[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                   GAO HIGH RISK FOCUS: CYBERSECURITY

=======================================================================

                              JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 25, 2018

                               __________

                           Serial No. 115-110

                               __________

Printed for the use of the Committee on Oversight and Government Reform





        Available via the World Wide Web: http://www.govinfo.gov
                       http://oversight.house.gov
                       
                       
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
32-932 PDF                  WASHINGTON : 2018                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
                       
                       
                       
              Committee on Oversight and Government Reform

                  Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana
Michael Cloud, Texas

Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Jimmy Gomez, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
Stacey E. Plaskett, Virgin Islands
John P. Sarbanes, Maryland

                     Sheria Clarke, Staff Director
                    William McKenna, General Counsel
                         Meghan Green, Counsel
     Troy Stock, Information Technology Subcommittee Staff Director
     Julie Dunne, Government Operations Subcommittee Staff Director
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Steve Russell, Oklahoma
Greg Gianforte, Montana
Michael Cloud, Texas

Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois

                                 ------                                

                 Subcommittee on Government Operations

                 Mark Meadows, North Carolina, Chairman
Jody B. Hice, Georgia, Vice Chair
Jim Jordan, Ohio
Mark Sanford, South Carolina
Thomas Massie, Kentucky
Ron DeSantis, Florida
Dennis A. Ross, Florida
Rod Blum, Iowa

Gerald E. Connolly, Virginia, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
                           
                           
                           C O N T E N T S

                              ----------                              
Hearing held on July 25, 2018

                               WITNESSES

The Honorable Gene L. Dodaro, Comptroller General of the United 
  States, U.S. Government Accountability Office
    Oral Statement
    Written Statement
Ms. Suzette Kent, Federal Chief Information Officer, U.S. Office 
  of Management and Budget
    Oral Statement
    Written Statement

                                APPENDIX

Response from Mr. Dodaro, Government Accountability Office, to 
  Questions for the Record
Response from Ms. Kent, Office of Management and Budget, to 
  Questions for the Record

 
                   GAO HIGH RISK FOCUS: CYBERSECURITY

                              ----------                              


                        Wednesday, July 25, 2018

                  House of Representatives,
 Subcommittee on Information Technology joint with 
             Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:25 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the Subcommittee on Information Technology] 
presiding.
    Present: Representatives Hurd, Mitchell, Hice, Amash, 
Massie, DeSantis, Blum, Kelly, Connolly, Raskin, Maloney, and 
Norton.
    Mr. Hurd. The Subcommittee on Information Technology and 
the Subcommittee on Government Operations will come to order. 
And, without objection, the presiding member is authorized to 
declare a recess at any time.
    I would like to now recognize my friend and partner in 
crime, the distinguished gentlewoman from the great State of 
Illinois, for her opening remarks.
    Ms. Kelly. Thank you, Mr. Chair. And not too much crime.
    Thank you, Mr. Chairman and Chairman Meadows, for holding 
this important hearing. Ms. Kent, welcome to today's hearing, 
and thank you for testifying today and sharing your vision for 
cybersecurity as a new Federal CIO, and it's great to meet you 
in my office.
    And, Mr. Dodaro, special thanks to you for the extensive 
work you and all the dedicated professionals at GAO put into 
providing this special midcycle high-risk report on 
cybersecurity, and it was nice meeting with you also.
    GAO's newly issued report raises serious concerns about our 
Nation's ability to confront cybersecurity risk. GAO found key 
deficiencies that could hinder the government's progress in 
strengthening the Nation's cyber defenses. For example, GAO 
found that the Trump administration's plans failed to include 
basic components needed to carry out a national strategy for 
protecting critical cyber infrastructure.
    Among the missing components were details about performance 
measurements and milestones for determining whether the 
country's cyber objectives are being met and the resources that 
would be needed to carry out those objectives. GAO's report 
highlights the need for the administration to develop and 
execute a more comprehensive Federal strategy for national 
cybersecurity and global cyberspace. It underscores the 
importance of having a cybersecurity coordinator in the White 
House to develop a more robust cybersecurity strategy for the 
country.
    But, here again, the Trump administration is not rising to 
the challenge. Two months ago, the President's National 
Security Advisor, John Bolton, eliminated the position of White 
House cybersecurity coordinator. This decision was contrary to 
a prior GAO recommendation to have a White House cybersecurity 
coordinator in the Executive Office of the President develop an 
overarching Federal cybersecurity strategy at a time when our 
Nation is facing persistent cyber threats ranging from foreign 
adversaries who seek to undermine our elections to criminal 
hackers who steal sensitive data. The administration's decision 
to eliminate the key cybersecurity position in the White House 
should raise alarm.
    Today's report also shows that the number of Americans 
whose personal information has been compromised in government 
and private sector data breaches is growing. And there's a need 
for stronger measures and congressional action to protect 
consumer privacy. GAO found that the vast number of individuals 
potentially affected by data breaches at Federal agencies and 
private sector entities in recent years increases concerns that 
personally identifiable information is not being properly 
protected.
    GAO's findings are supported by two recent reports that 
highlight the heightened challenges public and private sector 
organizations are facing in securing sensitive data. In April, 
Verizon issued a report showing that in the past 12 months 
alone, there were over 53,000 incidents and 2,216 confirmed 
data breaches. And just last week, the Attorney General's 
Cyber-Digital Task Force released a report showing that there 
were at least 686 data breaches reported in the first quarter 
of 2018, resulting in the theft of as many as 1.4 billion 
records.
    Last year, data breaches at Equifax in which over 143 
million Americans had their personal information stolen and the 
2015 breach at OPM, which affected approximately 22.1 million 
individuals, illustrate the massive scale of harm to privacy 
and security that these breaches have. To address the growing 
concerns about privacy, GAO recommended that Congress 
straighten out privacy laws, the majority of which were written 
well before the development of new technologies, ranging from 
the use of social networking sites, the facial recognition 
technologies, and many mobile applications. Congress should 
heed GAO's recommendations and reexamine how our privacy laws 
can be strengthened to ensure that consumers' personal privacy 
is adequately protected.
    I want to thank our witnesses for testifying today. And I 
normally would say I look forward to hearing your testimony, 
but I have to leave. But I look forward to reading it on how we 
can improve the Nation's cybersecurity.
    And thank you again, my friend, Mr. Chairman.
    Mr. Hurd. Good afternoon, y'all. Today's hearing returns to 
a familiar field for this subcommittee, an area of top 
bipartisan concern and focus, and that's the cybersecurity of 
the Federal Government. The Federal Government and our Federal 
agencies, like everything else in today's digital society, are 
dependent on IT systems and electronic data, which make them 
highly vulnerable to a wide and evolving array of cyber 
threats.
    Federal civilian agencies reported over 35,000 information 
security incidents to the US-CERT last fiscal year. This 
represents a 14 percent increase over the previous year. 
Securing Federal systems and data is vital to the Nation's 
security, prosperity, and well-being. It should concern all of 
us, therefore, that the GAO has concluded in the interim high-
risk report, that spurred this hearing, that urgent actions are 
needed to address ongoing cybersecurity challenges in the 
Federal Government.
    In this report, the GAO identified four major cybersecurity 
challenges: establishing a comprehensive cybersecurity strategy 
and performing effective oversight, securing Federal systems and 
information, protecting cyber critical infrastructure, and 
protecting privacy and sensitive data. To address these four 
challenges, GAO identified 10 critical actions the Federal 
Government entities need to take. I'm looking forward to 
exploring those 10 items.
    Since 2010, GAO has made over 3,000 recommendations to 
agencies aimed at addressing these four cybersecurity 
challenges. And as of June of this year, nearly 1,000 of those 
recommendations have not been implemented. It's not acceptable 
given the threat we face. These open, lingering vulnerabilities 
put us at incredible risk, as we saw with the devastating data 
breaches at OPM.
    While I do not expect Ms. Kent or anyone else to have all 
the answers today, I want to hear from GAO, the most critical 
open recommendations, and from Ms. Kent, concrete plans to 
close them. I want to commend Mr. Dodaro and his team at GAO 
for issuing this report. Midcycle updates to the high-risk list 
are not common. I recommend all agency CIOs read this report 
and apply the applicable recommendations to the respective 
agencies and systems, because guess what, we're going to be 
asking you about them.
    And, as always, I'm honored to explore these issues in a 
bipartisan fashion with Ranking Member Kelly, Chairman Meadows, 
and Ranking Member Connolly. The four of us have worked 
together for years on these issues, and I'm honored to be 
joined here with them throughout today's hearing.
    Now, it's a pleasure to introduce our witnesses. The 
Honorable Gene Dodaro, comptroller general of the United States 
Government Accountability Office. You always hold a special 
place in my heart because you were my first hearing being in 
Congress. Mr. Dodaro is accompanied by Mr. Gregory C. 
Wilshusen, the director of Information Security Issues at GAO, 
who will also be sworn in. And Ms. Suzette Kent, Federal chief 
information officer at the Office of Management and Budget. I 
think this is your first time here. I don't think it's the 
first time testifying in Congress, but welcome.
    Pursuant to committee rules, all witnesses will be sworn in 
before they testify. So please stand and raise your right hand.
    Do you solemnly swear or affirm that the testimony you're 
about to give is the truth, the whole truth, and nothing but 
the truth, so help you God?
    Thank you.
    Please let the record reflect that all witnesses answered 
in the affirmative.
    And in order to allow time for discussion, please limit 
your testimony to 5 minutes. The entire written statement has 
been made part of the record. And as a reminder, the clock will 
show your time remaining. When it's yellow, you have 30 
seconds. When it's red, your time is up. And remember to press 
the button.
    And we'll start with Mr. Dodaro. You're now recognized for 
5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF GENE L. DODARO

