[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]

FEDERAL IT SECURITY: A REVIEW OF H.R. 4791
=======================================================================

JOINT HEARING before the SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES and the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, ORGANIZATION, AND PROCUREMENT of the COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED TENTH CONGRESS, SECOND SESSION

ON H.R. 4791, TO AMEND TITLE 44, UNITED STATES CODE, TO STRENGTHEN REQUIREMENTS FOR ENSURING THE EFFECTIVENESS OF INFORMATION SECURITY CONTROLS OVER INFORMATION RESOURCES THAT SUPPORT FEDERAL OPERATIONS AND ASSETS, AND FOR OTHER PURPOSES

FEBRUARY 14, 2008

Serial No. 110-72

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html and http://www.oversight.house.gov

U.S. GOVERNMENT PRINTING OFFICE, 44-178 PDF, WASHINGTON DC: 2008

For Sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; (202) 512-1800. Fax: (202) 512-2104. Mail: Stop IDCC, Washington, DC 20402-0001.

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

HENRY A. WAXMAN, California, Chairman

Majority:
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
BRIAN HIGGINS, New York
JOHN A. YARMUTH, Kentucky
BRUCE L. BRALEY, Iowa
ELEANOR HOLMES NORTON, District of Columbia
BETTY McCOLLUM, Minnesota
JIM COOPER, Tennessee
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

Minority:
TOM DAVIS, Virginia
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
VIRGINIA FOXX, North Carolina
BRIAN P. BILBRAY, California
BILL SALI, Idaho
JIM JORDAN, Ohio

Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director

Subcommittee on Information Policy, Census, and National Archives

WM. LACY CLAY, Missouri, Chairman

Majority:
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
JOHN A. YARMUTH, Kentucky
PAUL W. HODES, New Hampshire

Minority:
MICHAEL R. TURNER, Ohio
CHRIS CANNON, Utah
BILL SALI, Idaho

Tony Haywood, Staff Director

Subcommittee on Government Management, Organization, and Procurement

EDOLPHUS TOWNS, New York, Chairman

Majority:
PAUL E. KANJORSKI, Pennsylvania
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
CAROLYN B. MALONEY, New York

Minority:
BRIAN P. BILBRAY, California
TODD RUSSELL PLATTS, Pennsylvania
JOHN J. DUNCAN, Jr., Tennessee

Michael McCarthy, Staff Director

C O N T E N T S
----------

Hearing held on February 14, 2008 ................................ 1
Text of H.R. 4791 ................................................ 5

Statement of:
  Evans, Karen S., Administrator for Electronic Government and Information Technology, Office of Management and Budget; Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office; Alan Paller, director of research, the Sans Institute; Bruce W. McConnell, president, McConnell International, LLC; and Tim Bennett, president, Cyber Security Industry Alliance ....... 23
    Bennett, Tim ............................................. 93
    Evans, Karen S. .......................................... 23
    McConnell, Bruce W. ...................................... 82
    Paller, Alan ............................................. 65
    Wilshusen, Gregory C. .................................... 33

Letters, statements, etc., submitted for the record by:
  Bennett, Tim, president, Cyber Security Industry Alliance, prepared statement of ...................................... 96
  Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of ................... 3
  Davis, Hon. Tom, a Representative in Congress from the State of Virginia:
    Letter dated July 27, 2007 ............................... 104
    Prepared statement of .................................... 108
  Evans, Karen S., Administrator for Electronic Government and Information Technology, Office of Management and Budget, prepared statement of ...................................... 26
  McConnell, Bruce W., president, McConnell International, LLC, prepared statement of ...................................... 84
  Paller, Alan, director of research, the Sans Institute, prepared statement of ...................................... 67
  Wilshusen, Gregory C., Director, Information Security Issues, Government Accountability Office, prepared statement of .... 35

FEDERAL IT SECURITY: A REVIEW OF H.R. 4791
----------

THURSDAY, FEBRUARY 14, 2008

House of Representatives, Subcommittee on Information Policy, Census, and National Archives, joint with the Subcommittee on Government Management, Organization, and Procurement, Committee on Oversight and Government Reform, Washington, DC.

The subcommittees met, pursuant to notice, at 11:30 a.m., in room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chairman of the Subcommittee on Information Policy, Census, and National Archives) presiding.

Present: Representatives Clay, Davis of Virginia, and Platts.
Staff present from the Information Policy, Census, and National Archives Subcommittee: Darryl Piggee, staff director/counsel; Jean Gosa, clerk; and Adam Bordes, professional staff member.

Staff present from the Government Management, Organization, and Procurement Subcommittee: Mike McCarthy, staff director; Velvet Johnson, counsel; Bill Jusino, professional staff member; and Kwane Drabo, clerk.

Mr. Clay. Good morning. This hearing of the Oversight and Government Reform Committee is being held this morning by the Information Policy, Census, and National Archives Subcommittee, which I chair, and the Subcommittee on Government Management, Organization, and Procurement, chaired by Congressman Ed Towns of New York, who is under the weather this week and is not in town. But we will proceed without Mr. Towns.

This hearing will now come to order. Today's hearing will examine the important topic of Federal information security. Our subcommittees are holding this hearing because security is both a management and technology challenge.

Without objection, the Chair and ranking minority member will have 5 minutes to make opening statements, followed by opening statements not to exceed 3 minutes by other Members who wish to seek recognition. Without objection, Members and witnesses may have 5 legislative days to submit a written statement or extraneous materials for the record.

Briefly, I would like to discuss some of the challenges that I see, and then I will yield to anyone else that shows up for comments.

Let me say that today's joint subcommittee hearing on the Current State of Federal Information Security and Legislation to Strengthen the Federal Information Security Management Act, I am especially pleased to be teaming up with the Subcommittee on Government Management, Organization, and Procurement, chaired by Mr. Towns, for this critical issue.

For fiscal year 2009, the President's budget proposes spending of roughly $70 billion on information technology products alone. Yet according to OMB's 2006 FISMA report to Congress, agency efforts to implement effective information security programs are inconsistent throughout Government. These problems go beyond isolated data breaches and have exposed systemic information security vulnerabilities that have gone unmitigated by our agencies and the IT contracting community that serves them.

Having experienced 5 years of detailed OMB reporting through the FISMA process, I am certain that some real progress has been made in securing our agencies' IT assets. What I am unsure of, however, is whether our current requirements and OMB policies under FISMA are providing us enough tools to effectively identify the inherent vulnerabilities in our systems, now or in the future.

