasures.
    Mr. Loudermilk. Thank you. And Dr. Rochford, this--you're 
inheriting a lot of the problems that existed, and just my 
final question, do you have a plan in place to reduce the 
duplication between the two?
    Dr. Rochford. Yes. In fact, much of what I think was seen 
as duplication was in fact coordination. We've often started 
our work using documents derived from the Office of 
Security. As a manager I do have to make some resource 
allocation decisions so clearly those are things I can do in 
conjunction with the Office of Security. But we do that through 
coordination with our Security Advisory Board, which does have 
OSY and its personnel.
    Mr. Loudermilk. Thank you. I yield back.
    Chairman LaHood. Thank you.
    At this time we recognize Mr. Perlmutter for his questions.
    Mr. Perlmutter. Thank you, Mr. Chair.
    Mr. Bagdoyan, how often does the GAO conduct kind of 
investigations like this where you do, I mean kind of sting 
operations, if you will? I'm familiar with TSA operations where 
sometimes you go in and see if you can sneak through the 
security there. How often do you guys do this?
    Mr. Bagdoyan. Well, they do take a lot of time to develop 
and implement. Of course, all of our investigative work is 
derived from Congressional requests so we do get them 
periodically. You're absolutely right about TSA and the 
transport sector overall. We have done, as you may know, in the 
past work looking at the Affordable Care Act and its enrollment 
controls. I testified on that on several occasions in recent 
years. We most recently completed work on the FCC's lifeline 
program where we used undercover resources to attempt to enroll 
into the program, and we were mostly successful. So it 
basically runs the gamut. Again, it's driven by Congressional 
interest and request so we play in various different spaces, 
and I would point out that no one investigation is the same as 
another. They're all very unique.
    Mr. Perlmutter. Thank you.
    So Dr. Marshall is from Kansas, and he has questions, Dr. 
Rochford, about the Boulder campus and putting up a fence. So 
just listening to this, I think you've got to bifurcate between 
safety and security. They're two different things. So the 
plutonium was a safety issue. It wasn't like somebody was 
stealing it. But the security issue is, you have a guy roaming 
around the campus through an open window, for goodness sakes, 
for hours before anybody discovered him. So I don't know about 
putting a fence up in Boulder. That's going to take forever to 
get something like that done, but you certainly can harden the 
security for each building. What steps are you taking on that?
    Dr. Rochford. That's absolutely correct, and we have taken 
a number of steps in that regard. We've added additional 
engineering controls at the perimeters of the buildings. We've 
improved internal alarming in areas where we have windows of 
that nature. In fact, it wasn't an open window. What it was, 
was a temporary window in which we were doing laser experiments 
on the mesa, so it was easily broken. Now that's----
    Mr. Perlmutter. That's been fixed?
    Dr. Rochford. There's other things we can--yes, that's been 
fixed, and we can talk about details.
    Mr. Perlmutter. All right. Let's talk about the plutonium 
for just a second, and obviously in our area, we've dealt with 
issues pertaining to plutonium with Rocky Flats and all of 
that. I guess just as a neighbor of this laboratory, I wasn't 
aware that you guys were a storage facility. You're a 
laboratory. And to the degree that you are a storage facility, 
I hope that that's part of the approach you're taking, and I'd 
say to Commerce as well, that should be going to the Department 
of Energy or somebody else. You can react to that if you will.
    Dr. Rochford. So in fact, we are not a storage facility. In 
that particular incident, we had an exceedingly small quantity 
of plutonium that was being used to measure sensors and 
detectors that were going to be used for non-proliferation 
activities. However, there is no exceedingly small amount of 
plutonium, so we had to manage it very carefully. Since then we 
have only in Boulder used what are known as sealed sources.
    Now, in Gaithersburg, we have a radiation physics division. 
We do have a number of sources, and these are used as 
measurement standards to calibrate things as diverse as 
radionuclides for medicine to things for non-proliferation for 
other activities.
    Mr. Perlmutter. So I just--now I'm going to get on my 
political high horse for a second. I mean, obviously I'm 
listening to my friends on the Republican side of the aisle 
talk about radiation and these small amounts and the danger 
that comes from it, and I would just say as I just did in the 
Financial Services Committee, the President just openly talking 
about nuclear arms and building of stockpiles and all of that 
stuff, there's real danger there, and we all know that, and 
that rhetoric is dangerous, and so with that I yield back to 
the Chairman.
    Chairman LaHood. Thank you, Mr. Perlmutter.
    I now recognize Mr. Higgins of Louisiana for his questions.
    Mr. Higgins. Thank you, Mr. Chairman.
    Mr. Bagdoyan, as Director for the GAO's Forensic Audits and 
Investigative Services, I thank you for your service to your 
country, sir.
    Mr. Bagdoyan. Thank you.
    Mr. Higgins. Looking at your bio, you have an extensive 
background of security, critical infrastructure protection, 
risk management, and homeland security. Would you concur that 
you're an accomplished investigator?
    Mr. Bagdoyan. I would like to think so.