    Mr. Dodaro. Thank you very much, Mr. Chairman, Ranking 
Member Kelly, members of the committees that are here today. I 
very much appreciate the opportunity to be here to discuss this 
important topic.
    This is an area that's been of long concern to me. We at 
GAO designated cybersecurity across the Federal Government as a 
high-risk area in 1997. So nobody could say we didn't warn 
people that this was going to be a problem. In 2003, we 
expanded that high-risk designation to include critical 
infrastructure protection. And, in 2015, we included the need 
to protect personally identifiable sensitive information as 
well.
    Now, the government has taken a number of actions, 
especially since the OPM breach. Mr. Chairman, as you 
mentioned, there's been executive orders, strategies, document 
studies, but there still needs--much more needs to be done in 
this area.
    As you referenced in your opening statement, since 2010, 
we've made over 3,000 recommendations. While two-thirds of 
those have been implemented, there's still 1,000 
recommendations that need action. Now, the four areas that we 
identified I think are especially important.
    First is establishing a comprehensive strategy, and 
importantly, having effective mechanisms in place to oversee 
its effective implementation. And this is to include global 
supply chain issues; critical workforce issues; and in dealing 
with emerging technologies that are going to bring new risk, 
such as artificial intelligence, the internet of things, 
quantum computing.
    Secondly, there needs to be more urgent action to secure 
the Federal information systems. There needs to be more 
effective implementation of governmentwide efforts like 
continuous diagnostics and mitigation. Agencies need to fix 
their systems. There needs to be more attention in responding 
effectively when incidents do occur. Over time, we've seen 
agencies be slow to implement the effective actions.
    On critical infrastructure protection, and this is an area 
that needs a lot more Federal attention. Now, in many areas, 
the Federal Government has some regulatory responsibilities in 
this area, but by and large critical infrastructure protection 
is a voluntary effort by the private sector. The National 
Institute of Standards and Technology has developed an 
approach that the private sector can use, but it's all 
voluntary. So there's really not a clear picture, in my 
opinion, across the different sectors. And there's 16 different 
sectors of the economy that make up critical infrastructure, 
including electricity grid, telecommunications, nuclear issues, 
utilities, et cetera, the financial market areas as well.
    So these are vital to our economic health. They're vital to 
public health and safety. And there needs to be more 
collaboration and a better understanding of to what extent have 
these voluntary standards been implemented by the various 
sectors, and what is their state of readiness to deal with 
these issues?
    The fourth area deals with privacy. Now, here, Federal 
agencies themselves need to better secure sensitive 
information. We've issued reports recently on a need to protect 
Medicare beneficiary data, for example, electronic health 
information systems, data on Federal student loans, there's a 
lot of personal data there, financial data that families 
submit. So that needs to be dealt with definitely. And we need 
to think about what information the Federal Government will 
collect going forward. We've made some recommendations on need 
to eliminate unnecessary use of Social Security information, 
for example.
    We also have recommendations to the Congress in this area. 
The Privacy Act was passed in 1974 and the Electronic 
Government Act in 2002; they need to be updated as well. 
And I'd also--we've recommended, since 2013, that the Congress 
establish a consumer privacy framework for the private sector.
    In those areas, the Federal Government has put out, in some 
sectors, healthcare and, you know, credit reporting, some 
requirements for the private sector. But by and large the 
Federal Government has not set requirements for this area, 
particularly as it relates to information resellers as well.
    So, again, Mr. Chairman, I want to thank you for the 
opportunity to be here today. I asked our team to put together 
this special report because I don't think the Federal 
Government's moving at a pace commensurate with the evolving 
threat in this area, and we need all to work harder, faster to 
address this issue.
    Thank you very much.
    [Prepared statement of Mr. Dodaro follows:]
    
    
    Mr. Hurd. Thank you, Mr. Dodaro.
    Ms. Kent, you're now recognized for 5 minutes for opening 
remarks.

                   STATEMENT OF SUZETTE KENT

    Ms. Kent. Chairman Hurd, Chairman Meadows, Ranking Member 
Kelly, Ranking Member Connolly, and members of the committee, 
thank you for having me here today. I am honored to be here to 
speak with you, and I appreciate all the forums that inspire 
more aggressive actions towards improving Federal 
cybersecurity.
    My goal today is to share with you the progress that has 
been made against the areas highlighted by the comptroller 
general, but more important, to share the perspectives on what 
still needs to be done. And I'd like to engage your continued 
support on that.
    Advancement of our cybersecurity posture, both at agency 
levels and across the Federal enterprise, is one of the most 
important parts of my job. Tomorrow will actually mark 5 months 
serving at OMB as the Federal chief information officer. And I 
joined from the financial services industry where the bar is 
high for cybersecurity and data protection, and I bring that 
same high bar of expectations to my role as Federal CIO.
    I was fortunate to come into the role when the 
administration was setting out the President's Management 
Agenda that focuses on technology modernization, data 
accountability and transparency, and building the workforce of 
the 21st century.
    Cybersecurity is a core component of the PMA's IT 
modernization goals. It's also embedded in the work that we are 
driving under other goals. The goals for sharing quality 
services and improving IT spending have elements that drive the 
use of modern technologies and industry best practices to 
improve our overall cyber posture.
    Additionally, the PMA stresses strategies for recruiting, 
retaining, and re-skilling our Federal IT and cybersecurity 
workforce, because our current status is as much a people issue 
as it is a technology issue. While the PMA outlines the 
critical areas of focus, OMB's statutory cybersecurity roles 
are predominately defined by the E-Government Act of 2002 and 
the Federal Information Security Modernization Act of 2014.
    Our roles align to three main things: development of policy 
and oversight for the Federal civilian systems, assisting 
agencies with data analysis and budget, and gathering evidence 
that promotes solutions that achieve these policies and 
standards. To carry out the responsibilities, we work closely 
with agency technology leaders, DHS, NIST, DOD, the 
intelligence community, and the National Security Council.
    But because cybersecurity requires deep expertise both 
about technology and the mission functions, it does take a 
collaborative approach to address both the agency-specific and 
enterprise demands. I am united with the Federal Inspector 
General community in the mission of securing our systems and 
data on a journey that actually doesn't end.
    The improvements in Federal cybersecurity outlined in GAO's 
report are due to a focus on accountability, and it's my goal 
to further advance the culture of continuous evolution of our 
cyber capabilities and our workforce to tackle the things that 
we still must do.
    In May of 2017, the President signed Executive Order 13800 
regarding strengthening cybersecurity of Federal networks. This 
executive order recognized that we need to defend the security 
of citizen information and ensure the agencies consider 
cybersecurity as a vital part of their core mission. As part of 
this EO, the White House also published a report to the 
President on Federal IT modernization, which included 52 tasks, 
such as safeguarding high-value assets, network consolidation, 
use of commercial cloud solutions, and strengthening identity 
management tactics. I share with you today that 37 of those 52 
tasks have been completed, many of them ahead of schedule, and 
we intend to complete the remaining tasks by the end of the 
year.
    Executive Order 13800 also directed OMB to develop the 
Federal Cybersecurity Risk Determination Report and an action 
plan. Together, OMB and DHS conducted agency risk management 
assessments to measure agency cybersecurity capabilities, and 
very specifically, their risk mitigation approaches. This 
report did evidence that there's still much to do to improve 
the awareness of the threat environment, and we're using these 
findings to prioritize both the investments and the focus of 
resources.
    There are other key initiatives I'll quickly highlight. As 
chair of the Technology Modernization Board, I'm excited by the 
way this vehicle supports acceleration of modernization, and we 
appreciate the funding that Congress provided this year, and we 
hope to receive funding for next year. We are focused on 
enhancing CIO authorities.
    And, lastly, and most importantly, we are updating old 
policies, policies that are not effective given the current 
state of technology capabilities. We're delivering new policies 
for high-value assets, data centers, continuous monitoring, 
cloud technologies, and network optimization in the next coming 
months.
    In closing, I'm fortunate to take on this role with a clear 
and focused technology agenda. Cybersecurity has to underpin 
everything we're doing, from acquisition to operations, because 
the battle is continuous and our effort to raise the bar and 
outpace our adversaries is a mission imperative for every 
agency.
    I look forward to working with Congress and the leaders 
across the Federal Government agencies to be aggressive and 
relentless about improving Federal cybersecurity. And I thank 
you for the opportunity to talk with you today.
    [Prepared statement of Ms. Kent follows:]
    