With this in mind, I, along with Chairman Towns and Chairman Waxman, have put forward a bill that would move us toward more rigid security requirements for agency systems while staying within the current FISMA framework. Furthermore, our bill will add consistency and robustness to the current program performance evaluation process by requiring an annual audit of agency programs. Last, this legislation begins to recognize the duty of care responsibilities that must be shared between both Federal agencies and the contracts providing services to them.

As technology evolves and the perimeters of IT enterprises expand, we must have a flexible security framework to harness such advances while ensuring that our networks remain secure. I am hopeful that our witnesses today will be able to address these issues through the context of their experiences, and I look forward to their testimony.

[The prepared statement of Hon. Wm. Lacy Clay and the text of H.R. 4791 follow:]

[GRAPHIC] [TIFF OMITTED] T4178.001 through T4178.020

Mr. Clay. We will now receive testimony from the witnesses before us today. On today's panel, the subcommittees are pleased to have the following witnesses:

Karen Evans, Administrator for the Office of E-Government and Information Technology. Ms. Evans is an experienced IT professional and leads the administration's programs on information security. Welcome back to the committee, Ms. Evans.

We also have Greg Wilshusen, Director for Information Security Issues at the Government Accountability Office. Mr. Wilshusen is also a long-time expert and has testified on this topic before the Information Policy Subcommittee several times. Thank you for being here.

Alan Paller is the director of research at the SANS Institute and is responsible for overseeing all research projects. Mr. Paller founded the CIO Institute and earned degrees in computer science and engineering from Cornell and MIT. Welcome to the committee hearing.

Bruce McConnell, the president and founder of McConnell International. Prior to his current position, Mr. McConnell was chief of information and technology policy at the White House Office of Management and Budget, where he led several IT and security initiatives. Thank you for being here, too, Mr. McConnell.

Rounding us out is Tim Bennett, president of Cyber Security Industry Alliance. Mr. Bennett served as the vice president of the American Electronics Association and worked in senior roles within the Office of the U.S. Trade. Thank you also, Mr. Bennett, for coming today.

I thank all of you for appearing before the subcommittee. It is the policy of the committee to swear in all witnesses before they testify, so I will ask you to please rise and raise your right hands.

[Witnesses sworn.]

Mr. Clay. Thank you, and let the record reflect that the witnesses answered in the affirmative.

I ask that each witness now give a brief summary of their testimony and to keep the summary under 5 minutes in duration. Bear in mind your complete written statement will be included in the hearing record. I will let you know if you go over the 5.

We will start with Ms. Evans. You may proceed.

STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; ALAN PALLER, DIRECTOR OF RESEARCH, THE SANS INSTITUTE; BRUCE W. MCCONNELL, PRESIDENT, MCCONNELL INTERNATIONAL, LLC; AND TIM BENNETT, PRESIDENT, CYBER SECURITY INDUSTRY ALLIANCE

STATEMENT OF KAREN S. EVANS

Ms. Evans. Good morning, Chairman Clay. Thank you for inviting me to speak about the status of the Federal Government's efforts to safeguard our information and systems. My remarks today will highlight a few of the initiatives underway to manage the risk associated with our Government services in this ever-changing IT environment. The details are included in my written statement. I will conclude with our thoughts on your proposed bill, H.R. 4791.

Information security and privacy are extremely important issues for the administration.
On March 1st, the Office of Management and Budget [OMB], will provide our fifth annual report to Congress on the implementation of the Federal Information Security Management Act [FISMA], which will detail our improvements and remaining weaknesses for both security and privacy. Over the past year, departments and agencies continue to improve their security programs, manage their risks and become more fully compliant with FISMA.

To enhance information security programs, OMB continues to use the oversight mechanisms to improve performance, including the President's management agenda score card and the agencies' capital planning processes. We are also engaging agencies in a variety of information security and privacy initiatives to close any remaining performance gaps.

Over the past year, in collaboration with the National Institute for Standards and Technology [NIST], the Department of Defense, the National Security Agency, and Microsoft, we have developed a set of information security controls to be implemented on all Federal desktops, which are running Microsoft Windows XP or Vista, known as the Federal Desktop Core Configuration [FDCC]. By implementing a common configuration, we are gaining better control of our Federal desktops, allowing for closer monitoring and correction of potential vulnerabilities.

We are also working with the vendor community to make their applications safer. NIST has developed testing tools for use both by the Federal agencies and the vendors and three independent laboratories have been accredited by NIST's National Voluntary Laboratory Accreditation Program, to provide the validation testing. We are very optimistic this program will greatly enhance the security of our Federal desktops and applications. To help agency procurement officers with the validation requirement, we are working with the Federal Acquisition Council to incorporate language into the Federal Acquisition Register.

Agencies connect to the internet to develop timely information and to deliver services to the public. However, our Government systems are continuously operating under increasing levels of risk. Through the Trusted Internet Connections Initiative, we are working with agencies to reduce the overall number of external Federal connections to manage risk in a more cost-effective and efficient manner, while providing better awareness of our environment. Agencies turned in plans of action and milestones to fully optimize agency connections with a target completion date of June 2008.

Recently, we provided the opportunity for all departments and agencies to review the proposed legislation, H.R. 4791. The bill contains several provisions which aim to enhance the protection of Federal information and personally identifiable information, as well as several provisions that propose changes to FISMA. While we strongly support enhancing protections for such information, we share several concerns expressed across the Federal agencies about the effect of this legislation.

The administration believes the foundation and the framework established by FISMA is sound and also believes there is still much we can accomplish to improve the security and manage the risk associated with our information and information services. Nonetheless, we are concerned with the unintended consequences of the proposed change which would seriously impact established agency security and privacy practices, while not necessarily achieving the outcomes of improved privacy or security.

While we understand technologies which are improperly implemented introduce increased risk, we recommend any potential changes to the statute be technology-neutral. We recognize that the IT landscape is ever-changing. As we deploy common, Government-wide solutions, departments and agencies increasingly are requiring services instead of procuring infrastructure. We welcome the opportunity to further discuss potential gaps which may need to be addressed through future FISMA enhancements if appropriate.

We look forward to discussing our ongoing information security and privacy activities in greater detail. We feel our current activities and initiatives as included in my written statement already are beginning to close performance gaps H.R. 4791 attempts to address. I would be happy to answer questions at the appropriate time.

[The prepared statement of Ms. Evans follows:]

[GRAPHIC] [TIFF OMITTED] T4178.021 through T4178.027

Mr. Clay. Thank you, Ms. Evans. Mr. Wilshusen, you may proceed.

