<html>
<title>GAO HIGH RISK FOCUS: CYBERSECURITY</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                   GAO HIGH RISK FOCUS: CYBERSECURITY

=======================================================================

                              JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 25, 2018

                               __________

                           Serial No. 115-110

                               __________

Printed for the use of the Committee on Oversight and Government Reform


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


        Available via the World Wide Web: http://www.govinfo.gov
                       http://oversight.house.gov

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
32-932 PDF                  WASHINGTON : 2018

-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office.
Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com



              Committee on Oversight and Government Reform

                  Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland,
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Virginia Foxx, North Carolina        Jim Cooper, Tennessee
Thomas Massie, Kentucky              Gerald E. Connolly, Virginia
Mark Meadows, North Carolina         Robin L. Kelly, Illinois
Ron DeSantis, Florida                Brenda L. Lawrence, Michigan
Dennis A. Ross, Florida              Bonnie Watson Coleman, New Jersey
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia                Jimmy Gomez, Maryland
Steve Russell, Oklahoma              Peter Welch, Vermont
Glenn Grothman, Wisconsin            Matt Cartwright, Pennsylvania
Will Hurd, Texas                     Mark DeSaulnier, California
Gary J. Palmer, Alabama              Stacey E. Plaskett, Virgin Islands
James Comer, Kentucky                John P. Sarbanes, Maryland
Paul Mitchell, Michigan
Greg Gianforte, Montana
Michael Cloud, Texas

                     Sheria Clarke, Staff Director
                    William McKenna, General Counsel
                         Meghan Green, Counsel
     Troy Stock, Information Technology Subcommittee Staff Director
     Julie Dunne, Government Operations Subcommittee Staff Director
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair  Robin L. Kelly, Illinois, Ranking
Darrell E. Issa, California              Minority Member
Justin Amash, Michigan               Jamie Raskin, Maryland
Steve Russell, Oklahoma              Stephen F. Lynch, Massachusetts
Greg Gianforte, Montana              Gerald E. Connolly, Virginia
Michael Cloud, Texas                 Raja Krishnamoorthi, Illinois

                                 ------

                 Subcommittee on Government Operations

                 Mark Meadows, North Carolina, Chairman
Jody B. Hice, Georgia, Vice Chair    Gerald E. Connolly, Virginia,
Jim Jordan, Ohio                         Ranking Minority Member
Mark Sanford, South Carolina         Carolyn B. Maloney, New York
Thomas Massie, Kentucky              Eleanor Holmes Norton, District of
Ron DeSantis, Florida                    Columbia
Dennis A. Ross, Florida              Wm. Lacy Clay, Missouri
Rod Blum, Iowa                       Brenda L. Lawrence, Michigan
                                     Bonnie Watson Coleman, New Jersey


                           C O N T E N T S

                              ----------

Hearing held on July 25, 2018

                               WITNESSES

The Honorable Gene L. Dodaro, Comptroller General of the United States, U.S. Government Accountability Office
    Oral Statement
    Written Statement
Ms. Suzette Kent, Federal Chief Information Officer, U.S. Office of Management and Budget
    Oral Statement
    Written Statement

                                APPENDIX

Response from Mr. Dodaro, Government Accountability Office, to Questions for the Record
Response from Ms. Kent, Office of Management and Budget, to Questions for the Record


                   GAO HIGH RISK FOCUS: CYBERSECURITY

                              ----------


                        Wednesday, July 25, 2018

                  House of Representatives,
 Subcommittee on Information Technology joint with
             Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:25 p.m., in Room 2154, Rayburn House Office Building, Hon.
Will Hurd [chairman of the Subcommittee on Information Technology] presiding.
    Present: Representatives Hurd, Mitchell, Hice, Amash, Massie, DeSantis, Blum, Kelly, Connolly, Raskin, Maloney, and Norton.
    Mr. Hurd. The Subcommittee on Information Technology and the Subcommittee on Government Operations will come to order. And, without objection, the presiding member is authorized to declare a recess at any time.
    I would like to now recognize my friend and partner in crime, the distinguished gentlewoman from the great State of Illinois, for her opening remarks.
    Ms. Kelly. Thank you, Mr. Chair. And not too much crime.
    Thank you, Mr. Chairman and Chairman Meadows, for holding this important hearing. Ms. Kent, welcome to today's hearing, and thank you for testifying today and sharing your vision for cybersecurity as a new Federal CIO, and it's great to meet you in my office.
    And, Mr. Dodaro, special thanks to you for the extensive work you and all the dedicated professionals at GAO put into providing this special midcycle high-risk report on cybersecurity, and it was nice meeting with you also.
    GAO's newly issued report raises serious concerns about our Nation's ability to confront cybersecurity risk. GAO found key deficiencies that could hinder the government's progress in strengthening the Nation's cyber defenses. For example, GAO found that the Trump administration's plans failed to include basic components needed to carry out a national strategy for protecting critical cyber infrastructure.
    Among the missing components were details about performance measurements and milestones for determining whether the country's cyber objectives are being met and the resources that would be needed to carry out those objectives.
GAO's report highlights the need for the administration to develop and execute a more comprehensive Federal strategy for national cybersecurity and global cyberspace. It underscores the importance of having a cybersecurity coordinator in the White House to develop a more robust cybersecurity strategy for the country.
    But, here again, the Trump administration is not rising to the challenge. Two months ago, the President's National Security Advisor, John Bolton, eliminated the position of White House cybersecurity coordinator. This decision was contrary to a prior GAO recommendation to have a White House cybersecurity coordinator in the Executive Office of the President develop an overarching Federal cybersecurity strategy at a time when our Nation is facing persistent cyber threats ranging from foreign adversaries who seek to undermine our elections to criminal hackers who steal sensitive data. The administration's decision to eliminate the key cybersecurity position in the White House should raise alarm.
    Today's report also shows that the number of Americans whose personal information has been compromised in government and private sector data breaches is growing. And there's a need for stronger measures and congressional action to protect consumer privacy. GAO found that the vast number of individuals potentially affected by data breaches at Federal agencies and private sector entities in recent years increases concerns that personally identifiable information is not being properly protected.
    GAO's findings are supported by two recent reports that highlight the heightened challenges public and private sector organizations are facing in securing sensitive data. In April, Verizon issued a report showing that in the past 12 months alone, there were over 53,000 incidents and 2,216 confirmed data breaches.
And just last week, the Attorney General's Cyber-Digital Task Force released a report showing that there were at least 686 data breaches reported in the first quarter of 2018, resulting in the theft of as many as 1.4 billion records.
    Last year, data breaches at Equifax in which over 143 million Americans had their personal information stolen and the 2015 breach at OPM, which affected approximately 22.1 million individuals, illustrate the massive scale of harm to privacy and security that these breaches have. To address the growing concerns about privacy, GAO recommended that Congress straighten out privacy laws, the majority of which were written well before the development of new technologies, ranging from the use of social networking sites, the facial recognition technologies, and many mobile applications. Congress should heed GAO's recommendations and reexamine how our privacy laws can be strengthened to ensure that consumers' personal privacy is adequately protected.
    I want to thank our witnesses for testifying today. And I normally would say I look forward to hearing your testimony, but I have to leave. But I look forward to reading it on how we can improve the Nation's cybersecurity.
    And thank you again, my friend, Mr. Chairman.
    Mr. Hurd. Good afternoon, y'all. Today's hearing returns to a familiar field for this subcommittee, an area of top bipartisan concern and focus, and that's the cybersecurity of the Federal Government. The Federal Government and our Federal agencies, like everything else in today's digital society, are dependent on IT systems and electronic data, which make them highly vulnerable to a wide and evolving array of cyber threats.
    Federal civilian agencies reported over 35,000 information security incidents to the US-CERT last fiscal year. This represents a 14 percent increase over the previous year.
Securing Federal systems and data is vital to the Nation's security, prosperity, and well-being. It should concern all of us, therefore, that the GAO has concluded in the interim high-risk report that spurred this hearing that urgent actions are needed to address ongoing cybersecurity challenges in the Federal Government.
    In this report, the GAO identified four major cybersecurity challenges: establishing a comprehensive cybersecurity strategy and performing effective oversight, securing Federal systems and information, protecting cyber critical infrastructure, and protecting privacy and sensitive data. To address these four challenges, GAO identified 10 critical actions the Federal Government entities need to take. I'm looking forward to exploring those 10 items.
    Since 2010, GAO has made over 3,000 recommendations to agencies aimed at addressing these four cybersecurity challenges. And as of June of this year, nearly 1,000 of those recommendations have not been implemented. It's not acceptable given the threat we face. These open, lingering vulnerabilities put us at incredible risk, as we saw with the devastating data breaches at OPM.
    While I do not expect Ms. Kent or anyone else to have all the answers today, I want to hear from GAO the most critical open recommendations, and from Ms. Kent, concrete plans to close them. I want to commend Mr. Dodaro and his team at GAO for issuing this report. Midcycle updates to the high-risk list are not common. I recommend all agency CIOs read this report and apply the applicable recommendations to the respective agencies and systems, because guess what, we're going to be asking you about them.
    And, as always, I'm honored to explore these issues in a bipartisan fashion with Ranking Member Kelly, Chairman Meadows, and Ranking Member Connolly.
The four of us have worked together for years on these issues, and I'm honored to be joined here with them throughout today's hearing.
    Now, it's a pleasure to introduce our witnesses. The Honorable Gene Dodaro, comptroller general of the United States Government Accountability Office. You always hold a special place in my heart because you were my first hearing being in Congress. Mr. Dodaro is accompanied by Mr. Gregory C. Wilshusen, the director of Information Security Issues at GAO, who will also be sworn in. And Ms. Suzette Kent, Federal chief information officer at the Office of Management and Budget. I think this is your first time here. I don't think it's the first time testifying in Congress, but welcome.
    Pursuant to committee rules, all witnesses will be sworn in before they testify. So please stand and raise your right hand.
    Do you solemnly swear or affirm that the testimony you're about to give is the truth, the whole truth, and nothing but the truth, so help you God?
    Thank you.
    Please let the record reflect that all witnesses answered in the affirmative.
    And in order to allow time for discussion, please limit your testimony to 5 minutes. The entire written statement has been made part of the record. And as a reminder, the clock will show your time remaining. When it's yellow, you have 30 seconds. When it's red, your time is up. And remember to press the button.
    And we'll start with Mr. Dodaro. You're now recognized for 5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF GENE L. DODARO