    Mr. Higgins. One would like to think so. My background is 
in law enforcement, sir. Would you also agree that it's just 
human nature that over time if there's been no critical 
incident, there develops sort of a relaxed culture of security 
at entry and perimeter security? Would you concur that that's 
generally true and----
    Mr. Bagdoyan. Yes, it's possible that over time that 
happens----
    Mr. Higgins. Thank you.
    Mr. Bagdoyan. --if you don't pay attention.
    Mr. Higgins. However, given the incidents of July of 2015 
and April of 2016, those security breaches, wouldn't as an 
experienced and accomplished law enforcement professional and 
security expert, wouldn't you concur that the heightened 
awareness should have existed by the time your agents began 
your undercover probes?
    Mr. Bagdoyan. That would be a logical response, yes.
    Mr. Higgins. And it was your team that conducted the 
security evaluation of NIST. Is that not--is that correct?
    Mr. Bagdoyan. Yes. My investigative colleagues performed 
that work.
    Mr. Higgins. How many individuals made up the team of GAO 
undercover staff?
    Mr. Bagdoyan. That I will defer answering until a closed 
session.
    Mr. Higgins. I understand. Was there more than one agent?
    Mr. Bagdoyan. I'll reserve on that one. Thanks.
    Mr. Higgins. Your one or potentially more than one were 
quite successful though, were they not?
    Mr. Bagdoyan. That's what the record shows, yes.
    Mr. Higgins. At any point during the course of your 
undercover investigation did the GAO agents have potential 
access or were they in a close vicinity of a NIST computer?
    Mr. Bagdoyan. I'll have to defer answering that, sir, 
sorry.
    Mr. Higgins. Were they in a building where computers 
existed?
    Mr. Bagdoyan. Same answer.
    Mr. Higgins. Would your staff have had the opportunity to 
insert a thumb drive on one of these perhaps nonexistent 
computers----
    Mr. Bagdoyan. I'll----
    Mr. Higgins. --thereby infecting the system with a virus?
    Mr. Bagdoyan. I'll defer answering that.
    Mr. Higgins. Did your staff have access to laboratories?
    Mr. Bagdoyan. Same answer.
    Mr. Higgins. So in these buildings that your staff was able 
to enter, is it reasonable to presume that there were offices 
with computers and perhaps laboratories, given the fact that 
that's why these buildings exist?
    Mr. Bagdoyan. That's what NIST exists for so that's a safe 
assumption.
    Mr. Higgins. It would be a reasonable presumption, would it 
not?
    Mr. Bagdoyan. Yes, sir.
    Mr. Higgins. Isn't it true that a deranged individual 
wandered around the Boulder, Colorado, NIST campus and required 
medical attention because he accessed an area which houses 
toxic chemicals?
    Mr. Bagdoyan. That's my understanding of the incident. I 
don't know whether he was deranged or not but he certainly 
didn't belong where he was.
    Mr. Higgins. Is the Boulder facility fenced?
    Mr. Bagdoyan. It is not.
    Mr. Higgins. Thank you. Were there any mechanisms in place 
to warn the guards that this individual was present, an alarm 
system or something of that nature?
    Mr. Bagdoyan. I don't know.
    Mr. Higgins. Did the folks on the ground at Boulder know 
how long this gentleman, what was the duration of time that he 
wandered undetected?
    Mr. Bagdoyan. I don't know, Mr. Higgins.
    Mr. Higgins. Mr. Chairman, we have reviewed videos of the 
GAO undercover staff conducting testing of the physical 
security of these campuses, and I respectfully submit that the 
Department has considered this sensitive information and not 
appropriate for the public to see. But as an experienced former 
law enforcement officer, these videos do show evidence of 
repetitive failures of the security in place at these 
facilities and the need for substantial improvement from NIST 
and the Department, and I respectfully submit that these videos 
should be made public so that NIST be held accountable by the 
broader public, by we, the people, and by the taxpayers that we 
represent as opposed to just the members of this Committee, and 
with that, I respectfully yield back, Mr. Chairman.
    Chairman LaHood. Thank you, Mr. Higgins, for your 
questions, and I think that concludes all the questions from 
Committee members at this time.
    Let me just in closing thank you for being here and for 
your valuable testimony. I think collectively both Republicans 
and Democrats here today have expressed concern for what went 
on here with these three breaches and are going to be watching 
and monitoring to make sure that the implementation of the 
suggestions are put through and that we do everything we can to 
make sure that these facilities are secure and safe moving 
forward.
    I would also ask that there was a number of requests made 
by members here today, that those be followed up by the 
witnesses. The record will remain open for two weeks for 
additional comments and written questions from members.
    Pursuant to House Rule 11(g)(2) and the previous vote of 
the Subcommittees, the remainder of the hearing will be closed 
to the public because the disclosure of the testimony that 
may be heard may compromise sensitive law enforcement 
information. The clerk will clear the room. Only Members of 
Congress, their staff, and witnesses may remain in the room. 
Once that's done, we'll begin the executive session.
    [Whereupon, at 11:24 a.m., the Subcommittees proceeded in 
closed session.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions

Responses by Ms. Lisa Casias and Dr. Kent Rochford



Responses by Mr. Seto Bagdoyan