STATEMENT OF GREGORY C. WILSHUSEN

Mr. Wilshusen. Mr. Chairman, I am pleased to be here today to testify on FISMA and the state of Federal information security. Rarely has the need for the Federal Government to implement effective controls over its information systems and information been more important. Virtually all Federal operations are supported by automated systems and electronic information, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without them.

At the same time, Federal systems and critical infrastructures are increasingly being targeted for exploitation by a growing array of adversaries, including criminal groups, foreign nation states, hackers, terrorists and disgruntled insiders. Thus, it is imperative that agencies safeguard their systems to protect against such risks as loss or theft to resources, disclosure or modification of sensitive information, including national security, law enforcement, proprietary business and personally identifiable information and disruption of critical operations.
Today, I will summarize agency progress in performing key information security control activities, the effectiveness of information security at Federal agencies, and opportunities to strengthen security.

In fiscal year 2007, the Federal Government reported improved security performance relative to key performance metrics established by OMB for FISMA reporting. For example, the percentage of certified and accredited systems Government-wide reportedly increased from 88 percent to 92 percent. These gains continue a historical trend that we reported on last year.

Despite reported progress, 20 of 24 major Federal agencies continue to experience significant information security control deficiencies. Most agencies did not implement controls to sufficiently prevent, limit or detect access to computer networks, systems or information. Moreover, agencies do not always configure network devices to prevent unauthorized access and ensure system integrity, patch key servers and workstations in a timely manner, and maintain complete continuity of operations plans for key information systems. An underlying cause for these weaknesses is that agencies have not fully or effectively implemented the agency-wide information security programs required by FISMA.

As a result, Federal systems and information are at increased risk of unauthorized access to and disclosure, modification or destruction of sensitive information as well as the inadvertent or deliberate disruption of system operations and services. Such risks are illustrated in part by an increasing number of security incidents reported by Federal agencies.

Nevertheless, opportunities exist to bolster information security. Federal agencies could implement the hundreds of recommendations made by GAO and agency IGs to resolve previously reported control deficiencies and information security program shortfalls. In addition, OMB and other Federal agencies have initiated several Government-wide initiatives that are intended to improve security over Federal systems and information. For example, OMB has established an information systems security line of business to share common processes and functions for managing information system security across Federal agencies, and it has directed agencies to adopt the security configurations developed by NIST, DOD and DHS for certain Windows operating systems. Consideration could also be given to enhancing policies and practices related to security control testing and evaluation, FISMA reporting and the independent annual evaluations of agency information security programs required by FISMA.

In summary, although Federal agencies report performing key control activities on an increasing percentage of their systems, persistent weaknesses in agency information security continue to threaten the confidentiality, integrity and availability of Federal systems and information. Until Federal agencies resolve their significant deficiencies and implement effective security programs, their systems and information will remain at undue and unnecessary risk.

Mr. Chairman, this concludes my statement. I would be happy to answer your questions.

[The prepared statement of Mr. Wilshusen follows:]

[GRAPHIC] [TIFF OMITTED] T4178.028 through T4178.057

Mr. Clay. Thank you so much, Mr. Wilshusen. Mr. Paller.

STATEMENT OF ALAN PALLER

Mr. Paller. Thank you, and thank you for having me. I have been to St. Louis a bunch of times, first with McDonnell Douglas and later with Boeing. It is a wonderful, high-tech city.

Mr. Clay. Thank you so much.

Mr. Paller. It is very impressive. Actually, what we are talking about today directly affects Boeing, too, so it is not just a Federal discussion because of the change that our other witnesses mentioned.

I am just going to tell you a couple of stories. First of all, I am the research director at SANS, so we have about 68,000 people who are alumni who actually run security at most large organizations. Their job is almost completely impossible. It just isn't out in the public, but we are losing this war against cyber-crime at an accelerating rate, meaning we are falling farther behind every week.
What we are talking about today actually will make a difference. It is not something nice to do for Federal agencies, it actually is a major war, it is involving espionage, it is involving a lot of things that deserve to be treated with more attention. I am here actually with the hope that you can do that by making the Federal Government lead by example. So where the Federal Government uses its procurement, you mentioned in your opening statement $70 billion, that is enough to do an amazing amount of good in security. You don't actually spend the money on security, you use the leverage of the Federal procurement to make the change.

Just to clarify how FISMA became a compliance exercise instead of a security exercise, it wasn't the way the law was intended. It actually was a mistake that was made in GISRA before it became FISMA, the original law that got changed, it was written in the Senate and got changed into FISMA. What happened was that NIST wrote a catalog of things that every agency had to do. They don't even call it a road map or a blueprint. They wrote a catalog. And then the IGs and others said, well, now you have to do everything in the catalog.

And the problem is, if you had a catalog of things your kids had to do, and one of them was finish their homework and another one was check on the dog, but they were graded on how many things they did, they are going to do all the check on the dogs quick, because the do your homework is hard. And that is what happened with FISMA, because they got graded on how many things they did instead of the important things.

So the leaders are smart, you guys, between Karen and the Hill, you guys made it impossible for them not to do everything. They got Fs on all their report cards. And because of that, they are smart enough to know, they have to get you off their back. So the CIO said, I don't care what you need to do for security, you have to get those reports done, because I have to go see Clay Johnson in the White House and he is going to--well, what they said isn't public. But he will do bad things to me if I don't get all my systems certified.

So the key change, it is a very small change, I have provided your staff with some language that might be better, it will be made better by your people. But the key change is to prioritize. If homework is more important than checking on the dog, don't say you are going to do these 500 things, say, do your homework. Then if you get your homework done, then do these other things and we will give you bonuses for the other things. But let's make sure we prioritize the actions. That is what the companies that do security well do. It is all attack-based. They find out where the attacks are coming in, then make sure their defenses can stop those attacks. We don't do that in the Federal Government. So I put all that in the statement.

I want to tell you one more story, because it is a ``Karen is a hero'' story, and it is really quite a good story. It is the other half of what you can do. John Gilligan was the CIO at the Air Force, he got up in front of 200 people and said, we can't secure our Windows boxes. In fact, we spend more money to clean up after the mess than we do to buy this stuff in the first place, and I am going to change that. He took $500 million over 7 years, so it is not much per year. That is relative to your $70 billion you are talking about. This is the example of how your money makes a difference, $500 million over 7 years. He said to Microsoft, hey, we want you to configure the system securely when you sell it to us instead of selling it to us open and making every one of our people try to do it after we buy it. And he got it done. Over 400,000 systems now are out of the box secure.