    Mr. Dodaro. Thank you very much, Mr. Chairman, Ranking Member Kelly, members of the committees that are here today. I very much appreciate the opportunity to be here to discuss this important topic.
    This is an area that's been of long concern to me.
We at GAO designated cybersecurity across the Federal Government as a high-risk area in 1997. So nobody could say we didn't warn people that this was going to be a problem. In 2003, we expanded that high-risk designation to include critical infrastructure protection. And, in 2015, we included the need to protect personally identifiable sensitive information as well.
    Now, the government has taken a number of actions, especially since the OPM breach. Mr. Chairman, as you mentioned, there's been executive orders, strategies, document studies, but there still needs--much more needs to be done in this area.
    As you referenced in your opening statement, since 2010, we've made over 3,000 recommendations. While two-thirds of those have been implemented, there's still 1,000 recommendations that need action. Now, the four areas that we identified I think are especially important.
    First is establishing a comprehensive strategy, and importantly, having effective mechanisms in place to oversee its effective implementation. And this is to include global supply chain issues; critical workforce issues; and in dealing with emerging technologies that are going to bring new risk, such as artificial intelligence, the internet of things, quantum computing.
    Secondly, there needs to be more urgent action to secure the Federal information systems. There needs to be more effective implementation of governmentwide efforts like continuous diagnostics and mitigation. Agencies need to fix their systems. There needs to be more attention in responding effectively when incidents do occur. Over time, we've seen agencies be slow to implement the effective actions over times.
    On critical infrastructure protection, and this is an area that needs a lot more Federal attention.
Now, in many areas, the Federal Government has some regulatory responsibilities in this area, but by and large critical infrastructure protection is a voluntary effort by the private sector. The National Institute of Standards and Technology has developed an approach that the private sector can use, but it's all voluntary. So there's really not a clear picture, in my opinion, across the different sectors. And there's 16 different sectors of the economy that make up critical infrastructure, including electricity grid, telecommunications, nuclear issues, utilities, et cetera, the financial market areas as well.
    So these are vital to our economic health. They're vital to public health and safety. And there needs to be more collaboration and a better understanding of to what extent have these voluntary standards been implemented by the various sectors, and what is their state of readiness to deal with these issues?
    The fourth area deals with privacy. Now, here, Federal agencies themselves need to better secure sensitive information. We've issued reports recently on a need to protect Medicare beneficiary data, for example, electronic health information systems, data on Federal student loans, there's a lot of personal data there, financial data that families submit. So that needs to be dealt with definitely. And we need to think about what information the Federal Government will collect going forward. We've made some recommendations on need to eliminate unnecessary use of Social Security information, for example.
    We also have recommendations to the Congress in this area. The Privacy Act that was passed in 1974. The Electronic Government Act was passed in 2002, they need updating as well.
And I'd also--we've recommended, since 2013, that the Congress establish a consumer privacy framework for the private sector.
    In those areas, the Federal Government has put out, in some sectors, healthcare and, you know, credit reporting, some requirements for the private sector. But by and large the Federal Government has not set requirements for this area, particularly as it relates to information resellers as well.
    So, again, Mr. Chairman, I want to thank you for the opportunity to be here today. I asked our team to put together this special report because I don't think the Federal Government's moving at a pace commensurate with the evolving threat in this area, and we need all to work harder, faster to address this issue.
    Thank you very much.
    [Prepared statement of Mr. Dodaro follows:]

    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Mr. Hurd. Thank you, Mr. Dodaro.
    Ms. Kent, you're now recognized for 5 minutes for opening remarks.