    Mr. Hurd. Thank you, Ms. Kent.
    Now we'll go to the first round of questions. The 
distinguished gentleman from Georgia is now recognized for 5 
minutes.
    Mr. Hice. Thank you very much, Mr. Chairman. Thank you both 
for being here. Mr. Dodaro, good seeing you again. And, Ms. 
Kent, congratulations on your recent position.
    Last year, fiscal year 2017, Federal civilian agencies 
reported over 35,000 information security incidents. That's a 
stunning number, about a 15 percent increase from the previous 
year.
    This is really to both of you to begin with. What's driving 
that increase?
    Mr. Dodaro. I think there's at least two things. One, 
there's a better awareness on the part of the agencies to 
report incidents, which do occur. But I also think that it's 
being driven in part by more aggressive activity on the part of 
state and non-state actors to try to penetrate the Federal 
Government systems. This applies to critical infrastructure 
protection as well. And so I think it's, you know, both--both 
factors are at play here at a minimum.
    Ms. Kent. I concur. And we do see an increase across the 
entire industry in threats, but you also see the increase in 
reporting, and that's something that we need to continue to 
move more aggressively across all of the agencies.
    Mr. Hice. All right. So it's both, and we're having more 
incidents, more attacks, and we're also getting better at 
detecting them?
    Ms. Kent. Yes.
    Mr. Hice. All right. Can you walk me through some of the 
various means that attackers use to initiate some sort of cyber 
attack, the threat vectors? What's most common? What's most 
preventable?
    Mr. Dodaro.
    Mr. Dodaro. Yeah. There's--you know, phishing attacks have 
been particularly prominent lately in terms of somebody sending 
an email to someone in the hopes that they'll download 
malicious code or other factors. There's, you know, social 
engineering that takes place in those areas as well. There's--
one of the largest categories, though, in the reporting is 
other. And other includes they don't know what the threat 
vector was and how people were able to penetrate the system. 
That is one of the most concerning aspects of this.
    Mr. Hice. All right. I want to get there. What are the 
vectors? When you talk about vectors, what--you've got 
phishing, you got--what else? What are we dealing with?
    Mr. Dodaro. Yeah, we have a pie chart in our testimony. Let 
me just pull that up here.
    Ms. Kent. Improper usage, email and phishing.
    Mr. Dodaro. Right.
    Ms. Kent. Loss and theft of equipment and other web-based 
attacks.
    Mr. Hice. Okay. So those comprise more or less 70 percent. 
Then you mentioned 31 percent----
    Mr. Dodaro. Right.
    Mr. Hice. --other. So does that mean we have no idea how 
they're breaking in or what they're doing, or what does that 
mean?
    Mr. Dodaro. That means that there's--it's unknown, and in 
some of these cases how these things have occurred. I mean, 
that's the concerning part of this, and that's one of the 
points that we make in the report. That's why it's important to 
have an effort to detect these things when they occur. What's 
been reported in these cases, I mean, the attacks happen in a 
matter of minutes, but the detection doesn't occur for months 
later. And that impairs the ability to determine exactly what 
happened that led to this attack situation.
    Mr. Hice. All right. Ms. Kent, do you want to add to that, 
your definition or whatever of other?
    Ms. Kent. I would just add to the last point that Mr. 
Dodaro made, is that we have identified that we have to move 
much more quickly when an attack is identified, to not only 
share that threat information across agencies, but to act and 
begin immediate remediation of those issues.
    Mr. Hice. All right. Once an attack comes in, particularly, 
I'm with you, concerned about the other where we have no idea 
how they're getting in. Is there any way of tracking where 
they're coming from?
    Mr. Dodaro. Some of that's possible with some forensics, 
but in some cases there's not clear audit trails in the systems 
that are created in the documentation there. One of the big 
problems, Congressman, here is that, you know, the Federal 
Government and a lot of agencies are saddled with these legacy 
financial systems that are like a millstone around their neck. 
They're old systems. They were designed before security was a 
prominent area. Some of them at IRS are from the sixties. And 
so there's not good documentation and, therefore, there's not a 
good audit trail to follow to figure out how things were 
introduced.
    Mr. Hice. Which is surprising to me and kind of inexcusable 
seeing that 10 and 10 and 10 of millions of dollars we give for 
IT on an annual basis around here. It just amazes me that we're 
still using such legacy systems. It seems like----
    Mr. Dodaro. Well, of the billions of dollars that you give 
every year, $80-$90 billion, 75 percent of it goes to maintain 
these legacy systems.
    Mr. Hice. Rather than get updated.
    Mr. Dodaro. Rather than get updated. That's why we added IT 
acquisitions and operations across the government as a high-
risk area in 2015.
    Mr. Hice. My time has expired. Mr. Chairman, thank you so 
much.
    Mr. Hurd. The representative from the District of Columbia, 
Ms. Holmes Norton, you're now recognized for 5 minutes.
    Ms. Norton. Thank you very much.
    And I must say, not only do I appreciate our guests 
appearing, I appreciate the committee for having this hearing, 
because frankly, I think Americans are increasingly terrified, 
wondering if anybody is protecting their cybersecurity. And the 
reason I think so is what we're hearing even on mass media.
    This is really an old problem. How many years ago was it 
this very committee had a hearing on how our Federal employees 
had been penetrated, and the Congress actually, at that time, 
gave Federal employees 10 years of protection against further 
penetration by way--I'm sure that's running, I'm not sure how 
long it has to go. I have a bill called the Recover Act. In 
light of the negligence of the Federal Government, it seems to 
me that the very least we could do would be to give lifetime 
coverage. And that's been sufficiently long ago, more than 5 
years ago. I think it's going to come up against soon and we're 
going to be faced with that question for our own employees.
    Now, this committee had a recent hearing, and if you want 
to get--if you want to frighten our people, the head of the 
DHS, Under Secretary, testified that the Russians were already 
scanning--it's the word he used--all 50 States. He couldn't 
tell me that all 50 States, they were doing something in all 50 
States. It sounds like reconnaissance. We're looking to see 
when to hop and whom to hop upon.
    So I'm very interested, I think because I represent so many 
Federal employers that were among those first implicated.
    And, Mr. Dodaro, I'd like to ask you about Federal 
strategy. I'd like to be able to say I left this hearing and I 
learned something that should put some of my own constituents 
at ease.
    Would you tell me what the Federal strategy is for 
protecting national cybersecurity here and penetration globally 
from outside of the United States? Do you have access to such a 
national strategy?
    Mr. Dodaro. There are several documents that have been put 
forward by the executive branch. DHS----
    Ms. Norton. Would you call that a national cybersecurity 
strategy? And what do you mean by documents? Would you tell us 
what a document does?
    Mr. Dodaro. Sure. Sure. Sure. You know--well, first of all, 
our main point today is there's a need for a more comprehensive 
national strategy.
    Ms. Norton. There must be something, if you say a more 
comprehensive----
    Mr. Dodaro. Right, right. There has been a foundation laid 
by the government for these strategies. DHS has a strategy that 
they put forward, they're responsible for coordinating across 
the Federal Government, and with critical infrastructure 
protections, and they've laid out a number of components of 
that strategy. But we found they need--they didn't identify who 
the--what resources they needed, how they were going to 
determine they were making progress----
    Ms. Norton. Since several agencies would be involved, who 
should be in charge of coordinating the development of a 
strategy--cybersecurity strategy?
    Mr. Dodaro. Well, it needs----
    Ms. Norton. National cybersecurity strategy.
    Mr. Dodaro. Yeah. You need to have either an individual or 
an entity or a process in order to have somebody to 
coordinate----
    Ms. Norton. For example, with more than a number of 
agencies involved, who would you suggest? You, the GAO, might 
be----
    Mr. Dodaro. Well, it needs to be led out of the White 
House, in my opinion.
    Ms. Norton. It needs to be led out of the White House. Back 
and forth.
    Mr. Dodaro. Because you're dealing with national and global 
issues in this case.
    Ms. Norton. That's where the coordination needs to happen, 
and I appreciate that.
    Mr. Dodaro. Well, it needs to happen at all levels, but 
the----
    Ms. Norton. Now, somebody needs to be in charge. My 
concern, Mr. Dodaro, is I can't say to my constituents, don't 
worry about it. Either some agency is in charge or somebody in 
the White House is in charge.
    What about milestones? Are there at least and what has been 
put forward by individual agencies, milestones, so that I could 
say to my own constituents, well, they're this far along and 
here's an example? That's what people are looking for. Assure 
me. Reassure me.
    Mr. Dodaro. No, we would like to see more milestones. DHS 
has told us, for example, they're working on their strategy, 
it's supposed to be out next month, that would identify 
milestones that would include the resources and the performance 
measures. So we'll wait to see. But that's supposed to be 
forthcoming.
    Ms. Norton. Ms. Kent, finally, let me ask you, because you 
are dealing with the IT strategy for the Federal Government. Do 
you have milestones? And where are we when it comes to helping 
agencies operationalize these policies so that there is at 
least governmentwide such an IT strategy? Are they milestones? 
Who's implementing them? Who's in charge? Are you in charge? 
You're the chief financial officer, or please detail that.
    Ms. Kent. There are indeed milestones, and many of the 
points that have been made around deployment of continuous 
diagnostic and monitoring tools, securing agency data, 
modernizing their technology are part of the milestones that we 
are tracking. You did see in the report that we are behind 
across the agencies on some of those. So we have a very 
specific focus.
    There was a milestone set for deployment of the continuous 
diagnostic and monitoring tools. We have not met that 
milestone, and we're working very aggressively with the----
    Ms. Norton. What are monitoring tools, please?
    Ms. Kent. To be able to--for all of the agencies to have 
implemented tracking capability so that they know what is on 
their network.
    Ms. Norton. Yeah. I'm worried about the scanning, for 
example.
    Ms. Kent. Yes. So that we know who is accessing their 
network----
    Ms. Norton. Yeah.
    Ms. Kent. --and what. And so we are working very 
aggressively with DHS. And one of the critical things that we 
did as part of the President's Management Agenda was reassess 
high-value assets. I am pleased to say that we had 100 percent 
participation from every agency to identify those assets that 
are most critical, applications and data, and we're working 
with DHS on those that are most critical for next set of 
activities.