The key is, they just reported this, they cut the patching time from 7 weeks to 3 days. And all the attacks come out in the first few days. So if you don't get it done fast, you might as well not patch at all. And they saved tens of millions of dollars. It is the only example where you save money and you improve security. It is what you can do with the leverage you have in your money.

So I am happy to answer questions about any of this. Thank you for letting me come.

[The prepared statement of Mr. Paller follows:]

[GRAPHIC] [TIFF OMITTED] T4178.058 through T4178.072

Mr. Clay. Thank you so much for that enlightening report. Mr. McConnell.

STATEMENT OF BRUCE W. MCCONNELL

Mr. McConnell. Thank you, Mr. Chairman and members of the subcommittees for the privilege and opportunity to testify today on Federal information security. The jurisdiction of this committee is so broad and its work is so important to the critical functioning of our Federal Government, it is a real pleasure.

I am here today bringing you the perspective of 20 years of work in information policy and technology, including 15 years at OMB, serving 3 Presidents. I am also on a commission for cyber security for the 44th Presidency, which has been co-chaired by Congressman Jim Langevin and Congressman Michael McCaul. I am not speaking on behalf of that commission.

You asked in your invitation that I provide policy recommendations for potential legislative consideration and to comment on the state of FISMA compliance and the provisions of H.R. 4791. I have done that in my written statement.
But in my oral remarks, I wish to focus in on what I consider to be the most significant development in Federal information security in many years. My analysis is based solely on information that is in the public domain. On January 8th, President Bush issued a new National Security Homeland Security directive. This order establishes a comprehensive national cyber-security initiative. The issuance of this national security order shows that information security is receiving serious attention at the highest levels of the executive branch. I believe this is good news. The so-called Cyber Initiative recognizes the serious threats to the Nation's information infrastructure coming from State and non-State actors, including sophisticated criminals. It lays out the need to take proactive measures in cyberspace to detect and prevent intrusions from whatever source in real time before they can do significant damage. These tenets are important, and while the details are not yet public, they clearly include an increased role for the intelligence community, in particular the National Security Agency [NSA], in protecting Federal systems. Let me explain why I believe this expanded NSA role is germane to this committee's work. The Cyber Initiative relates directly to two statutes under your jurisdiction: FISMA and the Privacy Act. When this committee wrote FISMA's predecessor, the Computer Security Act of 1987, you vested the National Institute of Standards and Technology [NIST], with primary authority in the security of civilian agency information systems. You also explicitly limited the role of NSA with respect to civilian agency systems. There were several reasons for this differentiation of responsibilities. Foremost in the mind of Congress was the potential chilling effect on the free flow of information between Government and the public, including the information technology industry, if a military agency became too closely involved with civilian agency systems. 
As the committee's report in 1987 notes, ``Since it is a natural tendency of DOD to restrict access to information through the classification process, it would be almost impossible for the Department to strike an objective balance between the need to safeguard information and the need to maintain the free exchange of information.'' Civilian agency missions, such as those at the Census Bureau, the Internal Revenue Service and the Centers for Medicare and Medicaid Services, depend on the trust of the American people to operate successfully. These missions require the free and efficient flow of information to and from the public in order to deliver important public benefits and programs. In addition to the potential chilling effect on information flows, the statute also reflected potential concerns about privacy and civil liberties. This statutory framework separating civilian and military systems has been confirmed and strengthened three times in the last two decades. Now, Mr. Chairman, it may be that the world has changed so much that this historic distinction between civilian agency systems and national security systems no longer serves the Nation's interest. Certainly the current computer security regime in Government is not working adequately. There is a big gap between what the agencies need and what they are getting. The gap extends beyond Government systems to the U.S. information infrastructure. Therefore, there is a substantial argument that you need to put resources from the intelligence community against this problem, because that is where the most resources are on the Federal side. Of course, there are also substantial resources in the private sector in this area. So what is really needed is a partnership of trust between the Government and the private sector to address the Nation's information security needs.
Many of the information security professionals I talk to suggest that this trust is at a relatively low point in our history and it needs to be strengthened if we are going to be able to address this critical issue. We need to determine who in the Government can most effectively foster trust and cooperation with industry and with the American people. So I encourage the committee to look at these roles and responsibilities in the context of FISMA and the Privacy Act. Thank you, sir.

[The prepared statement of Mr. McConnell follows:]

Mr. Clay. Thank you so much, Mr. McConnell. Our final witness will be Mr. Bennett. Mr. Bennett, you may proceed.

STATEMENT OF TIM BENNETT

Mr. Bennett. Thank you, Mr. Chairman, Congressman Davis. Thank you for the opportunity to share the views of the Cyber Security Industry Alliance on improvements in FISMA. CSIA is a group of leading security technology vendors that are dedicated to ensuring the privacy, reliability and integrity of information systems through public policy, technology, education and awareness. It is our belief that a comprehensive approach for enhancing the security and resilience of information systems is fundamental to economic security.

Mr. Clay. Excuse me, Mr. Bennett, is your microphone on?