                   STATEMENT OF SUZETTE KENT

    Ms. Kent. Chairman Hurd, Chairman Meadows, Ranking Member Kelly, Ranking Member Connolly, and members of the committee, thank you for having me here today. I am honored to be here to speak with you, and I appreciate all the forums that inspire more aggressive actions towards improving Federal cybersecurity.
    My goal today is to share with you the progress that has been made against the areas highlighted by the comptroller general, but more important, to share the perspectives on what still needs to be done. And I'd like to engage your continued support on that.
    Advancement of our cybersecurity posture, both at agency levels and across the Federal enterprise, is one of the most important parts of my job. Tomorrow will actually mark 5 months serving at OMB as the Federal chief information officer.
And I joined from the financial services industry where the bar is high for cybersecurity and data protection, and I bring that same high bar of expectations to my role as Federal CIO.
    I was fortunate to come into the role when the administration was setting out the President's Management Agenda that focuses on technology modernization, data accountability and transparency, and building the workforce of the 21st century.
    Cybersecurity is a core component of the PMA's IT modernization goals. It's also embedded in the work that we are driving under other goals. The goals for sharing quality services and improving IT spending have elements that drive the use of modern technologies and industry best practices to improve our overall cyber posture.
    Additionally, the PMA stresses strategies for recruiting, retaining, and re-skilling our Federal IT and cybersecurity workforce, because our current status is as much a people issue as it is a technology issue. While the PMA outlines the critical areas of focus, OMB's statutory cybersecurity roles are predominantly defined by the E-Government Act of 2002 and the Federal Information Security Modernization Act of 2014.
    Our roles align to three main things: development of policy and oversight for the Federal civilian systems, assisting agencies with data analysis and budget, and gathering evidence that promotes solutions that achieve these policies and standards. To carry out the responsibilities, we work closely with agency technology leaders, DHS, NIST, DOD, the intelligence community, and the National Security Council.
    But because cybersecurity requires deep expertise both about technology and the mission functions, it does take a collaborative approach to address both the agency-specific and enterprise demands.
I am united with the Federal Inspector General community in the mission of securing our systems and data on a journey that actually doesn't end.
    The improvements in Federal cybersecurity outlined in GAO's report are due to a focus on accountability, and it's my goal to further advance the culture of continuous evolution of our cyber capabilities and our workforce to tackle the things that we still must do.
    In May of 2017, the President signed Executive Order 13800 regarding strengthening cybersecurity of Federal networks. This executive order recognized that we need to defend the security of citizen information and ensure the agencies consider cybersecurity as a vital part of their core mission. As part of this EO, the White House also published a report to the President on Federal IT modernization, which included 52 tasks, such as safeguarding high-value assets, network consolidation, use of commercial cloud solutions, and strengthening identity management tactics. I share with you today that 37 of those 52 tasks have been completed, many of them ahead of schedule, and we intend to complete the remaining tasks by the end of the year.
    Executive Order 13800 also directed OMB to develop the Federal Cybersecurity Risk Determination Report and an action plan. Together, OMB and DHS conducted agency risk management assessments to measure agency cybersecurity capabilities, and very specifically, their risk mitigation approaches. This report did evidence that there's still much to do to improve the awareness of the threat environment, and we're using these findings to prioritize both the investments and the focus of resources.
    There are other key initiatives I'll quickly highlight.
As chair of the Technology Modernization Board, I'm excited by the way this vehicle supports acceleration of modernization, and we appreciate the funding that Congress provided this year, and we hope to receive funding for next year. We are focused on enhancing CIO authorities.
    And, lastly, and most importantly, we are updating old policies, policies that are not effective given the current state of technology capabilities. We're delivering new policies for high-value assets, data centers, continuous monitoring, cloud technologies, and network optimization in the next coming months.
    In closing, I'm fortunate to take on this role with a clear and focused technology agenda. Cybersecurity has to underpin everything we're doing, from acquisition to operations, because the battle is continuous and our effort to raise the bar and outpace our adversaries is a mission imperative for every agency.
    I look forward to working with Congress and the leaders across the Federal Government agencies to be aggressive and relentless about improving Federal cybersecurity. And I thank you for the opportunity to talk with you today.
    [Prepared statement of Ms. Kent follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Mr. Hurd. Thank you, Ms. Kent.
    Now we'll go to the first round of questions. The distinguished gentleman from Georgia is now recognized for 5 minutes.
    Mr. Hice. Thank you very much, Mr. Chairman. Thank you both for being here. Mr. Dodaro, good seeing you again. And, Ms. Kent, congratulations on your recent position.
    Last year, fiscal year 2017, Federal civilian agencies reported over 35,000 information security incidents. That's a stunning number, about a 15 percent increase from the previous year.
    This is really to both of you to begin with. What's driving that increase?
    Mr. Dodaro. I think there's at least two things.
One, there's a better awareness on the part of the agencies to report incidents, which do occur. But I also think that it's being driven in part by more aggressive activity on the part of state and non-state actors to try to penetrate the Federal Government systems. This applies to critical infrastructure protection as well. And so I think it's, you know, both--both factors are at play here at a minimum.
    Ms. Kent. I concur. And we do see an increase across the entire industry in threats, but you also see the increase in reporting, and that's something that we need to continue to move more aggressively across all of the agencies.
    Mr. Hice. All right. So it's both, and we're having more incidents, more attacks, and we're also getting better at detecting them?
    Ms. Kent. Yes.
    Mr. Hice. All right. Can you walk me through some of the various means that attackers use to initiate some sort of cyber attack, the threat vectors? What's most common? What's most preventable?
    Mr. Dodaro.
    Mr. Dodaro. Yeah. There's--you know, phishing attacks have been particularly prominent lately in terms of somebody sending an email to someone in the hopes that they'll download malicious code or other factors. There's, you know, social engineering that takes place in those areas as well. There's--one of the largest categories, though, in the reporting is other. And other includes they don't know what the threat vector was and how people were able to penetrate the system. That is one of the most concerning aspects of this.
    Mr. Hice. All right. I want to get there. What are the vectors? When you talk about vectors, what--you've got phishing, you got--what else? What are we dealing with?
    Mr. Dodaro. Yeah, we have a pie chart in our testimony. Let me just pull that up here.
    Ms. Kent. Improper usage, email and phishing.
    Mr. Dodaro. Right.
    Ms. Kent.
Loss and theft of equipment and other web-based attacks.
    Mr. Hice. Okay. So those comprise more or less 70 percent. Then you mentioned 31 percent----
    Mr. Dodaro. Right.
    Mr. Hice. --other. So does that mean we have no idea how they're breaking in or what they're doing, or what does that mean?
    Mr. Dodaro. That means that there's--it's unknown, and in some of these cases how these things have occurred. I mean, that's the concerning part of this, and that's one of the points that we make in the report. That's why it's important to have an effort to detect these things when they occur. What's been reported in these cases, I mean, the attacks happen in a matter of minutes, but the detection doesn't occur for months later. And that impairs the ability to determine exactly what happened that led to this attack situation.
    Mr. Hice. All right. Ms. Kent, do you want to add to that, your definition or whatever of other?
    Ms. Kent. I would just add to the last point that Mr. Dodaro made, is that we have identified that we have to move much more quickly when an attack is identified, to not only share that threat information across agencies, but to act and begin immediate remediation of those issues.
    Mr. Hice. All right. Once an attack comes in, particularly, I'm with you, concerned about the other where we have no idea how they're getting in. Is there any way of tracking where they're coming from?
    Mr. Dodaro. Some of that's possible with some forensics, but in some cases there's not clear audit trails in the systems that are created in the documentation there. One of the big problems, Congressman, here is that, you know, the Federal Government and a lot of agencies are saddled with these legacy financial systems that are like a millstone around their neck. They're old systems. They were designed before security was a prominent area.
Some of them at IRS are from the sixties. And so there's not good documentation and, therefore, there's not a good audit trail to follow to figure out how things were introduced.
    Mr. Hice. Which is surprising to me and kind of inexcusable seeing that 10 and 10 and 10 of millions of dollars we give for IT on an annual basis around here. It just amazes me that we're still using such legacy systems. It seems like----
    Mr. Dodaro. Well, of the billions of dollars that you give every year, $80-$90 billion, 75 percent of it goes to maintain these legacy systems.
    Mr. Hice. Rather than get updated.
    Mr. Dodaro. Rather than get updated. That's why we added IT acquisitions and operations across the government as a high-risk area in 2015.
    Mr. Hice. My time has expired. Mr. Chairman, thank you so much.
    Mr. Hurd. The representative from the District of Columbia, Ms. Holmes Norton, you're now recognized for 5 minutes.
    Ms. Norton. Thank you very much.
    And I must say, not only do I appreciate our guests appearing, I appreciate the committee for having this hearing, because frankly, I think Americans are increasingly terrified, wondering if anybody is protecting their cybersecurity. And the reason I think so is what we're hearing even on mass media.
    This is really an old problem. How many years ago was it this very committee had a hearing on how our Federal employees had been penetrated, and the Congress actually, at that time, gave Federal employees 10 years of protection against further penetration by way--I'm sure that's running, I'm not sure how long it has to go. I have a bill called the Recover Act. In light of the negligence of the Federal Government, it seems to me that the very least we could do would be to give lifetime coverage. And that's been sufficiently long ago, more than 5 years ago.
I think it\'s going to come up against soon and we\'re \ngoing to be faced with that question for our own employees.\n    Now, this committee had a recent hearing, and if you want \nto get--if you want to frighten our people, the head of the \nDHS, Under Secretary, testified that the Russians were already \nscanning--it\'s the word he used--all 50 States. He couldn\'t \ntell me that all 50 States, they were doing something in all 50 \nStates. It sounds like reconnaissance. We\'re looking to see \nwhen to hop and whom to hop upon.\n    So I\'m very interested, I think because I represent so many \nFederal employers that were among those first implicated.\n    And, Mr. Dodaro, I\'d like to ask you about Federal \nstrategy. I\'d like to be able to say I left this hearing and I \nlearned something that should put some of my own constituents \nat ease.\n    Would you tell me what the Federal strategy is for \nprotecting national cybersecurity here and penetration globally \nfrom outside of the United States? Do you have access to such a \nnational strategy?\n    Mr. Dodaro. There are several documents that have been put \nforward by the executive branch. DHS----\n    Ms. Norton. Would you call that a national cybersecurity \nstrategy? And what do you mean by documents? Would you tell us \nwhat a document does?\n    Mr. Dodaro. Sure. Sure. Sure. You know--well, first of all, \nour main point today is there\'s a need for a more comprehensive \nnational strategy.\n    Ms. Norton. There must be something, if you say a more \ncomprehensive----\n    Mr. Dodaro. Right, right. There has been a foundation laid \nby the government for these strategies. DHS has a strategy that \nthey put forward, they\'re responsible for coordinating across \nthe Federal Government, and with critical infrastructure \nprotections, and they\'ve laid out a number of components of \nthat strategy. 