    Ms. Norton. Thank you very much.
    Mr. Chairman, I think the committee needs to do more to 
press the milestone notion so that we can reassure the American 
people that we're getting there and how soon we're going to get 
there. Thank you very much.
    Mr. Hurd. Thank you.
    The gentleman from Michigan is now recognized for 5 
minutes.
    Mr. Mitchell. Thank you, Mr. Chair.
    I'd like to pursue a little bit the questioning that my 
colleague had a few moments ago about these 35,000-plus, quote, 
incidents. Can you define, Mr. Dodaro, a little more carefully 
what an incident is, in your interpretation?
    Mr. Dodaro. I'm going to ask Mr. Wilshusen, our expert in 
this area, to explain those.
    Mr. Mitchell. Turn your mic on, sir.
    Mr. Dodaro. Oh, I'm sorry. I'm going to ask Mr. Wilshusen 
to explain those. He's our expert in that area.
    Mr. Mitchell. Because these aren't--incidents aren't just 
someone tinkering around trying to scan in your system. Please 
define them a little more carefully.
    Mr. Wilshusen. Right. These would be incidents that 
actually have impacted an agency operation or so. They were 
able to gain access, and they do this through a number of 
different mechanisms. One of the more common ones, it's just 
through what is known as a phishing attack.
    Mr. Mitchell. Phishing, sure.
    Mr. Wilshusen. In which you send an email with a link and 
someone clicks on it and it sends them to a----
    Mr. Mitchell. Sends malware.
    Mr. Wilshusen. --or download some suspicious software.
    Mr. Mitchell. Okay.
    Mr. Wilshusen. It can also be the loss or theft of 
equipment that contains sensitive information as well.
    Mr. Mitchell. Sure.
    Mr. Wilshusen. So there are a number of different types of 
incidents, but these are ones that do have an impact or can 
have an impact on the agency.
    Mr. Mitchell. Now, Mr. Dodaro, you referenced earlier that 
state and non-state actors has been suggested as discussions 
already started that, again, we're back to Russia. These state 
actors, examples of state actors impacting our systems go far 
beyond Russia, do they not?
    Mr. Dodaro. Yes, they do. I mean, some of the intelligence 
community has singled out, you know, Russia, China, Iran, North 
Korea, as you know, actors in this area as well.
    Mr. Mitchell. I'll run the risk of offending some people by 
saying that I believe occasionally some of our allies actually 
occasionally are trying to wander around our systems too.
    Mr. Dodaro. It could be. I mean, I would defer to the 
intelligence community for those responses.
    Mr. Mitchell. I'll let them get into it. I want to stress, 
the reality is we face threats both internally and externally 
through cybersecurity.
    When an incident happens, Ms. Kent, how--what's the 
timeframe by which you're informed we have some level of an 
incident?
    Ms. Kent. There are various timeframes depending on the 
incident and when the agency identifies the particular 
activity. Like you just heard, there's different types of 
issues and incidents. Some of those may be very quick, others 
may be a longer timeframe. And as Mr. Dodaro indicated, 
particularly in situations where there is some type of malware 
or an attempt to----
    Mr. Mitchell. Let me stop you. I appreciate it. You've 
got--I understand they can't inform you until they know about 
them; that's problem one. We'll get to that in a moment. 
Problem two is that the time from when they have knowledge of 
the incident, what's the general--what's the expectation--let 
me change that--what's the expectation that you put out, the 
White House has put out to inform you that we have an incident 
of some form? What's the expectation?
    Ms. Kent. The expectation is that the agency informed DHS, 
who is looking at our enterprise risk, and we are tracking 
all----
    Mr. Mitchell. What's the timeframe on that? Once more, what 
is the timeframe on that?
    Ms. Kent. As immediately as they know.
    Mr. Mitchell. So, theoretically, the same day, next day, 
that night, whatever the case may be?
    Ms. Kent. As quickly as they have identified the incident.
    Mr. Mitchell. When do you find out about it?
    Ms. Kent. I find out in reports from DHS.
    Mr. Mitchell. Which is--takes what kind of timeframe?
    Ms. Kent. Depends on the type of incident.
    Mr. Mitchell. Go ahead, give me examples.
    Ms. Kent. I don't actually have an example.
    Mr. Mitchell. Okay. Let me ask you a question, if I can, 
Mr. Dodaro. The FISMA audits that are done, in your opinion, 
are they sufficient, and are actions being taken on those 
audits at this point in time?
    Mr. Dodaro. They're a starting point because they're 
supposed to identify a comprehensive information security 
system. We find that there are deficiencies in all aspects, 
access control, segregation duties, configuration management, 
contingency planning, so--and they're not remedied as quickly 
as possible. So there are serious security weaknesses that have 
existed for years, and a number of the FISMA audits at the 
agencies are in place. But there needs to be more done, because 
they need to have better response when they find incidents.
    Mr. Mitchell. Who's responsible for those--for that 
followup?
    Mr. Dodaro. Well, each agency is responsible for their own 
actions, and this is an issue, because they're not correcting 
the problems fast enough, in my opinion. That's why we have it 
as a designated high-risk area across the entire Federal 
Government. Virtually every agency has serious weaknesses. And 
I don't think enough attention's focused by agency managers on 
getting these areas fixed. We've made recommendations to OMB 
that they send out more guidance to the agencies to hold senior 
leaders accountable for getting these weaknesses fixed.
    Mr. Mitchell. One of the things that astonished me, and my 
time expired here, but let me finish this one comment, Mr. 
Chair, is that when I first joined Congress and joined this 
committee, I was astonished by the number of agency chief 
information officers that--how do you get someone leading when 
you've got all of these people doing their own thing? I mean, 
you----
    Ms. Kent, you were in the private sector, and I am short on 
time so I can't--that didn't happen in your world, now, did it?
    Ms. Kent. It did not. And that's also one of the focuses 
that we have had both under FITARA as well as the recent 
executive order to have a single CIO that has accountability, 
responsibility, and visibility across the entire agency, so 
that we can move the types of things that we were talking about 
much more quickly.
    Mr. Mitchell. And with that, when there's an incident, they 
should tell DHS and they should tell you at the same time.
    Ms. Kent. Yes.
    Mr. Mitchell. Thank you. I will yield back. Thank you, Mr. 
Chair, I'm sorry.
    Mr. Hurd. The distinguished gentleman from Iowa is now 
recognized for 5 minutes.
    Mr. Blum. Thank you, Chairman Hurd.
    Mr. Dodaro, good to see you again. Ms. Kent, good to see 
you. Thank you for appearing today.
    I'm going to change gears a little bit, and I'd like to 
hear from you your expertise on cloud computing. I understand 
the Department of Defense is going to have a private company in 
the private sector host, via the cloud, a lot of government 
data. And I don't know, my first reaction is, you know, it 
concerns me a little bit, it concerns people in my district 
when they hear that. Maybe I shouldn't assume anything.
    Do you feel confident that this data will be more secure 
than if it were with the Federal Government, and why?
    Mr. Dodaro. Cloud computing offers the potential for, first 
of all, cost savings, and a more rapidly updating of the 
systems that are used in place. You know, as we mentioned, you 
know, these legacy systems have been in the Federal Government 
for a long period of time, and that's a big problem. If you go 
to the cloud, then the updating of those systems become the 
responsibility there.
    Now, that being said, there are cost efficiencies and other 
efficiencies that could be gained. The security is a paramount 
issue that needs to be addressed. We're looking now, there is a 
program that's supposed to ensure that there's security over 
the cloud operations. It's called FedRAMP, is the acronym for 
it. And we're looking to see if it's an effective tool to make 
sure there's adequate security in the cloud operations.
    Now, the last point I'd make is that the Federal 
Government's own record of security is pretty abysmal. So, you 
know, as a starting point--so I don't think, you know, 
everybody--everybody have a total confidence that everything's 
fine now, and it may be worse later if we move to the cloud. 
But you have to be careful in making the move to the cloud 
environment to make sure there's adequate security.
    Mr. Blum. So more secure is what you feel, I guess?
    Mr. Dodaro. It could be, but we need to take care to make 
sure the requirements are there, they're set properly, there's 
adequate testing, there's certification, there's requirements 
and operations. It offers a lot of potential for savings, cost 
savings for the Federal Government, and more up-to-date systems 
that are better patched properly and in place. But the security 
remains as much of a concern with the cloud environment as it 
does with the Federal agencies, and we need to take due care.
    Mr. Blum. Ms. Kent.
    Ms. Kent. Yes, sir. I agree that it can be--it can 
definitely be secure. And in many cases, it is maintained in a 
way that we've--we have seen--we have not necessarily done 
across some of the Federal systems.
    I would add two other things to what Mr. Dodaro said, is 
that there's a discipline around understanding the data and 
what we're moving to the cloud and how we control access to 
that. And that is the discipline that we're trying to drive 
with the agencies as they're considering their transformations 
and the cloud technologies that they're using. So it's a 
combination of the security that's available with the 
technology, what we're putting there, and how we manage access 
to that information.
    And so those are the disciplines that we are--that my 
office is working directly with the agencies as they consider 
these acquisitions.
    Mr. Blum. Mr. Dodaro, we often hear things like the Federal 
Government was slow to respond to an emerging threat, 
especially cybersecurity threats. What have you found in that 
regard, and why?
    Mr. Dodaro. It brings a new definition of slowness, okay. 
In this area, you know, we first designated it as a high-risk 
area across the Federal Government in 1997. So I've been trying 
for over 20 years to get attention to this area. You know, we 
actually built a computer lab facility that could simulate the 
operating environment of agencies in the early nineties, and 
actually did a penetration testing to get people's attention 
that there could be issues that needed to be dealt with.
    And we very, very--it took a long time, but we finally 
convinced the Congress, legislation began being introduced in 
2000, 2002, creating the Federal Information Management Act, 
the FISMA Act, that was updated. And it really wasn't until the 
OPM breach that a lot of--in 2015--this is, you know, so many 
years later that agencies began to move and the administration 
began to move.
    But even then, to this day, I'm not sure OPM has fixed all 
the weaknesses that led to the original data breach. We went in 
a couple of times and we haven't found the problem. So it's 
perplexing to me that there hasn't been enough urgency 
associated with dealing with this issue. And I'm pleased to 
hear from Ms. Kent and others that they're going to sort of up 