Mr. Bennett. Allow me to commend this subcommittee and its parent committee for the sustained attention that has been given in recent years to the critical objective of strengthening information security within the Federal Government.
As we have painfully learned and heard from a couple of the other witnesses this morning, Federal systems are frequently vulnerable to cyber attacks, and the oversight of this subcommittee and full committee are an important element in holding Federal agencies accountable for improved information security as well as highlighting ongoing challenges and vulnerabilities. The 110th Congress now has an important opportunity to amend FISMA to improve the information security climate at our Federal Government agencies. Even though the last few years have yielded a number of successes, there are certain weaknesses in our Government's critical infrastructure which still urgently need to be addressed. It has become clear that the infiltration of Federal Government networks and the possible theft and/or exploitation of information are among the most critical issues confronting our Federal Government. While progress has been made, much work remains to be done in order to truly secure our Government's IT infrastructure. FISMA has been fairly successful at getting agencies in general to pay closer attention to their information security obligations. Before FISMA, information security was not a top priority at Federal agencies. FISMA has been successful in raising awareness of information security in the agencies and also in Congress. However, Federal agencies scored an average grade of C minus in 2007's Information Security Report Card. Some argue that FISMA does not adequately measure information security. A high FISMA grade doesn't mean the agency is secure and vice versa. That is because FISMA grades reflect compliance with mandated processes. They do not measure how much these processes have actually increased information security. In particular, the selection of information security controls is subjective and not consistent across Federal agencies. Agencies determine on their own what level of risk is acceptable for a given system.
They can then implement the corresponding controls, certify and accredit them and thus be compliant and receive a high grade regardless of the level of risk they have deemed acceptable. Certainly we want to avoid a check the box mentality and don't want FISMA to be reduced to a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress while yielding few genuine security improvements. Unfortunately, in some cases, that is what it has become. Some Federal agency chief information security officers are measured on their compliance scores with FISMA, not on whether they have adequately assessed risk in their respective agency or prevented breaches of sensitive information. Instead, we want agencies to actively protect their systems instead of just reacting to the latest threat with patches and other responses. With the benefit of 5 years' experience under FISMA and several insightful reports by the U.S. Government Accountability Office, it is now possible to identify possible improvements that can address those weaknesses in FISMA implementation that have now become apparent. With global attacks on data networks increasing at an alarming rate and in a more organized and sophisticated manner, there is precious little time to lose. Faced with this urgent need, we applaud the bill that you have introduced, H.R. 4791. We strongly support this bill. It would undertake the important step of codifying many of the recommended steps that OMB took in a series of memos to Federal agencies after a series of significant data breaches in recent years. The legislation provides much-needed common sense obligations to require agencies to develop policies and plans to identify and protect personal information, develop requirements for reporting data breaches and report to Congress a summary of information security breaches reported by Federal agencies. 
We recommend that the proposed legislation also include language requiring that data breaches of information systems maintained by contractors and other sources working on Federal projects be promptly notified to the Secretary and the CIO of the contracting agency. Federal contractors are responsible for many of the data breaches that agencies reported. CSIA believes that it is important to reaffirm that FISMA applies to Federal contractors. We also commend the chairman for having the insight to incorporate language into this legislation requiring that Federal Government agencies encrypt or make unusable and unreadable personal data and to establish minimum requirements for protection of information on mobile devices. H.R. 4791 also prudently establishes security requirements for peer-to-peer networks. We believe that agencies should be required to develop a plan to protect against the risks of peer-to-peer networks and provide detailed technology and the policy procedures they should take. To assist further consideration of this bill, we offer additional recommendations. One, align responsibilities and authorities to vest the CIO and CISO with specific power over information security. The current authority of agency CIOs to ensure should be the power to enforce cost effective measures of security. Two, require improvements to assessment, continuous monitoring and remediation in order to develop a comprehensive approach to information systems security. Three, mandate preparation of the complete inventory of all Federal agency IT assets by a certain date. Four, improve performance measurement and provide incentives to agencies that give information security a high priority. Five, institutionalize security within Federal agency culture. Six, increase Federal agency IT security funding. Seven, reaffirm objective assessments of commercially available information technologies.
And eight, narrow the scope of the privacy definition provided for in the proposed legislation. In closing, I commend the subcommittee for highlighting the importance of information security, for examining how we can improve FISMA and Federal agency information security practices going forward. The overriding objective should be to move Federal agencies to act in a manner that equates strong information security practices with overall mission accomplishment. We all know what is at stake. Thank you, Mr. Chairman.

[The prepared statement of Mr. Bennett follows:]

Mr. Clay. Thank you, Mr. Bennett. I thank the entire panel for their testimony today. Now we will proceed under the 5-minute rule to questions for the panel. I will recognize the ranking minority member of the full committee, from Virginia, my good friend, Tom Davis. Mr. Davis.

Mr. Davis of Virginia. Thank you, Chairman Clay. I want to thank you for holding this important hearing. We are here to talk about information security from the Federal perspective. But these are issues and challenges we face at all levels of Government and even as individuals. Secure information is the lifeblood of effective Government policymaking, good program management and a thriving economy. Protecting that information has to be a priority, not an afterthought. The evolving nature of cyber threats requires constant vigilance. The Federal Government's information security program should be proactive, not reactive. If we keep chasing yesterday's problems, we will never be able to stop tomorrow's sophisticated challenges. When it comes to information security, all it takes is one weak link to break the data chain.
One successful cyber attack could strike a stunning blow to an agency's operations and damage citizens' trust in electronic Government initiatives. Continued vulnerability puts personal information at risk. The loss of Blackberry service a few days ago reminded us of our dependence on IT, how difficult it is for us to function without it, and how fragile some key systems remain. One of the best ways to defend against attacks is to have a strong and yet a very flexible protection policy in place, not overly prescriptive. We want agencies to actively protect their systems, instead of simply reacting to the latest threat with patches and other responses. On the Government Reform Committee, I focused on Government-wide information management and security for many years. The Privacy Act and the E-Government Act of 2002 outlined the parameters for the protection of personal information and the Federal Information Security Management Act [FISMA], requires each agency to create a comprehensive risk-based approach to agency-wide information security management through preparedness, evaluation and reporting requirements. It is intended to make security management an integral part of an agency's operation and to ensure that we are actively using best practices to secure our systems. Certainly, FISMA has its critics. We have heard from some of them today. But I think we also will hear that it still provides the necessary tools to secure our information, and has made information security a priority mention at agencies. We want to avoid that check the box mentality that has been criticized, and we need to incentivize strong information protection policies. We need to pursue a goal of security rather than compliance. Nearly 5 years after FISMA was enacted, there is always the risk of complacency. The basic FISMA concept and process remains sound. But we should ask if we can make it better. I think we can.
As a start, I introduced legislation requiring timely notice be provided to individuals whose sensitive personal information could be compromised by a breach of data security at a Federal agency. Despite the volume of sensitive information held by agencies, there is no current requirement for citizens to be notified if their information is compromised. This legislation passed the House during the 109th Congress. I continue to urge Chairman Waxman to make it a priority this year. I would ask that the two letters I have sent to Chairman Waxman be included in the record, Mr. Chairman.

Mr. Clay. Without objection, so ordered.

[The information referred to follows:]

Mr. Davis of Virginia. Each year, I have released Federal Agencies Information Security score cards. Despite some improvements, scores for many departments remain unacceptably low. By the way, a lot of the scoring is done by GAO and OMB. It is not just done by our whim. The Federal Government overall received a C minus, a slight improvement over prior years. I know some don't like to be graded. I have actually had Cabinet secretaries call me to lobby about their grades. And others don't see the value. But I think most of us agree 5 years later that information security should be a priority at Federal agencies. This is how it should be. The Federal Government has sensitive personal information on every citizen, from health records to tax returns to military records. We need to ensure that the public knows when its sensitive personal information has been lost or compromised. Public confidence in Government in this area is essential. As we discuss Federal information security, we should focus on the most pressing issues and threats, remain technology-neutral and take care not to disrupt the progress we have made or the progress already underway.
Not being technology-neutral, I think, siphons a lot of innovation from this area. That is a major concern with being overly prescriptive, something we have to balance. In the end, the public demands effective Government and the future of effective Government and security information depends more than ever on a successful future for FISMA. Thank you, Mr. Chairman.