But we found they need--they didn\'t identify who \nthe--what resources they needed, how they were going to \ndetermine they were making progress----\n    Ms. Norton. Since several agencies would be involved, who \nshould be in charge of coordinating the development of a \nstrategy--cybersecurity strategy?\n    Mr. Dodaro. Well, it needs----\n    Ms. Norton. National cybersecurity strategy.\n    Mr. Dodaro. Yeah. You need to have either an individual or \nan entity or a process in order to have somebody to \ncoordinate----\n    Ms. Norton. For example, with more than a number of \nagencies involved, who would you suggest? You, the GAO, might \nbe----\n    Mr. Dodaro. Well, it needs to be led out of the White \nHouse, in my opinion.\n    Ms. Norton. It needs to be led out of the White House. Back \nand forth.\n    Mr. Dodaro. Because you\'re dealing with national and global \nissues in this case.\n    Ms. Norton. That\'s where the coordination needs to happen, \nand I appreciate that.\n    Mr. Dodaro. Well, it needs to happen at all levels, but \nthe----\n    Ms. Norton. Now, somebody needs to be in charge. My \nconcern, Mr. Dodaro, is I can\'t say to my constituents, don\'t \nworry about it. Either some agency is in charge or somebody in \nthe White House is in charge.\n    What about milestones? Are there at least and what has been \nput forward by individual agencies, milestones, so that I could \nsay to my own constituents, well, they\'re this far along and \nhere\'s an example? That\'s what people are looking for. Assure \nme. Reassure me.\n    Mr. Dodaro. No, we would like to see more milestones. DHS \nhas told us, for example, they\'re working on their strategy, \nit\'s supposed to be out next month, that would identify \nmilestones that would include the resources and the performance \nmeasures. So we\'ll wait to see. But that\'s supposed to be \nforthcoming.\n    Ms. Norton. Ms. 
Kent, finally, let me ask you, because you \nare dealing with the IT strategy for the Federal Government. Do \nyou have milestones? And where are we when it comes to helping \nagencies operationalize these policies so that there is at \nleast governmentwide such an IT strategy? Are they milestones? \nWho\'s implementing them? Who\'s in charge? Are you in charge? \nYou\'re the chief financial officer, or please detail that.\n    Ms. Kent. There are indeed milestones, and many of the \npoints that have been made around deployment of continuous \ndiagnostic and monitoring tools, securing agency data, \nmodernizing their technology are part of the milestones that we \nare tracking. You did see in the report that we are behind \nacross the agencies on some of those. So we have a very \nspecific focus.\n    There was a milestone set for deployment of the continuous \ndiagnostic and monitoring tools. We have not met that \nmilestone, and we\'re working very aggressively with the----\n    Ms. Norton. What are monitoring tools, please?\n    Ms. Kent. To be able to--for all of the agencies to have \nimplemented tracking capability so that they know what is on \ntheir network.\n    Ms. Norton. Yeah. I\'m worried about the scanning, for \nexample.\n    Ms. Kent. Yes. So that we know who is accessing their \nnetwork----\n    Ms. Norton. Yeah.\n    Ms. Kent. --and what. And so we are working very \naggressively with DHS. And one of the critical things that we \ndid as part of the President\'s Management Agenda was reassess \nhigh-value assets. I am pleased to say that we had 100 percent \nparticipation from every agency to identify those assets that \nare most critical, applications and data, and we\'re working \nwith DHS on those that are most critical for next set of \nactivities.\n    Ms. Norton. Thank you very much.\n    Mr. 
Chairman, I think the committee needs to do more to \npress the milestone notion so that we can reassure the American \npeople that we\'re getting there and how soon we\'re going to get \nthere. Thank you very much.\n    Mr. Hurd. Thank you.\n    The gentleman from Michigan is now recognized for 5 \nminutes.\n    Mr. Mitchell. Thank you, Mr. Chair.\n    I\'d like to pursue a little bit the questioning that my \ncolleague had a few moments ago about these 35,000-plus, quote, \nincidents. Can you define, Mr. Dodaro, a little more carefully \nwhat an incident is, in your interpretation?\n    Mr. Dodaro. I\'m going to ask Mr. Wilshusen, our expert in \nthis area, to explain those.\n    Mr. Mitchell. Turn your mic on, sir.\n    Mr. Dodaro. Oh, I\'m sorry. I\'m going to ask Mr. Wilshusen \nto explain those. He\'s our expert in that area.\n    Mr. Mitchell. Because these aren\'t--incidents aren\'t just \nsomeone tinkering around trying to scan in your system. Please \ndefine them a little more carefully.\n    Mr. Wilshusen. Right. These would be incidents that \nactually have impacted an agency operation or so. They were \nable to gain access, and they do this through a number of \ndifferent mechanisms. One of the more common ones, it\'s just \nthrough what is known as a phishing attack.\n    Mr. Mitchell. Phishing, sure.\n    Mr. Wilshusen. In which you send an email with a link and \nsomeone clicks on it and it sends them to a----\n    Mr. Mitchell. Sends malware.\n    Mr. Wilshusen. --or download some suspicious software.\n    Mr. Mitchell. Okay.\n    Mr. Wilshusen. It can also be the loss or theft of \nequipment that contains sensitive information as well.\n    Mr. Mitchell. Sure.\n    Mr. Wilshusen. So there are a number of different types of \nincidents, but these are ones that do have an impact or can \nhave an impact on the agency.\n    Mr. Mitchell. Now, Mr. 
Dodaro, you referenced earlier that \nstate and non-state actors has been suggested as discussions \nalready started that, again, we\'re back to Russia. These state \nactors, examples of state actors impacting our systems go far \nbeyond Russia, do they not?\n    Mr. Dodaro. Yes, they do. I mean, some of the intelligence \ncommunity has singled out, you know, Russia, China, Iran, North \nKorea, as you know, actors in this area as well.\n    Mr. Mitchell. I\'ll run the risk of offending some people by \nsaying that I believe occasionally some of our allies actually \noccasionally are trying to wander around our systems too.\n    Mr. Dodaro. It could be. I mean, I would defer to the \nintelligence community for those responses.\n    Mr. Mitchell. I\'ll let them get into it. I want to stress, \nthe reality is we face threats both internally and externally \nthrough cybersecurity.\n    When an incident happens, Ms. Kent, how--what\'s the \ntimeframe by which you\'re informed we have some level of an \nincident?\n    Ms. Kent. There are various timeframes depending on the \nincident and when the agency identifies the particular \nactivity. Like you just heard, there\'s different types of \nissues and incidents. Some of those may be very quick, others \nmay be a longer timeframe. And as Mr. Dodaro indicated, \nparticularly in situations where there is some type of malware \nor an attempt to----\n    Mr. Mitchell. Let me stop you. I appreciate it. You\'ve \ngot--I understand they can\'t inform you until they know about \nthem; that\'s problem one. We\'ll get to that in a moment. \nProblem two is that the time from when they have knowledge of \nthe incident, what\'s the general--what\'s the expectation--let \nme change that--what\'s the expectation that you put out, the \nWhite House has put out to inform you that we have an incident \nof some form? What\'s the expectation?\n    Ms. Kent. 
The expectation is that the agency informed DHS, \nwho is looking at our enterprise risk, and we are tracking \nall----\n    Mr. Mitchell. What\'s the timeframe on that? Once more, what \nis the timeframe on that?\n    Ms. Kent. As immediately as they know.\n    Mr. Mitchell. So, theoretically, the same day, next day, \nthat night, whatever the case may be?\n    Ms. Kent. As quickly as they have identified the incident.\n    Mr. Mitchell. When do you find out about it?\n    Ms. Kent. I find out in reports from DHS?\n    Mr. Mitchell. Which is--takes what kind of timeframe?\n    Ms. Kent. Depends on the type of incident.\n    Mr. Mitchell. Go ahead, give me examples.\n    Ms. Kent. I don\'t actually have an example.\n    Mr. Mitchell. Okay. Let me ask you a question, if I can, \nMr. Dodaro. The FISMA audits that are done, in your opinion, \nare they sufficient, and are actions being taken on those \naudits at this point in time?\n    Mr. Dodaro. They\'re a starting point because they\'re \nsupposed to identify a comprehensive information security \nsystem. We find that there are deficiencies in all aspects, \naccess control, segregation duties, configuration management, \ncontingency planning, so--and they\'re not remedied as quickly \nas possible. So there are serious security weaknesses that have \nexisted for years, and a number of the FISMA audits at the \nagencies are in place. But there needs to be more done, because \nthey need to have better response when they find incidents.\n    Mr. Mitchell. Who\'s responsible for those--for that \nfollowup?\n    Mr. Dodaro. Well, each agency is responsible for their own \nactions, and this is an issue, because they\'re not correcting \nthe problems fast enough, in my opinion. That\'s why we have it \nas a designated high-risk area across the entire Federal \nGovernment. Virtually every agency has serious weaknesses. And \nI don\'t think enough attention\'s focused by agency managers on \ngetting these areas fixed. 
We\'ve made recommendations to OMB \nthat they send out more guidance to the agencies to hold senior \nleaders accountable for getting these weaknesses fixed.\n    Mr. Mitchell. One of the things that astonished me, and my \ntime expired here, but let me finish this one comment, Mr. \nChair, is that when I first joined Congress and joined this \ncommittee, I was astonished by the number of agency chief \ninformation officers that--how do you get someone leading when \nyou\'ve got all of these people doing their own thing? I mean, \nyou----\n    Ms. Kent, you were in the private sector, and I am short on \ntime so I can\'t--that didn\'t happen in your world, now, did it?\n    Ms. Kent. It did not. And that\'s also one of the focuses \nthat we have had both under FITARA as well as the recent \nexecutive order to have a single CIO that has accountability, \nresponsibility, and visibility across the entire agency, so \nthat we can move the types of things that we were talking about \nmuch more quickly.\n    Mr. Mitchell. And with that, when there\'s an incident, they \nshould tell DHS and they should tell you at the same time.\n    Ms. Kent. Yes.\n    Mr. Mitchell. Thank you. I will yield back. Thank you, Mr. \nChair, I\'m sorry.\n    Mr. Hurd. The distinguished gentleman from Iowa is now \nrecognized for 5 minutes.\n    Mr. Blum. Thank you, Chairman Hurd.\n    Mr. Dodaro, good to see you again. Ms. Kent, good to see \nyou. Thank you for appearing today.\n    I\'m going to change gears a little bit, and I\'d like to \nhear from you your expertise on cloud computing. I understand \nthe Department of Defense is going to have a private company in \nthe private sector host, via the cloud, a lot of government \ndata. And I don\'t know, my first reaction is, you know, it \nconcerns me a little bit, it concerns people in my district \nwhen they hear that. 