the game here to be aggressive in this area.
    But there's no question that there has been adequate 
warnings about these areas that GAO has been given that has 
been on our top risk list for many years, both within the 
Federal Government, but also critical infrastructure 
protection. We put that on in 2003. And concern about the 
electricity grid, the financial markets, telecommunications, 
and we're moving in that area, but that's--you know, right now, 
it's all voluntary on the part of the private sector, and I can 
understand that, but we need to have a partnership and more 
information exchange between the private sector and the other 
sector.
    I mean, this is a national security issue, not just, you 
know, a privacy issue. And privacy has been slow too. You know, 
we've recommended that the Congress change the--update the 
privacy laws. The original privacy Act is 1974. E-Government 
Act in 2002. Many things have changed since then that there 
needs to be updated information. And while the Congress has 
only identified some sectors of the economy, healthcare, credit 
reporting, to put in place rights for consumers about data 
that's collected about them, there is no consumer privacy 
framework. We've recommended that Congress consider creating 
one since 2013.
    So, you know, we've been urging for a long time now more 
attention to this area. I'm glad that we're having this 
hearing, but I think the pace of change needs to pick up quite 
a bit, because the threats are evolving way faster than the 
government's ability to deal with it.
    Mr. Blum. I heard the phrase, and I'll end with this, the 
warfare of the future may not be bombs, it may be bits and 
bytes, not bombs. And I know we spend a lot of money on bombs, 
and we should, but I think we need to give attention to bits 
and bytes, cybersecurity as well.
    Mr. Dodaro. Yeah, absolutely. Absolutely. You know, in 
conventional warfare the first thing people do is take out your 
communication systems, take out your transportation structure, 
your ability to have power. But to do that you'd have to 
physically invade the country. Today that's not exactly the 
same. You can do it from your own country.
    Mr. Blum. Thank you for your insights. And I yield back the 
time I do not have, Mr. Chairman.
    Mr. Hurd. I generally try to have a PMA, a positive mental 
attitude. My dad taught me that. And I think there has been 
some bright spots over the last 3-1/2 years since I've been in 
Congress.
    Federal CIOs have more power than they have in the past. 
They're getting more involved in the procurement process, 
because we can't hold Federal CIOs accountable if they don't 
have the responsibilities on what goes on their network. And 
that's something that this committee has fought for in a very 
bipartisan way.
    I believe when we first started this committee, there were 
only four CIOs that reported to the agency head or deputy 
agency head. I think now there's only four that do not. And I 
believe by the end of the year, there would only be one that is 
probably not reporting. So, again, empowering the men and women 
in the CIO.
    I've been surprised over the last few months, I've had a 
number of businesses say that they are happy with improved 
sharing of intelligence threat information between the Federal 
and the private sector. Now, that's part of DHS's role, and I 
think DHS is the only entity that can get into that mode of 
need to share. And we are seeing what DHS is able to do. And 
their technical capabilities to help across the other 24 CFO 
agencies, I think, are improving. And one of the things that is 
leading to and causing us to see the number of threats 
increase, because, guess what, DHS is doing their job. Right?
    Now, having done this kind of work before, guess what, I'm 
always going to get in. How quickly can you detect me, how 
quickly can you quarantine me, and how quickly can you kick me 
out is the mentality that we need to be in. But why are some 
basic things--MEGABYTE Act. The MEGABYTE Act says every agency 
should know what software they have on their networks. Is that 
hard to do, Mr. Dodaro?
    Mr. Dodaro. No.
    Mr. Hurd. Ms. Kent, is that a hard thing to do to be able 
to catalog the software that you have on your system?
    Ms. Kent. No, sir, we have an opportunity to do much 
better.
    Mr. Hurd. And so what is the--what more do we need to do to 
drive that behavior? Megabyte is important, knowing what your 
software is, and that's why we've added it on to the FITARA 
scorecard. The FITARA scorecard is evolving into a digital 
hygiene scorecard. Naming and shaming is really what we're 
doing. We're trying to give CIOs the authority with MGT, the 
Modernizing Government Technology Act, to get out of this 
notion of if you don't use it, you lose it. So now there's 
motivation to--motivation to modernize.
    What other carrot sticks should we be using or do you need 
in order to compel compliance on some very basic things, like 
knowing what software you have?
    Ms. Kent. First, I have to applaud and say thank you for 
the continuous focus on the FITARA scorecard because having 
that level of transparency does make it a priority.
    To your point on MEGABYTE, there are tools and technologies 
that we can do that with, especially if it's a priority.
    One of the things that I would ask that would be of great 
assistance is the continued focus on workforce activities. In 
many cases, we still have almost a 25 percent gap in the number 
of cybersecurity resources that we need across Federal agencies 
and what we actually have in place. And, particularly, we have 
some gaps in leadership and individuals--places where we have 
open positions that are key leaders. In many cases, the 
individuals, when we get them in, their tenure is less than 12 
to 18 months.
    So there are multiple workforce actions, both at entry 
level and at leadership, and there are things that we continue 
dialogs with the private sector to see if we can fill those 
gaps.
    Mr. Hurd. Do we still believe it's--is the number still 
15,000, roughly, IT positions that are unfilled across the 
Federal Government?
    Ms. Kent. Yes. Yes, sir.
    Mr. Hurd. How is the process going to catalog what those 
positions are? Because we don't have common job descriptions 
across the Federal Government. This is something that OPM was 
supposed to be working on. I'd welcome an update on this 
initiative.
    Ms. Kent. We are making good progress on that at clarifying 
the specific positions, as well as common nomenclature. 
Particularly, the CIO Council recently published a CISO 
Handbook to ensure that we are holding our cybersecurity teams 
accountable for the same standards of behavior across all of 
the agencies, but we still have work to do to fill those 
positions. And particularly in the entry levels to ensure that 
potentially we are identifying other skill sets in the Federal 
Government that we can move into some of those positions.
    Mr. Hurd. So when will we have a common picture of what 
positions are open and what these positions are going to be?
    Ms. Kent. I know that it is in the works, and I will get 
the date back to you.
    Mr. Hurd. Mr. Dodaro, you mentioned in your written 
remarks, the national initiative for cybersecurity education, 
cybersecurity workforce framework. Is that ringing a bell?
    Mr. Dodaro. It will ring Mr. Wilshusen's, it will ring his 
bell.
    Mr. Hurd. It will ring his bell. All right.
    Mr. Wilshusen. It does.
    Mr. Hurd. What is that? Where are we--you know, the report 
recommends, and y'all's report recommends that this is 
something that is not being addressed properly. Can you give us 
a little bit more context to this?
    Mr. Wilshusen. Sure, absolutely. The NIST's Cybersecurity 
Workforce is an attempt to kind of have a common language and 
designation for cybersecurity and IT-related activities. And 
the intent under the Federal Cybersecurity Workforce Assessment 
Act, Federal agencies are required to assess their 
cybersecurity workforce, identify the specific functions 
associated with each of those positions, or their IT and cyber 
positions, and then assign codes to it in the attempt to 
identify critical areas of need as it relates to cyber.
    We issued a report last month that showed that 13 out of 
the 23--24 agencies that we examined had not performed all of 
the activities that they were required to do. And we ended up 
making about 30 recommendations to those 13 agencies. We have 
ongoing work continuing--following up on the status of those 
recommendations and agencies' actions to finish implementation 
of the requirements of that Act.
    Mr. Hurd. Good copy. We will come back on a round two. And 
now, I'd like to recognize my friend from New York, Mrs. 
Maloney, for her 5 minutes.
    Mrs. Maloney. Thank you very much, Mr. Chairman and Mr. 
Ranking Member, and all of the panelists.
    Mr. Dodaro, in the high-risk report that GAO issued today, 
it states that the vast number of individuals potentially, if 
affected by data breaches at Federal agencies and private 
sector outlets, increases concern considerably that personally 
identified information is not being properly protected. And I 
think I agree with you completely too. Given the breaches that 
we've seen with Verizon in April, they released a report 
showing that in the past 12 months alone, there was a total 
over 53,000 incidents, and over 2,200 confirmed data breaches. 
And then in 2017, we saw the really awful data breach at 
Equifax, which was over 143 Americans had their personal 
information stolen. And the 2015 breach at OPM, which affected 
approximately 22 million individuals. It demonstrates the 
absolute massive scale of harm to privacy and security that 
data breaches can have, and this doesn't even get into the 
alleged foreign governments that are hacking into our private 
material.
    The high-risk reports states, and I quote, that the laws 
are currently written may not consistently protect personally 
identified information in all circumstances of its collection 
and use, end quote.
    Can you briefly explain how our current privacy laws and 
framework for protecting individuals' privacy is not adequate? 
Obviously, it's not adequate with this large number of breaches 
taking place. There's some reports that every person in 
government has been hacked. That everybody's breaking in 
everywhere. So could you respond to that?
    Mr. Dodaro. Absolutely. First, the Privacy Act was 
originally passed in 1974, so it's very dated and did not have 
anywhere near the context of the current computing environment 
in place, and what is likely to occur in the future. There was 
the E-Government Act in 2002 that took a couple of steps, but 
not sufficient.
    Here's two examples. One is that the current definition 
deals with a system of records that the government's 
responsibility is protecting that. That doesn't say anything 
about data mining, it doesn't say anything about databases that 
are used and scanned and scraped and whatever definition you 
want to use. So the ability now to be able to manipulate the 
data doesn't really--is not contemplated under current law.
    Second, it gives the Federal agencies the ability to only, 
you know, use the data for, quote, authorized purposes. Now, 
that doesn't necessarily give the individuals whose data is 
being collected an understanding of what is an authorized 
purpose. So there's really not clarity about what the Federal 
Government's limits or abilities are to be able to deal with 
these things.
    Mrs. Maloney. What would you say is an authorized purpose?
    Mr. Dodaro. Well, it's--every agency is allowed to define 