[The prepared statement of Hon. Tom Davis follows:]

Mr. Clay. Thank you, and would the ranking member care to ask questions?

Mr. Davis of Virginia. Ms. Evans, let me ask you, the administration has focused unprecedented attention on the mundane but the very essential tasks of improving Federal management practices, including a focus on expanding electronic Government. The President's management agenda rates agencies' efforts on E-Gov initiatives, OMB requires quarterly reports, yet we still have a long way to go before things are secure. Do you have any advice or recommendations for the next administration of things they should prioritize?

Ms. Evans. I have a lot of advice. But in particular, I think that the areas that we focused on and the specific processes are good foundational activities that I think any administration would want to continue. For example, on the score card, one of the things that we look at, and on a quarterly basis as required by the guidance that has been outlined in FISMA, is the plan of actions and milestones which really is the constant assessment of risk. If an agency is in the check the box mentality, then we are going to get the results that the other panelists, my colleagues, have talked about.
But if the agency head and the CIO are really evaluating the new technologies, the services that they have, that process, that monthly looking at things, the daily looking at things and then making sure that you have an adequate way to then address it I think is a good practice to carry forward. We call it certification and accreditation overall, we call the quarterly reports, plan of actions and milestones, but what it really is is getting to the culture of managing the risk.

Mr. Davis of Virginia. Have you found any agencies that just check the box and literally don't have the substance behind checking it?

Ms. Evans. I think that there are mixed results, as we have said in our reports in the past. I work very closely with all the agencies, especially through the CIO council. I do and am concerned that we balance the compliance aspect of this legislation and any legislation that we have against achieving the actual results. So I would say there are mixed results and it depends on the leadership and the CIO in particular of how they are managing that information security program within the department.

Mr. Davis of Virginia. The report cards are not perfect, but right now, nobody else is keeping track, at least up here, over what is happening. If you don't give a report card or at least give some public embarrassment, there is no appropriations penalty to be paid or anything else. Ultimately it has to be directed from OMB. The executive branch doesn't need us involved in a perfect world. We have to make this a priority. But managers down below, given limited funds, generally want to accomplish their mission first. Many of them would just as soon take the risk of a data breach to be able to accomplish things, and if something happens, hopefully it won't happen on their watch. That is one of our concerns.

Ms. Evans.
And I would agree with you and I think that is what we have done through the criteria that we manage and look at on a quarterly basis through the E-Government Score Card on the President's management agenda. It is looking at all and everything that takes into consideration for a good information technology program in a department. If you master those management skills, then you have the foundation to go forward to support any program. All of this is about getting good program results and making sure that you have public confidence in your services. So you have to do many things in order to do that in this environment. The way to provide those services is through the use of information technology.

Mr. Davis of Virginia. Mr. Paller, part of your testimony approaches Federal IT from an international perspective. How do we rank when you compare us with government IT security in other countries?

Mr. Paller. First, the breach bill that you talked about, this is going to do a lot of good. Because people respond when they have to make something public in ways they don't even think about.

Mr. Davis of Virginia. No question. The tendency is to sweep it under a rug, fully investigate, make sure you get your spin on it. That is just natural. We do the same, by the way, we are no different than the executive agencies.

Mr. Paller. In almost all areas, we are stronger than other governments. The one place we fall way behind is in information sharing. The British figured out how to do that. They actually copied something we had called the NSIE, and spread it and we didn't copy what we had and we built this thing called ISACS that just don't work. So they are way ahead on information sharing. But in terms of actually securing Government systems, we are not way behind anyone.

Mr. Davis of Virginia. We are also more of a target than most government systems, aren't we?

Mr. Paller. We are getting hurt more, the British equally, the Australians, too.
These nation-state attacks are enormous. The head of MI-5 actually just did a letter that it is all spreading to businesses now. If you do business in China, you are being just destroyed with cyber attacks.

Mr. Davis of Virginia. I hope we can sit down and work some language out that and can all agree on this. Because a cyber Pearl Harbor or something of that nature would just be awful. And at that point, you would say, where have we all been on this. And a lot of us have been working on this for a long time. It is not easy. Can I just ask one other question? Mr. Wilshusen, some have suggested that standardizing IG audits, their practices in the area of information security, would help reduce the discrepancy between the agency grades, their compliance with the act and their information security practices. Is it feasible to standardize audit practices? Do you agree with that proposal?

Mr. Wilshusen. I think audits and in particular, with the independent IG evaluations, we have noted in the past that they have been inconsistent, the scope and methodology of their evaluations vary across agencies. And the form and content of the reports differs significantly from just repeating or presenting the information on the FISMA template that OMB has established to coming up with real conclusions and findings and issues on these security deficiencies at those agencies. So by having these evaluations of performance in accordance with Government auditing standards, for example, that could elevate and raise consistency in the content of those evaluations.

Mr. Davis of Virginia. Thank you.

Mr. Clay. Thank you, Mr. Davis. Mr. Paller, I am very interested in your testimony's support of prioritizing the testing and evaluation activities that are carried out by agencies on a regular basis. Thus, I have a few practical questions on how would you get there. Does current guidance from NIST, such as S.P.
853, provide a blue print for adequate security and should this guidance simply be made mandatory and binding on agencies?

Mr. Paller. No, and hell, no. It is a catalog of everything anybody ever thought of that might help security, 853. Not even the audit guide, this is it. There is a parallel in the commercial world that is what you actually have to do to secure all the credit cards. Because the credit card industry says, we are going to stop losing it. This looks smaller. And this one, in all of this, firewalls are a really important part of security, lock the door, firewalls the door. In all of this, one-200th of it talks about firewalls. In the real one, one eighth. So 12 1/2 percent talks about it. If you know security, you actually know security, not know about writing about security, but actually doing it, no, 853 is silly.

Mr. Clay. How can new guidance or security controls be added in a real-time environment?

Mr. Paller. I think again, the payment card industry does it. These are updated regularly. There is a massive new attack on Web applications. They used to go against Windows and the other things. Now they are going against every Web site. Well, this has nothing, it tells you nothing about doing that. But this one is updated very regularly, almost quarterly. It is not hard. All you do is you set up a council of the people who actually have to protect systems, say, what are you doing and then get them to agree, 10 or 12 of them, they agree and you write it up. It really isn't impossible. It is not easy, but it isn't impossible.

Mr. Clay. You also referred to the Air Force contracting which had required vendors to deliver minimum security configurations for a system. Should a contractual mandate along these lines, with requirements defined by OMB and the Federal Acquisition Council be required under FISMA?