Maybe I shouldn\'t assume anything.\n    Do you feel confident that this data will be more secure \nthan if it were with the Federal Government, and why?\n    Mr. Dodaro. Cloud computing offers the potential for, first \nof all, cost savings, and a more rapidly updating of the \nsystems that are used in place. You know, as we mentioned, you \nknow, these legacy systems have been in the Federal Government \nfor a long period of time, and that\'s a big problem. If you go \nto the cloud, then the updating of those systems become the \nresponsibility there.\n    Now, that being said, there are cost efficiencies and other \nefficiencies that could be gained. The security is a paramount \nissue that needs to be addressed. We\'re looking now, there is a \nprogram that\'s supposed to ensure that there\'s security over \nthe cloud operations. It\'s called FedRAMP, is the acronym for \nit. And we\'re looking to see if it\'s an effective tool to make \nsure there\'s adequate security in the cloud operations.\n    Now, the last point I\'d make is that the Federal \nGovernment\'s own record of security is pretty abysmal. So, you \nknow, as a starting point--so I don\'t think, you know, \neverybody--everybody have a total confidence that everything\'s \nfine now, and it may be worse later if we move to the cloud. \nBut you have to be careful in making the move to the cloud \nenvironment to make sure there\'s adequate security.\n    Mr. Blum. So more secure is what you feel, I guess?\n    Mr. Dodaro. It could be, but we need to take care to make \nsure the requirements are there, they\'re set properly, there\'s \nadequate testing, there\'s certification, there\'s requirements \nand operations. It offers a lot of potential for savings, cost \nsavings for the Federal Government, and more up-to-date systems \nthat are better patched properly and in place. 
But the security \nremains as much of a concern with the cloud environment as it \ndoes with the Federal agencies, and we need to take due care.\n    Mr. Blum. Ms. Kent.\n    Ms. Kent. Yes, sir. I agree that it can be--it can \ndefinitely be secure. And in many cases, it is maintained in a \nway that we\'ve--we have seen--we have not necessarily done \nacross some of the Federal systems.\n    I would add two other things to what Mr. Dodaro said, is \nthat there\'s a discipline around understanding the data and \nwhat we\'re moving to the cloud and how we control access to \nthat. And that is the discipline that we\'re trying to drive \nwith the agencies as they\'re considering their transformations \nand the cloud technologies that they\'re using. So it\'s a \ncombination of the security that\'s available with the \ntechnology, what we\'re putting there, and how we manage access \nto that information.\n    And so those are the disciplines that we are--that my \noffice is working directly with the agencies as they consider \nthese acquisitions.\n    Mr. Blum. Mr. Dodaro, we often hear things like the Federal \nGovernment was slow to respond to an emerging threat, \nespecially cybersecurity threats. What have you found in that \nregard, and why?\n    Mr. Dodaro. It brings a new definition of slowness, okay. \nIn this area, you know, we first designated it as a high-risk \narea across the Federal Government in 1997. So I\'ve been trying \nfor over 20 years to get attention to this area. You know, we \nactually built a computer lab facility that could simulate the \noperating environment of agencies in the early nineties, and \nactually did a penetration testing to get people\'s attention \nthat there could be issues that needed to be dealt with.\n    And we very, very--it took a long time, but we finally \nconvinced the Congress, legislation began being introduced in \n2000, 2002, creating the Federal Information Management Act, \nthe FISMA Act, that was updated. 
And it really wasn\'t until the \nOPM breach that a lot of--in 2015--this is, you know, so many \nyears later that agencies began to move and the administration \nbegan to move.\n    But even then, to this day, I\'m not sure OPM has fixed all \nthe weaknesses that led to the original data breach. We went in \na couple of times and we haven\'t found the problem. So it\'s \nperplexing to me that there hasn\'t been enough urgency \nassociated with dealing with this issue. And I\'m pleased to \nhear from Ms. Kent and others that they\'re going to sort of up \nthe game here to be aggressive in this area.\n    But there\'s no question that there has been adequate \nwarnings about these areas that GAO has been given that has \nbeen on our top risk list for many years, both within the \nFederal Government, but also critical infrastructure \nprotection. We put that on in 2003. And concern about the \nelectricity grid, the financial markets, telecommunications, \nand we\'re moving in that area, but that\'s--you know, right now, \nit\'s all voluntary on the part of the private sector, and I can \nunderstand that, but we need to have a partnership and more \ninformation exchange between the private sector and the other \nsector.\n    I mean, this is a national security issue, not just, you \nknow, a privacy issue. And privacy has been slow too. You know, \nwe\'ve recommended that the Congress change the--update the \nprivacy laws. The original privacy Act is 1974. E-Government \nAct in 2002. Many things have changed since then that there \nneeds to be updated information. And while the Congress has \nonly identified some sectors of the economy, healthcare, credit \nreporting, to put in place rights for consumers about data \nthat\'s collected about them, there is no consumer privacy \nframework. We\'ve recommended that Congress consider creating \none since 2013.\n    So, you know, we\'ve been urging for a long time now more \nattention to this area. 
I\'m glad that we\'re having this \nhearing, but I think the pace of change needs to pick up quite \na bit, because the threats are evolving way faster than the \ngovernment\'s ability to deal with it.\n    Mr. Blum. I heard the phrase, and I\'ll end with this, the \nwarfare of the future may not be bombs, it may be bits and \nbytes, not bombs. And I know we spend a lot of money on bombs, \nand we should, but I think we need to give attention to bits \nand bytes, cybersecurity as well.\n    Mr. Dodaro. Yeah, absolutely. Absolutely. You know, in \nconventional warfare the first thing people do is take out your \ncommunication systems, take out your transportation structure, \nyour ability to have power. But to do that you\'d have to \nphysically invade the country. Today that\'s not exactly the \nsame. You can do it from your own country.\n    Mr. Blum. Thank you for your insights. And I yield back the \ntime I do not have, Mr. Chairman.\n    Mr. Hurd. I generally try to have a PMA, a positive mental \nattitude. My dad taught me that. And I think there has been \nsome bright spots over the last 3-1/2 years since I\'ve been in \nCongress.\n    Federal CIOs have more power than they have in the past. \nThey\'re getting more involved in the procurement process, \nbecause we can\'t hold Federal CIOs accountable if they don\'t \nhave the responsibilities on what goes on their network. And \nthat\'s something that this committee has fought for in a very \nbipartisan way.\n    I believe when we first started this committee, there were \nonly four CIOs that reported to the agency head or deputy \nagency head. I think now there\'s only four that do not. And I \nbelieve by the end of the year, there would only be one that is \nprobably not reporting. 
So, again, empowering the men and women \nin the CIO.\n    I\'ve been surprised over the last few months, I\'ve had a \nnumber of businesses say that they are happy with improved \nsharing of intelligence threat information between the Federal \nand the private sector. Now, that\'s part of DHS\'s role, and I \nthink DHS is the only entity that can get into that mode of \nneed to share. And we are seeing what DHS is able to do. And \ntheir technical capabilities to help across the other 24 CFO \nagencies, I think, are improving. And one of the things that is \nleading to and causing us to see the number of threats \nincrease, because, guess what, DHS is doing their job. Right?\n    Now, having done this kind of work before, guess what, I\'m \nalways going to get in. How quickly can you detect me, how \nquickly can you quarantine me, and how quickly can you kick me \nout is the mentality that we need to be in. But why are some \nbasic things--MEGABYTE Act. The MEGABYTE Act says every agency \nshould know what software they have on their networks. Is that \nhard to do, Mr. Dodaro?\n    Mr. Dodaro. No.\n    Mr. Hurd. Ms. Kent, is that a hard thing to do to be able \nto catalog the software that you have on your system?\n    Ms. Kent. No, sir, we have an opportunity to do much \nbetter.\n    Mr. Hurd. And so what is the--what more do we need to do to \ndrive that behavior? Megabyte is important, knowing what your \nsoftware is, and that\'s why we\'ve added it on to the FITARA \nscorecard. The FITARA scorecard is evolving into a digital \nhygiene scorecard. Naming and shaming is really what we\'re \ndoing. We\'re trying to give CIOs the authority with MGT, the \nModernizing Government Technology Act, to get out of this \nnotion of if you don\'t use it, you lose it. 
So now there\'s \nmotivation to--motivation to modernize.\n    What other carrot sticks should we be using or do you need \nin order to compel compliance on some very basic things, like \nknowing what software you have?\n    Ms. Kent. First, I have to applaud and say thank you for \nthe continuous focus on the FITARA scorecard because having \nthat level of transparency does make it a priority.\n    To your point on MEGABYTE, there are tools and technologies \nthat we can do that with, especially if it\'s a priority.\n    One of the things that I would ask that would be of great \nassistance is the continued focus on workforce activities. In \nmany cases, we still have almost a 25 percent gap in the number \nof cybersecurity resources that we need across Federal agencies \nand what we actually have in place. And, particularly, we have \nsome gaps in leadership and individuals--places where we have \nopen positions that are key leaders. In many cases, the \nindividuals, when we get them in, their tenure is less than 12 \nto 18 months.\n    So there are multiple workforce actions, both at entry \nlevel and at leadership, and there are things that we continue \ndialogs with the private sector to see if we can fill those \ngaps.\n    Mr. Hurd. Do we still believe it\'s--is the number still \n15,000, roughly, IT positions that are unfilled across the \nFederal Government?\n    Ms. Kent. Yes. Yes, sir.\n    Mr. Hurd. How is the process going to catalog what those \npositions are? Because we don\'t have common job descriptions \nacross the Federal Government. This is something that OPM was \nsupposed to be working on. I\'d welcome an update on this \ninitiative.\n    Ms. Kent. We are making good progress on that at clarifying \nthe specific positions, as well as common nomenclature. 
\nParticularly, the CIO Council recently published a CISO \nHandbook to ensure that we are holding our cybersecurity teams \naccountable for the same standards of behavior across all of \nthe agencies, but we still have work to do to fill those \npositions. And particularly in the entry levels to ensure that \npotentially we are identifying other skill sets in the Federal \nGovernment that we can move into some of those positions.\n    Mr. Hurd. So when will we have a common picture of what \npositions are open and what these positions are going to be?\n    Ms. Kent. I know that it is in the works, and I will get \nthe date back to you.\n    Mr. Hurd. Mr. Dodaro, you mentioned in your written \nremarks, the national initiative for cybersecurity education, \ncybersecurity workforce framework. Is that ringing a bell?\n    Mr. Dodaro. It will ring Mr. Wilshusen\'s, it will ring his \nbell.\n    Mr. Hurd. It will ring his bell. All right.\n    Mr. Wilshusen. It does.\n    Mr. Hurd. What is that? Where are we--you know, the report \nrecommends, and y\'all\'s report recommends that this is \nsomething that is not being addressed properly. Can you give us \na little bit more context to this?\n    Mr. Wilshusen. Sure, absolutely. The NIST\'s Cybersecurity \nWorkforce is an attempt to kind of have a common language and \ndesignation for cybersecurity and IT-related activities. And \nthe intent under the Federal Cybersecurity Workforce Assessment \nAct, Federal agencies are required to assess their \ncybersecurity workforce, identify the specific functions \nassociated with each of those positions, or their IT and cyber \npositions, and then assign codes to it in the attempt to \nidentify critical areas of need as it relates to cyber.\n    We issued a report last month that showed that 13 out of \nthe 23--24 agencies that we examined had not performed all of \nthe activities that they were required to do. 