it in their own way, which is what----
    Mrs. Maloney. Well, that's not right.
    Mr. Dodaro. Well, that's what we're saying. Basically, 
there needs to be more clarity on exactly----
    Mrs. Maloney. Can you get back to the committee with an 
explanation or a recommended definition of this?
    And you went on to say in your report that--that we needed 
to strengthen our consumer privacy laws. Is that right?
    Mr. Dodaro. Yes.
    Mrs. Maloney. Could you get back to us on how you would 
expect us, or to me, on how you'd like us to strengthen it?
    And if Congress does move forward with amending and 
updating the Nation's privacy laws, which we should, what are 
the key changes that you believe must be achieved?
    Mr. Dodaro. Yeah. We will definitely provide all that 
information to you in detail.
    On the consumer privacy framework, really, there isn't one, 
except in the healthcare area and HIPAA, for example, or 
Federal credit reporting, or some other information--
everything--nothing else is really covered, including 
information reselling of data.
    And with other technologies, facial recognition technology 
and other things, there is no consumer financial privacy--or 
consumer privacy framework in place, and we recommended that it 
be put in place. So we can give you some examples of that.
    Mrs. Maloney. Please do. Please do give it.
    And I do want to get to OMB for a moment, Ms. Kent. What is 
the administration's timeline for implementing GAO's 
recommendations? Are you implementing these recommendations 
they put out?
    [3:24 p.m.]
    Ms. Kent. We're in process of many of the recommendations, 
particularly the ones that are in the area of Federal systems 
and information and, actually, in the privacy and security area 
that you just talked about.
    One of the key elements around how we secure data and 
citizen data is the efforts under IT modernization.
    It is very difficult or complex to secure data in systems 
that are over 20 years old. And as we modernize, we have better 
tools for data encryption and management of the data both at 
rest and in movement, and that is one of the ways that we 
protect all information that we have within our Federal agency 
purview against any type of threat.
    Mrs. Maloney. And very briefly, how can Congress assist you 
in this really huge effort and very, very important one? It 
used to be privacy was utmost concern on everyone's mind. And 
now with terrorism, attacks, and other things, it's not taken 
the really important level that it should in our country. And I 
want to express my appreciation for your report. But how can we 
help you?
    Ms. Kent. Congress can continue to help us through funding 
of the teams that focus on these efforts, through creative 
vehicles like the Technology Modernization Fund that let us 
actually advance the modernization activities much more 
quickly, as well as the efforts that I spoke of earlier on 
workforce.
    Mrs. Maloney. I'm way past time.
    Thank you for indulging, Mr. Chairman. I yield back. Thank 
you.
    Mr. Hurd. The distinguished gentleman from the Commonwealth 
of Virginia and ranking member is now recognized for his first 
5 minutes of questioning.
    Mr. Connolly. Thank you, Mr. Chairman. Thank you for your 
commitment to this subject matter.
    Mr. Dodaro, I want to thank you and GAO for elevating this 
particular part of the issue to your high risk grouping. 
Because it forces us to at least talk about it, hopefully do 
something about it, and you've been instrumental in the past in 
supporting our FITARA legislation and our scorecard efforts and 
the like. And I really credit GAO with helping us make the 
progress we've made.
    Last May, the Trump Administration, however, eliminated the 
White House cybersecurity coordinator position from the 
National Security Council. In light of your elevation of this 
as a high risk category, in retrospect, was that a prudent 
move? Was that a welcome move in the context in which you've 
delineated this subject matter?
    Mr. Dodaro. I think, just for clarification, we've had this 
on the high risk list since 1997, so this isn't a recent 
elevation. I'm concerned that there hasn't been enough progress 
in addressing this issue. I was, you know, surprised that the 
position was eliminated. I've been told that those 
responsibilities have been divided among two people. I haven't 
had a chance, since it's a recent activity, to look into it 
more. We plan to do that in the future.
    So once we look into it and see how they're planning to 
approach it with the elimination of that position, I'll be in a 
better position to advise the Congress on what to do.
    We've never really evaluated this cybersecurity coordinator 
role. We've been more focused on getting a national strategy in 
place and making clarifications. And I haven't really examined 
fully what that position did, what kind of resources they had 
available and what their accomplishments were during that 
period of time.
    So it's an area that I'm concerned about. You always want 
to have good leadership, and you can have good leadership in a 
number of different ways, but I want to look at it more 
carefully before I advise on exactly what would need to be done 
differently from what they're contemplating doing.
    Mr. Connolly. Yeah, you may be right. I mean, maybe 
diffusing responsibility or splitting responsibility allows us 
to have a sum greater--you know, the whole greater than the sum 
of the parts.
    On the other hand, you know, there was a report in Politico 
that said since its creation in 2009, the White House 
cybersecurity coordinator position has been key in resolving 
conflicts among agencies, preparing cabinet leaders to make 
major policy decisions, and responding to crises.
    As you know, Mr. Dodaro, sometimes--maybe more often than 
not--in government, you need a central focus. You need some 
champion who is vested with authority and responsibility for 
moving an agenda, for advocating for a cause. And absent that, 
often in big bureaucracies, you know, something we all think is 
a good thing just kind of dies on the vine for lack of 
attention and championship.
    So I would welcome you looking at that because I think we 
would want to know, did the Trump Administration make a good 
decision or did it make a mistake in abolishing this position.
    Ms. Kent, do you have views on that? I'm sure you do.
    Ms. Kent. Sir, I don't know that I would--what I would 
reflect is that the activities for the Federal agencies are 
directed by Homeland Security Advisor Fears. And in fact, my 
chief information security officer has a dual reporting 
relationship between him and me, so that there is no miss or time 
in translation for things that we need to take action on.
    And I think I have a very clear set of mandates of actions 
that we need to take across the Federal agencies.
    Mr. Connolly. Well, I'm glad to hear that. Do you know how 
long it took to get a CTO?
    Ms. Kent. To get a--I'm sorry?
    Mr. Connolly. A chief technology office or a CIO for the 
Federal Government?
    Ms. Kent. Yes, sir, I do.
    Mr. Connolly. In this administration, it is over a year.
    Ms. Kent. Yes, sir.
    Mr. Connolly. So I have to tell you, given that record, it 
is not exactly confidence-building that, you know, you've got 
it and you're moving an agenda--not you personally--but the 
administration. I mean, words are nice but actions are 
important.
    If I may, Mr. Chairman, because I think I'm going to have 
to run, I have one other subject that is of deep concern to me. 
And again, I'm going to ask you, Mr. Dodaro, to look into this.
    And I agree with what you said, Ms. Kent, we've been 
champions about the need to upgrade legacy systems or replace 
them, and to, you know, come into this part of the 21st Century 
so that we can encrypt, we can protect.
    But what is, you know, the purpose of technology is to do 
the job better. It's to be deployed. It is to give us 
capabilities we otherwise might not have. One of those 
capabilities is telework.
    And I can tell you as someone who lived through 9/11 and 
has lived through lots of hurricanes and other kinds of things 
here in the Nation's Capital, telework increasingly becomes 
critical to continuity of operations, without which, government 
shuts down.
    And what has disturbed me is that the Trump Administration 
seems to be going in exactly the wrong direction with respect 
to telework. The Department of Education issued new guidelines 
that seem to severely curtail our robust program.
    USDA, which is highly touted by Jared Kushner and Chris 
Liddell--and I met with them and had a good meeting--but I did 
bring to their attention that I felt Secretary Perdue was going 
in the wrong direction on telework. He actually curtailed that 
program there.
    And then your office issued guidelines that, from the White 
House, that actually would limit, as I understand it, telework 
to be defined as no more than one day a week.
    Now, I don't know anyone in the telework profession who 
would agree with that definition. No one. Telework is to be 
encouraged more than one day a week. It's a structured program. 
It's not a spontaneous, like ``gee, I feel like teleworking 
today.'' That's not how it works. But we want to get the 
maximum benefits and we want to deploy technology, and we want 
to make sure this is part of the offering for the next 
generation of Federal employee. Because millennials expect that 
as part of the offering.
    So what is going on here in terms of the reluctance to 
encourage rather than constrain telework in this 
administration? I have to confess to you, and then I'll shut 
up, I was really particularly bothered by this because we 
actually had a good meeting at the White House where we found 
common ground. And I reassured Mr. Kushner and Mr. Liddell 
that, frankly, if they continued going in the direction they 
described they would have our support, which is not an every 
day occurrence. And then this happened.
    And this seems to fly in the face of the kind of progress 
we thought we were going to make in common.
    Ms. Kent. Sir, I'm not informed on the specific decisions 
that the agencies made around their policies.
    I do know that one of the things that we are focused on as 
part of the President's management agenda and specific goal is 
the elimination of paper across the various processes in the 
government to actually free up the ability for individuals to 
not be dependent on being in a specific physical spot to do 
that work and drive other efficiencies.
    In addition, some of the investments that we're making in 
digital capabilities and new workforce tools actually enable 
work to be done from a broader reach of locations.
    Mr. Connolly. Well, I mean, there's actually explicit 
policy guidance that has been drafted that would curtail 
telework in your administration. And I'll be glad to get it to 
you, if you haven't seen it.
    Mr. Dodaro, I would just ask that you look into this, 
because I think it flies in the face of the progress we've 
tried to make. And, you know, the whole point here is to deploy 
the capability, not constrain it, and would welcome GAO to look 
into this and see if we can't----
    Mr. Dodaro. I'd be happy to do so.
    Mr. Connolly. I thank you so much. And Mr. Chairman, thank 
you for your indulgence. I'm sorry.
    Mr. Hurd. Mr. Mitchell, round two.
    Mr. Mitchell. Thank you, Mr. Chair.
    Mr. Connolly, you may want to stay for this conversation--
it's the beginning of it--because we're talking about legacy 
systems.
    Mr. Dodaro, have you looked at or done any analysis----
    Mr. Connolly. I would say to my friend, I would, but I 