Mr. Paller. That is actually Karen's, she has done a lot of wonderful things.
Taking what the Air Force did and making it a Federal mandate is the biggest, single biggest thing in improving security we have ever done as a country.

Mr. Clay. Is that what Ms. Evans is pushing?

Mr. Paller. Yes, what Ms. Evans has done.

Mr. Clay. Would we have the problem of technology moving ahead too quickly for regulations to keep up?

Mr. Paller. No. The Air Force, for example, has this absolute mandate. You have to do it this way. And if you compare the Air Force's new computers with every other agency, they are ahead of the other agencies. So you can't say they are behind technologically when they actually have the most advanced technology and yet they are meeting the standard. It is because they do it together that they get all the advanced technologies.

Mr. Clay. Thank you for that response. Let me ask Mr. McConnell, can you tell us how laws like FISMA and Clinger-Cohen have altered the information security landscape over the past decade, and if there are areas in which we should try to harmonize the provisions in order to improve security?

Mr. McConnell. Yes, sir. I think there have been three beneficial effects of FISMA and Clinger-Cohen. They have increased the level of attention that is paid to information security, they create a management structure that can be used to manage it, and they have encouraged integrating security into the overall program management. So you have a well-managed program that includes good security. I think what is needed at this point is for the executive branch to take full advantage of the authorities and structure that you have provided. I have seen that work in the past across administrations. The Clinger-Cohen bill set out authorities in a management structure that was passed during the Clinton administration. And now the current administration has really exercised those authorities in a significant way.
I think as far as harmonization, the law that is probably the most in need of harmonization and updating that is under this committee's jurisdiction is the Privacy Act. That is the Privacy Act of 1974. And that as you can imagine, there is much that could be done to harmonize that with other things that have happened.

Mr. Clay. Can you explain in further detail why an independent audit would hinder agency efforts to root out security vulnerabilities? Isn't one of the problems with FISMA related to the current evaluations having little consistency or applicability across agencies, making it a paperwork exercise?

Mr. McConnell. I would agree that the current evaluations are inconsistent and that they often focus on paperwork. But I don't think those two aspects are necessarily connected. You have inconsistency because you have inconsistent evaluation criteria and processes. Whereas the paperwork is looking at a compliance, box checking, rather than on operational security, as Mr. Paller was saying, let's just get the stuff done. So you could have consistent processes, but still have the paperwork focus. The concern that I have about the mandatory audit is that you just exacerbate the compliance mentality. Everybody at that point is in a CYA thing, trying to make the audit right. So I think you need to have consistent evaluation criteria, independent evaluation criteria, but I don't recommend making it an audit.

Mr. Wilshusen. Mr. Chairman, may I please comment?

Mr. Clay. Sure.

Mr. Wilshusen. One thing, and I just want to make sure that we are clear on if we are talking about the annual independent IG evaluation or audit, if that is the change in H.R. 4791, versus the testing that may be done by the agencies.
One thing that is important, if we go to an audit by the IG as part of the annual evaluation, is to make sure that the audit focuses on and the auditors conclude on the effectiveness of the information security controls, rather than making it merely compliance with the provisions of the act. And so it is important to direct the focus of the audit toward evaluating effectiveness as the IGs and auditors do as part of the consolidated financial statement or the audits of the agencies' financial statements. And that is why you have a disparity between why certain agencies are reporting increased performance versus the various metrics established by OMB for FISMA reporting versus those audit results of the effectiveness of controls. So there is a distinction there to try to make the annual IG evaluation by making it in accordance with audit standards and assuring that the auditors conclude on the effectiveness of controls, not merely compliance with the act.

Mr. Clay. And these should be independent audits?

Mr. Wilshusen. Absolutely.

Mr. Clay. Yes.

Mr. Wilshusen. And that is separate from the agencies that are also required under FISMA to test and evaluate the effectiveness of their controls. And that would be all their controls, management, operational, technical controls, on a frequency based on risk. We have found problems with that process being implemented by the agencies. But those are two separate issues, one performed independently by the IG or other auditors, others. The security tests and evaluations required as part of an agency information security program is performed by agency personnel or their contractors.

Mr. Clay. Thank you for that response. Mr. Bennett, a critical element of FISMA is for agencies to develop a risk assessment of their systems in order to develop or integrate effective security policies and applications for them.
With this in mind, please characterize the vendors' roles and responsibilities in developing and implementing secure networks and applications throughout an agency.

Mr. Bennett. Yes, Mr. Chairman. The vendor should be responsible for understanding the agency's enterprise architecture and the operating environment to assure that their solutions will not disconnect or break the systems that are currently in place. While Government and their contractor personnel, support personnel are ultimately responsible for the support and operation of the infrastructure, only the vendors of these enterprise solutions really understand the protocols and underlying infrastructure requirements that will allow these products to work securely and as designed. This means that implementation, testing and integration of cyber security and risk in the mission achievement is the responsibility of the vendor in the larger context of the agency framework and budget.

Mr. Clay. Is the mitigation of risk a shared duty or responsibility between both agency personnel and the vendor community?

Mr. Bennett. Yes, absolutely it is a shared responsibility, to the extent that the vendors' products should work as advertised. The agency is solely responsible for the determination of how much risk they are willing to take and NIST guidelines do provide some guidance in this area. But once a mitigation plan has been decided, the agency should have every expectation that the solutions that have been purchased perform as advertised.

Mr. Clay. In actuality, and anybody on the panel can answer this, how does it actually work between vendor community and agency? Is it pretty seamless? Is it a turf war? What have you found? Ms. Evans, you can start.