And we ended up \nmaking about 30 recommendations to those 13 agencies. We have \nongoing work continuing--following up on the status of those \nrecommendations and agencies\' actions to finish implementation \nof the requirements of that Act.\n    Mr. Hurd. Good copy. We will come back on a round two. And \nnow, I\'d like to recognize my friend from New York, Mrs. \nMaloney, for her 5 minutes.\n    Mrs. Maloney. Thank you very much, Mr. Chairman and Mr. \nRanking Member, and all of the panelists.\n    Mr. Dodaro, in the high-risk report that GAO issued today, \nit states that the vast number of individuals potentially, if \naffected by data breaches at Federal agencies and private \nsector outlets, increases concern considerably that personally \nidentified information is not being properly protected. And I \nthink I agree with you completely too. Given the breaches that \nwe\'ve seen with Verizon in April, they released a report \nshowing that in the past 12 months alone, there was a total \nover 53,000 incidents, and over 2,200 confirmed data breaches. \nAnd then in 2017, we saw the really awful data breach at \nEquifax, which was over 143 Americans had their personal \ninformation stolen. And the 2015 breach at OPM, which affected \napproximately 22 million individuals. It demonstrates the \nabsolute massive scale of harm to privacy and security that \ndata breaches can have, and this doesn\'t even get into the \nalleged foreign governments that are hacking into our private \nmaterial.\n    The high-risk reports states, and I quote, that the laws \nare currently written may not consistently protect personally \nidentified information in all circumstances of its collection \nand use, end quote.\n    Can you briefly explain how our current privacy laws and \nframework for protecting individuals\' privacy is not adequate? \nObviously, it\'s not adequate with this large number of breaches \ntaking place. 
There\'s some reports that every person in \ngovernment has been hacked. That everybody\'s breaking in \neverywhere. So could you respond to that?\n    Mr. Dodaro. Absolutely. First, the Privacy Act was \noriginally passed in 1974, so it\'s very dated and did not have \nanywhere near the context of the current computing environment \nin place, and what is likely to occur in the future. There was \nthe E-Government Act in 2002 that took a couple of steps, but \nnot sufficient.\n    Here\'s two examples. One is that the current definition \ndeals with a system of records that the government\'s \nresponsibility is protecting that. That doesn\'t say anything \nabout data mining, it doesn\'t say anything about databases that \nare used and scanned and scraped and whatever definition you \nwant to use. So the ability now to be able to manipulate the \ndata doesn\'t really--is not contemplated under current law.\n    Second, it gives the Federal agencies the ability to only, \nyou know, use the data for, quote, authorized purposes. Now, \nthat doesn\'t necessarily give the individuals whose data is \nbeing collected an understanding of what is an authorized \npurpose. So there\'s really not clarity about what the Federal \nGovernment\'s limits or abilities are to be able to deal with \nthese things.\n    Mrs. Maloney. What would you say is an authorized purpose?\n    Mr. Dodaro. Well, it\'s--every agency is allowed to define \nit in their own way, which is what----\n    Mrs. Maloney. Well, that\'s not right.\n    Mr. Dodaro. Well, that\'s what we\'re saying. Basically, \nthere needs to be more clarity on exactly----\n    Mrs. Maloney. Can you get back to the committee with an \nexplanation or a recommended definition of this?\n    And you went on to say in your report that--that we needed \nto strengthen our consumer privacy laws. Is that right?\n    Mr. Dodaro. Yes.\n    Mrs. Maloney. 
Could you get back to us on how you would \nexpect us, or to me, on how you\'d like us to strengthen it?\n    And if Congress does move forward with amending and \nupdating the Nation\'s privacy laws, which we should, what are \nthe key changes that you believe must be achieved?\n    Mr. Dodaro. Yeah. We will definitely provide all that \ninformation to you in detail.\n    On the consumer privacy framework, really, there isn\'t one, \nexcept in the healthcare area and HIPAA, for example, or \nFederal credit reporting, or some other information--\neverything--nothing else is really covered, including \ninformation reselling of data.\n    And with other technologies, facial recognition technology \nand other things, there is no consumer financial privacy--or \nconsumer privacy framework in place, and we recommended that it \nbe put in place. So we can give you some examples of that.\n    Mrs. Maloney. Please do. Please do give it.\n    And I do want to get to OMB for a moment, Ms. Kent. What is \nthe administration\'s timeline for implementing GAO\'s \nrecommendations? Are you implementing these recommendations \nthey put out?\n    [3:24 p.m.]\n    Ms. Kent. We\'re in process of many of the recommendations, \nparticularly the ones that are in the area of Federal systems \nand information and, actually, in the privacy and security area \nthat you just talked about.\n    One of the key elements around how we secure data and \ncitizen data is the efforts under IT modernization.\n    It is very difficult or complex to secure data in systems \nthat are over 20 years old. And as we modernize, we have better \ntools for data encryption and management of the data both at \nrest and in movement, and that is one of the ways that we \nprotect all information that we have within our Federal agency \npurview against any type of threat.\n    Mrs. Maloney. 
And very briefly, how can Congress assist you \nin this really huge effort and very, very important one? It \nused to be privacy was utmost concern on everyone\'s mind. And \nnow with terrorism, attacks, and other things, it\'s not taken \nthe really important level that it should in our country. And I \nwant to express my appreciation for your report. But how can we \nhelp you?\n    Ms. Kent. Congress can continue to help us through funding \nof the teams that focus on these efforts, through creative \nvehicles like the Technology Modernization Fund that let us \nactually advance the modernization activities much more \nquickly, as well as the efforts that I spoke of earlier on \nworkforce.\n    Mrs. Maloney. I\'m way past time.\n    Thank you for indulging, Mr. Chairman. I yield back. Thank \nyou.\n    Mr. Hurd. The distinguished gentleman from the Commonwealth \nof Virginia and ranking member is now recognized for his first \n5 minutes of questioning.\n    Mr. Connolly. Thank you, Mr. Chairman. Thank you for your \ncommitment to this subject matter.\n    Mr. Dodaro, I want to thank you and GAO for elevating this \nparticular part of the issue to your high risk grouping. \nBecause it forces us to at least talk about it, hopefully do \nsomething about it, and you\'ve been instrumental in the past in \nsupporting our FATAR legislation and our scorecard efforts and \nthe like. And I really credit GAO with helping us make the \nprogress we\'ve made.\n    Last May, the Trump Administration, however, eliminated the \nWhite House cybersecurity coordinator position from the \nNational Security Council. In light of your elevation of this \nas a high risk category, in retrospect, was that a prudent \nmove? Was that a welcome move in the context in which you\'ve \ndelineated this subject matter?\n    Mr. Dodaro. I think, just for clarification, we\'ve had this \non the high risk list since 1997, so this isn\'t a recent \nelevation. 
I\'m concerned that there hasn\'t been enough progress \nin addressing this issue. I was, you know, surprised that the \nposition was eliminated. I\'ve been told that those \nresponsibilities have been divided among two people. I haven\'t \nhad a chance, since it\'s a recent activity, to look into it \nmore. We plan to do that in the future.\n    So once we look into it and see how they\'re planning to \napproach it with the elimination of that position, I\'ll be in a \nbetter position to advise the Congress on what to do.\n    We\'ve never really evaluated this cybersecurity coordinator \nrole. We\'ve been more focused on getting a national strategy in \nplace and making clarifications. And I haven\'t really examined \nfully what that position did, what kind of resources they had \navailable and what their accomplishments were during that \nperiod of time.\n    So it\'s an area that I\'m concerned about. You always want \nto have good leadership, and you can have good leadership in a \nnumber of different ways, but I want to look at it more \ncarefully before I advise on exactly what would need to be done \ndifferently from what they\'re contemplating doing.\n    Mr. Connolly. Yeah, you may be right. I mean, maybe \ndiffusing responsibility or splitting responsibility allows us \nto have a sum greater--you know, the whole greater than the sum \nof the parts.\n    On the other hand, you know, there was a report in Politico \nthat said since its creation in 2009, the White House \ncybersecurity coordinator position has been key in resolving \nconflicts among agencies, preparing cabinet leaders to make \nmajor policy decisions, and responding to crises.\n    As you know, Mr. Dodaro, sometimes--maybe more often than \nnot--in government, you need a central focus. You need some \nchampion who is vested with authority and responsibility for \nmoving an agenda, for advocating for a cause. 
And absent that, \noften in big bureaucracies, you know, something we all think is \na good thing just kind of dies on the vine for lack of \nattention and championship.\n    So I would welcome you looking at that because I think we \nwould want to know, did the Trump Administration make a good \ndecision or did it make a mistake in abolishing this position.\n    Ms. Kent, do you have views on that? I\'m sure you do.\n    Ms. Kent. Sir, I don\'t know that I would--what I would \nreflect is that the activities for the Federal agencies are \ndirected by Homeland Security Advisor Fears. And in fact, my \nchief information security officer has a dual reporting \nrelationship between he and I, so that there is no miss or time \nin translation for things that we need to take action on.\n    And I think I have a very clear set of mandates of actions \nthat we need to take across the Federal agencies.\n    Mr. Connolly. Well, I\'m glad to hear that. Do you know how \nlong it took to get a CTO?\n    Ms. Kent. To get a--I\'m sorry?\n    Mr. Connolly. A chief technology office or a CIO for the \nFederal Government?\n    Ms. Kent. Yes, sir, I do.\n    Mr. Connolly. In this administration, it is over a year.\n    Ms. Kent. Yes, sir.\n    Mr. Connolly. So I have to tell you, given that record, it \nis not exactly confidence-building that, you know, you\'ve got \nit and you\'re moving an agenda--not you personally--but the \nadministration. I mean, words are nice but actions are \nimportant.\n    If I may, Mr. Chairman, because I think I\'m going to have \nto run, I have one other subject that is of deep concern to me. \nAnd again, I\'m going to ask you, Mr. Dodaro, to look into this.\n    And I agree with what you said, Ms. 
Kent, we\'ve been \nchampions about the need to upgrade legacy systems or replace \nthem, and to, you know, come into this part of the 21st Century \nso that we can encrypt, we can protect.\n    But what is, you know, the purpose of technology is to do \nthe job better. It\'s to be deployed. It is to give us \ncapabilities we otherwise might not have. One of those \ncapabilities is telework.\n    And I can tell you as someone who lived through 9/11 and \nhas lived through lots of hurricanes and other kinds of things \nhere in the Nation\'s Capitol, telework increasingly becomes \ncritical to continuity of operations, without which, government \nshuts down.\n    And what has disturbed me is that the Trump Administration \nseems to be going in exactly the wrong direction with respect \nto telework. The Department of Education issued new guidelines \nthat seem to severely curtail our robust program.\n    USDA, which is highly touted by Jared Kushner and Chris \nLiddell--and I met with them and had a good meeting--but I did \nbring to their attention that I felt Secretary Purdue was going \nin the wrong direction on telework. He actually curtailed that \nprogram there.\n    And then your office issued guidelines that, from the White \nHouse, that actually would limit, as I understand it, telework \nto be defined as no more than one day a week.\n    Now, I don\'t know anyone in the telework profession who \nwould agree with that definition. No one. Telework is to be \nencouraged more than one day a week. It\'s a structured program. \nIt\'s not a spontaneous, like ``gee, I feel like teleworking \ntoday.\'\' That\'s not how it works. But we want to get the \nmaximum benefits and we want to deploy technology, and we want \nto make sure this is part of the offering for the next \ngeneration of Federal employee. 