belong to two committees that believe no human problem cannot 
be improved with another hearing. And my other committee is 
practicing that as we speak.
    Mr. Mitchell. Only two committees are doing that? I'm 
shocked.
    It's getting near district work period and it's gone, the 
wheels have come off the bus around here, okay?
    Let's talk about legacy systems for a moment. Have you done 
any analysis, any examples of the current cost of maintaining 
legacy systems versus just making a transition to a new system, 
and what is the comparison?
    If you could give me some examples, that would be great.
    Mr. Dodaro. Well, overall, what we've said of the annual 
Federal investment, which is about $80, $90 billion a year, 75 
percent of that goes to support the legacy systems as opposed 
to, you know, making investments and modern approaches in 
systems.
    So, you know, we've looked at a lot of individual cases, 
and I'd be happy to provide those for the record, but, you 
know, it definitely, you know, the government's track record in 
implementing new systems and being able to retire legacy 
systems isn't, you know, very good. But it needs to be better.
    And I think the legislation this committee has sponsored is 
helping move in that right direction. And, you know, I have 
always approached this with a PMA as well, a positive mental 
attitude, but I also have a view of what the realistic track 
record has been of the agencies. I'm hoping they do better. I 
hope the CIOs will do better in this area, but we need to do 
a better job in those areas.
    So the short answer to your question is the legacy systems 
involve a lot of spending and are sucking up a lot of the 
Federal government's investment, and we need to get new systems 
in place. But every time there's an effort to do that, there's 
a failure on the part of many agencies.
    Now, hopefully with Ms. Kent's leadership and elevating the 
CIOs to have more responsibility in the agencies, we'll see a 
different outcome going into the future. I certainly hope so.
    Mr. Mitchell. Well, I would like to see those examples, so 
if you can get those to the committee with things you've looked 
at, we would like to look at. Because at some point in time 
what we're doing is we're paying costs, workforce costs to work 
on legacy systems that should, in fact, be better----
    Mr. Dodaro. Yeah, I mean, a good example. We just issued a 
report about the Coast Guard system that was supposed to be put 
in place that failed. The VA, they spent, you know, over $1 
billion trying to improve the current electronic healthcare 
system, that hasn't been successful as well.
    I mean, we've got a long list of activities where money has 
been invested, you know, in a lot of cases millions, hundreds 
of millions of dollars, and it hasn't produced the new system 
yet properly to retire the legacy system.
    So we'll get you a list. I'm confident we have one, and it 
will touch virtually every agency in the Federal Government.
    Mr. Mitchell. We just had a hearing a bit ago on the 
Census. And as you are well aware, they are well behind, in 
terms of developing it's what they do in systems and they're 
over-budget. So it doesn't surprise me, but we need to start to 
look at that, so I'd like to see it.
    Ms. Kent, could I ask you, you mentioned the vacancies you 
have, about 15,000 vacancies of technical, cybersecurity 
personnel; is that correct?
    Ms. Kent. Yes, sir.
    Mr. Mitchell. What are the primary drivers of those 
vacancies.
    Ms. Kent. I'm sorry. Say that again?
    Mr. Mitchell. What are the primary drivers, causes of the--
--
    Ms. Kent. Of the vacancies?
    Mr. Mitchell. Yes.
    Ms. Kent. The primary drivers of the vacancies are that 
cybersecurity skills are one of the hottest skills in the 
industry right now and we're competing with the private sector, 
as well as the cybersecurity professionals have an expectation 
of quick mobility, large challenges and some ability to move 
very quickly in their profession. And some of those things 
don't align well.
    Mr. Mitchell. We've got big challenges. I can guarantee 
that.
    Ms. Kent. It is a very big challenge, but it's an area 
where there are many avenues that we're pursuing, both at 
entry-level positions as well as leadership positions, and 
continuing to explore exchanges with private sector to fill 
those gaps.
    Mr. Mitchell. When we had people leave my company, we 
always did a survey of, kind of get an idea of why you're 
going. I mean, I'm sure you did as well.
    What is the primary--average tenure about 18 months and 
they're gone.
    What are the primary causes that people are up and leaving 
once you get them here?
    Ms. Kent. It is a highly valuable set of skills in the 
private sector industry. So many times it is a question of 
compensation.
    What we have to offer is an exciting mission and the 
ability--we have many very motivated professionals that come in 
because they believe in the missions that our agencies are 
focused on.
    Other times, they are leaving because they want more 
mobility. And mobility as they progress through, you know, the 
professional ranks.
    Mr. Mitchell. Have there been any recommendations made, Mr. 
Dodaro, on what we do in terms of compensation scale or a 
career structure for cybersecurity personnel in the Federal 
system?
    Mr. Dodaro. No. I mean, this is an area where we've had 
strategic human capital management on high risk since 2001.
    You know, one of the areas----
    Mr. Mitchell. What have you not had on high risk since 
2001?
    Mr. Dodaro. Well, there are things that aren't high risk. 
You know, we----
    Mr. Mitchell. Okay.
    Mr. Dodaro. But, you know, the problem here is the 
classification system that OPM has in place. I mean, there's 
really not been, I mean that system was created many years ago. 
It didn't contemplate cybersecurity. They've not adapted over 
time. And so right now the phase 1 of what the administration 
is currently doing is to take stock of what cybersecurity 
skills exist across the government.
    I mean, we should have known this for years earlier and 
developed new systems in place.
    Now, Congress has been very good where they've given a lot 
of special authorities to the agencies. But we found that they 
have over 100 special hiring authorities but they only use 
about a dozen or so. And so it's really OPM hasn't looked at 
whether or not the special hiring authorities are being 
effective or not.
    And so, you know, this means more attention. I'm very glad 
that the President's reorganization proposals focused on 
cybersecurity workforce.
    Mr. Mitchell. Can you share with OPM, at least my opinion--
not necessarily the committee opinion--but my opinion that--I 
ran a fair-sized company. The chief technology officer reported 
to me. They reported to me for a reason. And we had a deal. His 
phone never went off.
    And as soon as something went sideways, you know, he gave 
warning systems and you're well aware, Ms. Kent, what those 
are. And the deal was, he immediately went in and dealt with 
the issues. And the next thing he did was he called me. Because 
there is nothing that's more important than securing our data.
    We're a school group. We have the information on 6,500 
students at any point in time, their financial information, 
their parents' financial information. And that getting hacked 
is a serious issue, never mind the issues we have here.
    So suggest to OPM they may want to up the ante on this and 
make it a little more important because people aren't trusting 
the government because they don't believe their data is secure. 
Never mind the issues it creates for us in terms of national 
security.
    Thank you. I am out of time as well. Thank you, sir.
    Mr. Hurd. Ms. Kent, one of the recommendations that GAO 
suggests, needs to be improved, is this global supply chain of 
information that's on our Federal infrastructure.
    So if we take the narrow view of the supply chain of 
software or hardware that is put on a system responsible in the 
dot-gov domain, who is responsible for making sure that those 
widgets are secure?
    Ms. Kent. One of the things that I agree with the point 
around supply chain is ensuring that we have a mechanism, not 
only to know what is on our network, but to allow Congress and 
other bodies to make recommendations and have a structured way 
that we identify both hardware and software, where is it being 
used, and we have a structured way to pull those things out.
    As we worked through the Kaspersky situation, we had to 
create an entire process, communicate that information, and 
manage it one-by-one, across all of the agencies. And we did 
not have a systematic way to do that.
    Since we have now had additional concerns and, you know, 
those may continue, what we would like to have in place is a 
structured way to do that in ongoing identification by 
agencies.
    Mr. Hurd. So let me rephrase the question. Right now can 
you tell right now agency X, You've got to remove all this 
stuff? You as the Federal CIO can make that directive and X-
agency would have to comply with that.
    Ms. Kent. We have been taking directives from the National 
Security Council or from others, but, yes, that is the way that 
we have been executing the ones for which we've been given a 
directive to date.
    Mr. Hurd. Can the CIO for that agency make that decision 
and say, All this stuff is coming out?
    Ms. Kent. The CIOs have responsibility for the security 
posture of their agencies, so if they decide to take a more 
aggressive stance on some situation or, you know, for some 
reason that aligns with their mission, that is within their 
authority.
    Mr. Hurd. So let's say an agency has a device on their 
network that they shouldn't have, who should be in trouble? Who 
is responsible for having allowed that to happen? Or not 
finding that out in advance?
    Ms. Kent. That's a good question. We do hold agencies 
accountable for knowing what is on their network. And if there 
has been a directive to remove actions and a specific date by 
which to act, we are holding them accountable from an oversight 
perspective.
    Mr. Hurd. Mr. Dodaro, do you have any opinions on this?
    Critical infrastructure, I mean excuse me, supply chain 
within the dot-gov space. Let's start with that.
    Mr. Dodaro. Yeah, right, right. I think, you know, 
individual agencies are always the first line of responsibility 
in these cases to know what they're buying and what is in 
place.
    DHS has responsibility and has the ability to issue binding 
operational directives to agencies, across government, if need 
be, to remove devices or to do certain things as well. So DHS 
has some responsibilities.
    I would ask Greg to come up. He just testified on a supply 
chain issue recently, see if he has any additional thoughts.
    Mr. Hurd. While he is coming up, describe your vision, the 
future state that needs to happen in order for this to be 
removed from the GAO high risk report.
    Mr. Dodaro. On supply chain or the whole----
    Mr. Hurd. On supply chain over dot-gov.
    Mr. Dodaro. Yeah, there needs to be, you know, a clearer 
plan for determining the supply chain operations, you know, in 
terms of identification of vulnerabilities, and there needs to 
be greater accountability for enforcing that over time.
    Mr. Hurd. Who should do that?
    Mr. Dodaro. It has to be led by DHS or out of the White 
House to be enforced. I mean, it has to be. I mean, you know--
and there are separate issues at DOD, all right, on this issue, 
you know, for national security purposes, and they hold the 
prime contractors responsible. But there is a lot of 