Ms. Evans. I would like to take the opportunity to first talk about that. I applaud the answer of my colleague at the other end of the table.
But when it ultimately comes down to it, the agency head is ultimately responsible for the services that they procure and the contracts that they let. So it is the responsibility of the CIO, which is outlined in the statute, to ensure that we manage that risk appropriately. So you have to have very clear and open communications. You have to make sure that the contract is very clear as to what the roles and responsibilities are. But when it is said and done, the American people hold us, the executive branch, accountable for our actions and for our services. So I believe that what the administration has done with our policies and the actions that we are taking is trying to make that very clear and using the tools that we have in place to leverage our buying power, so that it is clear to us and clear to those who choose to provide the services for us what those expectations are, what the risks are and how those products need to work in our environment.
    Mr. Clay. Thank you. Mr. Wilshusen.
    Mr. Wilshusen. I would just like to add, FISMA requires that the agency is responsible for the security over the systems that are operated on its behalf by third parties and contractors. It should be an integral part of the agency's information security program. However, we have found in our report that we issued back in, I think it was April 2005, that many of the agencies did not have adequate policies or were not actually monitoring the effectiveness of security over systems operated by contractors. So Ms. Evans is absolutely correct, it is important that contracts be, or that the requirements for information security be specified in the contracts, so that the contractors know what to do. But there is also that other side of the agency taking responsibility to assure that the contractors are upholding their end of the bargain and implementing the security in accordance with the contract requirements and Federal requirements.
    Mr. Clay. Thank you. Mr. Paller.
    Mr. Paller.
We train 14,000 people a year. Lots of them are Federal people, lots of them are contractors, lots of them are Boeing people. They can't figure this out on the fly. What Ms. Evans is talking about, contracting for what you want, the fact that we don't do that today is one of the two biggest flaws in all of our Federal security. What we do is we throw it over the wall to these contractors. And then when we find out there was something extra we needed to do for security, they say, well, that is another $100 million. Then we have to make choices between spending the extra money or not. We have to change the way we buy products, to buy it with security baked in, rather than getting caught. That happens with our third party, our software. Right now, if somebody does a software development for us and we find a major security flaw in it, we have to pay them to now go and we have to negotiate with them and now they are busy and they have something else to do. The whole contracting mechanism is, give it away and then, oh, shoot, security, we should have asked you for that. So what Ms. Evans is talking about is not a lightweight thing. It actually matters.
    Mr. Clay. Do you think in the President's proposed $70 billion budget for IT, do you think there are some built-in protections for that, for that security element?
    Mr. Paller. No, the contracting officers don't like this topic. So when the guys want to put it into contracts, am I being bad?
    Ms. Evans. No, you go ahead.
    [Laughter.]
    Mr. Clay. You are doing fine. Please proceed.
    Mr. Paller. The contracting officers don't like it and so when the technical person who knows what he wants goes to the contracting officer and says, can we put that in, he says, well, you are not being specific enough. And then it is gone.
    Ms. Evans. But I have good news.
I bring good news, which is, we have, as I stated in my testimony, we have been working with the Federal Acquisition Council to make modifications to the FAR to do things like what we have done with the Federal Desktop Core Configuration. So the FAR will be amended to then include the common security configurations, which makes it a mandatory clause. That clause, that language is to be published in the Federal Register no later than Tuesday. So we understand where the performance gaps are. We know we have to follow through in our contracts to ensure that we can hold ourselves as well as the contractors accountable. So if you follow this example through, we gave agencies guidance last year, last June. All new contracts were to have this language in it if you were providing these types of operating systems or you were going to provide products that were going to operate on these operating systems. What we are following through now is making sure that we will be successful in spite of ourselves, because this will be in the FAR. It will go forward that way. So a lot of these things are now coming into place where the vendors now are like, OK, so what does this mean that I have to provide certification? That is the point of what NIST has done by having this program out which is dealing with--the acronym is S-CAP, but in essence what it does is validate that those security settings stay set when you bring them into your environment. So a vendor, when you bring in new tooling to your environment or a new application or anything, you run this tool. And it is going to tell you, against those 700 settings, what changes and what didn't. It gives you a percentage. We are talking 100 percent right now. We told the agencies that they had to comply with this. There is no, like, give me 80 percent or so. It is zero or 100. Then we thought, OK, from that perspective, how would that really go forward. 
We have agencies that can tell you exactly how many desktops have these operating environments and out of the 700, 5 are problematic and they know exactly now what applications that affects. We couldn't do that before. So now when you know what that is, you can now put in compensating controls. These lay the good foundations for an information management program. But the key was to ensure that the procurement cycle, and as these products and applications come into our environments, that they too are aware and that they are certifying against that environment.
    Mr. Clay. Will you provide us with the language?
    Ms. Evans. Absolutely.
    Mr. Clay. Thank you so much. Mr. McConnell, did you have anything to add?
    Mr. McConnell. I think this has been pretty well discussed, sir.
    Mr. Clay. Mr. Bennett, one final question. You mentioned incentives for agency security performance in your testimony. I would like to explore that idea of a carrot and stick approach. Would incentives such as permitting agencies that receive an unqualified or clean independent audit to be audited only every other year be appropriate, and conversely, would penalties for an agency such as losing procurement funding until deficiencies are remedied be an effective tool?
    Mr. Bennett. Yes, Mr. Chairman. I think that might work and should be given serious consideration and should be counterbalanced by the concept that if there is inadequate performance, that the frequency of audits should be increased so that it works both ways and truly becomes a carrot with also a stick.
    Mr. Clay. Thank you so much. Do any other panelists have anything to add?
    Mr. Paller. I just wanted to connect the dots to Boeing. Everything we are talking about, about compliance, spending all this money, not doing security, I am getting calls all the time, they are just discovering it, does this really mean us, too?
So everything we are talking about, about cleaning it up, is about to come back across the entire Defense industrial base, because a few months ago, they found out that the Chinese had gotten deeply into most of their computers as well. So they are now part of the game, and they are subject to all of this and people saying, well, let's make them FISMA-compliant, and all this discussion about paperwork and money wasted, it is all about what we are going to do to the contractors.
    Mr. Clay. So they are watching with a keen eye?
    Mr. Paller. They are going to scream when it hurts.
    Mr. Clay. They are going to scream when it hurts. Thank you so much, Mr. Paller. Ms. Evans.
    Ms. Evans. On the evaluations or audits, or whatever we end up calling it, I do think that it is important, again, that it is a balance of what we are looking at and the carrot and stick approach. This is something that in my own position that I am sure you guys manage with, as I do, is that we need to be careful about the compliance versus the actual results that we are trying to achieve. Putting timeframes on these things also could drive certain behavior that we may not necessarily want either. I really believe it gets down to, it is a culture of constantly evaluating the risks associated with the information that you have. And you know, to take away procurement authority or to take away money, in some cases you might have to add money in order to fix these types of activities, because it is so pervasive. I really believe the way the administration puts together the budget, how we evaluate the capital planning, how we send this stuff forward, really allows the agencies to focus on managing that on a daily basis. It is not a time, it is not a quarter, it is not a year, it is not biannually. Agencies have to do this on a daily basis. It has to be a culture of managing risk on a daily basis.
    Mr. Clay. Thank you so much for that response, Ms. Evans.
Let me thank the entire panel for today's hearing and your testimony. We certainly appreciate your participation in this hearing. That concludes this hearing. Hearing adjourned.
    [Whereupon, at 12:40 p.m., the subcommittees were adjourned.]