Because millennials expect that \nas part of the offering.\n    So what is going on here in terms of the reluctance to \nencourage rather than constrain telework in this \nadministration? I have to confess to you, and then I\'ll shut \nup, I was really particularly bothered by this because we \nactually had a good meeting at the White House where we found \ncommon ground. And I reassured Mr. Kushner and Mr. Liddell \nthat, frankly, if they continued going in the direction they \ndescribed they would have our support, which is not an every \nday occurrence. And then this happened.\n    And this seems to fly in the face of the kind of progress \nwe thought we were going to make in common.\n    Ms. Kent. Sir, I\'m not informed on the specific decisions \nthat the agencies made around their policies.\n    I do know that one of the things that we are focused on as \npart of the President\'s management agenda and specific goal is \nthe elimination of paper across the various processes in the \ngovernment to actually free up the ability for individuals to \nnot be dependent on being in a specific physical spot to do \nthat work and drive other efficiencies.\n    In addition, some of the investments that we\'re making in \ndigital capabilities and new workforce tools actually enable \nwork to be done from a broader reach of locations.\n    Mr. Connolly. Well, I mean, there\'s actually explicit \npolicy guidance that has been drafted that would curtail \ntelework in your administration. And I\'ll be glad to get it to \nyou, if you haven\'t seen it.\n    Mr. Dodaro, I would just ask that you look into this, \nbecause I think it flies in the face of the progress we\'ve \ntried to make. And, you know, the whole point here is to deploy \nthe capability, not constrain it, and would welcome GAO to look \ninto this and see if we can\'t----\n    Mr. Dodaro. I\'d be happy to do so.\n    Mr. Connolly. I thank you so much. And Mr. Chairman, thank \nyou for your indulgence. 
I\'m sorry.\n    Mr. Hurd. Mr. Mitchell, round two.\n    Mr. Mitchell. Thank you, Mr. Chair.\n    Mr. Connolly, you may want to stay for this conversation--\nit\'s the beginning of it--because we\'re talking about legacy \nsystems.\n    Mr. Dodaro, have you looked at or done any analysis----\n    Mr. Connolly. I would say to my friend, I would, but I \nbelong to two committees that believe no human problem cannot \nbe improved with another hearing. And my other committee is \npracticing that as we speak.\n    Mr. Mitchell. Only two committees are doing that? I\'m \nshocked.\n    It\'s getting near district work period and it\'s gone, the \nwheels have come off the bus around here, okay?\n    Let\'s talk about legacy systems for a moment. Have you done \nany analysis, any examples of the current cost of maintaining \nlegacy systems versus just making a transition to a new system, \nand what is the comparison?\n    If you could give me some examples, that would be great.\n    Mr. Dodaro. Well, overall, what we\'ve said of the annual \nFederal investment, which is about $80, $90 billion a year, 75 \npercent of that goes to support the legacy systems as opposed \nto, you know, making investments and modern approaches in \nsystems.\n    So, you know, we\'ve looked at a lot of individual cases, \nand I\'d be happy to provide those for the record, but, you \nknow, it definitely, you know, the government\'s track record in \nimplementing new systems and being able to retire legacy \nsystems isn\'t, you know, very good. But it needs to be better.\n    And I think the legislation this committee has sponsored is \nhelping move in that right direction. And, you know, I had \nalways approach this with a PMA as well, a positive mental \nattitude, but I also have a view of what the realistic track \nrecord has been of the agencies. I\'m hoping they do better. 
I \nhope the CIOs will do better in this area, but we need to make \na better job in those areas.\n    So the short answer to your question is the legacy systems \ninvolve a lot of spending and are sucking up a lot of the \nFederal government\'s investment, and we need to get new systems \nin place. But every time there\'s an effort to do that, there\'s \na failure on the part of many agencies.\n    Now, hopefully with Ms. Kent\'s leadership and elevating the \nCIOs to have more responsibility in the agencies, we\'ll see a \ndifferent outcome going into the future. I certainly hope so.\n    Mr. Mitchell. Well, I would like to see those examples, so \nif you can get those to the committee with things you\'ve looked \nat, we would like to look at. Because at some point in time \nwhat we\'re doing is we\'re paying costs, workforce costs to work \non legacy systems that should, in fact, be better----\n    Mr. Dodaro. Yeah, I mean, a good example. We just issued a \nreport about the Coast Guard system that was supposed to be put \nin place that failed. The VA, they spent, you know, over $1 \nbillion dollars trying to improve the current electronic \nhealthcare system, that hasn\'t been successful as well.\n    I mean, we\'ve got a long list of activities where money has \nbeen invested, you know, in a lot of cases millions, hundreds \nof millions of dollars, and it hasn\'t produced the new system \nyet properly to retire the legacy system.\n    So we\'ll get you a list. I\'m confident we have one, and it \nwill touch virtually every agency in the Federal Government.\n    Mr. Mitchell. We just had a hearing a bit ago on the \nCensus. And as you are well aware, they are well behind, in \nterms of developing it\'s what they do in systems and they\'re \nover-budget. So it doesn\'t surprise me, but we need to start to \nlook at that, so I\'d like to see it.\n    Ms. 
Kent, could I ask you, you mentioned the vacancies you \nhave, about 15,000 vacancies of technical, cybersecurity \npersonnel; is that connect?\n    Ms. Kent. Yes, sir.\n    Mr. Mitchell. What are the primary drivers of those \nvacancies.\n    Ms. Kent. I\'m sorry. Say that again?\n    Mr. Mitchell. What are the primary drivers, causes of the--\n--\n    Ms. Kent. Of the vacancies?\n    Mr. Mitchell. Yes.\n    Ms. Kent. The primary drivers of the vacancies is that \ncybersecurity skills are one of the hottest skills in the \nindustry right now and we\'re competing with the private sector, \nas well as the cybersecurity professionals have an expectation \nof quick mobility, large challenges and some ability to move \nvery quickly in their profession. And some of those things \ndon\'t align well.\n    Mr. Mitchell. We\'ve got big challenges. I can guarantee \nthat.\n    Ms. Kent. It is a very big challenge, but it\'s an area \nwhere there are many avenues that we\'re pursuing, both at \nentry-level positions as well as leadership positions, and \ncontinuing to explore exchanges with private sector to fill \nthose gaps.\n    Mr. Mitchell. When we had people leave my company, we \nalways did a survey of, kind of get an idea of why you\'re \ngoing. I mean, I\'m sure you did as well.\n    What is the primary--average 10 years about 18 months and \nthey\'re gone.\n    What\'s the primary causes that people are up and leaving \nonce you get them here?\n    Ms. Kent. It is a highly valuable set of skills in the \nprivate sector industry. So many times it is a question of \ncompensation.\n    What we have to offer is an exciting mission and the \nability--we have many very motivated professionals that come in \nbecause they believe in the missions that our agencies are \nfocused on.\n    Other times, they are leaving because they want more \nmobility. And mobility as they progress through, you know, the \nprofessional ranks.\n    Mr. Mitchell. 
Have there been many recognitions made, Mr. \nDodaro, on what we do in terms of compensation skill or a \ncareer structure for cybersecurity personnel in the Federal \nsystem?\n    Mr. Dodaro. No. I mean, this is an area where we\'ve had \nstrategic human capital management on high risk since 2001.\n    You know, one of the areas----\n    Mr. Mitchell. What have you not had on high risk since \n2001?\n    Mr. Dodaro. Well, there are things that aren\'t high risk. \nYou know, we----\n    Mr. Mitchell. Okay.\n    Mr. Dodaro. But, you know, the problem here is the \nclassification system that OPM has in place. I mean, there\'s \nreally not been, I mean that system was created many years ago. \nIt didn\'t contemplate cybersecurity. They\'ve not adapted over \ntime. And so right now the phase 1 of what the administration \nis currently doing is to take stock of what cybersecurity \nskills exists across the government.\n    I mean, we should have known this for years earlier and \ndeveloped new systems in place.\n    Now, Congress has been very good where they\'ve given a lot \nof special authorities to the agencies. But we found that they \nhave over 100 special hiring authorities but they only use \nabout a dozen or so. And so it\'s really OPM hasn\'t looked at \nwhether or not the special hiring authorities are being \neffective or not.\n    And so, you know, this means more attention. I\'m very glad \nthat the President\'s reorganization proposals focused on \ncybersecurity workforce.\n    Mr. Mitchell. Can you share with OPM, at least my opinion--\nnot necessarily the committee opinion--but my opinion that--I \nran a fair-sized company. The chief technology officer reported \nto me. They reported to me for a reason. And we had a deal. His \nphone never went off.\n    And as soon as something went sideways, you know, he gave \nwarning systems and you\'re well aware, Ms. Kent, what those \nare. And the deal was, he immediately went in and dealt with \nthe issues. 
And the next thing he did was he called me. Because \nthere is nothing that\'s more important than securing our data.\n    We\'re a school group. We have the information on 6,500 \nstudents at any point in time, their financial information, \ntheir parents\' financial information. And that getting hacked \nis a serious issue, never mind the issues we have here.\n    So suggest to OPM they may want to up the anti on this and \nmake it a little more important because people aren\'t trusting \nthe government because they don\'t believe their data is secure. \nNever mind the issues it creates for us in terms of national \nsecurity.\n    Thank you. I am out of time as well. Thank you, sir.\n    Mr. Hurd. Ms. Kent, one of the recommendations that GAO \nsuggests, needs to be improved, is this global supply chain of \ninformation that\'s on our Federal infrastructure.\n    So if we take the narrow view of the supply chain of \nsoftware or hardware that is put on a system responsible in the \ndot-gov domain, who is responsible for making sure that those \nwidgets are secure?\n    Ms. Kent. One of the things that I agree with the point \naround supply chain is ensuring that we have a mechanism, not \nonly to know what is on our network, but to allow Congress and \nother bodies to make recommendations and have a structured way \nthat we identify both hardware and software, where is it being \nused, and we have a structured way to pull those things out.\n    As we worked through the Kaspersky situation, we had to \ncreate an entire process, communicate that information, and \nmanage it one-by-one, across all of the agencies. And we did \nnot have a systematic way to do that.\n    Since we have now had additional concerns and, you know, \nthose may continue, what we would like to have in place is a \nstructured way to do that in ongoing identification by \nagencies.\n    Mr. Hurd. So let me rephrase the question. 
Right now can \nyou tell right now agency X, You\'ve got to remove all this \nstuff? You as the Federal CIO can make that directive and X-\nagency would have to comply with that.\n    Ms. Kent. We have been taking directives from the National \nSecurity Council or from others, but, yes, that is the way that \nwe have been executing the ones for which we\'ve been given a \ndirective to date.\n    Mr. Hurd. Can the CIO for that agency make that decision \nand say, All this stuff is coming out?\n    Ms. Kent. The CIOs have responsibility for the security \nposture of their agencies, so if they decide to take a more \naggressive stance on some situation or, you know, for some \nreason that aligns with their mission, that is within their \nauthority.\n    Mr. Hurd. So let\'s say an agency has a device on their \nnetwork that they shouldn\'t have, who should be in trouble? Who \nis responsible for having allowed that to happen? Or not \nfinding that out in advance?\n    Ms. Kent. That\'s a good question. We do hold agencies \naccountable for knowing what is on their network. And if there \nhas been a directive to remove actions and a specific date by \nwhich to act, we are holding them accountable from an oversight \nperspective.\n    Mr. Hurd. Mr. Dodaro, do you have any opinions on this?\n    Critical infrastructure, I mean excuse me, supply chain \nwithin the dot.gov space. Let\'s start with that.\n    Mr. Dodaro. Yeah, right, right. I think, you know, \nindividual agencies are always the first line of responsibility \nin these cases to know what they\'re buying and what is in \nplace.\n    DHS has responsibility and has the ability to issue binding \noperational directives to agencies, across government, if need \nbe, to remove devices or to do certain things as well. So DHS \nhas some responsibilities.\n    I would ask Greg to come up. He just testified on a supply \nchain issue recently, see if he has any additional thoughts.\n    Mr. Hurd. 