subcontractors kind of issues.
    But in the civilian side of the government, I think it's 
got to come from DHS primarily, would be where I would start.
    Mr. Hurd. Mr. Wilshusen.
    Mr. Wilshusen. Yeah. It would need to be, I think, also 
DHS, but also certainly with input, collaboration with the 
intel community as well as DOD as they collect intelligence and 
information about the particular supply chain direct to 
particular components or systems that might be in use at 
Federal agencies.
    DHS has used its authority under the Federal Information 
Security Modernization Act to issue binding operational 
directives to require and compel all Federal agencies to remove 
Kaspersky Lab-type products, as was referenced earlier.
    We have been requested and we plan to start an engagement 
later this year to look at the process by which DHS determines 
when to issue a binding operational directive, how it comes 
about that decision and then what oversight mechanisms it has 
to ensure that its directives are actually being implemented 
and implemented effectively by the agencies.
    Mr. Hurd. Shifting gears on privacy. If the IRS database 
got hacked--and let's say a portion of American citizens' 
information was stolen--what is the responsibility of IRS to 
notify those individuals and notify Congress?
    What is the breach notification rules that IRS would be 
following in that case?
    Mr. Wilshusen. It depends. IRS would need to make--and this 
is under guidance provided by the Office of Management and 
Budget, indeed on how to respond to particular data breaches.
    Part of it is to conduct, at first, a risk assessment in 
which it looks at the scope of the breach and the potential 
harm that could occur to, say, in this case taxpayers, if their 
information is indeed compromised.
    And then it's supposed to make a risk assessment and then 
determine what type of actions to take. Part of that could 
include notification to those individuals that their 
information has been breached. It could also include providing 
some other remedies such as credit monitoring services and 
others----
    Mr. Hurd. So this is the standard written by OMB?
    Mr. Wilshusen. That's correct.
    Mr. Hurd. So if students' loan information at Department of 
Education was stolen, would that be the same notification 
responsibilities and privacy----
    Mr. Wilshusen. Yes, those guidelines are for all Federal 
agencies.
    Mr. Hurd. So OMB has issued breach standard notification 
across the Federal Government to include intel and militaries 
across all Federal agencies or is it just the dot-gov space?
    Mr. Wilshusen. I guess it would be dot-gov space.
    Mr. Hurd. Ms. Kent, do you have any opinions on this topic?
    Ms. Kent. It is not a topic that I am familiar with, all 
the specifics. I do recognize, though, in the description is, 
the process is very similar to industry and the notification 
process, identifying risks, understanding the risk of the 
individuals, and then determining if there are other mitigating 
factors that should be offered to those individuals.
    Mr. Hurd. Ms. Kent, changing gears here. OMB released its 
agency self-reported data on the status of their information 
security controls. We have found that agencies tend to present 
a prettier picture than their own IGs in those FISMA audits.
    Have you noticed this discrepancy? Are you working to make 
this accurate reporting? Are you acknowledging these problems? 
How do we plan to work with agencies to implement some of these 
basic cybersecurity requirements.
    Ms. Kent. I concur with your assessment. That was actually 
when I looked at the reports, one of the early things that I 
asked in joining.
    It is actually a conversation that I have had with the GAO 
team about how we can automate and actually extract data on 
some of the specific points versus asking for a self-reporting 
mechanism. And we'll continue the dialogue about how to improve 
that.
    Mr. Hurd. This is one of my final questions. It's a very 
broad basic question, and it's broad and basic for a reason. 
And we'll start with you Ms. Kent, and then we'll go down the 
line.
    Who is responsible for defending the digital infrastructure 
of the Federal Government?
    Ms. Kent. Say that again?
    Mr. Hurd. Who is responsible for defending the digital 
infrastructure of the Federal Government?
    Ms. Kent. The agencies are responsible for defending the 
digital infrastructure at their agency, and DHS is responsible 
for defending across the enterprise. And there's an interlock 
of responsibilities between the agencies and their 
communication with DHS in ensuring that DHS has visibility to 
issues, incidents, and what they are detecting going on in 
those individual agencies.
    Mr. Hurd. What is the role of the Federal Government in 
helping to defend the 16 areas that we consider to be critical 
infrastructure?
    Ms. Kent. I don't know that I'm following your question. 
Are you talking about the external industry?
    Mr. Hurd. So the 16 areas that we think are critical 
infrastructure, financial services, utilities, election 
infrastructure, go down the line, what is the Federal 
government's role in helping to defend those infrastructures?
    Ms. Kent. I see those as the responsibility of DHS. So I 
don't know that I am informed to comment. DHS and our National 
Security Council. And from a Federal agency perspective, I know 
when we expect that they are sharing threat information from 
those industries with us inside the Federal agency side so that 
we can react to those.
    Mr. Hurd. Got you. Mr. Dodaro, who's in charge?
    Mr. Dodaro. Well, in the Federal space, I would agree. I 
mean, the agencies are primarily responsible according to 
FISMA. That's the agency heads. I mean, Congress has 
established that in law. It has given DHS responsibility and 
law. And OMB sort of passed that responsibility to DHS years 
ago and without the authority.
    Now, Congress corrected that and gave DHS the authority, 
gives them the ability to issue these binding operational 
directives. And then OMB has responsibility as well for policy 
matters in a lot of these areas.
    So in the Federal space, I think that's pretty clear. In 
the critical infrastructure protection space, less so.
    Now, in some of the critical infrastructures, for example, 
in the nuclear area, there are regulatory responsibilities. So 
the Federal government's role is a little clearer in that area. 
They have more authority to put in place requirements. But for 
by and large, for most of the 16 sectors for critical 
infrastructure, it's voluntary.
    And what we found is that the--there each has a Federal 
coordination point and a lot of the Federal coordinators really 
didn't know what the status was of the implementation of the 
voluntary standards.
    When we talked to a number of people in the sectors, you 
know, they were basically saying that they had challenges. They 
didn't have enough people, they didn't understand all the 
requirements. So that's the area I'm most concerned about.
    Mr. Hurd. So describe that future state when it comes to 
critical infrastructure that if we achieved you would pull this 
off as one of the four major challenges facing the Federal 
Government.
    Mr. Dodaro. Yeah. Well, number one, I would have to have 
some metrics and measures to know what the state of readiness 
really is in those areas.
    Right now, you don't have that. No one can answer that 
question, I believe, to say across the 16 sectors we're ready. 
And here is why I believe that.
    So to me, you need that in place to provide the level of 
assurance that would be necessary in order to do that. And so 
that's, you know, a tall order. And then you would need to 
have, you know, a clearer understanding of information sharing.
    You know, our understanding of what's going on, you 
referenced this earlier about businesses being happy with 
information they're getting from DHS. I'm not too sure that 
that information flow is going two ways. And I think we need 
to, from the Federal Government standpoint, need to have 
greater assurance that there's a two-way dialogue here, and 
that we're really communicating and understanding what's going 
on with the risk in those areas.
    So to me, you need a clear metric understanding of what the 
status of readiness is for each of the 16 areas, and there 
would be different metrics for different sectors. I'm not 
suggesting there would just be one sector, but somebody has got 
to be in that position to know that.
    And right now, that's very sketchy at best. And as a 
result, I think we're very vulnerable in the Nation. I know 
there's a lot of policy issues about the Federal role, 
respecting the private sector, whatever. But I think we're 
getting to a point with the threats from state and non-state 
actors that we need to have more of a grownup conversation 
about the real risk to the country in those areas and a meeting 
of the minds on how best to protect our country for everybody.
    Mr. Hurd. Has GAO thought through what are those Doomsday 
scenarios that we should be prepared for? Because if there are 
unclear roles between the public and private sectors in 
response to a Doomsday scenario, we need to be thinking through 
what are those Doomsday scenarios that we need to be prepared 
for.
    Have you all spent some time on that? Have you all seen an 
entity that has designed that?
    Ms. Kent, you have seen stuff?
    I know there are some exercises. DHS does a few. But I feel 
like we haven't done enough, because if we're truly going to 
escape to a future state, we need to figure out what that is 
we're trying to be prepared for.
    If we're going to develop contingency planning, what 
contingency are we planning for?
    And Mr. Wilshusen you came up here, so I hope you have some 
interesting things to say.
    Mr. Wilshusen. I hope I can interest you.
    One, is DHS has developed a response plan, and it's tested 
annually, in which it is a test against different types of 
scenarios.
    And I do believe in some of the guidance at least--well, 
from the National Institute of Standards and Technology and 
some of its guidance, it does identify different threat 
scenarios for different types of potential attacks that can 
affect organizations and systems.
    Now, that's generally guided towards Federal agencies, but 
those same types of attacks can also be applied against 
critical infrastructure owners and operators in the systems 
that they operate.
    And so there are different threat scenarios that have been 
identified and those are things that both I think DHS and NIST 
has identified.
    Mr. Hurd. Well, Mr. Dodaro, you've heard me say this 
before. I'm a big fan of GAO. Whenever there's a new topic I am 
working on, I always start with whatever reports you all have 
developed.
    So thank you for you and your team and you all's service to 
making sure our government is responsive to the people that we 
serve. It's always a pleasure to have you here.
    Ms. Kent, any final words?
    Ms. Kent. I thank you for the opportunity. And as I said in 
the opening, every chance that we have to elevate the 
conversation around cybersecurity and the resources that we 
need to be in a position to protect our security posture, I 
greatly appreciate.
    Thank you.
    Mr. Hurd. Well, I thank our witnesses for appearing before 
us today.
    The hearing record will remain open for two weeks for any 
member to submit a written opening statement or questions for 
the record.
    And if there's no further business, without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 4:01 p.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]