While he is coming up, describe your vision, the \nfuture state that needs to happen in order for this to be \nremoved from the GAO high risk report.\n    Mr. Dodaro. On supply chain or the whole----\n    Mr. Hurd. On supply chain over dot-gov.\n    Mr. Dodaro. Yeah, there needs to be, you know, a clearer \nplan for determining the supply chain operations, you know, in \nterms of identification of vulnerabilities, and there needs to \nbe greater accountability for enforcing that over time.\n    Mr. Hurd. Who should do that?\n    Mr. Dodaro. It has to be led by DHS or out of the White \nHouse to be enforced. I mean, it has to be. I mean, you know--\nand there are separate issues at DOD, all right, on this issue, \nyou know, for national security purposes, and they hold the \nprime contractors responsible. But there is a lot of \nsubcontractors kind of issues.\n    But in the civilian side of the government, I think it\'s \ngot to come from DHS primarily, would be where I would start.\n    Mr. Hurd. Mr. Wilshusen.\n    Mr. Wilshusen. Yeah. It would need to be, I think, also \nDHS, but also certainly with input, collaboration with the \nintel community as well as DOD as they collect intelligence and \ninformation about the particular supply chain direct to \nparticular components or systems that might be in use at \nFederal agencies.\n    DHS has used its authority under the Federal Information \nSecurity Modernization Act to issue binding operational \ndirectives to require and compel all Federal agencies to remove \nKaspersky Lab-type products, as was referenced earlier.\n    We have been requested and we plan to start an engagement \nlater this year to look at the process by which DHS determines \nwhen to issue a binding operational directive, how it comes \nabout that decision and then what oversight mechanisms it has \nto ensure that its directives are actually being implemented \nand implemented effectively by the agencies.\n    Mr. Hurd. 
Shifting gears on privacy. If the IRS database \ngot hacked--and let\'s say a portion of American citizen\'s \ninformation was stolen--what is the responsibility of IRS to \nnotify those individuals and notify Congress?\n    What is the breach notification rules that IRS would be \nfollowing in that case?\n    Mr. Wilshusen. It depends. IRS would need to make--and this \nis under guidance provided by the Office of Management and \nBudget, indeed on how to respond to particular data breaches.\n    Part of it is to conduct, at first, a risk assessment in \nwhich it looks at the scope of the breach and the potential \nharm that could occur to, say, in this case taxpayers, if their \ninformation is indeed compromised.\n    And then it\'s supposed to make a risk assessment and then \ndetermine what type of actions to take. Part of that could \ninclude notification to those individuals that their \ninformation has been breached. It could also include providing \nsome other remedies such as credit monitoring services and \nothers----\n    Mr. Hurd. So this is the standard written by OMB?\n    Mr. Wilshusen. That\'s correct.\n    Mr. Hurd. So if students\' loan information at Department of \nEducation was stolen, would that be the same notification \nresponsibilities and privacy----\n    Mr. Wilshusen. Yes, those guidelines are for all Federal \nagencies.\n    Mr. Hurd. So OMB has issued breach standard notification \nacross the Federal Government to include intel and militaries \nacross all Federal agencies or is it just the dot-gov space?\n    Mr. Wilshusen. I guess it would be dot-gov space.\n    Mr. Hurd. Ms. Kent, do you have any opinions on this topic?\n    Ms. Kent. It is not a topic that I am familiar with, all \nthe specifics. 
I do recognize, though, in the description is, \nthe process is very similar to industry and the notification \nprocess, identifying risks, understanding the risk of the \nindividuals, and then determining if there are other mitigating \nfactors that should be offered to those individuals.\n    Mr. Hurd. Ms. Kent, changing gears here. OMB released its \nagency self-reported data on the status of their information \nsecurity controls. We have found that agencies tend to present \na prettier picture than their own IGs in those FISMA audits.\n    Have you noticed this discrepancy? Are you working to make \nthis accurate reporting? Are you acknowledging these problems? \nHow do we plan to work with agencies to implement some of these \nbasic cybersecurity requirements.\n    Ms. Kent. I concur with your assessment. That was actually \nwhen I looked at the reports, one of the early things that I \nasked in joining.\n    It is actually a conversation that I have had with the GAO \nteam about how we can automate and actually extract data on \nsome of the specific points versus asking for a self-reporting \nmechanism. And we\'ll continue the dialogue about how to improve \nthat.\n    Mr. Hurd. This is one of my final questions. It\'s a very \nbroad basic question, and it\'s broad and basic for a reason. \nAnd we\'ll start with you Ms. Kent, and then we\'ll go down the \nline.\n    Who is responsible for defending the digital infrastructure \nof the Federal Government?\n    Ms. Kent. Say that again?\n    Mr. Hurd. Who is responsible for defending the digital \ninfrastructure of the Federal Government?\n    Ms. Kent. The agencies are responsible for defending the \ndigital infrastructure at their agency, and DHS is responsible \nfor defending across the enterprise. 
And there\'s an interlock \nof responsibilities between the agencies and their \ncommunication with DHS in ensuring that DHS has visibility to \nissues, incidents, and what they are detecting going on in \nthose individual agencies.\n    Mr. Hurd. What is the role of the Federal Government in \nhelping to defend the 16 areas that we consider to be critical \ninfrastructure?\n    Ms. Kent. I don\'t know that I\'m following your question. \nAre you talking about the external industry?\n    Mr. Hurd. So the 16 areas that we think are critical \ninfrastructure, financial services, utilities, election \ninfrastructure, go down the line, what is the Federal \ngovernment\'s role in helping to defend those infrastructures?\n    Ms. Kent. I see those as the responsibility of DHS. So I \ndon\'t know that I am informed to comment. DHS and our National \nSecurity Council. And from a Federal agency perspective, I know \nwhen we expect that they are sharing threat information from \nthose industries with us inside the Federal agency side so that \nwe can react to those.\n    Mr. Hurd. Got you. Mr. Dodaro, who\'s in charge?\n    Mr. Dodaro. Well, in the Federal space, I would agree. I \nmean, the agencies are primarily responsible according to \nFISMA. That\'s the agency heads. I mean, Congress has \nestablished that in law. It has given DHS responsibility and \nlaw. And OMB sort of passed that responsibility to DHS years \nago and without the authority.\n    Now, Congress corrected that and gave DHS the authority, \ngives them the ability to issue these binding operational \ndirectives. And then OMB has responsibility as well for policy \nmatters in a lot of these areas.\n    So in the Federal space, I think that\'s pretty clear. In \nthe critical infrastructure protection space, less so.\n    Now, in some of the critical infrastructures, for example, \nin the nuclear area, there are regulatory responsibilities. 
So
the Federal government's role is a little clearer in that area.
They have more authority to put in place requirements. But for
by and large, for most of the 16 sectors for critical
infrastructure, it's voluntary.
    And what we found is that the--there each has a Federal
coordination point and a lot of the Federal coordinators really
didn't know what the status was of the implementation of the
voluntary standards.
    When we talked to a number of people in the sectors, you
know, they were basically saying that they had challenges. They
didn't have enough people, they didn't understand all the
requirements. So that's the area I'm most concerned about.
    Mr. Hurd. So describe that future state when it comes to
critical infrastructure that if we achieved you would pull this
off as one of the four major challenges facing the Federal
Government.
    Mr. Dodaro. Yeah. Well, number one, I would have to have
some metrics and measures to know what the state of readiness
really is in those areas.
    Right now, you don't have that. No one can answer that
question, I believe, to say across the 16 sectors were ready.
And here is why I believe that.
    So to me, you need that in place to provide the level of
assurance that would be necessary in order to do that. And so
that's, you know, a tall order. And then you would need to
have, you know, a clearer understanding of information sharing.
    You know, our understanding of what's going on, you
referenced this earlier about businesses being happy with
information they're getting from DHS. I'm not too sure that
that information flow is going two ways. And I think we need
to, from the Federal Government standpoint, need to have
greater assurance that there's a two-way dialogue here, and
that we're really communicating and understanding what's going
on with the risk in those areas.
    So to me, you need a clear metric understanding of what the
status of readiness is for each of the 16 areas, and there
would be different metrics for different sectors. I'm not
suggesting there would just be one sector, but somebody has got
to be in that position to know that.
    And right now, that's very sketchy at best. And as a
result, I think we're very vulnerable in the Nation. I know
there's a lot of policy issues about the Federal role,
respecting the private sector, whatever. But I think we're
getting to a point with the threats from state and non-state
actors that we need to have more of a grownup conversation
about the real risk to the country in those areas and a meeting
of the minds on how best to protect our country for everybody.
    Mr. Hurd. Has GAO thought through what are those Doomsday
scenarios that we should be prepared for? Because if there are
unclear roles between the public and private sectors in
response to a Doomsday scenario, we need to be thinking through
what are those Doomsday scenarios that we need to be prepared
for.
    Have you all spent some time on that? Have you all seen an
entity that has designed that?
    Ms. Kent, you have seen stuff?
    I know there are some exercises. DHS does a few. But I feel
like we haven't done enough, because if we're truly going to
escape to a future state, we need to figure out what that is
we're trying to be prepared for.
    If we're going to develop contingency planning, what
contingency are we planning for?
    And Mr. Wilshusen, you came up here, so I hope you have some
interesting things to say.
    Mr. Wilshusen. I hope I can interest you.
    One, is DHS has developed a response plan, and it's tested
annually, in which it is a test against different types of
scenarios.
    And I do believe in some of the guidance at least--well,
from the National Institute of Standards and Technology and
some of its guidance, it does identify different threat
scenarios for different types of potential attacks that can
affect organizations and systems.
    Now, that's generally guided towards Federal agencies, but
those same types of attacks can also be applied against
critical infrastructure owners and operators in the systems
that they operate.
    And so there are different threat scenarios that have been
identified and those are things that both I think DHS and NIST
has identified.
    Mr. Hurd. Well, Mr. Dodaro, you've heard me say this
before. I'm a big fan of GAO. Whenever there's a new topic I am
working on, I always start with whatever reports you all have
developed.
    So thank you for you and your team and you all's service to
making sure our government is responsive to the people that we
serve. It's always a pleasure to have you here.
    Ms. Kent, any final words?
    Ms. Kent. I thank you for the opportunity. And as I said in
the opening, every chance that we have to elevate the
conversation around cybersecurity and the resources that we
need to be in a position to protect our security posture, I
greatly appreciate.
    Thank you.
    Mr. Hurd. Well, I thank our witnesses for appearing before
us today.
    The hearing record will remain open for two weeks for any
member to submit a written opening statement or questions for
the record.
    And if there's no further business, without objection, the
subcommittee stand adjourned.
    [Whereupon, at 4:01 p.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]
</pre></body></html>
